This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

From SSL VPN Client - Unable to Log into Remote Site Sophos Web - Invalid Traffic

Ben Sanderson over 2 years ago

From SSL VPN Client at Head Office to a Remote Sophos unable to connect to Web Interface either on 4444 or 443.

I am able to SSH to the device with no issues.

All of the firewall rules are in place at both ends, have multiple sites that work with no issue, just this one.

Thanks,

This thread was automatically locked due to age.

Top Replies

LuCar Toni over 2 years ago in reply to emmosophos +2 verified

Yeah. IPsec is a different story. Die IPsec MTU is to big for the webadmin. Therefore this issue appears. Try this workaround: https://community.sophos.com/sophos-xg-firewall/f/discussions/104507/site…

Parents

0 FormerMember over 2 years ago

Hi Ben Sanderson,

Thank you for reaching out to the Community!

Go to Administration > Device Access > Check if admin services(HTTPS) and User Portal are allowed on the VPN zone. It also could be an issue with the MTU, and you probably have to lower the MTU on the client-side.

Thanks,
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 FormerMember over 2 years ago

Hi Ben Sanderson,

Thank you for reaching out to the Community!

Go to Administration > Device Access > Check if admin services(HTTPS) and User Portal are allowed on the VPN zone. It also could be an issue with the MTU, and you probably have to lower the MTU on the client-side.

Thanks,
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Ben Sanderson over 2 years ago in reply to FormerMember

Harsh,

Changed the MTU size from 1500 to 1400 on my interface with no success.

Admin Services was already checked for the VPN Zone.

Thanks,
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 2 years ago in reply to Ben Sanderson

Check the LAN Zone or where ever the destination Interface is placed. You are using a IP of a Interface within your network.

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Cancel
0 Ben Sanderson over 2 years ago in reply to LuCar Toni

Yes the Zones and Networks Allowed are correct, doubled checked everything, I am able to SSH to the remote firewall from my VPN'd PC.
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 2 years ago in reply to Ben Sanderson

Can you share screenshots of the device access and the network page? Maybe there is something odd.

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Cancel
0 Ben Sanderson over 2 years ago in reply to LuCar Toni

Attached Device Access and Rules - Under Network, that is the SSL VPN Network and under Zones VPN and Management - which is the zone I have the management of the Sophos. - Again I am able to SSH to the device so the network rules are working.
Cancel
Vote Up 0 Vote Down

Cancel
0 emmosophos over 2 years ago in reply to Ben Sanderson

Hello there,

Adding to what Luca and Harsh mentioned, could you check if you have any bypass for the Advanced Firewall

console> show advanced-firewall

You will need to SSH into the XG and once in the Main Menu press 5>4 to land in the console.

Regards,

Emmanuel (EmmoSophos)

Technical Team Lead, Global Community Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel
0 Ben Sanderson over 2 years ago in reply to emmosophos

Emmanuel,

Do not see anything in this screen to would show bypass, but included a screenshot of the command.

Thanks
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 2 years ago in reply to Ben Sanderson

Can you check this via tcpdump on the appliance itself? Is the traffic simply not replied or is the traffic forwarded to something else?

Perform a tcpdump -ni any port 4444

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Cancel
0 Ben Sanderson over 2 years ago in reply to LuCar Toni

LuCar,

Tried the following command and did not work...

console> tcpdump -ni any port 4444
% Error: Unknown Parameter 'any'

Thanks
Cancel
Vote Up 0 Vote Down

Cancel
0 Ben Sanderson over 2 years ago in reply to LuCar Toni

LuCar, was able to change the tcpdump a bit, here is the output, the SSL client is hitting the firewall.
Cancel
Vote Up 0 Vote Down

Cancel