
Issues After 9.405-5 update

Hey All,

  I noticed under the VPN section that there have been issues with the SSL VPN connections, however ever since I updated to 9.405-5 last night, almost all secure traffic I try to send (HTTPS & SSH) seems to fail and not go outbound.  Or a better description is that I can make an HTTPS connection to a site, and if I try to continue to browse the site, the connection times out or resets....  SSH connections to systems have been failing too.. I can ping these systems, but secure connections fail...  

  Am I going nuts here with this, or are my issues, and the SSL VPN issues potentially all related?



This thread was automatically locked due to age.
  • Hi Mike,

    What do you see in the packetfilter.log? What is the operating mode deployed for Web protection in the UTM? 

    Also, try changing the DNS forwarders in the UTM.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • So what is very odd is that this appears to (so far) only be affecting my Linux clients...  And on top of that, it might only be interesting traffic to remote systems over my VPNs that's affected...  (Apologies, I am testing various scenarios while I write this to see what works and what does not)

    In the firewall log, there is nothing being blocked, things are traversing fine.  For Web Protection, the VLAN that I am dealing with is not in there...  I do web protection for my Guest LAN, not my main Private LAN where I am having issues.

    Current DNS forwarders are Google DNS (8.8.8.8 & 8.8.4.4)

    So far, this may just be a VPN issue, and on top of that, one that is only affecting Linux clients...  which makes no sense to me at all, but who knows... :)

    I'm going to need to delve into this more when I get home this evening...

  • Since the last update I also have weird problems with client-side VPN connections from within our intranet and also FTP transfers which keep dropping.

    In the kernel.log of the UTM I found these entries:

    nf_queue: full at 2048 entries, dropping packets(s)

    A couple of hundred of these entries per day... I guess there are some big performance issues since the update.

  • +1 to this. Specifically I am having issues using an IPSEC over HTTPS vpn from behind my 9.405-5 UTM to something else external (basically my client is just going through this GW). Prior to this update I had no issues.

    My VPN client connects just fine and SOME connections work ok but others fail, websites saying connections are reset, etc. Again, I never had issues prior to this firmware update. So far I haven't found anything useful in logs but I have tried going through and disabling IPS, web filtering, etc to see if it made any difference to narrow it down but haven't hit anything.

    I will second the notion that this is "driving me nuts". It's actually really hurting things. Additionally, when I disconnect from the client VPN, everything works normally other than the things I need the VPN for obviously.

  • Well now I believe it's related to this:

    https://community.sophos.com/products/unified-threat-management/f/52/t/79288

    I've confirmed my interface MTU is showing a mere 576 on the external interface and when I try to change it to 1500 in the WebUI, it bounces the interface and resets to 576. I'd rather not do/attempt the file mod in the above post but I wish there was a more formal answer to it or a complete solution. Any recommendations Sophos?

    This, in my head, is the issue. I have noticed increased video streaming buffering on non-VPNd devices as well. The VPN is adding overhead and I think I'm just getting too fragmented.

    Last Edit (maybe), based on the Up2Date thread (https://community.sophos.com/products/unified-threat-management/f/52/t/79150#pi394=5) it sounds like I'm not the only one. Hopefully something is coming soon.

  • I too have had the same issues but mine started back on the 9.404 update. I've been on the phone with level 2 support (under the developers) and I'm still waiting for an answer and a fix for this after 3 weeks. Sophos, when are you going to fix this???

    I'm losing patience and seriously considering moving to another firewall that has better and faster support.

  • Hi All.

    I do not have a Linux test system so it will be difficult for me to recreate this issue. My guess is that it cannot be an issue related to MTU (as suggested by others) because only the Linux client is facing the impact. Meanwhile, can you provide me the case# raised in support? I will look into the matter and revert back if it relates.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Actually I can confirm that this is not a client side issue as I have experienced this issue with Windows clients, media streaming devices, etc. I was most noticeably experiencing it with my daily Windows PC. All connections would (as far as I could tell) work normally until I connected an unrelated VPN client that would pass through the UTM gateway. This additional packet overhead apparently was enough to surpass the MTU and lead to excessive fragmentation, to the point of most connections not working at all. The problem was with the external interface and my ISP Comcast. Granted they should not be handing out the 576 MTU, it appears to be a problem with many service providers that unfortunately we have to deal with. Being able to modify my MTU when using DHCP, or just defaulting to 1500 unless specifically changed (as was the case prior to 9.405-5) would be the ideal solution.

    For me, I am aware of the CLI modifications that can strip out the MTU setting. I chose not to follow this path however in hopes that Sophos would issue an update/fix. In the meantime I did follow the advice to turn OFF dhcp, though I am on a residential non-static ISP IP, so that I could modify the MTU in the WebUI. This resolved all of my issues. I know this isn't ideal and I certainly wouldn't recommend in a corporate environment, but for home, it's ok.

    I do fully admit I am a Home license user and am not paying for this product. I am an experienced Firewall Engineer professionally though and am familiar with everything this product provides. I also regularly recommend Sophos UTM to colleagues as I've been using it since v7. It is for these reasons that I am sticking to the forums and hoping some solution comes from it. I don't expect Sophos to give me special attention or work with me directly but I am overall happy with the product and am not to the point of looking for something else.

    PS - One last thing, I have my UTM running on dedicated, pretty high end hardware so I'm sure the excessive fragmentation issue is not due to my box. Perhaps it's overwhelming the ISP devices but I just wanted to rule that out. Using the correct MTU though is key.
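
Added example (not part of any post in this thread, and not Sophos code): a small triage script for the symptoms reported above. It flags interfaces whose MTU is below a threshold, counts the `nf_queue: full` kernel message quoted earlier, and works out how many IPv4 fragments a packet needs at a given MTU. The interface names, log timestamps and the 20-byte option-free IPv4 header are assumptions; the sample inputs are constructed.

```shell
#!/bin/sh
# Constructed sample of `ip -o link show` output (interface names are assumptions).
SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 576 qdisc pfifo_fast state UP mode DEFAULT qlen 1000'

# Constructed kernel log lines; only the nf_queue message text comes from the thread.
SAMPLE_KLOG='2016:08:15-10:02:11 gw kernel: [1201.100] nf_queue: full at 2048 entries, dropping packets(s)
2016:08:15-10:02:12 gw kernel: [1202.300] device eth1 entered promiscuous mode
2016:08:15-10:05:40 gw kernel: [1410.900] nf_queue: full at 2048 entries, dropping packets(s)'

# low_mtu_ifaces MIN: read `ip -o link show` lines on stdin, print NAME=MTU
# for every interface whose MTU is below MIN.
low_mtu_ifaces() {
  awk -v min="$1" '{
    name = $2; sub(/:$/, "", name); sub(/@.*/, "", name)
    for (i = 3; i < NF; i++)
      if ($i == "mtu" && $(i + 1) + 0 < min) print name "=" $(i + 1)
  }'
}

# count_nfqueue_drops: read kernel log lines on stdin, print how many report
# a full netfilter queue.
count_nfqueue_drops() {
  grep -c 'nf_queue: full at' || true
}

# frag_count PKT_LEN MTU: number of IPv4 fragments needed to carry a packet
# of PKT_LEN bytes (header included) over a link with the given MTU.
# Assumes a 20-byte header; every fragment except the last must carry a
# payload that is a multiple of 8 bytes.
frag_count() {
  pkt=$1; mtu=$2
  if [ "$pkt" -le "$mtu" ]; then echo 1; return; fi
  per=$(( (mtu - 20) / 8 * 8 ))
  data=$(( pkt - 20 ))
  echo $(( (data + per - 1) / per ))
}

# Demo on the constructed samples. On a live Linux box, pipe real data in:
#   ip -o link show | low_mtu_ifaces 1500
echo "Low-MTU interfaces: $(printf '%s\n' "$SAMPLE_LINKS" | low_mtu_ifaces 1500)"
echo "nf_queue drop messages: $(printf '%s\n' "$SAMPLE_KLOG" | count_nfqueue_drops)"
echo "Fragments for a 1500-byte packet at MTU 576: $(frag_count 1500 576)"
```

A 1500-byte packet needs three fragments at MTU 576 and none at 1500; packets sent with the Don't Fragment bit set are dropped rather than fragmented.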

  • I would have to concur that my issue is related to the MTU bug.  I just checked my outside interface, and yes, it's set to 576.

    If there is a patch coming soon, I'll wait it out, but if not, I'll follow the thread above to try to resolve manually.

  • Hi,

    Thanks for choosing Sophos. I will follow up with the developers to provide a quick fix. I will update the thread as soon as I receive any associated information from the developers on this matter.

    Cheers

    Sachin Gurung
    Team Lead | Sophos Technical Support