This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Site-toSite VPN cannot access XG on remote site using normal 4444 port.

I have set up a iPsec VPN between 2 sites (Site A 192.168.99.x, Site B 192.168.1.x)

The VPN works fine and I can access servers on SITE B from SITE A via RDP connections using local IP's

However If I try to access the XG device at SITE B (https://192.168.1.3:4444) from SITE A it will not connect. - I have also found other connections on SITE B are also not found including the Sophos Firewall Manger device (hardware). I can ping these device with no problem from SITE A -> SITE B - very strange ?

Running ( XG210 (SFOS 17.1.1 MR-1) )

This thread was automatically locked due to age.

Top Replies

LuCar Toni over 5 years ago in reply to Pascal G +1 verified

Maybe i can provide some kind of Workaround. Let me paint the picuture. Client with Browser - Router - Ipsec Tunnel - XG - Webadmin Interface(192.168.190.1/24) On The Router (SG / XG / Whatever…

Parents

0 sachingurung over 5 years ago

Hi Mark,

Check if device access over HTTPS is allowed for VPN in Administration > Device Access > VPN > HTTPS.

Device Access allows you to limit administrative access to certain services from custom and default zones (LAN, WAN, DMZ, VPN, Wi-Fi).

Thanks,

Sachin Gurung
Team Lead | Sophos Technical Support
Knowledge Base | @SophosSupport | Video tutorials
Remember to like a post. If a post (on a question thread) solves your question use the 'This helped me' link.
Cancel
Vote Up 0 Vote Down

Cancel
0 Mark Stoker over 5 years ago in reply to sachingurung

This is already done. Just fails every time. It seems to be any device on the SITE B Lan e.g NAS drives, Sophos Firewall Manager (typically ones that have a PORT option)
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 5 years ago in reply to Mark Stoker

Which device do you use on the other site of the XG tunnel?

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Cancel
0 Mark Stoker over 5 years ago in reply to LuCar Toni

XG 210 itself, Synology NAS, Sophos Firewall Manager. (XG125 on branch office A)
Cancel
Vote Up 0 Vote Down

Cancel
0 Ludo over 5 years ago in reply to Mark Stoker

Hi,

Did you solved your issue ?

I've the same problem.

Thanks in advance,

Ludo.
Cancel
Vote Up 0 Vote Down

Cancel
0 Mark Stoker over 5 years ago in reply to Ludo

Nope - I logged a case with tech support and it has been escalated right up to senior support - I have spent many hours on remote sessions but still no solution !!

It only seems to be when the WAN connection to the ISP is STATIC - if it is PPoe then all works fine.
Cancel
Vote Up 0 Vote Down

Cancel
0 Pascal G over 5 years ago in reply to Mark Stoker

Hello,

Which IPSEC policy was used? Did you enable data compression?

I had the problem once before. Servers were available. Ping went too but I could not open the web interface of the XG (TLS handshake timeout) and traceroute did not work either.

It can be checked relatively quickly whether you can open the XG with Internet Explorer.

best regards,

Pascal

IT-SECURITY CONSULTANT

Certified Architect - XG | UTM | MOBILE
Cancel
Vote Up 0 Vote Down

Cancel
0 Ludo over 5 years ago in reply to Pascal G

Hello,

Thanks for your reply.

I use the DefaultBranchOffice Ipsec profile. (and DefaultHeadOffice on my central Sophos XG)

In SFOS16 DefaultBranchOffice IPSec Profile, the compression is ON.

Not in SFOS17.

Do you think I have to test with the compression ON ?

Because in SFOS16, we don't have this Admin Login Page access problem.

Problem is the same with IE or Firefox.

Thanks in advance.

Ludo.
Cancel
Vote Up 0 Vote Down

Cancel
0 Mark Stoker over 5 years ago in reply to Pascal G

We used default Headoffice/Branch office policies.

Did you solve this using data compression ?
Cancel
Vote Up 0 Vote Down

Cancel
0 Pascal G over 5 years ago in reply to Mark Stoker

So in my case it looked like this.

Without compression

With compression

best regards,

Pascal

IT-SECURITY CONSULTANT

Certified Architect - XG | UTM | MOBILE
Cancel
Vote Up 0 Vote Down

Cancel
+1 LuCar Toni over 5 years ago in reply to Pascal G
Maybe i can provide some kind of Workaround.

Let me paint the picuture.

Client with Browser - Router - Ipsec Tunnel - XG - Webadmin Interface(192.168.190.1/24)

On The Router (SG / XG / Whatever), i apply following iptables command.

iptables -t mangle -I POSTROUTING -d 192.168.190.1/32 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 900
__________________________________________________________________________________________________________________
Cancel
Vote Up +1 Vote Down

Cancel

Reply

+1 LuCar Toni over 5 years ago in reply to Pascal G
Maybe i can provide some kind of Workaround.

Let me paint the picuture.

Client with Browser - Router - Ipsec Tunnel - XG - Webadmin Interface(192.168.190.1/24)

On The Router (SG / XG / Whatever), i apply following iptables command.

iptables -t mangle -I POSTROUTING -d 192.168.190.1/32 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 900
__________________________________________________________________________________________________________________
Cancel
Vote Up +1 Vote Down

Cancel

Children

0 Ludo over 5 years ago in reply to LuCar Toni

Hi,

It's seems to work when I apply a 900 MSS on the LAN Interface.

So now, what's the impact on the trafic or anything else if I let this like that ?

Thanks.

Ludo.
Cancel
Vote Up 0 Vote Down

Cancel