
Disable bad bugfix in 9.405-5 "Fix [NUTM-2840]: [AWS] UTM ignores MTU sent by DHCP server"

Do not do this if you don't feel comfortable messing up your UTM. 

I'm pretty sure this voids the warranty. But my UTM is pretty useless using an MTU of 576 from my ISP.

The 9.405-5 upgrade introduces mandatory use of the MTU provided by DHCP, if one is provided, with no way to disable it.

A lot of us have ISPs that provide bad MTU values, like my own ISP giving an MTU of 576 (confirmed with Wireshark).

This is what you need to do to disable the use of the MTU from DHCP. Beware: you will be touching the system, and also, it will no longer update the MTU based on any DHCP lease.

(I'm not telling you how to get into the UTM; if you don't know, you have no business being there. Better wait for the fix.)

In /var/chroot-dhcpc/etc there is a file named default.conf:

cat default.conf

interface "[<INTERFACE>]" {
    timeout 20;
    retry 60;
    script "/usr/sbin/dhcp_updown.plx";
    request subnet-mask, broadcast-address, time-offset,
        routers, domain-name, domain-name-servers, host-name,
        domain-search, nis-domain, nis-servers,
        ntp-servers, interface-mtu;
    [<HOSTNAME>]
}

"interface-mtu": if you remove that (but NOT the ";" that follows it!) and take your interface down/up, your MTU can be edited by hand again in the GUI.

AND ... it will use the number you give it, not the dumb MTU value one of your ISPs left in their equipment because they did not bother to change it.

Finally I have a UTM back up and working, and I can get back to business.
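As an added example (not code from the original post, nor anything shipped by Sophos), the following shell script performs the edit described above on a copy of a dhclient-style config and checks the result before you cycle the interface. It goes slightly beyond the post: it removes interface-mtu wherever it sits in the request list (last, middle, first, or on its own continuation line) while keeping the terminating ";" the post warns about, keeps a backup, and fails if the request statement came out malformed. The interface name "eth1", the "send host-name" line, the temp-file demo and the use of GNU sed and awk are assumptions for the demo; on a real UTM you would point it at /var/chroot-dhcpc/etc/default.conf.

```shell
#!/bin/sh
# Added example, not from the original post: remove "interface-mtu" from the
# "request ...;" list of a dhclient-style config (such as
# /var/chroot-dhcpc/etc/default.conf on the UTM), keep the terminating ";",
# and verify the edit. Assumes GNU sed and awk. The sample config below is
# constructed for the demo; the real file carries the real interface name.

# request_list FILE
# Print the "request ...;" statement of FILE on one line, whitespace
# collapsed, so it can be eyeballed or compared in a test.
request_list() {
    awk '/^[[:space:]]*request[[:space:]]/ {p=1} p {printf "%s ", $0} p && /;/ {exit}' "$1" \
        | tr -s '[:space:]' ' ' | sed -e 's/^ //' -e 's/ $//'
}

# strip_interface_mtu FILE
# Rewrite FILE in place (backup kept as FILE.bak) so interface-mtu is no
# longer requested. Handles the option being last (", interface-mtu;"),
# in the middle (", interface-mtu,"), first ("request interface-mtu, ...")
# or on its own continuation line. Returns non-zero if the token survives
# or the request statement lost its semicolon.
strip_interface_mtu() {
    f="$1"
    cp -p "$f" "$f.bak" || return 1
    # Slurp the whole file into sed's pattern space (:a;N;$!ba) so the comma
    # and whitespace before the option may sit on the previous line.
    sed -e ':a' -e 'N' -e '$!ba' \
        -e 's/,[[:space:]]*interface-mtu\([[:space:]]*[,;]\)/\1/g' \
        -e 's/\(request[[:space:]]\{1,\}\)interface-mtu,[[:space:]]*/\1/g' \
        "$f.bak" > "$f" || return 1
    # Sanity checks: token gone, request statement still terminated by ";".
    if grep -q 'interface-mtu' "$f"; then
        echo "interface-mtu still present in $f" >&2
        return 1
    fi
    case "$(request_list "$f")" in
        request*";") return 0 ;;
        *) echo "request statement in $f is malformed, restore from $f.bak" >&2
           return 1 ;;
    esac
}

# current_mtu IFACE
# Print the kernel's current MTU for IFACE (Linux sysfs), for checking the
# value after the interface has been taken down and up again.
current_mtu() {
    cat "/sys/class/net/$1/mtu" 2>/dev/null
}

# demo_config
# Write a constructed config shaped like the one in the post to a temp file
# and print its path. "eth1" and the host-name line are assumed values.
demo_config() {
    t=$(mktemp) || exit 1
    cat > "$t" <<'EOF'
interface "eth1" {
    timeout 20;
    retry 60;
    script "/usr/sbin/dhcp_updown.plx";
    request subnet-mask, broadcast-address, time-offset,
        routers, domain-name, domain-name-servers, host-name,
        domain-search, nis-domain, nis-servers,
        ntp-servers, interface-mtu;
    send host-name "utm";
}
EOF
    echo "$t"
}

# Stand-alone demo: edit the constructed copy and show before/after.
cfg=$(demo_config)
echo "before: $(request_list "$cfg")"
strip_interface_mtu "$cfg" && echo "after:  $(request_list "$cfg")"
echo "backup: $cfg.bak"
# On the UTM you would now take the interface down and up as the post
# describes, then compare current_mtu <iface> with the value set in the GUI.
```

The sed slurp is what makes the edit safe against the two-line case the post's own config has (the comma on one line, "interface-mtu;" on the next); a line-by-line sed would leave a dangling comma that the dhclient parser rejects. The backup is written before the file is touched, and the function only reports success once the request statement still ends in a semicolon.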



This thread was automatically locked due to age.
  • Thank you soooo sooo much. I have been having problems connecting to certain things the past two days. I have been looking at all logs and turning off IDS etc. I only knew it was the UTM when I switched to my test XG box.

    Once I removed the MTU from the file and put it back to 1500, all is well. I get having the option to grab the DHCP value, but under advanced settings I should be able to set it to what I want. That is just horrible.

  • Nice Linux-fu. Work-around does the job well and everything is back to DHCP with MTU 1500. 

  • Nice catch! Thanks for the workaround :-)

    ----

    Best regards Martin ;-)

    Sophos UTM Certified Engineer 9.5
    Sophos  XG  Certified Engineer 17.1
    Homelab: 1 x SG210 XG v18 - 3xAPX530 - 1 x SG210 v9.7 - 1 x UTM 220 v9.7 - 1 x SG135 v9.7 (All Fullguard Plus licenses)

  • Hoping for a Sophos solution very soon but much longer and I will have to do this. Thanks for the very informative posts on several threads!

  • I was able to just edit my External WAN and uncheck the box for Dynamic IP. This left my current IP info in the fields. I then changed my MTU to 1500, clicked save and I was back up and running fine.


    This is a temporary solution, but easier than performing an edit on the box.

    Rick

  • Thanks, this did work very easily as a temporary solution. Generally my IPs don't change unless there is a power loss for one reason or another (maintenance, power outage, etc.), so it isn't permanent but works for now.

  • leitzr said:

    I was able to just edit my External WAN and uncheck the box for Dynamic IP. This left my current IP info in the fields. I then changed my MTU to 1500, clicked save and I was back up and running fine.


    This is a temporary solution, but easier than performing an edit on the box.

    Rick

    Hi,

    I hope you did not just make your DHCP-allocated address your static IP. If you're on a DHCP subscription it can be a very bad idea to "just" switch to a static IP.

    As you know, your DHCP client renews your IP with your DHCP server. Without that renewal someone else will get your IP assigned, resulting in an IP conflict.

    I'm not telling you what to do, but that I would NOT do.

  • Vegard,

    You have a valid point. I happen to know what my typical DHCP lease time is and I manually renew my lease before the 50% point, which I should have recommended. I prefer to do this while we wait for this issue to be resolved, instead of hacking my system.

    Rick

  • I tried this workaround and it didn't work for me. I was forced to re-install the previous version and restore a backup config...

    I hope Sophos plans to fix this by allowing us to override the MTU provided; otherwise many people will be looking for new UTM software. I would hate to do that, and many others would as well, but a broken connection isn't worth good software.

  • pclov3r said:

    I tried this workaround and it didn't work for me. I was forced to re-install the previous version and restore a backup config...

    I hope Sophos plans to fix this by allowing us to override the MTU provided; otherwise many people will be looking for new UTM software. I would hate to do that, and many others would as well, but a broken connection isn't worth good software.

    Just curious,

    Would you be able to describe how this workaround did not work for you?