
Sophos XG 115 / SFOS 18.0.3 MR-3 / Web admin access working locally and through WAN access but not through VPN

Dear Community,

The subject itself tells the whole story in brief.

I can locally access the web admin access and also through WAN (public) without any issues.

VPN is working fine and other web server sites published in master site are accessible without a glitch.

Kindly help me to rectify this.

Sophos support advised me to change the MTU on the WAN port of the XG firewall, but nothing happened.

Looking Forward,

Mohamed Marzook.



Edited TAGs
[edited by: emmosophos at 6:46 PM (GMT -7) on 3 Jun 2021]
  • Hi Mohamed,

    Please check your web admin security settings at SYSTEM > Administration > Device access.

    Regards,

    Intrusus
    Sophos Certified Engineer | Sophos Certified Technician

    private lab:
    XG firewall with SFOS 18.0.3 MR-3
    Intercept X Advanced (for Server) with EDR EAP latest
    If a post solves your question use the 'Verify Answer' link

  • Dear,

    FYI, of course the same is checked and still not working.

  • Hi,

    also check the following then:

    • Check that the SSL VPN port and the admin web portal port don't interfere 
    • Create a firewall rule from VPN to LAN
    • If SSL VPN is configured in Split mode, make sure you have added Sophos XG LAN IP in SSL VPN (Remote Access) > Permitted Network Resources 
    • Access Sophos XG through your LAN IP
    • Check the traffic Flow on XG for request for port 4444 > Use Packet capture and see if the traffic is reachable to XG and what action XG has taken.
    • Compress SSL VPN Traffic should be disabled. 

    Intrusus

  • Dear,

    Site A - SonicWALL NSA2600

    Site B - Sophos XG

    VPN type - IPSec

    Working - Everything else

    Not working - Web admin access of Sophos XG on Site A.

    Web admin port - Changed to 20443. So the URL is https://xxx.xxx.xxx.xxx:20443

    Web admin access through WAN using the public IP with the same port is working very well.

    Now tell me what am I missing?

  • Hello Amarzook,

    Thank you for contacting the Sophos Community!

    Make sure that the traffic directed to the Portal is crossing the VPN through a Packet Capture on the GUI of the XG.

    Also what IP/Port is being used for the users behind the IPsec to access the User Portal? Are they trying to use the WAN IP address?

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support Videos  |  Product Documentation  |  @SophosSupport  |  Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Dear,

    I have checked the packet capture and it shows the traffic from the site A and keeps dropping it with the response "invalid traffic"

    XG ip range - 172.16.xx.xx

    Site A ip range - 192.168.xx.xx

    We are using Citrix and other webapps between these sites using the same VPN and it's all working very well.

  • Hello Armarzook,

    Thank you! 

    May I have your Case ID to better understand the steps taken so far?

    I am not understanding what IP the users on the VPN are using to connect to the GUI of the XG.

    Regards,


     
    Emmanuel (EmmoSophos)
  • tbh I think it's an issue with allowed subnets on one of the firewalls. 

    Please provide screenshots and/or excerpts of logfiles when trying to connect to the XG from site B. Provide logfiles from both your XG and your SonicWALL. Also provide screenshots of your site2site VPN configurations of both firewalls. You're also free to open a case if needed at Sophos Support and provide the case ID in this thread.

    Thanks!

    Intrusus