Outgoing Google Hangouts video no longer works

Question

Howdie, 
 I have a problem that's cropped up with Sophos UTM in recent months and was hoping to get some input from others on it. I've been using UTM since the astaro days (Astaro 6 maybe? Don't recall when I first set it up) when the home user IP limit was 10. I still think it's the best solution out there for firewall, IPS, etc. Which is why this is frustrating. I don't want to switch. :) I'm currently running UTM on a quad port Qotom PC (specifically, this guy: https://smile.amazon.com/gp/product/B01AAKGQQG/ref=oh_aui_detailpage_o05_s00?ie=UTF8&psc=1 ) and before that an older fit-PC (a celeron dual NIC version). I use UTM as my gateway to my ISP (Comcast using the "Blast" speeds which are ~12 up and 150 down). 
 Up until about a month or so ago I was able to use google hangouts without a problem (i.e., teleconferencing for work). But, recently my outgoing video won't work for hangouts. I can see my video locally, but it won't show up for anyone remotely. This only happens on my network and on any computer / phone / device I use on my network to access a hangout. I assumed I had changed something that broke it. 
 After much finagling, I couldn't find any setting in UTM that would fix it so I made a backup and reset UTM to factory settings. It still didn't work. So...I put in the most basic of firewall rules (Internal (network) -> Any protocol -> Any) thinking maybe something outgoing was being blocked. Nope. I rechecked to make sure all proxying, filtering, etc was off. Yep, all off. In desperation, I SSH'd to the box (after enabling SSH) and manually cleared all iptables rules (left the nat table untouched however so I still had internet access). Nope, still doesn't work. 
 To rule out some kind of ISP issue, I took UTM out of the loop entirely and set my Linksys AC1200 router up as my internet gateway. THAT worked. Others could then see my video just fine. Seeing as how I did not have this problem previously with UTM, my only conclusion is that some update has done something to muck up google hangouts outgoing video (I try to apply UTM updates pretty regularly). I'm not clear where this would happen however. I don't know exactly how hangouts video works, but I understand it uses STUN for NAT traversal. Although I believe it has several other protocols it falls back on. The linksys router is quite likely not linux based (probably vxworks) so probably handles NAT a little differently. But...seeing as how this used to work with UTM I'm assuming it's from a UTM update. Unless Google changed something...which would make me very sad. 
 So, anyone have any idea what might be going on here? 
 Also, could some kind soul please try using a hangout on a network behind an up to date UTM (I'm currently using 9-405.5...I haven't yet applied the 9-406.3 update that just came out today) and see if you get video. You can easily replicate the problem by using two browsers (e.g., Chrome and Safari) on the same hangout (it won't work with two tabs in the same browser...hangouts prevents it). 
 NOTE: Though I never had these rules before, as a troubleshooting exercise I tried opening up ports referenced in here: https://support.google.com/a/answer/1279090?hl=en . That also didn't help. Which isn't surprising since that one rule I added in allowed all outgoing internal traffic anyway.

JohnStucklen · Accepted Answer

Bob, I've finally fixed it. It was an MTU setting. I finally discovered it by running tcpdump on both the internal and external IFs in two terminals with a hangouts session going. What I found was something like this: What I found was that on the local network I'd have packets like this: 12:22:06.565503 IP 172..61021 > 74.125.134.127.19305: UDP, length 855 and on the external IF I'd see packets like this: 12:22:06.565605 IP 66..61021 > 74.125.134.127.19305: UDP, length 855 12:22:06.565617 IP 66. > 74.125.134.127: ip-proto-17 The ip-proto-17 caught my attention. With a little research that lead me to believe the packets from the internal interface were getting fragmented when going to the external IF. Looking in sophos I found the MTU of the external IF was set to 576. I attempted to override it to 1500, but it would just revert again. Which lead me to this post: https://community.sophos.com/products/unified-threat-management/f/hardware-installation-up2date-licensing/79288/disable-bad-bugfix-in-9-405-5-fix-nutm-2840-aws-utm-ignores-mtu-sent-by-dhcp-server with a discussion about auto-mtu-discovery being added to UTM. Which seemed to basically force the MTU reported by the DHCP provider. Which lead to this later post: https://community.sophos.com/products/unified-threat-management/f/hardware-installation-up2date-licensing/80641/sophos-utm-9-407-3-released talking about a flag to disable that now being exposed in CC. And, specifically, this comment with instructions on how to flip that flag off on an interface: https://community.sophos.com/products/unified-threat-management/f/hardware-installation-up2date-licensing/80641/sophos-utm-9-407-3-released#306734 It would be REALLY nice if Sophos could add a UI option to flip that flag in the advanced interface configuration section as it's fairly complex to flip and a very easy step to forget about. I appreciate your help in looking into this and hope it helps for anyone else running into a similar issue. NOTE: In case that link with the steps to flip off the auto-mtu-discovery flags is ever lost, these are the steps from the linked comment: >Thanks Bulirich, I tried it and it works hooray :-) > >The fix: >Login as loginuser then root in ssh shell: >cc >RAW >lock_override >OBJS >interface >ethernet (or cable, or other type) >REF_ (Tap TAB two times - then you can see the interface list. Mine is called "REF_IntCabExternaWan[WAN,interface,ethernet]" >(You will get a look like this:) >'additional_addresses' => [], >'bandwidth' => 0, >'comment' => 'Added by installation wizard', >'inbandwidth' => 100000000, >'itfhw' => 'REF_ItfEthEth1', >'link' => 1, >'mtu' => 576, >'mtu_auto_discovery' => 1, >'name' => 'WAN', >'outbandwidth' => 20000000, >'primary_address' => 'REF_ItfPri000024', >'proxyarp' => 0, >'proxyndp' => 0, >'status' => 1 >} >Then write: >mtu_auto_discovery=0 >w (write the changes) >Now go into Webadmin and find the WAN link, change the MTU under Advanced to 1500 and voila! :-) > >---- >Best regards Martin ;-)