Up2Date 9.407003 package description:
Remarks:
System will be rebooted
Configuration will be upgraded
Connected REDs will perform firmware upgrade
Connected Wifi APs will perform firmware upgrade
News: Maintenance Release
Bugfixes:
Fix [NUTM-4079]: [AWS] DNS Resolver too slow for ELBs
Fix [NUTM-3885]: [Access & Identity] [RED] RED50 reconnecting every 30 minutes
Fix [NUTM-4502]: [Access & Identity] [RED] reactivating RED management causes problem with provisioning server
Fix [NUTM-4749]: [Access & Identity] [RED] interface default routes are not written
Fix [NUTM-4832]: [Access & Identity] 9.404 SSL site-to-site VPN client is not compatible with older UTM versions
Fix [NUTM-4870]: [Access & Identity] STAS: Packetfilter rule is written too late when enabling the feature
Fix [NUTM-4875]: [Access & Identity] 9.404 SSL site-to-site VPN doesn't work with static IP setting
Fix [NUTM-4881]: [Access & Identity] IPsec remote access xauth fails with "could not find cache entry"
Fix [NUTM-4918]: [Access & Identity] HTML5 VPN: Portuguese (Brazil) keyboard doesn't appear to support special characters
Fix [NUTM-4974]: [Access & Identity] UTM unable to connect to support tunnel
Fix [NUTM-4981]: [Access & Identity] [RED] RED management can't be reactivated after a Backup / Restore
Fix [NUTM-4987]: [Access & Identity] 9.404 SSL site-to-site VPN client compatibility to older openvpn versions
Fix [NUTM-5004]: [Access & Identity] [RED] misleading peer status send
Fix [NUTM-4941]: [Basesystem] NTP Vulnerability
Fix [NUTM-5132]: [Basesystem] Disable weak ciphers for webadmin
Fix [NUTM-3180]: [Confd] IP Address change was not applied properly to the interface
Fix [NUTM-4346]: [Documentation] Enhance documentation regarding unencrypted SSO AD password in printable configuration
Fix [NUTM-3225]: [Email] JSON error when accessing Data Loss Prevention Tab and SMTP Profiles
Fix [NUTM-3483]: [Email] Missing/incomplete logging for sandstorm in SMTP proxy
Fix [NUTM-3505]: [Email] MIME type blacklist can be bypassed if another file is whitelisted
Fix [NUTM-3666]: [Email] Mail log in user portal is case-sensitive
Fix [NUTM-3667]: [Email] RAR and XLSX files causing Scanner timeout or deadlock - moving to error queue
Fix [NUTM-4331]: [Email] Implement more error handling in QMGR for error cases
Fix [NUTM-4874]: [Email] SMTP proxy can't be disabled when upgrading from 9.31x
Fix [NUTM-5228]: [Email] change LogLevel in httpd-spx-reply.conf to warn
Fix [NUTM-5355]: [Email] Increase AV Scanner timeout to 60 seconds
Fix [NUTM-2768]: [HA/Cluster] 36307: Postgres can't be started on Slave / rsync error: error in socket IO (code 10) at clientserver.c(122) [receiver=3.0.4]
Fix [NUTM-4894]: [Logging] Fallback log on slave node is filling up the partition
Fix [NUTM-1954]: [Network] 35457: Amazon vpc gets imported but quagga doesn't start
Fix [NUTM-3092]: [Network] snmp does not work: because 10G modules query of link status timeout if no GBIC is plugged
Fix [NUTM-3115]: [Network] AFC misclassifying HTTPS connections as 'OpenVPN'
Fix [NUTM-3157]: [Network] [INFO-152] Network Monitor not running - restarted
Fix [NUTM-3229]: [Network] IPv6 over transparent proxy
Fix [NUTM-3247]: [Network] Spam Filter cannot query database servers from Slave if a block all AFC rule exists
Fix [NUTM-4037]: [Network] Update kernel to 3.12.58
Fix [NUTM-4992]: [Network] Unitymedia / KabelBW customer getting always the MTU 576
Fix [NUTM-4885]: [Reporting] SSL VPN reporting shows no user with a "#" sign in the username
Fix [NUTM-4593]: [Sandboxd] Constant error when inserting record into sandstorm transactionlog table
Fix [NUTM-5128]: [Virtualization] Incorrect interface order on HyperV
Fix [NUTM-4868]: [WAF] WAF service restart issue (segmentation fault in mod_avscan)
Fix [NUTM-5266]: [WAF] Form auth default template login not possible with chrome and FF
Fix [NUTM-4916]: [WebAdmin] User portal: add Windows 10 to list of supported OSs for SSL VPN
Fix [NUTM-2447]: [Web] 36231: HTTP proxy policy matching with backend groups is sometimes not working
Fix [NUTM-4525]: [Web] Handle ha zeroconf for sandbox_reportd
Fix [NUTM-4806]: [Web] postgres[xxxxx]: [x-x] STATEMENT: INSERT INTO TransactionLog
Fix [NUTM-4877]: [Web] segfault after installing ep-httpproxy-9.40-319.g32fa996.i686.rpm
Fix [NUTM-4127]: [WiFi] MAC filter whitelist does not work after editing the MAC Address List
Fix [NUTM-4451]: [WiFi] Mesh AP doesn't connect after deleting the AP from webadmin
Fix [NUTM-4913]: [WiFi] Hotspot voucher QR code pointing to IP address instead of configured host name
Fix [NUTM-5032]: [WiFi] 'STA WPA Failure' messages not appearing in wireless log
RPM packages contained: firmwares-bamboo-9400-0.239798409.gadeedea.rb1.i586.rpm freerdp-1.0.2-5.g9ab7846.rb6.i686.rpm modavscan-9.40-88.g4be0a1f.rb3.i686.rpm perf-tools-3.12.58-0.238097715.g942ca6f.rb5.i686.rpm red-firmware2-5033-0.237486050.g1d6fa2f.rb1.noarch.rpm red15-firmware-5033-0.237486204.g88604a9.rb4.noarch.rpm uma-9.40-9.g4114428.rb3.i686.rpm ep-reporting-9.40-28.g366bbbd.rb8.i686.rpm ep-reporting-c-9.40-29.gdbdd0e5.rb7.i686.rpm ep-reporting-resources-9.40-28.g366bbbd.rb8.i686.rpm ep-aua-9.40-29.g044c154.rb4.i686.rpm ep-branding-ASG-afg-9.40-45.ga7a71f4.rb4.noarch.rpm ep-branding-ASG-ang-9.40-45.ga7a71f4.rb4.noarch.rpm ep-branding-ASG-asg-9.40-45.ga7a71f4.rb4.noarch.rpm ep-branding-ASG-atg-9.40-45.ga7a71f4.rb4.noarch.rpm ep-branding-ASG-aug-9.40-45.ga7a71f4.rb4.noarch.rpm ep-confd-9.40-758.g4ba8297.i686.rpm ep-confd-tools-9.40-699.g3e73a8d.rb11.i686.rpm ep-endpoint-0.5-0.238842559.g74c0041.rb3.i686.rpm ep-ha-aws-9.40-193.gbbbdb1f.rb1.noarch.rpm ep-libs-9.40-18.g98311c6.rb4.i686.rpm ep-mdw-9.40-473.gbb2acca.rb1.i686.rpm ep-migration-agent-9.40-0.238246977.g97d8100.rb2.i686.rpm ep-repctl-0.1-0.236091535.g244907c.rb4.i686.rpm ep-screenmgr-9.40-1.g05ac056.rb11.i686.rpm ep-utm-watchdog-9.40-9.gb87dc68.rb5.i686.rpm ep-webadmin-9.40-649.gcf9df68.rb15.i686.rpm ep-webadmin-contentmanager-9.40-48.g2579cc5.rb7.i686.rpm ep-chroot-dhcpc-9.40-7.g5875cb6.rb4.noarch.rpm ep-chroot-httpd-9.40-13.g05599fc.rb4.noarch.rpm ep-chroot-smtp-9.40-108.g7e71836.rb1.i686.rpm chroot-ntp-4.2.8p8-0.g2398560.rb7.i686.rpm chroot-openvpn-9.40-26.g733afa5.rb6.i686.rpm chroot-reverseproxy-2.4.10-242.g832ffb5.rb3.i686.rpm ep-httpproxy-9.40-351.gd42c00a.rb8.i686.rpm kernel-smp-3.12.58-0.238097715.g942ca6f.rb6.i686.rpm kernel-smp64-3.12.58-0.238097715.g942ca6f.rb6.x86_64.rpm ep-release-9.407-3.noarch.rpm
Looks promising :-)
Fix [NUTM-4992]: [Network] Unitymedia / KabelBW customer getting always the MTU 576
----
Best regards Martin ;-)
Sophos UTM Certified Engineer v9.7Sophos XG Certified Architect v18.0Homelab: 2 x SG210 XG v18 (HA A/P) - 3xAPX530 - 1 x SG210 v9.7 - 1 x UTM 220 v9.7 - 1 x SG135 v9.7 (All Fullguard Plus licenses)
I just installed and tested the MTU issues on a Sophos UTM 9 Home install using Charter cable and it is NOT fixed for me. I have another site that is Comcast that I will test later this morning. I guess they only fixed two ISP's from what they said. Doesn't make much sense.
FYI I did not reboot my modem.
EDIT: I just fully powered down the modem for a minute and same 576 MTU issue.
For NUTM-4992 a new confd option has been introduced.
For interface objects there now is a "mtu_auto_discovery" flag.
1 = take interface MTU from DHCP and overwrite value in confd (default)
0 = do not take interface MTU from DHCP
Hope that helps.
bulirich said: For NUTM-4992 a new confd option has been introduced. For interface objects there now is a "mtu_auto_discovery" flag. 1 = take interface MTU from DHCP and overwrite value in confd (default) 0 = do not take interface MTU from DHCP Hope that helps.
Thanks Bulirich, I tried it and it works hooray :-)
The fix:
Login as loginuser then root in ssh shell:
cc
RAW
lock_override
OBJS
interface
ethernet (or cable, or other type)
REF_ (tap TAB two times, then you can see the interface list. Mine is called "REF_IntCabExternaWan[WAN,interface,ethernet]". You will get output like this:)
'additional_addresses' => [],
'bandwidth' => 0,
'comment' => 'Added by installation wizard',
'inbandwidth' => 100000000,
'itfhw' => 'REF_ItfEthEth1',
'link' => 1,
'mtu' => 576,
'mtu_auto_discovery' => 1,
'name' => 'WAN',
'outbandwidth' => 20000000,
'primary_address' => 'REF_ItfPri000024',
'proxyarp' => 0,
'proxyndp' => 0,
'status' => 1 }
Then write:
mtu_auto_discovery=0
w (write the changes)
Now go into Webadmin and find the WAN link, change the MTU under Advanced to 1500 and voila! :-)
This is not configurable in webadmin? If not, this is the most stupid fix I have seen in a long time. Why would they fix it for two ISPs only? All I can say is WOW!!! It seems like such a simple concept to allow a user to enable or disable it in the webadmin instead of forcing this down our throats and making us go to a command line interface to fix it.
You have it all wrong... Somebody at Sophos clearly thought it'd be funny if they turned this bug fix into an easter egg customers have to find and activate. I have to drive out to one of my locations now to fix the problem, completely flushing my weekend down the drain.
I need a little help with twister5800's reply. I previously had the 576 MTU problem, and had applied VegardOestengen's suggestion from another thread, which fixed the problem. The fix continued to work after the upgrade to 9.406-3. Last night, however, I upgraded my home (software-based) UTM to 9.407-3, and it's been a disaster. Although the web interface tells me that the internet-facing interface is still using a MTU of 1500, I'm not believing it. Most websites are unreachable. Pings and traceroutes work, but not much else. I've had some experience with MTU problems before, and this pretty clearly seems to be an MTU problem. I've tried changing the MTU in the web interface to 1492, and then back to 1500, but it didn't help.
So I want to try twister5800's suggestion, but I'm lost. I know how to ssh into the UTM, but I'm not sure what to do after that. "cc", "RAW", "lock_override", etc., don't appear to be shell commands. So what's going on? Have I missed a step?
When you type cc and press enter you will enter a kind of second shell. Inside that shell you will type those commands twister5800 provided. I'll try to explain a bit further to you:
type cc and press [enter]
You will get an output like:
Confd command-line client. Maintainer: <Ingo.Schwarze@sophos.com>
Connected to 127.0.0.1:4472, SID = VGdqvYBurSTNHXVdhnqk.
Available modes: MAIN OBJS RAW WIZARD.
Type mode name to switch mode.
Typing 'help' will always give some help.
127.0.0.1 MAIN >
This means you are inside the cc shell.
type RAW and press [ENTER]
type lock_override and press [ENTER]
type OBJS and press [ENTER]
type interface and press [ENTER]
Now it gets a little tricky. Most setups that have this issue use an ethernet type WAN, so:
type ethernet and press [ENTER]
Here you will have to "select" your WAN interface. To do that:
type REF_ (this is case sensitive) and press [TAB] two times. It should list all your ethernet type interfaces, like this:
REF_DefaultInternal[Internal,interface,ethernet]
REF_IntEthExternaWan[WAN,interface,ethernet]
On a default configuration system, it should look exactly like this, but don't worry if it doesn't. From those lines, look for the one that contains something like "REF_IntEthExternaWan" or the name of your WAN interface. After you locate the name for your WAN interface from the list, type the rest of the object name (case sensitive). To avoid any typos, you can copy and paste the rest of the object name after REF_.
For example, provided that your WAN interface is using the default name, you should then complete REF_ with:
REF_IntEthExt and press [TAB] again.
That will autocomplete the name for your WAN interface. Then, press [ENTER] again.
You should get an output like this:
'additional_addresses' => [],
'bandwidth' => 0,
'comment' => 'Added by installation wizard',
'inbandwidth' => 100000000,
'itfhw' => 'REF_ItfEthEth1',
'link' => 1,
'mtu' => 576,
'mtu_auto_discovery' => 1,
'name' => 'WAN',
'outbandwidth' => 20000000,
'primary_address' => 'REF_ItfPri000024',
'proxyarp' => 0,
'proxyndp' => 0,
'status' => 1}
If you do, you are on the right track. Then type:
mtu_auto_discovery=0
and press [ENTER]
You will get the same output as before, but mind the subtle change on the 'mtu_auto_discovery' line, which should now be 0.
To save, type
w
this will save your configuration.
type exit and press [ENTER]
this will return to the shell.
After that, fix the MTU in Webadmin and it should not revert to 576 anymore.
Let me know how it goes.
Regards - Giovani
Thanks, Giovani! That did the trick. I was on the right track, but I must have mistyped the first ("cc") command somehow, because when I tried it earlier, I got a bash command not found error, so I didn't try to go any farther. How do you mistype a two-character command? I don't know, but I somehow managed to do it. Anyway, I followed your instructions and set mtu_auto_discovery to 0. Saved, set the MTU to 1500 (even though the web interface said it already was), rebooted the UTM (not sure if that was necessary but figured it couldn't hurt), and now everything is working again.
I'm still not sure why the web interface was showing the MTU setting was 1500 (before I applied the latest fix), when it pretty clearly (by the evidence) wasn't. Maybe that was a side-effect of the earlier patch?
You can use Giovani's fix directly from the command line...
I would start in cc to find out the REF_ of the interface you want to change:
cc
interfaces
interfaces@
exit
That lets you see the REF_s along with the WebAdmin names of the interfaces.
Assuming that you found the REF was REF_IntEthExternal, you could issue the command
cc change_object REF_IntEthExternal mtu_auto_discovery 0
To check your work:
cc get_object REF_IntEthExternal
Cheers - Bob
BAlfson said: I would start in cc to find out the REF_ of the interface you want to change: cc interfaces interfaces@ exit
That is largely replaceable with "cc get interfaces"
A different approach is "cc get_interface_ref_by_hardware <interface>". Example usage "cc get_interface_ref_by_hardware eth0"
Also, out-of-band management was briefly discussed in the past, perhaps it is a topic for the community to revisit.
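An offline check, added here and not code from the thread or from Sophos, that parses the `cc get_object` dump shown above and flags an interface still in the MTU-576 / auto-discovery state; `live_check` ties it to the `cc get_interface_ref_by_hardware` and `cc get_object` commands posted in this thread, and assumes they print a bare ref and the dump respectively (an assumption), as is the MIN_MTU of 1500.

```shell
#!/bin/sh
# Added example: verify an interface object is out of the "MTU 576" state.
# Input is the Perl-hash style dump that `cc get_object REF_...` prints
# (shape copied from the thread). Dumps below are constructed samples so
# the check runs offline. MIN_MTU=1500 is an assumption (plain Ethernet).
MIN_MTU=1500

# Constructed sample: interface still stuck after the 9.407 update.
STUCK_DUMP="'comment' => 'Added by installation wizard','itfhw' => 'REF_ItfEthEth1','link' => 1,'mtu' => 576,'mtu_auto_discovery' => 1,'name' => 'WAN','status' => 1}"
# Constructed sample: after mtu_auto_discovery=0 and MTU 1500 set in WebAdmin.
FIXED_DUMP="'comment' => 'Added by installation wizard','itfhw' => 'REF_ItfEthEth1','link' => 1,'mtu' => 1500,'mtu_auto_discovery' => 0,'name' => 'WAN','status' => 1}"

# field NAME DUMP: print the value of 'NAME' from a dump, quotes stripped.
field() {
  printf '%s\n' "$2" \
    | sed -n "s/.*'$1' => '\{0,1\}\([^,}']*\)'\{0,1\}[,}].*/\1/p" | head -n 1
}

# mtu_status DUMP: return 0 when the interface has a fixed, usable MTU;
# return 1 and print what is wrong otherwise (auto discovery still on,
# or MTU below MIN_MTU).
mtu_status() {
  name=$(field name "$1"); mtu=$(field mtu "$1")
  auto=$(field mtu_auto_discovery "$1")
  if [ "$auto" != "0" ]; then
    echo "$name: mtu_auto_discovery=$auto, DHCP may overwrite the MTU again"
    return 1
  fi
  if [ "${mtu:-0}" -lt "$MIN_MTU" ]; then
    echo "$name: mtu=$mtu is below $MIN_MTU"
    return 1
  fi
  echo "$name: mtu=$mtu, auto discovery off"
  return 0
}

# live_check ETHDEV: on the UTM itself, resolve the object ref for a hardware
# interface and check its dump. Assumes (not verified here) that
# get_interface_ref_by_hardware prints only the REF_ and get_object prints
# the dump above. Not called in this file: `cc` is confd only on the UTM.
live_check() {
  ref=$(cc get_interface_ref_by_hardware "$1") || return 1
  mtu_status "$(cc get_object "$ref")"
}

# Offline demo on the constructed samples (only when run with --demo).
if [ "${1:-}" = "--demo" ]; then
  mtu_status "$STUCK_DUMP"; mtu_status "$FIXED_DUMP"
fi
```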
You can use Giovani's fix
Just to give credit where credit is due, that's Twister5800's fix, not mine. I was just explaining to Bruce, with a little more detail, how to get it done.
The MTU fix worked like a champ for me. FYI, I'm a Comcast subscriber and after updating I was still seeing a 576 MTU size. As described above I disabled the auto-discover and manually set the MTU at 1500. This actually fixed quite a few of my UTM problems. (I'm brand new to UTM).
Thanks guys!
If you go under Interface & Routing > Interface, what do you have under interface type?
I just want to confirm this MTU issue is not affecting users that have a static IP for interface type: Ethernet