
Can't reach admin interface from SSL VPN

Hello...

As the "subject" says, since we upgraded to 17.X and on (MR-2, MR-3) we can't access the Sophos XG Admin interface from the VPN (SSL VPN tunnel).

The page doesn't respond! BUT ... If we access the web Admin interface from inside the LAN zone (you don't even have to login, just load the admin page) at the same time (for example using a Terminal Server inside the LAN zone), the web admin interface is suddenly displayed also through the VPN SSL Tunnel!

Are we missing something? This happens on the latest 17.X releases: old firmware appliances are working fine.

If we can provide something to help please write.

Thanks, Mattia Trussardi



This thread was automatically locked due to age.
  • Can you provide the settings that you have? I don't have any problem accessing my Admin interface.

  • Hello,

    Enable the following settings to get admin access:

    • HTTPS for VPN under Administration > Device access
    • Create firewall rule from VPN to LAN
    • If SSL VPN is configured in Split mode, make sure you have added Sophos XG LAN IP in SSL VPN (Remote Access) > Permitted Network Resources 
    • Access Sophos XG through your LAN IP

    This should solve your issue.

     

    Regards, Ronak.

  • Thanks Ronak, all the settings are already right, exactly as you suggested!

    The admin interface is correctly reachable if I boot the old firmware. We did not make any changes: before upgrading to > 17.2.X all was OK, and the issue came out just after the update.

    Mattia Trussardi

  • Hello.

    I found out that in the SSL VPN config file (downloaded from the firewall) the "comp-lzo" parameter is always set to "no" (also on other firewalls we manage), although in the SSL VPN configuration parameters "use compression" is flagged.

    Maybe on old firmware versions client and server used to negotiate that parameter: not now with new firmware releases.

    I have to manually set "yes" in the configuration file or disable compression in the VPN ssl config to make things work right again.

    Mattia Trussardi
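
The check described in the last post can be scripted. The following is an added example, not part of the original thread and not Sophos code: it reads a downloaded client profile and reports whether its `comp-lzo` value agrees with the server-side "use compression" setting. The sample profile is constructed, the function names are hypothetical, and treating `comp-lzo no` as "compression off" follows the poster's observation.

```python
import re

# Constructed sample resembling a downloaded SSL VPN client profile (not from the thread).
SAMPLE_OVPN = """\
client
dev tun
proto tcp
# compression as exported by the appliance
comp-lzo no
<ca>
(certificate body omitted)
</ca>
"""

def comp_lzo_mode(config_text):
    """Return the comp-lzo mode ('yes', 'no', 'adaptive'), or None if the directive is absent."""
    mode = None
    inline_tag = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if inline_tag:
            # Inside an inline block such as <ca>...</ca>: not directives, skip.
            if line == f"</{inline_tag}>":
                inline_tag = None
            continue
        opened = re.fullmatch(r"<([A-Za-z0-9-]+)>", line)
        if opened:
            inline_tag = opened.group(1)
            continue
        if not line or line[0] in "#;":
            continue  # blank line or comment
        parts = line.split()
        if parts[0] == "comp-lzo":
            # A bare "comp-lzo" means adaptive mode.
            # Assumption: a later occurrence overrides an earlier one.
            mode = parts[1] if len(parts) > 1 else "adaptive"
    return mode

def check_profile(config_text, server_compression_enabled):
    """Compare the client profile with the server-side 'use compression' checkbox."""
    mode = comp_lzo_mode(config_text)
    client_on = mode in ("yes", "adaptive")
    if client_on == server_compression_enabled:
        return f"OK: comp-lzo={mode}, matches server setting"
    return f"MISMATCH: comp-lzo={mode}, server compression enabled={server_compression_enabled}"

if __name__ == "__main__":
    print(check_profile(SAMPLE_OVPN, server_compression_enabled=True))
```

Running it over every exported profile after a firmware upgrade shows which clients need the file edited or the server-side compression option changed.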