From SSL VPN Client at Head Office to a Remote Sophos unable to connect to Web Interface either on 4444 or 443.
I am able to SSH to the device with no issues.
All of the firewall rules are in place at both ends, have multiple sites that work with no issue, just this one.
Yeah. IPsec is a different story. The IPsec MTU is too big for the webadmin. Therefore this issue appears. Try this workaround: https://community.sophos.com/sophos-xg-firewall/f/discussions/104507/site-tosite…
Hi Ben Sanderson,
Thank you for reaching out to the Community!
Go to Administration > Device Access > Check if admin services (HTTPS) and User Portal are allowed on the VPN zone. It could also be an issue with the MTU, and you probably have to lower the MTU on the client side.
Changed the MTU size from 1500 to 1400 on my interface with no success.
Admin Services was already checked for the VPN Zone.
Check the LAN Zone or wherever the destination Interface is placed. You are using an IP of an Interface within your network.
Yes, the Zones and Networks Allowed are correct, double checked everything. I am able to SSH to the remote firewall from my VPN'd PC.
Can you share screenshots of the device access and the network page? Maybe there is something odd.
Attached Device Access and Rules. Under Network, that is the SSL VPN Network, and under Zones, VPN and Management, which is the zone I have the management of the Sophos in. Again, I am able to SSH to the device so the network rules are working.
Adding to what Luca and Harsh mentioned, could you check if you have any bypass for the Advanced Firewall
console> show advanced-firewall
You will need to SSH into the XG and once in the Main Menu press 5>4 to land in the console.
Do not see anything in this screen that would show bypass, but included a screenshot of the command.
Can you check this via tcpdump on the appliance itself? Is the traffic simply not replied or is the traffic forwarded to something else?
Perform a tcpdump -ni any port 4444
Tried the following command and did not work...
console> tcpdump -ni any port 4444
% Error: Unknown Parameter 'any'
LuCar, was able to change the tcpdump a bit, here is the output, the SSL client is hitting the firewall.
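To turn the tcpdump check suggested above into a quick verdict, here is an added Python example (mine, not from the thread or from Sophos): it reads tcpdump lines for the admin port, groups them by client socket, and reports whether the firewall never answered the SYN (rule or device-access problem) or completed the handshake but kept retransmitting segments larger than a threshold (the MTU symptom discussed above). The tcpdump line layout, the sample capture, the addresses and the 1400-byte threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of "tcpdump -ni <iface> port 4444" output, not a capture
# from a real appliance; addresses, ports and sequence numbers are made up.
SAMPLE = """\
10:00:00.000100 IP 10.81.234.6.51234 > 192.168.1.1.4444: Flags [S], seq 100, win 64240, length 0
10:00:02.000100 IP 10.81.234.6.51240 > 192.168.1.1.4444: Flags [S], seq 200, win 64240, length 0
10:00:02.000200 IP 192.168.1.1.4444 > 10.81.234.6.51240: Flags [S.], seq 900, ack 201, win 65535, length 0
10:00:02.000400 IP 10.81.234.6.51240 > 192.168.1.1.4444: Flags [P.], seq 1:518, ack 1, win 64240, length 517
10:00:02.000500 IP 192.168.1.1.4444 > 10.81.234.6.51240: Flags [.], seq 1:1449, ack 518, win 65535, length 1448
10:00:02.000600 IP 192.168.1.1.4444 > 10.81.234.6.51240: Flags [P.], seq 1449:2897, ack 518, win 65535, length 1448
10:00:02.300600 IP 192.168.1.1.4444 > 10.81.234.6.51240: Flags [.], seq 1:1449, ack 518, win 65535, length 1448
10:00:03.000100 IP 10.81.234.6.51250 > 192.168.1.1.4444: Flags [S], seq 300, win 64240, length 0
10:00:03.000200 IP 192.168.1.1.4444 > 10.81.234.6.51250: Flags [S.], seq 700, ack 301, win 65535, length 0
10:00:03.000300 IP 192.168.1.1.4444 > 10.81.234.6.51250: Flags [P.], seq 1:201, ack 1, win 65535, length 200
""".splitlines()
# Field layout of a tcpdump TCP line (assumed; adjust if your build differs).
TCP_LINE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\],(?: seq (?P<seq>\d+)(?::\d+)?,)?.*? length (?P<len>\d+)")

def analyse(lines, admin_port=4444, mtu_hint=1400):
    """Per client socket: did the firewall answer the SYN, and did it keep
    resending segments larger than mtu_hint (a path-MTU-too-small symptom)?"""
    flows = defaultdict(lambda: {"syn": False, "synack": False, "seqs": [], "max_len": 0})
    for m in filter(None, map(TCP_LINE.match, lines)):
        flags, length = m["flags"], int(m["len"])
        if int(m["dport"]) == admin_port:          # client -> firewall
            if "S" in flags and "." not in flags:  # bare SYN
                flows[(m["src"], int(m["sport"]))]["syn"] = True
        elif int(m["sport"]) == admin_port:        # firewall -> client
            f = flows[(m["dst"], int(m["dport"]))]
            if "S" in flags and "." in flags:      # SYN-ACK
                f["synack"] = True
            if length and m["seq"]:
                f["seqs"].append(m["seq"])         # repeated seq = retransmission
                f["max_len"] = max(f["max_len"], length)
    verdicts = {}
    for key, f in flows.items():
        retrans = len(f["seqs"]) - len(set(f["seqs"]))
        if f["syn"] and not f["synack"]:
            verdicts[key] = "no reply: check device access / firewall rule"
        elif retrans and f["max_len"] > mtu_hint:
            verdicts[key] = "handshake ok, large segments retransmitted: suspect MTU"
        else:
            verdicts[key] = "replied"
    return verdicts
```

Feed it the real capture with `analyse(open("capture.txt").read().splitlines())`; a flow that completes the handshake but only retransmits big segments from the firewall side points at the MTU workaround rather than at the rules.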