
Cisco 9115AXI EWC cannot access to WebUI remotely

JohnAJ
Level 1

Hi all, 

 

I have an issue with my Cisco 9115AXI EWC where I can't access it via the WebUI. I have enabled the http and http-secure servers as well, but it failed.

I have seen the traffic that passes through the firewall (Palo Alto); it shows the application as incomplete and the status as aged-out. There is no blocking in the firewall since all the traffic is allowed for this IP management segment for the EWC.

 

Has anyone faced this issue before and can give a suggestion, if any?


marce1000
VIP

 

 - Does it work from a local perspective? The Palo Alto message is, for instance, discussed in this thread:

   https://live.paloaltonetworks.com/t5/general-topics/aged-out-in-allowed-traffic-logs/td-p/295534

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Hi marce1000, 

 

What I understand from the article is that the traffic going to the EWC WebUI uses one route and, when it comes back, it uses another route?

But I don't think that's the issue, since we also have switches and routers there, and if I try accessing their WebUI, somehow it succeeds.

I was thinking it's a bug in the version. I have downgraded and also upgraded to the latest version; however, that still did not solve the problem.

 

Any suggestion where I can check? 

Are you able to access the WebUI from a local subnet or even from the same subnet? Validate if that is working first or not.
-Scott
*** Please rate helpful posts ***

Hi Scott, 

 

Yes, I am able to access from same subnet.

 

 

Then there is nothing wrong from what I can tell. If you can access the WebUI from another VLAN that doesn't hit your FW, just your L3, then you know that the WebUI is functioning and it must be your infrastructure.
-Scott

 

 - What error do you get? Also, can you then ping the 9115 (e.g.)?

 M.

Hi Marce1000, 

 

There is no error from the browser; it just keeps loading and displays "Waiting for 10.62.31.254" below.

I can ping without any ping drops and am able to SSH remotely from the same PC that I use to access the WebUI.

 

 

 

 - Make sure that no local rules such as ACLs or others prevent this remote WebUI access. In that respect, using SSH, check the device logs when this is attempted. Also try wget to fetch the page and turn on debugging; this may give more insight (too).

   https://linux.die.net/man/1/wget

 M.

Can you ping the EWC remotely? (in other words does it have a route back to the remote user?)

Hi rrudling, 

 

Sorry for the late feedback. Yes, I can ping the EWC and I am also able to access it via SSH remotely. I also suspect the issue is either from the Palo Alto at the remote site or the local site. However, the firewall team informed me they have allowed all the sessions and are not blocking them. Not sure how to troubleshoot this; currently, I am using SSH to configure the EWC remotely. I will use the GUI when I'm at the site.

Hi marce1000, 

 

Sorry for the late reply. I might be able to use this way also to see if the traffic is really reaching the EWC. Will try it later. Thanks!

Marcel B
Level 1

Hello JohnAJ,

I know this thread is two years old, but did you finally get the problem solved?

I have a similar situation with three Sophos firewalls instead of Palo Alto and an IPSec tunnel between headquarters and the branch offices. Local access in the same subnet or from another subnet behind the same firewall is no problem. But if I try to access the EWCs behind the firewalls at the branch offices over the IPSec tunnel, no way. Curious thing: if I connect to the firewall at HQ by VPN from external, I can access the EWCs behind the walls in the branch offices. I am currently working on this with Sophos Support; they are analyzing packet captures from all three walls.

Best regards

Marcel

Have you got a packet capture of the PC you're trying to access the GUI from?
Do you get *any* reply from the EWC?
Just an idea (in case it's fragmentation related - since you mention IPSEC): try "ip tcp mss 1250" on the EWC?
And if your firewall supports TCP MSS adjust then set that to 1250 too (your remote VPN might be doing that which is why it works)

Hello Rich R,

Thanks for your answer. Yes, I get a reply. If I analyzed it right, it stops somewhere after the SSL handshake; I can see the certificate in the packets and many, many retransmissions, and after a while the connection is reset. The SSH connection is no problem, and I am also receiving SNMP and syslog data, so it seems to be only an http/https related problem.

I configured "ip tcp mss 1250" on one of the controllers to test (by SSH), but no luck. Do I have to reboot the EWC to activate this setting? If yes, I will have to wait for the night, as the EWC is in production.

The Sophos UTM doesn't seem to support this option, at least not on the IPSec tunnel, only on real Ethernet interfaces. I have a remote session with them tomorrow; maybe they will find something.

Best regards
M. Baltruschat
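
The pattern discussed in the last posts (small packets such as ping and SSH pass, the HTTPS session stalls with many retransmissions) can be checked in a capture by comparing the payload sizes that are retransmitted with those that are sent only once. The following is an added example, not code from the thread: the capture lines and addresses are constructed, the function name `size_dependent_loss` is hypothetical, and the capture is assumed to be taken on the sending side of the tunnel.

```python
import re
from collections import Counter

# Constructed tcpdump-style lines (not from the thread), captured on the sending
# side of the tunnel. Client 192.0.2.10, web server 198.51.100.20:443.
SAMPLE = """\
10:00:00.000 IP 192.0.2.10.51514 > 198.51.100.20.443: Flags [S], seq 0, win 64240, length 0
10:00:00.020 IP 198.51.100.20.443 > 192.0.2.10.51514: Flags [S.], seq 0, ack 1, win 65535, length 0
10:00:00.021 IP 192.0.2.10.51514 > 198.51.100.20.443: Flags [P.], seq 1:518, ack 1, win 502, length 517
10:00:00.045 IP 198.51.100.20.443 > 192.0.2.10.51514: Flags [.], seq 1:1461, ack 518, win 501, length 1460
10:00:00.046 IP 198.51.100.20.443 > 192.0.2.10.51514: Flags [P.], seq 1461:1700, ack 518, win 501, length 239
10:00:00.350 IP 198.51.100.20.443 > 192.0.2.10.51514: Flags [.], seq 1:1461, ack 518, win 501, length 1460
10:00:00.950 IP 198.51.100.20.443 > 192.0.2.10.51514: Flags [.], seq 1:1461, ack 518, win 501, length 1460
"""

LINE = re.compile(
    r"IP (\S+) > (\S+): Flags \[[^\]]*\], seq (\d+)(?::\d+)?, .*length (\d+)")

def size_dependent_loss(capture):
    """Per direction: largest payload sent once vs. smallest payload retransmitted."""
    seen = Counter()
    for line in capture.splitlines():
        m = LINE.search(line)
        if m and int(m.group(4)) > 0:          # ignore SYNs and empty segments
            seen[(m.group(1), m.group(2), int(m.group(3)), int(m.group(4)))] += 1
    report = {}
    for (src, dst, _seq, length), count in seen.items():
        r = report.setdefault((src, dst), {"max_ok": 0, "min_retx": None, "retx": 0})
        if count == 1:                          # segment seen once: not retransmitted
            r["max_ok"] = max(r["max_ok"], length)
        else:                                   # same seq and length seen again
            r["retx"] += count - 1
            r["min_retx"] = length if r["min_retx"] is None else min(r["min_retx"], length)
    for r in report.values():
        # Only segments larger than everything that got through are being resent:
        # consistent with an MTU/fragmentation problem on the path.
        r["suspect_mtu"] = r["min_retx"] is not None and r["min_retx"] > r["max_ok"]
    return report

if __name__ == "__main__":
    for flow, result in size_dependent_loss(SAMPLE).items():
        print(flow, result)
```

A direction flagged with `suspect_mtu` is the one where an MSS clamp below `min_retx` is worth testing; a segment seen only once is a heuristic for delivery, not proof of it.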
