Outgoing Google Hangouts video no longer works

Hi, John, and welcome to the UTM Community!

Turning off IPS may not have been what you needed - does #1 in Rulz give you any hint?

Cheers - Bob

Howdie Bob,

I actually had looked through the rulez before posting this. :) When I did a full reset to factory defaults I verified that IPS and application control were both off (their default setting). The only non-stock change I made was to add in the Internal (Network) -> Any -> Any firewall rule to allow all outgoing communication which I only added after seeing that hangouts still didn't work in the stock config. That firewall rule also didn't seem to help.

I definitely have digging through the firewall logs and only saw three sets of dropped packets from the machine I was testing on. They were to the UTM box and were UDP ports 1900, 5353, and 192. The were infrequent and a little googling brought me to this page from Apple (it's an Apple laptop): https://support.apple.com/en-us/HT202944. It seems those comms are related to bonjour and other protocols MacOS uses.

The full clearing of all firewall rules (and setting the defaults to ALLOW) in iptables not fixing the problem further seems to support that the packets aren't being dropped due to the iptables packet filtering. Unless, that is, it's happening in the NAT table (or some other default table I'm not aware of).

So, unfortunately, no, I didn't find anything from the rulez that narrowed down the problem. :-(

Cheers,

-John S.

Also,

One update I have. While looking into this more I discovered that chrome has a built in utility for debugging webrtc stuff (which is what hangouts uses). You just go to chrome://webrtc-internals/. It's pretty cool. There are lots of graphs in there and of particular interest was a graph labeled packetsLost for the "Sending video" stream which gives # of packets lost over time for video sending. When I use hangouts behind UTM that graph is forever increasing. The stats shown for the video stream indicate ~60% of all video packets are lost over time. When I use hangouts from work (different network without UTM) or behind my linksys router, that packetsLost graph is mainly flat with only occasional lost packets. So, something somewhere is definitely causing the packets to not get send (either dropped, rejected, not routed...something).

Cheers,

John

John, if you didn't look at the Intrusion Prevention log, you can't know if Anti-UDP Flooding activity is causing your problem.

Cheers - Bob

I was not aware udp flood protection would still happen with IPS off. All three DoS protections are actually unchecked in the IPS config as well. But, just the same, I just double checked all four logs while replicating the problem. IPS is completely empty as is the Advanced Threat Protection log (also off anyway). The Application Control log has a few entries of the form:

2016:09:24-16:57:37 astaro afcd[11313]: _afc_conn_get_age(): The timestamp of connection 0x00043600 is in the future; correcting ...

But, they're all from much earlier today. NOTE: I do have application control on right now as I've since restored my normal configuration after resetting to factory defaults since resetting address the problem.

The firewall log does have blocked items in my current configuration, but I don't think any of them are related to this problem. Mostly the items I already mentioned in the original post with one additional guy that's popping up a lot (whether replicating this problem or not) from a btsync box I have running. That's a thing to look into for another day.

-John

Out of curiosity, would you be willing to try a hangout to test if you're seeing this problem (assuming you're behind a UTM box)? It'd be nice to verify I'm not crazy. :) That would at least narrow down if there really is something specific to my setup I've missed with a factory reset or if there's something different from a couple months ago. This definitely used to work...I've been using hangouts while working from home since 2010 and I've been using Astaro for a lot longer than that. :)

I've found using the chrome://webrtc-internals page in chrome that you don't even have to connect to another person. You can see the packet loss directly in the tool in the graphs at the bottom if you expand the send (video) graph. You just need to be connected to a hangout (no one else has to be on it). On a non-UTM network the packet loss graph is mostly flat and a very low number. It's monotonically increasing on my network showing a lot of packet loss. E.g., here's an example with being on a hangout for only about 2 minutes. The packetLoss graph shows a steady positive slope and is already getting up near the thousands.

John, I'm beginning to suspect a hardware issue or an MTU setting.  Does #7 in Rulz help?

Cheers - Bob

I actually tried almost all of the suggestions in #7 before I even found the Rulz post. :) Specifically, #1 doesn't apply (Intel NICs on both machines I used), #2 is ok (settings already off after reset), #4 done, #5 done, #6 done (I suspected the cable modem couldn't handle throughput...I was wrong, but now I have a backup!), and #8 (tried a different port).

