Mobility express management through IPSec

korky
Level 1

Hi, I have an IPSec remote access VPN set up on a Mikrotik router. I am not able to reach the WLC/ME web interface through a browser. I have no problem opening any website over HTTP/HTTPS when connected to the VPN; only web management of the WLC is an issue, and SSH CLI works fine. I have no problem accessing the web GUI on the LAN; my PC and WLC management are in different VLANs. After entering https://ip in my browser, it asks me whether I trust the certificate, I click yes and it loads infinitely. I tried different browsers too. I did a PCAP on the client and also on the router: there are duplicate ACKs and retransmits, also ICMP "fragmentation needed" messages. No split tunneling is set, MSS is adjusted on forward traffic to 1000, the firewall is set up correctly as the PC in the VPN gets the same IP/subnet as in the LAN, and the router is not overloaded. I think it can be connected with MTU/MSS. Access points 1815i were updated twice, to 8.10.130 and now 8.10.142. Thank you for any relevant ideas.

6 Replies

Jegan Rajappa
Level 1

Ok, the https session is not loading; did you try opening an http session?

Does the WLC have proper clock settings?

If the certificate is self-signed, then I would recommend regenerating it and retrying.

Time is set from NTP, which indicates "in sync". I can try to regenerate, but on the LAN it works OK. Only through the tunnel does it behave strangely.

Jegan Rajappa
Level 1

Did you try http instead of https?

Good point, I enabled it via CLI, but still the same, just loading. But I can see that the CLI freezes sometimes when going through the tunnel. The issue with the CLI starts when using autocomplete with TAB; after that it freezes and I can see in the PCAP a TCP ACK with Analysis Flag "Previous segment not captured (common at capture start)". Now I can see this message on the client side (browser) when I do a PCAP for HTTP/HTTPS.

You can verify the MTU issue by pinging with the "do-not-fragment" bit set. All ping clients should have this option. Also try a different browser; it might be a policy or cache issue on the local client.

ICMP Echo with DF had been tested before, also different browsers, clearing the cache and different ISPs from which I tried to establish IPSec. Finally I found the mistake: after examining the PCAP, I saw that the MTU is too high, so it seems that the change of MSS on the router side is not applied. My hypothesis was true. The policy which changes MSS was applied in just one direction. Now it works as expected, web management is reachable. Thank you for all suggestions.
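The root cause above (MSS clamping applied in only one direction of the tunnel) is exactly what a per-direction check over the captured TCP segments exposes. The following is an added example, not code from the thread: it takes constructed segment records of the kind you would pull out of the PCAP (addresses, clamp value and packet sizes are assumed sample values, not the poster's), and reports which direction still advertises or sends more than the clamp allows.

```python
# Added example (not from the thread): direction-aware MSS-clamp check over
# TCP segment records such as those read from a PCAP of the VPN-to-WLC session.
# The records below are constructed; a real run would fill them from tshark/scapy.
from collections import defaultdict

CLAMP_MSS = 1000            # new-mss the router is meant to enforce (from the thread)
VPN_CLIENT = "10.0.0.50"    # constructed address of the PC inside the VPN (assumed)
WLC_MGMT = "10.0.10.5"      # constructed address of the WLC management VLAN (assumed)

# (src, dst, tcp_flags, mss_option_on_syn, tcp_payload_len) -- constructed sample
SEGMENTS = [
    (VPN_CLIENT, WLC_MGMT, "S", 1000, 0),      # client SYN: MSS clamped on the way in
    (WLC_MGMT, VPN_CLIENT, "SA", 1460, 0),     # WLC SYN/ACK: MSS NOT clamped on the way out
    (VPN_CLIENT, WLC_MGMT, "A", None, 517),    # TLS ClientHello, fits the tunnel
    (WLC_MGMT, VPN_CLIENT, "A", None, 1460),   # full-size server segment, dropped by PMTU
    (WLC_MGMT, VPN_CLIENT, "A", None, 1460),   # retransmit of the same oversized segment
]


def check_mss_clamp(segments, clamp=CLAMP_MSS):
    """Map 'src->dst' to the list of clamp violations seen in that direction.

    An empty dict means both directions of the session honour the clamp.
    A direction that only appears here is the one the router's MSS rule misses.
    """
    problems = defaultdict(list)
    for src, dst, flags, mss, plen in segments:
        direction = f"{src}->{dst}"
        # SYN / SYN-ACK carry the MSS option; it must not exceed the clamp.
        if "S" in flags and mss is not None and mss > clamp:
            problems[direction].append(f"SYN advertises MSS {mss} > clamp {clamp}")
        # Data segments larger than the clamp show the peer never saw a clamped MSS.
        if plen > clamp:
            problems[direction].append(f"data segment of {plen} bytes > clamp {clamp}")
    return dict(problems)


def unclamped_directions(segments, clamp=CLAMP_MSS):
    """Sorted list of directions that violate the clamp (what to fix on the router)."""
    return sorted(check_mss_clamp(segments, clamp))


if __name__ == "__main__":
    for direction, issues in check_mss_clamp(SEGMENTS).items():
        print(direction)
        for issue in issues:
            print("  -", issue)
```

On the sample, only the WLC-to-client direction is reported, which matches the thread's finding that the MSS rule covered a single direction; the reverse-direction rule (or an `ipsec-policy` match for the other direction on the Mikrotik) is what was missing.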