XG125 SFOS V18 - IPsec tunnel - can't access web resources at other side

Question

I have a site to site configured between 2 Sophos XG's - This has been active since 17.5 and has been very reliable - I'm now unable to access web portals (with self signed certs) over the VPN (such as printer admin panels / onsite Apache dev servers etc - RDP traffic traverses just fine - just cant access web - it shows the default browser "this page is not secure - do you want to proceed" then when i click yes it just freezes - i have played with all the SSL protection settings i can find but to no avail - if someone can give me some insight into how to fix this - I'll owe you a beer!!!

This thread was automatically locked due to age.

VikenNajarian · Accepted Answer

Hello,

I had the exact same issue for one of my custommers.

They have XG with IPSEC tunnel, everything works well but I cannot reach the http pages to manage switches or printers ...

The trick in my case was to lower the MTU of the wan interface of both XG. They have PPPOE FTTH connexions and I set the MTU to 1464, and now everything works well.

LuCar Toni · Answer

Another trick would be to use VTI (Virtual Tunnel Interface) or Route Based VPN. 
 If the other End of the Tunnel supports VTI, you could switch over and do not have to edit the MTU size. 
 
 Another Trick would be to workaround the used MTU size. 
 https://community.sophos.com/products/xg-firewall/f/network-and-routing/104507/site-tosite-vpn-cannot-access-xg-on-remote-site-using-normal-4444-port

Benjamin Cox · Answer

Thank you all for the help and advice on this. 
 
 MTU did indeed seem to be the solution, My connection is a PPPoE VDSL2 (UK ISP BT Business) using the Sophos VDSL2 SFP and the MTU was set to 1492 as that is the standard for this ISP - after trying a lot of combinations of lower values as recommended to no avail, I researched more and discovered this knowledge base article https://community.sophos.com/kb/en-us/127690 which lead me to believe i should set the MTU to a value of 1500 - this worked instantly and put an end to my unbelievably annoying VPN issue. 
 
 As i interpret it (if anyone more knowledgeable on the matter knows better then please correct me) but the MTU value set for PPPoE within the interface in the GUI is for the physical interface, and 8 is removed from that, so 1500 will infact be 1492 (take away the 28 (20 + 8) for overhead, that will give a true MTU of 1464. 
 
 I have attached a screenshot from running the ifconfig command in the Advanced Shell that shows this

Hope this helps save someone else from experiencing the world of pain I have endured trying to work this one out!