USG40 IPSec VPN : some TCP protocols are blocked
Hi,
We have an IPsec gateway configured on a USG40W behind a VDSL router.
I connect to this VPN from an Ubuntu laptop with the Shrew VPN client.
Many protocols have no problems, e.g. SSH, Telnet, HTTP/S over various ports, MySQL...
But I have problems (connections hang) with:
Oracle databases (TCP 1521)
GIT server over SSH (SSH access to the server is OK)
the USG40W admin page (after login it hangs on https://xxx.xxx.xxx.xxx:4443/cgi-bin/zysh-cgi)
Any idea?
Franck
0
Comments
-
Hi @flefabure,
Once the VPN is established, the IP layer routing should be okay to forward the packets to Intranet.
If it fails on a specific service port, it could be affected by a security policy rule.
Can you check the security rule log on the USG? Is there any packet blocking log?
0 -
Hi @Zyxel_Cooldia, thanks for your answer,
I encounter the problems when connected from my home ADSL.
Today I'm at the office, with the same laptop, so to answer your question, I tried to reproduce the problem with these steps:
- disconnect the laptop from the office's LAN
- connect it to the Internet through a 4G connection (with my mobile internet sharing)
- mount the VPN
- access one of the blocking resources.
==> They are now all accessible! The problem seems gone.
It's weird because when I'm at home the problem is totally reproducible.
So it doesn't look like a firewall problem. That sounds like something like an MTU problem, or related (but I'm not a network specialist).
0 -
Hi @flefebure,
Do you have a packet capture on the server side (service-side packet trace) when you use the VPN to connect to the Oracle databases and GIT server from home?
I just want to confirm whether the server receives the specific port connection packets from the VPN client.
0