
Disable bad bugfix in 9.405-5 "Fix [NUTM-2840]: [AWS] UTM ignores MTU sent by DHCP server"

Do not do this if you don't feel comfortable messing up your UTM. 

I'm pretty sure this voids the warranty. But my UTM is pretty useless using an MTU of 576 from my ISP.

The 9.405-5 upgrade introduces a mandatory, non-disableable usage of the MTU provided with DHCP, if one is provided.

A lot of us have ISPs that provide bad MTU values. Like my own ISP giving an MTU of 576 (confirmed with Wireshark).

This is what you need to do to disable the usage of MTU from DHCP. Beware, you will be touching the system, and also.. it will not update MTU based on any DHCP.

(I'm not telling you how to get into the UTM, if you don't know... you have no business being there... better wait for the fix.)

In /var/chroot-dhcpc/etc there is a file named: default.conf

cat default.conf

interface "[<INTERFACE>]" {
timeout 20;
retry 60;
script "/usr/sbin/dhcp_updown.plx";
request subnet-mask, broadcast-address, time-offset,
routers, domain-name, domain-name-servers, host-name,
domain-search, nis-domain, nis-servers,
ntp-servers, interface-mtu;
[<HOSTNAME>]
}

"interface-mtu": If you remove that (not the following ;!!!), and take your interface down/up, your MTU can be edited by hand again in the GUI.

AND ... it will use the number you give it, not the dumb MTU value one of your ISPs left in their equipment because they did not bother to change it.

Finally I have a UTM back up and working, and I can get back to business.
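
The edit described in the post above, as an added example that is not part of the original post and is not Sophos code: a filter that drops interface-mtu from the request list while keeping the terminating ";", plus a wrapper that backs up the file and refuses to write if the statement terminators changed. The function names are hypothetical, the sample is constructed from the excerpt in the post, and GNU sed is assumed.

```shell
#!/bin/sh
# Added example, not Sophos code: remove "interface-mtu" from a dhclient-style
# request list without losing the ';' that ends the statement.

# Filter stdin -> stdout. The whole file is joined first so the option is
# found even when the preceding comma sits on the previous line.
strip_mtu_request() {
    sed -e ':a' -e '$!{' -e 'N' -e 'ba' -e '}' \
        -e 's/,[[:space:]]*interface-mtu[[:space:]]*;/;/g' \
        -e 's/interface-mtu[[:space:]]*,[[:blank:]]*//g'
}

# Edit a file in place. Keeps <file>.bak and refuses to write if the number
# of ';' changed or the option name is still present anywhere in the file.
disable_dhcp_mtu() {
    conf=$1
    tmp=$(mktemp) || return 1
    strip_mtu_request < "$conf" > "$tmp"
    before=$(tr -cd ';' < "$conf" | wc -c)
    after=$(tr -cd ';' < "$tmp" | wc -c)
    if [ "$before" -ne "$after" ] || grep -q 'interface-mtu' "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    cp -p "$conf" "$conf.bak" && cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample: the interface block shown in the post.
sample_conf() {
    cat <<'EOF'
interface "[<INTERFACE>]" {
timeout 20;
retry 60;
script "/usr/sbin/dhcp_updown.plx";
request subnet-mask, broadcast-address, time-offset,
routers, domain-name, domain-name-servers, host-name,
domain-search, nis-domain, nis-servers,
ntp-servers, interface-mtu;
[<HOSTNAME>]
}
EOF
}
```

Running disable_dhcp_mtu on a copy of the file first and comparing it with the .bak shows exactly what changed before touching the live configuration.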



  • THANK YOU, I too have been fighting with strange issues the last couple weeks. Glad I decided to look here. 

    I made the fix and was able to set the MTU to 15000 and all is back to normal.

  • DennisMatzen said:
    set the MTU to 15000

    Super Jumbo frames.
  • I love you, you beautiful wonderful person... I have been fighting this issue for nearly three weeks... I moved to 9.405-5 right as I added a new connection to my environment and couldn't for the life of me find out WTF was causing my upload to be slow:
    https://community.sophos.com/products/unified-threat-management/f/51/t/79888

    I finally found this thread as I was looking for MTU bits as to why I couldn't change it from 576 and after applying these changes, I am at full connection speed...

    Thanks...

  • Does this issue with MTU only happen to those that have their ISP interface (external) set to dynamic instead of static?

  • Yep, it happens because of ISP routers sending a low MTU as a DHCP option. Prior to 9.405-5, MTU values received as a DHCP option were just ignored, so the issue never presented itself. As long as you use static addresses or your ISP does not provide a crazy low MTU value as a DHCP option, this should never happen.

    Regards - Giovani

  • I just upgraded 3 days ago. I'm guessing this issue is the reason I cannot connect to a cPanel site and web mail for an ISP?

  • @VegardOestengen, very nice find. I wound up finding the very same solution to my problem as well.

    Any word on whether or not there's an "Official" or "Supported" fix for this at all yet?

  • Just experienced exactly this and wanted to add I applied 406 just in case and it did not resolve the issue (I didn't expect it to).

    Client is on Rogers in Ottawa. DHCP is handing out an MTU value of 576.

  • I was expecting that the next fix would take care of this too. When I received the notice of update 406 I did not see any reference to the MTU issue. But I applied it and tested. No fix. I cannot believe that it is taking so long to get a fix for this issue.

  • I am with Rogers here in Ottawa as well, and can confirm that the steps above DO indeed work as advertised.

    As for Rogers, I opened a ticket with them last week to have this addressed, but I haven't gotten any updates of value since. I have requested escalation on the case, and filed some complaints, but I doubt this will be addressed at all anytime soon (if at all, ever). I would suggest you get your client to file a case/complaint as well, and maybe even yourself if you can, and maybe (just MAYBE), if we get enough people screaming about this they just MIGHT do something about this.

    The real problem here, in my opinion, is with the DHCP server that is handing out such tiny MTUs. An MTU of 576 seems to be a hold-over from ye ole' dial-up days... And if this, a very basic configuration, hasn't been addressed since that time, what else within that infrastructure is just as equally outdated? What about security? Has any of the infrastructure security been updated since then? But I digress...