
Disable bad bugfix in 9.405-5 "Fix [NUTM-2840]: [AWS] UTM ignores MTU sent by DHCP server"

Do not do this if you don't feel comfortable messing up your UTM. 

I'm pretty sure this voids the warranty. But my UTM is pretty useless using an MTU of 576 from my ISP.

The 9.405-5 upgrade introduces mandatory use, which cannot be disabled, of the MTU provided by DHCP, if one is provided.

A lot of us have ISPs that provide bad MTU values, like my own ISP giving an MTU of 576 (confirmed with Wireshark).

This is what you need to do to disable the use of the MTU from DHCP. Beware: you will be touching the system, and it will no longer update the MTU based on any DHCP lease.

(I'm not telling you how to get into the UTM, if you don't know... you have no business being there... better wait for the fix.)

In /var/chroot-dhcpc/etc there is a file named default.conf:

cat default.conf

    interface "[<INTERFACE>]" {
        timeout 20;
        retry 60;
        script "/usr/sbin/dhcp_updown.plx";
        request subnet-mask, broadcast-address, time-offset,
                routers, domain-name, domain-name-servers, host-name,
                domain-search, nis-domain, nis-servers,
                ntp-servers, interface-mtu;
        [<HOSTNAME>]
    }

"interface-mtu": if you remove that (but not the ; that follows it!) and take your interface down/up, you can edit your MTU by hand again in the GUI.

AND ... it will use the number you give it, not the dumb MTU value someone at your ISP left in their equipment because they did not bother to change it.

Finally I have a UTM back up and working, and I can get back to business.
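Added example, not part of the original post: a small POSIX shell script that makes the edit described above on a copy of default.conf and then checks the result, because the easy mistake is taking the trailing ";" with "interface-mtu" and leaving the request statement unterminated. Assumptions: the file has the layout quoted above (request options separated by commas, list ended by ";"); the sample file is constructed here, with "eth1" and a "send host-name" line standing in for the post's [<INTERFACE>] and [<HOSTNAME>] placeholders. The real path on the UTM is /var/chroot-dhcpc/etc/default.conf, and the interface still has to be taken down/up afterwards as the post says.

```shell
#!/bin/sh
# Added example (not the original poster's code): drop "interface-mtu" from the
# dhclient request list while keeping the terminating ';', then verify.
# Functions take the file path as argument so you can try them on a copy first.

# Print the config with interface-mtu removed from the request list.
# Handles ", interface-mtu" in the middle/end of the list and
# "interface-mtu, " at the start of a continuation line.
strip_interface_mtu() {
    sed -e 's/,[[:space:]]*interface-mtu//' \
        -e 's/interface-mtu,[[:space:]]*//' "$1"
}

# Exit 0 only if interface-mtu is gone, the request statement still ends
# with ';', and no dangling "," was left in front of that ';'.
verify_request_list() {
    ! grep -q 'interface-mtu' "$1" || return 1
    tr '\n' ' ' < "$1" | grep -q 'request[^;]*;' || return 1
    ! tr '\n' ' ' < "$1" | grep -q ',[[:space:]]*;' || return 1
}

# Edit the file in place, keeping a .bak copy of the original.
apply_in_place() {
    cp "$1" "$1.bak" || return 1
    strip_interface_mtu "$1.bak" > "$1" || return 1
    verify_request_list "$1"
}

# Constructed sample mirroring the default.conf quoted in the post
# (interface name and host-name line are assumed values).
make_sample() {
    cat > "$1" <<'EOF'
interface "eth1" {
    timeout 20;
    retry 60;
    script "/usr/sbin/dhcp_updown.plx";
    request subnet-mask, broadcast-address, time-offset,
            routers, domain-name, domain-name-servers, host-name,
            domain-search, nis-domain, nis-servers,
            ntp-servers, interface-mtu;
    send host-name "utm";
}
EOF
}
```

Try it on a copy first (make_sample /tmp/default.conf; apply_in_place /tmp/default.conf; cat /tmp/default.conf) and only then run apply_in_place against the real file; verify_request_list failing means the request statement is no longer well-formed and the .bak should be restored before the interface is cycled.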



  • Thanks for this fix!  I literally wasted a half a day trying to track down an FTP upload problem.  Despite having a clean 4 Mbps upload pipe, I was only getting about 150kbps upload via FTP! Swapped the UTM9 out for a basic Netgear router and upload went back to 4 Mbps, so I knew it was something with the UTM9.  Tried all sorts of changes (disabling filtering, threat protection, etc.) until I stumbled upon this thread.  With the MTU set back to 1500, the problem completely went away and now doing 4 Mbps uploads again (via Charter)

    - Scott

  • Yet another client this morning with the same problem and Rogers is yet again unwilling to adjust the incorrect MTU setting.

  • I can confirm that the dozen or so I have updated have not had this come back. So from my side of things this appears to have been permanently addressed.

  • I finally got to the bottom of this problem, which is entirely of Sophos' own making.

    If you factory restore to 9.5 ISO, the problem seems to have disappeared.

    Until you connect to the internet and the ISP (Telstra the biggest in Australia), sends the 576 MTU.

    Then all your problems start.

    You have to go into CLI to fix it.

    All subsequent updates leave this setting alone.

     

    Sophos, fix this.

    If you must get the MTU from the ISP, then ok, but allow us to change it in the GUI.

    That's why the GUI is there.

  • Unfortunately I can't agree that it's Sophos' own issue with regards to the MTU setting. The purpose of the MTU is to allow compliance and the deciding side should be the ISP. The fact that an ISP would set a high speed internet to 576 is simply irresponsible. I do think that an actual patch should have been rolled out, since it is clear there is a large enough pool of ISPs being irresponsible in setting their MTU and they should therefore not be trusted, which should have prompted a retroactive patch to follow 9.5-x. But it's not Sophos' fault or responsibility. I would just have hoped to have seen a better response. In that sense, I agree.

  • Well, we'll have to agree to disagree :)

    I spent 3 months troubleshooting problems with Sophos all based on this problem.

    Even to the extent of Sophos sending me new hardware, which had absolutely no effect.

    It was only one Sophos Tech that finally realised what the problem was.

    I was then told that a 9.5 ISO factory reset would fix it.

    Wrong.

    So Sophos wasted months of my time, their time and pointless hardware replacements.

    If the MTU setting in the GUI is inoperative, grey it out.

    Even better, revert back to the previous behaviour:

    1) UTM sees the ISP MTU, changes it to ISP value.

    2) Above setting causes problems, allow GUI to change it.

     

    As it stands, every Sophos UTM I set up has to be fixed in the CLI.

    Any time I factory reset using the ISO, I have to fix in CLI.

  • That's certainly unfortunate. I was lucky in that the MTU setting caught my eye pretty quick so I was able to mitigate the downtime. I also only have a handful of clients that aren't on dedicated fibre connections so I'm obviously not in harm's way like you seem to be. I can honestly say I've never had to factory reset a UTM (other than wiping settings) so for me it's been a one time set it and forget it thing. I do agree this should be patched permanently. Don't know why they haven't been forthcoming in doing that. Perhaps this discussion can help.

  • Yes, it's strange that they can't seem to fix this.

     

    Or at least make sure everyone in Sophos Support knows about it.

     

    And put a note in the GUI that the MTU setting can only be changed in CLI.

     

    But fixing it would be best :)

  • In V9.509, you can set the MTU on every interface type.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

     

    You could change the Internet MTU in the GUI to whatever you wanted, but it wouldn't stick unless you changed the settings in the CLI.

    If you didn't change the CLI, then if you left the MTU page and returned, the MTU would change back to its original setting.

    You have to change this:

    to

     

    Unless Sophos have changed these settings in CLI?

  • You're right, Martin, that it's not something you can do in WebAdmin.  I saw the recommendation to use cc in an interactive mode.  Instead, I would do the following:

    Find the REF_ of the Interface object named, for example, External (change ethernet to pppoe, pppoa or other if the following returns no result):

    cc get_object_by_name interface ethernet External |grep \'ref\'

    Say that returned REF_IntEthExternal:

    cc change_object REF_IntEthExternal mtu_auto_discovery 0

    If that returns REF_IntEthExternal, the change was successful.  Then change the MTU to 1500 in WebAdmin.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
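Added example, not Bob's own commands: POSIX shell helpers for scripting the cc procedure in the post above, so the REF_ is pulled out of the lookup output and the result of change_object is actually checked rather than eyeballed. Assumption: cc prints the object as a Perl-style hash containing a line of the form 'ref' => 'REF_IntEthExternal', which is why the post greps for 'ref' including the quotes; the SAMPLE_GET_OUTPUT below is constructed on that assumption. Nothing here executes cc, so the file is safe to run on a workstation where "cc" is the C compiler.

```shell
#!/bin/sh
# Added example (not from the original post): parse and verify the output of
# the cc commands Bob describes, without calling cc itself.

# stdin: output of "cc get_object_by_name interface <type> <name>"
# stdout: the REF_ identifier; exit 1 if no 'ref' line is present
extract_ref() {
    sed -n "s/.*'ref' *=> *'\(REF_[A-Za-z0-9_]*\)'.*/\1/p" | head -n 1 | grep .
}

# $1: REF_ identifier -> the change_object command line from the post
build_change_cmd() {
    printf 'cc change_object %s mtu_auto_discovery 0\n' "$1"
}

# $1: expected REF, stdin: output of "cc change_object ...".
# Per the post, success is signalled by cc echoing the REF back as a line.
change_succeeded() {
    grep -qx "$1"
}

# stdin: get_object_by_name output. Prints the change_object command to run,
# or fails with a hint when the object was not found (the post's advice:
# retry the lookup with pppoe, pppoa or another type instead of ethernet).
plan_change() {
    _ref=$(extract_ref) || {
        echo "no 'ref' in cc output; try another interface type" >&2
        return 1
    }
    build_change_cmd "$_ref"
}

# Constructed sample of get_object_by_name output (field layout assumed).
SAMPLE_GET_OUTPUT="{
  'class' => 'interface',
  'data' => {
    'mtu' => 1500,
    'mtu_auto_discovery' => 1,
    'name' => 'External'
  },
  'ref' => 'REF_IntEthExternal',
  'type' => 'ethernet'
}"

# Constructed sample of the output when the lookup finds nothing.
SAMPLE_EMPTY_OUTPUT=""
```

On the UTM the pipeline would be: cc get_object_by_name interface ethernet External | plan_change, then run the printed command and pipe its output through change_succeeded REF_IntEthExternal before going back to WebAdmin to set the MTU to 1500.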
  • This just came back for me. I can only assume it comes from 702 but have no proof at the moment.
