Device not reachable trough VPN

Question

I have two hardware appliances (XG210) in an HA array. The auxiliary device is not reachable via HTTPS or SSH from the VPN. From the LAN without problems. HTTPS and SSH are enabled on the auxiliary device in the ACL. The IP address of the auxiliary firewall is in the same subnet as the primary firewall. The entire subnet should be accessible via VPN. 
 f.e. LAN 192.168.0.254/255.255.255.0 VPN 10.25.25.0/255.255.255.0 DMZ 10.123.123.2/255.255.255.252 
 Primary FW: 192.168.0.254 Auxiliary FW: 192.168.0.252 
 VPN -> Primary FW -> Works LAN -> Primary FW -> Works VPN -> Auxiliary FW -> does not work 
 LAN -> Auxiliary FW -> Works 
 
 I have deactivated the HA The second firewall is still not accessible from the VPN. 
 The firewall logs show that all packets from my client (VPN) are allowed to the second firewall.

LuCar Toni · Answer

Thats a known limitation. Its simply because the webadmin used MTU is to big to route them through VPN. 
 Try this workaround: https://community.sophos.com/xg-firewall/f/discussions/104507/site-tosite-vpn-cannot-access-xg-on-remote-site-using-normal-4444-port

LuCar Toni · Answer

I know this limitation only for IPSec (site to site or Remote access) not for SSLVPN. This needs some additional debugging. The limitation also only applies to Webadmin, not SSH. 
 There is a old routing issue with the loop back. So coming from VPN, going out to the switch and coming back to the AUX does not work in some cases. But after disable the HA, this should work.

Device not reachable trough VPN

Top Replies