Modification of the interface MTU

Hello Nils Kroll ,

Thank you for reaching out to the community, you can leave the MTU settings default and change the mss size according to your requirement !
https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/CommandLineHelp/DeviceConsole/Set/index.html#network
e.g: console> set network mtu-mss Port2 mtu default mss <number value>

Just tried this out, the VLAN ist still there even if I change both MTU and MSS.

Just tried this out, the VLAN ist still there even if I change both MTU and MSS.

Hallo Philipp!

thanks for trying. Did you make the change via WBM or CLI?

When I use WBM I get this message: SFOS 19.0.0 GA-Build317, 23.01.2023

try with the CLI command I mentioned above in the e.g, and leave the mtu default just change the required mss value !

Hi Vivek!

The MSS adjustment solves the problem only for TCP connections. I will propose this to the customer but I don't expect him to agree to the solution.

Background: It is a network in an industrial facility where the PRP protocol is used. There is a valid network layout in which connections to "single attached nodes" are established. When using PRP the packet is lengthened by a 6Byte trailer by a PRP switch. Neither the endpoints nor the firewall are involved. Packets with max payload can therefore exceed the MTU of the recipient. The requirement is that at least routed connections can be established without interface configuration at the endpoints. This should be transport layer independent.

As of now this can be consider a workaround or a probable solution. What are your customer's expectation as a solution then ?

Hi!

This is a short-term workaround (MSS config). Previously we used UTM instead of XG with reduced MTU but we missed that detail when switching to XGS. The goal is therefore a reduced MTU again.

I had hoped that there is a way to correct the MTU without serious effects.. I will reduce the MTU in any case and restore the lost configuration.

Thanks for your support!

I used the CLI, as Vivek suggested.

To my surprise, changing BOTH values and changig EITHER value did not "destroy" my defined VLAN-Port.

Thank you jprusch , I am glad my suggestion works !

Philipp vielen Dank!

I will try CLI instead of WBM as soon as possible. Would also be very interesting if these settings are persistent and why it behaves differently in CLI than via WBM config.

Yes they are persistent Nils Kroll , sure you can let me know your feedback on this !

Today I had contact with another SFOS specialist and we were able to discuss the issue. The change is to be made on an active-passive HA cluster(new information in this post... I know). He said I should break up the cluster, make the change via CLI and set up the cluster again. Problem: I lose Node2 because I don't have remote access to the OOB interface.

At that point, unfortunately, I can no longer use the CLI and have to work using the WBM. Perhaps someone would like to comment on the problem with cluster because the information may still be useful for other users.

Thanks for all Comments I appreciate the help very much!