Issue: GS1200-8HP v2 switch is not accessible by Web browser from other IP subnets.


All Replies

  • ewi
    ewi Posts: 5

    Hi,

    Were you able to solve this issue? I encountered exactly the same behaviour, just the model is GS1200-5HP v2. It would be helpful to fix this issue.

    Thanks and regards

    EWI

  • Zyxel_Kay
    Zyxel_Kay Posts: 576  Zyxel Employee
    edited March 20

    Let me summarize this case. The network topology of @Konstantins_Sterns is as follows:

    In his previous situation, he was unable to access the web GUI of SW(10.2.16.6) from PC_1(192.168.88.130) when it was across VPN_2.

    To diagnose the potential issue, we attempted to reproduce his situation using both L2TP VPN and Site-to-site VPN at our site. It worked normally; we successfully accessed the switch’s web GUI even over a VPN connection. Additionally, his Remote_PC(10.2.16.253), which is under the same subnet as SW(10.2.16.6), is able to access it.

    Based on the private message discussion with Konstantins, we determined that the issue is not related to the switch but rather to the VPN connection.

    Dear @ewi ,

    To determine if your situation is similar to Konstantins's, could you please share your network topology and provide a detailed description of your situation? If possible, a screen video recording demonstrating your situation would be most helpful. Feel free to send us this information via private message if you have any privacy concerns.

    Kay

  • ewi
    ewi Posts: 5
    edited March 20

    Hi,

    Thanks for your reply. The situation is as you described in the picture. Two sides, two Mikrotik routers. When using Open VPN connection from the remote location

  • ewi
    ewi Posts: 5
    edited March 20

    the web access to the Zyxel switch is functional remotely. When connected through side to side IPSEC VPN, the web access to the Zyxel switch is NOT working remotely. Ping to the Zyxel switch and also web access to other resources (e.g. camera) work fine through the IPSEC VPN. I also tried two CISCO routers instead of the Mikrotik routers and the results are the same. Any ideas appreciated.

    Regards

    EWI

  • ewi
    ewi Posts: 5

    Hi Kay,

    Thank you for your quick response. Let me give you some details. The configuration is the same as in your picture, just the IP addressing is different. On both sides there is the Mikrotik router L009UiGS and there are two possibilities how to connect remotely.

    1. Side to side IPSEC VPN connection between two Mikrotik routers = the web access to the Zyxel switch from the remote side is NOT functional, however all other devices on the same LAN as the SW is located are accessible (e.g. Synology, Cameras etc). Zyxel switch is accessible by ping through IPSEC channel without issues.

    2. Open VPN client to Open VPN server in Mikrotik router connection = the web access to the Zyxel switch from the remote client IS functional as well as to the other devices. Zyxel switch is accessible by ping.

    I also thought that there must be a problem within VPN IPSEC configuration but I have completely the same behaviour when using CISCO routers. I believe there could be the problem with MTU which could be handled differently in IPSEC. Any ideas would be appreciated.

    THX EWI

  • Zyxel_Kay
    Zyxel_Kay Posts: 576  Zyxel Employee

    Hi @ewi

    We've attempted to replicate your setup with two scenarios of site-to-site IPSEC VPN at our end, and here are our findings:

    1. PC — Mikrotik < - - (S2S VPN) - - > Zyxel USG FLEX 100 — Switch GS1200-5HP v2
      • Ping is successful, and we were able to access the switch's web GUI.
    2. PC — Mikrotik < - - (S2S VPN) - - > Mikrotik — Switch GS1200-5HP v2
      • Ping is successful, but we couldn’t access the switch's web GUI.

    Based on our tests, we've identified that the issue may be related to the VPN connection between the two Mikrotik routers. Therefore, we recommend reaching out to Mikrotik support for further assistance.

    Kay

  • ewi
    ewi Posts: 5

    Hi Kay,

    Thanks for your effort. I have found the solution by decreasing the MTU (1390 max.) in the IPSEC tunnel. It seems that PMTU does not work properly, as probably on the LAN side of the router there are some bytes in the packet used for the VLAN identification (that is my guess). This means that if a "too big" packet arrives through the IPSEC tunnel, the VLAN identification cannot be added.

    Thanks again for your help

    EWI
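
One way to measure the kind of limit the last post describes, as an added example that is not from the thread or from Zyxel or Mikrotik: binary-search the largest packet that crosses the tunnel with Don't Fragment set, then derive the tunnel MTU and the matching TCP MSS. It assumes a Linux host with iputils `ping` on the remote side; the function names are hypothetical.

```python
import subprocess

IP_ICMP_HEADERS = 28  # 20-byte IPv4 header + 8-byte ICMP echo header
IP_TCP_HEADERS = 40   # 20-byte IPv4 header + 20-byte TCP header, no options


def ping_df(host, packet_size):
    """Send one echo request whose IP total length is packet_size, with
    Don't Fragment set (iputils flags: -M do, -s payload, -c count, -W wait)."""
    payload = packet_size - IP_ICMP_HEADERS
    result = subprocess.run(
        ["ping", "-M", "do", "-c", "1", "-W", "2", "-s", str(payload), host],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
    )
    return result.returncode == 0


def largest_passing_packet(probe, low=576, high=1500):
    """Binary-search the largest IP packet size for which probe(size) is True.
    Returns None if even `low` fails (host down or ICMP filtered)."""
    if not probe(low):
        return None
    while low < high:
        mid = (low + high + 1) // 2  # round up so the loop always advances
        if probe(mid):
            low = mid        # mid fits, look for something larger
        else:
            high = mid - 1   # mid was dropped, look below it
    return low


def tunnel_settings(path_mtu):
    """Tunnel MTU and the TCP MSS that keeps full segments within it."""
    return {"mtu": path_mtu, "tcp_mss": path_mtu - IP_TCP_HEADERS}


if __name__ == "__main__":
    import sys
    host = sys.argv[1]  # address of a device behind the tunnel, e.g. the switch
    size = largest_passing_packet(lambda s: ping_df(host, s))
    print("no reply at minimum size" if size is None else tunnel_settings(size))
```

A default `ping` sends small packets, so it can succeed across a tunnel that silently drops the full-size segments of a web session; probing with larger sizes is what exposes the limit.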