
WebAdmin access gone after Up2Date 9.4004.005

Hi all,

Curious problem that I cannot solve via other posts:

After updating our firewalls, I'm not able to access the WebAdmin via the WAN ports.

And yes, I added the access to the correct network (even checked it via the console).
And yes I checked if the user has access.

FW01 / FW02 / FW03: UTM9 appliance
FW04 : ASG220 appliance

This all worked fine for many years, but after the update the situation is as shown in the drawing.

Please advise / help.

Greetz,

Marcel.



This thread was automatically locked due to age.
  • Marcel,

    Take a look at 9.405, it may fix your issue. There's a line in the release notes for [NUTM-3174]: [Basesystem, Network] It is not possible to start the webadmin GUI anymore.

    Doug

  • I had the same problem. You can reset your password following the steps here: community.sophos.com/.../115346

  • Thanks for the replies so far.

    I've updated the firewalls to the latest version 9.405, but that didn't solve the issue.

     : The password is not the issue. I still can access 2-3-4 from the LAN side.

    Strange thing is that FW1 still can be accessed from the WAN side but not from the LAN side.

    Also checked it from different PCs in the network, but all had the same issue. That rules out any PC-related issue.

  • Hi, Marcel, and welcome to the UTM Community!

    I'm a little confused by the Redensart because I don't have direct experience with Windows auf Deutsch. Does "während die Seite geladen wurde" indicate that no connection to the site was made, or am I correct in reading that as "the server timed out?"  If Web Filtering is activated on FW01 and it is in Standard mode, do you have your client browser configured to skip the Proxy for the IP of "Internal (Address)" of FW01?

    If not, does #1 in Rulz provide a clue?

    Cheers - Bob

  • Hi all,

    I checked all clues, but without results.

    Next thing I did was take a spare hardware UTM-220 unit and flash new firmware from an ISO image (9.405-5).

    Made some standard settings for access but left all items as default as possible.

    Assigned IP addresses to all eth ports from 192.168.0.1 / 192.168.1.1 / 192.168.2.1 / etc.

    Checked the webAdmin allow: ANY networks and SuperAdmins

    Tried access from all configured subnets:

    Result:

    eth0: access (std. config port)
    eth1: access (std. WAN port)
    eth2: access (std. DMZ port)
    eth4: access
    eth5: access
    eth6: access
    eth7: access

    Restored the running config of the production firewall (FW02) to it and checked the webAdmin allow: ANY networks and SuperAdmins, result:

    eth0: access (standard config port)
    eth1: no access
    eth2: no access
    eth4: no access (external network)
    eth5: no access
    eth6: no access
    eth7: access (internal network)

    Triple-reviewed the running config with several other firewall gurus, but it all looks very standard.

    I'm lost.......

  • Hi Marcel,

    Check if any DNAT rule is configured to map the incoming requests on the WAN address.

    Are you able to access Web Admin from the internal network? SSH to the UTM and execute /etc/init.d/httpd restart. Let us know if that helps.

    Thanks

  • Hi sachingurung,

    On one of the walls, we have the following:

    1 masquerading rule LAN -> WAN-side

    1 SNAT host1 -> message Queuing ports > host X on WAN side

    1 SNAT host2 -> message Queuing ports > host X on WAN side

    1 DNAT WAN -> Terminal Apps. -> LAN

    But these were also active before the issue occurred.

    Greetz,

    Marcel.

  • Hi Marcel,

    Did restarting the HTTPd services help? It can be hard to tell why the GUI services are stuck if it is not caused by an incorrect DNAT or the GUI services responsible for it.

    Take a tcpdump for the remote IP address and check if you receive the request packets on the UTM. Alongside that, also capture *.log, grepping for the remote IP address; if the UTM is dropping the connection, then you will capture some information here.

    Thanks
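
The log half of the check suggested above, as an added example that is not part of any post in this thread: it counts, per incoming interface, what the firewall log records for one client's connections to WebAdmin. The field names (action, initf, srcip, dstport), the WebAdmin port 4444 and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: the firewall log uses
# key="value" fields named action, initf, srcip and dstport, and WebAdmin
# listens on TCP 4444. Adjust both to the appliance being examined.
# The matching packet capture would be along the lines of:
#   tcpdump -ni eth1 host <client-ip> and tcp port 4444

# Constructed sample lines using documentation IP ranges.
sample_log() {
cat <<'EOF'
2016:08:01-10:00:01 fw02 ulogd[4321]: sub="packetfilter" action="drop" initf="eth1" srcip="203.0.113.10" dstip="198.51.100.2" proto="6" dstport="4444"
2016:08:01-10:00:04 fw02 ulogd[4321]: sub="packetfilter" action="drop" initf="eth1" srcip="203.0.113.10" dstip="198.51.100.2" proto="6" dstport="4444"
2016:08:01-10:00:09 fw02 ulogd[4321]: sub="packetfilter" action="drop" initf="eth4" srcip="203.0.113.10" dstip="198.51.100.6" proto="6" dstport="4444"
2016:08:01-10:00:12 fw02 ulogd[4321]: sub="packetfilter" action="drop" initf="eth1" srcip="203.0.113.77" dstip="198.51.100.2" proto="6" dstport="4444"
2016:08:01-10:00:15 fw02 ulogd[4321]: sub="packetfilter" action="drop" initf="eth1" srcip="203.0.113.10" dstip="198.51.100.2" proto="6" dstport="443"
EOF
}

# summarise_webadmin <client-ip> [port]; log lines on stdin.
# Prints "<interface> <action> <count>" for that client and port.
summarise_webadmin() {
    awk -v ip="$1" -v port="${2:-4444}" '
        # Value of name="value" in the current line, or "" if absent.
        function field(name) {
            if (!match($0, " " name "=\"[^\"]*\"")) return ""
            return substr($0, RSTART + length(name) + 3, RLENGTH - length(name) - 4)
        }
        # Keep only this client talking to the WebAdmin port.
        field("srcip") == ip && field("dstport") == (port "") {
            seen[field("initf") " " field("action")]++
        }
        END { for (k in seen) print k, seen[k] }
    ' | sort
}

# Stand-alone run on the constructed sample.
sample_log | summarise_webadmin 203.0.113.10
```

On an appliance, the input would be the grep output for the remote IP from the *.log files instead of `sample_log`. An interface that shows packets in tcpdump but no log entry at all points away from the packet filter and toward the service or NAT configuration.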

  • Since you didn't correct my translation of the German error message, I'll guess that it's correct. I'll guess that the client you're using to attempt to connect to the WAN port does not have an IP that's in 'Allowed Networks' for WebAdmin. If it appears in WebAdmin that the IP should be allowed, temporarily add "Any" to test. If that works, then restore a configuration backup from before the last Up2Date.

    If you still get no joy, check Allowed Networks from the command line:

    cc
    webadmin
    allowed_networks@
    exit

    Any luck with any of that?

    Cheers - Bob

  • Hi Bob,

    Sad to say, I did all of the above with no positive result.

    Though it is strange that a freshly installed latest-version image (from ISO-USB boot) is working OK.

    So the next thing for me is adding all the rules by hand, one by one, to see where it goes wrong.

    Keep you all posted.