
Sophos UTM 9.407-3 released


Up2Date 9.407003 package description:

Remarks:
System will be rebooted
Configuration will be upgraded
Connected REDs will perform firmware upgrade
Connected Wifi APs will perform firmware upgrade

News:
Maintenance Release

Bugfixes:
Fix [NUTM-4079]: [AWS] DNS Resolver too slow for ELBs
Fix [NUTM-3885]: [Access & Identity] [RED] RED50 reconnecting every 30 minutes
Fix [NUTM-4502]: [Access & Identity] [RED] reactivating RED management causes problem with provisioning server
Fix [NUTM-4749]: [Access & Identity] [RED] interface default routes are not written
Fix [NUTM-4832]: [Access & Identity] 9.404 SSL site-to-site VPN client is not compatible with older UTM versions
Fix [NUTM-4870]: [Access & Identity] STAS: Packetfilter rule is written too late when enabling the feature
Fix [NUTM-4875]: [Access & Identity] 9.404 SSL site-to-site VPN doesn't work with static IP setting
Fix [NUTM-4881]: [Access & Identity] IPsec remote access xauth fails with "could not find cache entry"
Fix [NUTM-4918]: [Access & Identity] HTML5 VPN: Portuguese (Brazil) keyboard doesn't appear to support special characters
Fix [NUTM-4974]: [Access & Identity] UTM unable to connect to support tunnel
Fix [NUTM-4981]: [Access & Identity] [RED] RED management can't be reactivated after a Backup / Restore
Fix [NUTM-4987]: [Access & Identity] 9.404 SSL site-to-site VPN client compatibility to older openvpn versions
Fix [NUTM-5004]: [Access & Identity] [RED] misleading peer status send
Fix [NUTM-4941]: [Basesystem] NTP Vulnerability
Fix [NUTM-5132]: [Basesystem] Disable weak ciphers for webadmin
Fix [NUTM-3180]: [Confd] IP Address change was not applied properly to the interface
Fix [NUTM-4346]: [Documentation] Enhance documentation regarding unencrypted SSO AD password in printable configuration
Fix [NUTM-3225]: [Email] JSON error when accessing Data Loss Prevention Tab and SMTP Profiles
Fix [NUTM-3483]: [Email] Missing/incomplete logging for sandstorm in SMTP proxy
Fix [NUTM-3505]: [Email] MIME type blacklist can be bypassed if an another file is whitelisted
Fix [NUTM-3666]: [Email] Mail log in user portal is case-sensitive
Fix [NUTM-3667]: [Email] RAR and XLSX files causing Scanner timeout or deadlock - moving to error queue
Fix [NUTM-4331]: [Email] Implement more error handling in QMGR for error cases
Fix [NUTM-4874]: [Email] SMTP proxy can't be disabled when upgrading from 9.31x
Fix [NUTM-5228]: [Email] change LogLevel in httpd-spx-reply.conf to warn
Fix [NUTM-5355]: [Email] Increase AV Scanner timeout to 60 seconds
Fix [NUTM-2768]: [HA/Cluster] 36307: Postgres can't be started on Slave / rsync error: error in socket IO (code 10) at clientserver.c(122) [receiver=3.0.4]
Fix [NUTM-4894]: [Logging] Fallback log on slave node is filling up the partition
Fix [NUTM-1954]: [Network] 35457: Amazon vpc gets imported but quagga doesn't start
Fix [NUTM-3092]: [Network] snmp does not work: because 10G modules query of link status timeout if no GBIC is plugged
Fix [NUTM-3115]: [Network] AFC misclassifying HTTPS connections as 'OpenVPN'
Fix [NUTM-3157]: [Network] [INFO-152] Network Monitor not running - restarted
Fix [NUTM-3229]: [Network] IPv6 over transparent proxy
Fix [NUTM-3247]: [Network] Spam Filter cannot query database servers from Slave if a block all AFC rule exists
Fix [NUTM-4037]: [Network] Update kernel to 3.12.58
Fix [NUTM-4992]: [Network] Unitymedia / KabelBW customer getting always the MTU 576
Fix [NUTM-4885]: [Reporting] SSL VPN reporting shows no user with a "#" sign in the username
Fix [NUTM-4593]: [Sandboxd] Constant error when inserting record into sandstorm transactionlog table
Fix [NUTM-5128]: [Virtualization] Incorrect interface order on HyperV
Fix [NUTM-4868]: [WAF] WAF service restart issue (segmentation fault in mod_avscan)
Fix [NUTM-5266]: [WAF] Form auth default template login not possible with chrome and FF
Fix [NUTM-4916]: [WebAdmin] User portal: add Windows 10 to list of supported OSs for SSL VPN
Fix [NUTM-2447]: [Web] 36231: HTTP proxy policy matching with backend groups is sometimes not working
Fix [NUTM-4525]: [Web] Handle ha zeroconf for sandbox_reportd
Fix [NUTM-4806]: [Web] postgres[xxxxx]: [x-x] STATEMENT: INSERT INTO TransactionLog
Fix [NUTM-4877]: [Web] segfault after installing ep-httpproxy-9.40-319.g32fa996.i686.rpm
Fix [NUTM-4127]: [WiFi] MAC filter whitelist does not work after editing the MAC Address List
Fix [NUTM-4451]: [WiFi] Mesh AP doesn't connect after deleting the AP from webadmin
Fix [NUTM-4913]: [WiFi] Hotspot voucher QR code pointing to IP address instead of configured host name
Fix [NUTM-5032]: [WiFi] 'STA WPA Failure' messages not appearing in wireless log

RPM packages contained:
firmwares-bamboo-9400-0.239798409.gadeedea.rb1.i586.rpm
freerdp-1.0.2-5.g9ab7846.rb6.i686.rpm
modavscan-9.40-88.g4be0a1f.rb3.i686.rpm
perf-tools-3.12.58-0.238097715.g942ca6f.rb5.i686.rpm
red-firmware2-5033-0.237486050.g1d6fa2f.rb1.noarch.rpm
red15-firmware-5033-0.237486204.g88604a9.rb4.noarch.rpm
uma-9.40-9.g4114428.rb3.i686.rpm
ep-reporting-9.40-28.g366bbbd.rb8.i686.rpm
ep-reporting-c-9.40-29.gdbdd0e5.rb7.i686.rpm
ep-reporting-resources-9.40-28.g366bbbd.rb8.i686.rpm
ep-aua-9.40-29.g044c154.rb4.i686.rpm
ep-branding-ASG-afg-9.40-45.ga7a71f4.rb4.noarch.rpm
ep-branding-ASG-ang-9.40-45.ga7a71f4.rb4.noarch.rpm
ep-branding-ASG-asg-9.40-45.ga7a71f4.rb4.noarch.rpm
ep-branding-ASG-atg-9.40-45.ga7a71f4.rb4.noarch.rpm
ep-branding-ASG-aug-9.40-45.ga7a71f4.rb4.noarch.rpm
ep-confd-9.40-758.g4ba8297.i686.rpm
ep-confd-tools-9.40-699.g3e73a8d.rb11.i686.rpm
ep-endpoint-0.5-0.238842559.g74c0041.rb3.i686.rpm
ep-ha-aws-9.40-193.gbbbdb1f.rb1.noarch.rpm
ep-libs-9.40-18.g98311c6.rb4.i686.rpm
ep-mdw-9.40-473.gbb2acca.rb1.i686.rpm
ep-migration-agent-9.40-0.238246977.g97d8100.rb2.i686.rpm
ep-repctl-0.1-0.236091535.g244907c.rb4.i686.rpm
ep-screenmgr-9.40-1.g05ac056.rb11.i686.rpm
ep-utm-watchdog-9.40-9.gb87dc68.rb5.i686.rpm
ep-webadmin-9.40-649.gcf9df68.rb15.i686.rpm
ep-webadmin-contentmanager-9.40-48.g2579cc5.rb7.i686.rpm
ep-chroot-dhcpc-9.40-7.g5875cb6.rb4.noarch.rpm
ep-chroot-httpd-9.40-13.g05599fc.rb4.noarch.rpm
ep-chroot-smtp-9.40-108.g7e71836.rb1.i686.rpm
chroot-ntp-4.2.8p8-0.g2398560.rb7.i686.rpm
chroot-openvpn-9.40-26.g733afa5.rb6.i686.rpm
chroot-reverseproxy-2.4.10-242.g832ffb5.rb3.i686.rpm
ep-httpproxy-9.40-351.gd42c00a.rb8.i686.rpm
kernel-smp-3.12.58-0.238097715.g942ca6f.rb6.i686.rpm
kernel-smp64-3.12.58-0.238097715.g942ca6f.rb6.x86_64.rpm
ep-release-9.407-3.noarch.rpm



  • Looks promising :-)

    Fix [NUTM-4992]: [Network] Unitymedia / KabelBW customer getting always the MTU 576

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Technician

  • I just installed and tested the MTU issues on a Sophos UTM 9 Home install using Charter cable and it is NOT fixed for me.  I have another site that is Comcast that I will test later this morning.  I guess they only fixed two ISP's from what they said.  Doesn't make much sense.

    FYI I did not reboot my modem.

    EDIT:  I just fully powered down the modem for a minute and same 576 MTU issue.

  • For NUTM-4992 a new confd option has been introduced.

    For interface objects there now is a "mtu_auto_discovery" flag.
    1 = take interface MTU from DHCP and overwrite value in confd (default)
    0 = do not take interface MTU from DHCP

    Hope that helps.

  • bulirich said:

    For NUTM-4992 a new confd option has been introduced.

    For interface objects there now is a "mtu_auto_discovery" flag.
    1 = take interface MTU from DHCP and overwrite value in confd (default)
    0 = do not take interface MTU from DHCP

    Hope that helps.

    Thanks Bulirich, I tried it and it works hooray :-)

    The fix:

    Login as loginuser then root in ssh shell:

    cc 
    RAW 
    lock_override 
    OBJS 
    interface 
    ethernet (or cable, or other type) 
    REF_ (Tap TAB two times - then you can see the interface list. Mine is called "REF_IntCabExternaWan[WAN,interface,ethernet]")
    (You will get a look like this:)

    'additional_addresses' => [],
    'bandwidth' => 0,
    'comment' => 'Added by installation wizard',
    'inbandwidth' => 100000000,
    'itfhw' => 'REF_ItfEthEth1',
    'link' => 1,
    'mtu' => 576,
    'mtu_auto_discovery' => 1,
    'name' => 'WAN',
    'outbandwidth' => 20000000,
    'primary_address' => 'REF_ItfPri000024',
    'proxyarp' => 0,
    'proxyndp' => 0,
    'status' => 1
    }

    Then write:

    mtu_auto_discovery=0 
    w  (write the changes) 

    Now go into Webadmin and find the WAN link, change the MTU under Advanced to 1500 and voila! :-)

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Technician

  • That really doesn't help people who remotely administer UTMs... Right now I don't have a stable enough connection to my branch location to get in and make that change. Now my only choice is to drive out to this location, a 3 hour drive. The default should be to ignore the MTU from DHCP as it always had in the past so it doesn't affect the ability to administer these boxes.

  • Dlabun said:

    That really doesn't help people who remotely administer UTMs... Right now I don't have a stable enough connection to my branch location to get in and make that change. Now my only choice is to drive out to this location, a 3 hour drive. The default should be to ignore the MTU from DHCP as it always had in the past so it doesn't affect the ability to administer these boxes.

    I agree with you, mtu_auto_discovery should be 0 (disabled) as default.

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Technician

  • This is not configurable in webadmin? If not this is the most stupid fix I have seen in a long time. Why would they fix it for two ISP's only. All I can say is WOW!!! It seems like such a simple concept to allow a user to enable or disable it in the webadmin instead of forcing this down our throats and making us go to a command line interface to fix it.

  • You have it all wrong... Somebody at Sophos clearly thought it'd be funny if they turned this bug fix into an easter egg customers have to find and activate. I have to drive out to one of my locations now to fix the problem, completely flushing my weekend down the drain.

  • I need a little help with twister5800's reply. I previously had the 576 MTU problem, and had applied VegardOestengen's suggestion from another thread, which fixed the problem. The fix continued to work after the upgrade to 9.406-3. Last night, however, I upgraded my home (software-based) UTM to 9.407-3, and it's been a disaster. Although the web interface tells me that the internet-facing interface is still using a MTU of 1500, I'm not believing it. Most websites are unreachable. Pings and traceroutes work, but not much else. I've had some experience with MTU problems before, and this pretty clearly seems to be an MTU problem. I've tried changing the MTU in the web interface to 1492, and then back to 1500, but it didn't help.

    So I want to try twister5800's suggestion, but I'm lost. I know how to ssh into the UTM, but I'm not sure what to do after that. "cc", "RAW", "lock_override", etc., don't appear to be shell commands. So what's going on? Have I missed a step?

  • When you type cc and press enter you will enter kind of a second shell. Inside that shell you will type those commands twister5800 provided. I'll try to explain a bit further to you:

    type cc and press [enter]

    You will get an output like:

    Confd command-line client. Maintainer: <Ingo.Schwarze@sophos.com>

    Connected to 127.0.0.1:4472, SID = VGdqvYBurSTNHXVdhnqk.
    Available modes: MAIN OBJS RAW WIZARD.
    Type mode name to switch mode.
    Typing 'help' will always give some help.
    127.0.0.1 MAIN >

    This means you are inside the cc shell.

    type RAW and press [ENTER]

    type lock_override and press [ENTER]

    type OBJS and press [ENTER]

    type interface and press [ENTER]

    Now it gets a little tricky. Most setups which have this issue use an ethernet type WAN, so:

    type ethernet and press [ENTER]

    Here you will have to "select" your WAN interface. To do that:

    type REF_ (this is case sensitive) and press [TAB] two times. It should list all your ethernet type interfaces, like this:

    REF_DefaultInternal[Internal,interface,ethernet]
    REF_IntEthExternaWan[WAN,interface,ethernet]

    On a default configuration system, it should look exactly like this, but don't worry if it doesn't. From those lines, look for the one that contains something like "REF_IntEthExternaWan" or the name of your WAN interface. After you locate the name for your WAN interface from the list, type the rest of the object name (case sensitive). To avoid any typos, you can copy and paste the rest of the object name after REF_.

    For example, provided that your WAN interface is using the default name, you should then complete REF_ with:

    REF_IntEthExt and press [TAB] again.

    That will autocomplete the name for your WAN interface. Then, press [ENTER] again.

    You should get an output like this:

    'additional_addresses' => [],
    'bandwidth' => 0,
    'comment' => 'Added by installation wizard',
    'inbandwidth' => 100000000,
    'itfhw' => 'REF_ItfEthEth1',
    'link' => 1,
    'mtu' => 576,
    'mtu_auto_discovery' => 1,
    'name' => 'WAN',
    'outbandwidth' => 20000000,
    'primary_address' => 'REF_ItfPri000024',
    'proxyarp' => 0,
    'proxyndp' => 0,
    'status' => 1
    }

    If you do, you are on the right track. Then type:

    mtu_auto_discovery=0 

    and press [ENTER]

    You will get the same output as before, but mind the subtle change on 'mtu_auto_discovery' line, that should now be 0.

    To save, type 

    and press [ENTER]

    this will save your configuration.

    type exit and press [ENTER]

    this will return to the shell.

    After that, fix the MTU in Webadmin and it should not revert to 576 anymore.

    Let me know how it goes.

    Regards - Giovani

  • Thanks, Giovani! That did the trick. I was on the right track, but I must have mistyped the first ("cc") command somehow, because when I tried it earlier, I got a bash command not found error, so I didn't try to go any farther. How do you mistype a two-character command? I don't know, but I somehow managed to do it. Anyway, I followed your instructions and set mtu_auto_discovery to 0. Saved, set the MTU to 1500 (even though the web interface said it already was), rebooted the UTM (not sure if that was necessary but figured it couldn't hurt), and now everything is working again.

    I'm still not sure why the web interface was showing the MTU setting was 1500 (before I applied the latest fix), when it pretty clearly (by the evidence) wasn't. Maybe that was a side-effect of the earlier patch?

  • You can use Giovani's fix directly from the command line...

    I would start in cc to find out the REF_ of the interface you want to change:

    cc
    interfaces
    interfaces@
    exit

    That lets you see the REF_s along with the WebAdmin names of the interfaces.

    Assuming that you found the REF was REF_IntEthExternal, you could issue the command

    cc change_object REF_IntEthExternal mtu_auto_discovery 0

    To check your work:

    cc get_object REF_IntEthExternal

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • BAlfson said:

    I would start in cc to find out the REF_ of the interface you want to change:

    cc
    interfaces
    interfaces@
    exit

    That is largely replaceable with "cc get interfaces"

    A different approach is "cc get_interface_ref_by_hardware <interface>". Example usage "cc get_interface_ref_by_hardware eth0"

     

    Also, out-of-band management was briefly discussed in the past, perhaps it is a topic for the community to revisit.
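    The non-interactive commands from Bob's and the reply above (cc get_object / change_object) can be turned into a small audit script that reads an interface object dump, reports whether the DHCP-supplied MTU is still being applied, and prints the exact fix command for that REF. This is an added example, not from the thread or from Sophos; the object dump and the REF name below are constructed from the output shown earlier in the thread so it can run offline.

    ```shell
    #!/bin/sh
    # Added example (not from the thread): audit an interface object's MTU
    # settings from `cc get_object <REF>` output and emit the fix command.
    # The dump below is constructed from the format shown in the thread.
    SAMPLE_OBJECT="'additional_addresses' => [],
    'bandwidth' => 0,
    'itfhw' => 'REF_ItfEthEth1',
    'mtu' => 576,
    'mtu_auto_discovery' => 1,
    'name' => 'WAN',
    'status' => 1
    }"

    # Print the value of one key from a get_object dump, quotes stripped.
    # $1 = object dump, $2 = key name
    obj_field() {
        printf '%s\n' "$1" | sed -n \
          "s/^[[:space:]]*'$2' => '\{0,1\}\([^',]*\)'\{0,1\},\{0,1\}[[:space:]]*\$/\1/p"
    }

    # Decide whether an interface still needs the workaround: auto-discovery
    # on AND the current MTU below what the link should carry ($2, e.g. 1500).
    # Prints "fix" or "ok".
    mtu_needs_fix() {
        auto=$(obj_field "$1" mtu_auto_discovery)
        mtu=$(obj_field "$1" mtu)
        if [ "$auto" = "1" ] && [ "${mtu:-0}" -lt "$2" ]; then
            echo fix
        else
            echo ok
        fi
    }

    # Emit the confd commands from the thread for a given REF. They are printed,
    # not executed, so the output can be reviewed before running it on the UTM;
    # the MTU itself is then corrected in WebAdmin as the thread describes.
    fix_commands() {
        printf 'cc change_object %s mtu_auto_discovery 0\n' "$1"
        printf 'cc get_object %s\n' "$1"
    }

    # Demo on the constructed dump; on a real box replace SAMPLE_OBJECT with
    # the output of `cc get_object "$REF"` (REF name here is constructed).
    REF="REF_IntEthExternaWan"
    if [ "$(mtu_needs_fix "$SAMPLE_OBJECT" 1500)" = "fix" ]; then
        echo "$REF: mtu=$(obj_field "$SAMPLE_OBJECT" mtu), auto-discovery on; run:"
        fix_commands "$REF"
    fi
    ```
    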

  • You can use Giovani's fix

    Just to give credit where credit is due, that's Twister5800's fix, not mine. I was just explaining to Bruce, with a little more detail, how to get it done.

    Regards - Giovani

  • The MTU fix worked like a champ for me. FYI, I'm a Comcast subscriber and after updating I was still seeing a 576 MTU size. As described above I disabled the auto-discover and manually set the MTU at 1500. This actually fixed quite a few of my UTM problems. (I'm brand new to UTM).

    Thanks guys!

  • If you go under Interface & Routing > Interface, what do you have under interface type?

    I just want to confirm this MTU issue is not affecting users that have a static IP for interface type: Ethernet