Thread Info
  • Locked Locked
  • Replies 66 replies
  • Subscribers 26 subscribers
  • Views 223664 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Disable bad bugfix in 9.405-5 "Fix [NUTM-2840]: [AWS] UTM ignores MTU sent by DHCP server"

Vegard77Norway

Do not do this if you don't feel comfortable messing up your UTM. 

I'm pretty shure this voids the warranty.  But my UTM is pretty useless using a MTU of 576 from my ISP.

The 9.405-5 upgrade introduces a mandatory, non disable, usage of the MTU provided with DHCP, if one is provided.

A lot of us have ISP's that provide bad MTU values. Like my own ISP giving a MTU of 576 (Confirmed with wireshark).

This is what you need to do to disable the usage of MTU from DHCP. Beware, you will be touching the system, and also.. it will not update MTU based on any DHCP.

(I'm not telling you how to get into the UTM, if you don't know... you have no business being there... better wait for the fix.)

In the 

/var/chroot-dhcpc/etc

There is a file named: default.conf

cat default.conf

interface "[<INTERFACE>]" {
timeout 20;
retry 60;
script "/usr/sbin/dhcp_updown.plx";
request subnet-mask, broadcast-address, time-offset,
routers, domain-name, domain-name-servers, host-name,
domain-search, nis-domain, nis-servers,
ntp-servers, interface-mtu;
[<HOSTNAME>]
}

"interface-mtu" : If you remove that (not the following ;!!!), and take your interface down/up, your MTU is possible to edit by hand again in the GUI.

AND ... it will use the number you give it, not the dumb MTU value one of your ISP's let be in their equipment because they did not bother to change it.

Finally I have a UTM back up and working, and I can get back to business.



This thread was automatically locked due to age.
  • in reply to BAlfson

    Again, This has always been available even with new builds. And the setting works with the removal of the config

  • in reply to BAlfson

    Oh, I see. Me feels so foolish now. You're absolutely right, It's definitely not a DHCP interface. it's Ethernet with the new special "Dynamic IP" Protocol to auto-magically Configure the Host. That old DHCP stuff went out so long ago.

    But what I don't understand now is how modifying the default.conf file in the dhcpc folder affects the new DynIP protocol???? And why the people that are following this thread running an un-patched 9.1 UTM are somehow affected by the 576 MTU bugfix from 9.405-5 on service providers that lease IP addresses via DHCP????

    Please help! I'm so confused.

  • in reply to PaulHieb1

    "But what I don't understand now is how modifying the default.conf file in the dhcpc folder affects the new DynIP protocol??"

    Because the "new DynIP" is nothing more than the plain old DHCP client.

    There are two fixes available for this issue: one is a workaround, from this thread here, on which you edit default.conf and remove the instruction for the DHCP client do accept the MTU option provided by the DHCP server. The issue with this approach is that if the default.conf file is replaced by a future update, as it has happened after upgrading to 9.407-3, this workaround ceases to work.

    The other fix, from the thread over https://community.sophos.com/products/unified-threat-management/f/hardware-installation-up2date-licensing/80641/sophos-utm-9-407-3-released, is a "proper fix" that was introduced after 9.407-3 and should survive any future upgrades (even through I agree with others that think this should be available on Webadmin as an option under "Dynamic IP", and not buried under a shell configuration, it's still a fix).

    "And why the people that are following this thread running an un-patched 9.1 UTM are somehow affected by the 576 MTU bugfix from 9.405-5 on service providers that lease IP addresses via DHCP?"

    I don't know from where you got that. AFAIK, there has been no reports from this specific MTU issue before 9.405-4, specially because the behavior of the DHCP client was modified from this version on to allow higher MTU from AWS for customers running UTM on Amazon. Until 9.403, any MTU option provided by the DHCP server was simply ignored by UTM. Again, AFAIK. 

    Regards - Giovani

  • Thanks for this fix!  I literally wasted a half a day trying to track down an FTP upload problem.  Despite having a clean 4 Mbps upload pipe, I was only getting about 150kbps upload via FTP! Swapped the UTM9 out for a basic Netgear router and upload went back to 4 Mbps, so I knew it was something with the UTM9.  Tried all sorts of changes (disabling filtering, threat protection, etc.) until I stumbled upon this thread.  With the MTU set back to 1500, the problem completely went away and now doing 4 Mbps uploads again (via Charter)

    - Scott

  • in reply to sneader

    Yet another client this morning with the same problem and Rogers is yet again unwilling to adjust the incorrect MTU setting.

  • in reply to plecavalier

    Problem is back in 9.508.10.

    Re-imaging ISO 9.5 fixed it.

    Latest update has broken it again!

  • in reply to Martin Murray

    I can confirm that the dozen or so I have updated have not had this come back. So from.my side of things his appears to have been permanently addressed.

  • in reply to plecavalier

    I finally got to the bottom of this problem, which is entirely of Sophos' own making.

    If you factory restore to 9.5 ISO, the problem seems to have disappeared.

    Until you connect to the internet and the ISP (Telstra the biggest in Australia), sends the 576 MTU.

    Then all your problems start.

    You have to go into CLI to fix it.

    All subsequent updates leave this setting alone.

     

    Sophos, fix this.

    If you must get the MTU from the ISP, then ok, but allow us to change it in the GUI.

    That's why the GUI is there.

  • in reply to Martin Murray

    Unfortunately I can't agree that it's Sophos ownis with regards to the MTU setting. The purpose of the MTU is to allow compliance and the deciding side should be the ISP. The fact that an ISP would set a high speed internet to 576 is simply irresponsible. I do think that an actual.patch should have been rolled out since it is clear there is a large enough pool of ISP's being irresponsible in setting their mtu and should therefore not be trusted which should have prompted a resulting retroactive patch to follow 9.5-x. but it's not Sophos' fault or responsibility. I would just hoped to have seen a better response. In that sense, I agree.

  • in reply to plecavalier

    Well, we'll have to agree to disagree :)

    I spent 3 months troubleshooting problems with Sophos all based on this problem.

    Even to the extent of Sophos sending me new hardware, which had absolutely no effect.

    It was only one Sophos Tech that finally realised what the problem was.

    I was then told that 9.5 ISO factory restting would fix it.

    Wrong.

    So Sophos wasted months of my time, their time and pointless hardware replacements.

    If the MTU setting in the GUI is inoperative, grey it out.

    Even better, revert back to the previous behaviour:

    1) UTM sees the ISP MTU, changes it to ISP value.

    2) Above setting causes problems, allow GUI to change it.

     

    As it stands, every Sophos UTM I setup has to be fixed in CLI.

    Any time I factory reset using the ISO, I have to fix in CLI.

Unfiltered HTML