The only two I didn't try are MTU settings (#3) and link settings (#7). I can try those later today when not working. Though I feel like it is a very specific form of packet loss (i.e., basically all hangouts video packets). I would expect all of sorts of connectivity issues in such an instance of a hardware problem rather than only hangouts video.

By any chance, do you have the ability to try this for yourself behind a UTM router? I'd really love to see if someone else can replicate this issue. Starting a google hangout is very easy (assuming you have a google account :)) E.g., this is one I just created from https://hangouts.google.com/hangouts which I think anyone can access: https://hangouts.google.com/hangouts/_/7zydsosg4vgcnjw4hlrgi2mfnae?authuser=0&hl=en. As I mentioned in a past reply, you can verify the problem by joining that with two different browsers (e.g., firefox and chrome) and observing the lack of video for the caller from the opposite browser in each browser (you can always see your own video).

-John

Bob,

I've finally fixed it. It was an MTU setting. I finally discovered it by running tcpdump on both the internal and external IFs in two terminals with a hangouts session going. What I found was something like this:

What I found was that on the local network I'd have packets like this:

12:22:06.565503 IP 172.<OBSCURED FOR SECURITY>.61021 > 74.125.134.127.19305: UDP, length 855

and on the external IF I'd see packets like this:

12:22:06.565605 IP 66.<OBSCURED FOR SECURITY>.61021 > 74.125.134.127.19305: UDP, length 855
12:22:06.565617 IP 66.<OBSCURED FOR SECURITY> > 74.125.134.127: ip-proto-17

The ip-proto-17 caught my attention. With a little research that lead me to believe the packets from the internal interface were getting fragmented when going to the external IF. Looking in sophos I found the MTU of the external IF was set to 576. I attempted to override it to 1500, but it would just revert again.

Which lead me to this post: https://community.sophos.com/products/unified-threat-management/f/hardware-installation-up2date-licensing/79288/disable-bad-bugfix-in-9-405-5-fix-nutm-2840-aws-utm-ignores-mtu-sent-by-dhcp-server

with a discussion about auto-mtu-discovery being added to UTM. Which seemed to basically force the MTU reported by the DHCP provider. Which lead to this later post: https://community.sophos.com/products/unified-threat-management/f/hardware-installation-up2date-licensing/80641/sophos-utm-9-407-3-released talking about a flag to disable that now being exposed in CC.

And, specifically, this comment with instructions on how to flip that flag off on an interface: https://community.sophos.com/products/unified-threat-management/f/hardware-installation-up2date-licensing/80641/sophos-utm-9-407-3-released#306734

It would be REALLY nice if Sophos could add a UI option to flip that flag in the advanced interface configuration section as it's fairly complex to flip and a very easy step to forget about.

I appreciate your help in looking into this and hope it helps for anyone else running into a similar issue.

NOTE: In case that link with the steps to flip off the auto-mtu-discovery flags is ever lost, these are the steps from the linked comment:

>Thanks Bulirich, I tried it and it works hooray :-)

>

>The fix:

>Login as loginuser then root in ssh shell:

>cc 
>RAW 
>lock_override 
>OBJS 
>interface 
>ethernet (or cable, or other type) 
>REF_ (Tap TAB two times - then you can see the interface list. Mine is called "REF_IntCabExternaWan[WAN,interface,ethernet]"
>(You will get a look like this:)

>'additional_addresses' => [],
>'bandwidth' => 0,
>'comment' => 'Added by installation wizard',
>'inbandwidth' => 100000000,
>'itfhw' => 'REF_ItfEthEth1',
>'link' => 1,
>'mtu' => 576,
>'mtu_auto_discovery' => 1,
>'name' => 'WAN',
>'outbandwidth' => 20000000,
>'primary_address' => 'REF_ItfPri000024',
>'proxyarp' => 0,
>'proxyndp' => 0,
>'status' => 1
>}

>Then write:

>mtu_auto_discovery=0 
>w  (write the changes) 

>Now go into Webadmin and find the WAN link, change the MTU under Advanced to 1500 and voila! :-)

>----

>Best regards Martin ;-)

As ancient as this is I just got caught up in this bug again. This must be the third time. Low and behold, MTU was 576. Kids couldn't do their google meet after upgrading to 702. Pulled my hair out all day trying to figure this out and it was this bug again. The fix is the same and still works.