Disable bad bugfix in 9.405-5 "Fix [NUTM-2840]: [AWS] UTM ignores MTU sent by DHCP server"

Do not do this if you don't feel comfortable messing up your UTM. 

I'm pretty sure this voids the warranty.  But my UTM is pretty useless using an MTU of 576 from my ISP.

The 9.405-5 upgrade introduces a mandatory, non-disableable use of the MTU provided by DHCP, if one is provided.

A lot of us have ISPs that provide bad MTU values. Like my own ISP giving an MTU of 576 (confirmed with Wireshark).

This is what you need to do to disable the usage of the MTU from DHCP. Beware, you will be touching the system, and also, it will no longer update the MTU based on any DHCP.

(I'm not telling you how to get into the UTM, if you don't know... you have no business being there... better wait for the fix.)

In /var/chroot-dhcpc/etc there is a file named default.conf:

cat default.conf

interface "[<INTERFACE>]" {
    timeout 20;
    retry 60;
    script "/usr/sbin/dhcp_updown.plx";
    request subnet-mask, broadcast-address, time-offset,
            routers, domain-name, domain-name-servers, host-name,
            domain-search, nis-domain, nis-servers,
            ntp-servers, interface-mtu;
    [<HOSTNAME>]
}

"interface-mtu": if you remove that (not the following ;!!!) and take your interface down/up, your MTU can be edited by hand again in the GUI.

AND ... it will use the number you give it, not the dumb MTU value your ISP left in their equipment because they did not bother to change it.

Finally I have a UTM back up and working, and I can get back to business.
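The edit described above, removing `interface-mtu` from the `request` list without breaking the terminating `;`, is easy to get wrong by hand (a leftover `, ;` is a parse error). As an added example that is not part of the post and not Sophos code, this script rebuilds the `request` statement from its comma-separated options, so the `;` always survives whatever position the option sits in; the sample configuration is constructed to mirror the default.conf shown above, and `patch_file` keeps a `.bak` copy before rewriting.

```python
import re
from pathlib import Path

# Constructed sample mirroring the default.conf quoted in the post; <INTERFACE>
# and <HOSTNAME> are the post's own placeholders, not real values.
SAMPLE_CONF = """interface "[<INTERFACE>]" {
    timeout 20;
    retry 60;
    script "/usr/sbin/dhcp_updown.plx";
    request subnet-mask, broadcast-address, time-offset,
            routers, domain-name, domain-name-servers, host-name,
            domain-search, nis-domain, nis-servers,
            ntp-servers, interface-mtu;
    [<HOSTNAME>]
}
"""

# A `request` statement: the keyword (not part of a hyphenated name such as
# dhcp-parameter-request-list), the option list, and the closing ';'.
REQUEST_RE = re.compile(r"((?<![\w-])request(?![\w-]))(.*?)(;)", re.DOTALL)


def drop_request_option(conf: str, option: str = "interface-mtu") -> str:
    """Return `conf` with `option` removed from every `request ...;` statement.
    The list is split on commas and re-joined on one line, so no dangling
    comma is left and the terminating ';' is always kept."""
    def rebuild(m: re.Match) -> str:
        opts = [o.strip() for o in m.group(2).split(",")]
        kept = [o for o in opts if o and o != option]
        body = " " + ", ".join(kept) if kept else ""
        return f"{m.group(1)}{body}{m.group(3)}"
    return REQUEST_RE.sub(rebuild, conf)


def requested_options(conf: str) -> list:
    """Options named in the first `request` statement, for checking the edit."""
    m = REQUEST_RE.search(conf)
    return [o.strip() for o in m.group(2).split(",") if o.strip()] if m else []


def patch_file(path: str, option: str = "interface-mtu") -> bool:
    """Rewrite `path` in place after saving `path.bak`; True if it changed."""
    p = Path(path)
    original = p.read_text()
    updated = drop_request_option(original, option)
    if updated == original:
        return False
    p.with_name(p.name + ".bak").write_text(original)
    p.write_text(updated)
    return True
```

After running it, confirm with `requested_options` (or `grep -c interface-mtu`) that the option is gone and the `;` count is unchanged, then take the interface down/up as the post describes.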

  • Just experienced exactly this and wanted to add I applied 406 just in case and it did not resolve the issue (I didn't expect it to).

    Client is on Rogers in Ottawa. DHCP is handing out an MTU value of 576.

  • I am with Rogers here in Ottawa as well, and can confirm that the steps above DO indeed work as advertised.

    As for Rogers, I have opened a ticket with them last week to have this addressed, but I haven't gotten any updates of value since. I have requested escalation on the case, and filed some complaints, but I doubt this will be addressed at all anytime soon (if at all, ever). I would suggest you get your client to file a case/complaint as well, and maybe even yourself if you can, and maybe (just MAYBE), if we get enough people screaming about this they just MIGHT do something about this.

    The real problem here, in my opinion, is with the DHCP server that is handing out such tiny MTUs. An MTU of 576 seems to be a hold-over from ye ole' dial-up days... And if this, a very basic configuration, hasn't been addressed since that time, what else within that infrastructure is just as outdated? What about security? Has any of the infrastructure security been updated since then? But I digress...

  • jdmoore0883 said:

    I am with Rogers here in Ottawa as well, and can confirm that the steps above DO indeed work as advertised.

    As for Rogers, I have opened a ticket with them last week to have this addressed, but I haven't gotten any updates of value since. I have requested escalation on the case, and filed some complaints, but I doubt this will be addressed at all anytime soon (if at all, ever). I would suggest you get your client to file a case/complaint as well, and maybe even yourself if you can, and maybe (just MAYBE), if we get enough people screaming about this they just MIGHT do something about this.

    The real problem here, in my opinion, is with the DHCP server that is handing out such tiny MTUs. An MTU of 576 seems to be a hold-over from ye ole' dial-up days... And if this, a very basic configuration, hasn't been addressed since that time, what else within that infrastructure is just as outdated? What about security? Has any of the infrastructure security been updated since then? But I digress...

    I have been told there is new pricey ($$) equipment being delivered with a default MTU on the DHCP server of 576. Did not get a vendor to name and shame.

    My understanding is that Sophos did this change (NUTM-2840) on the request of Amazon EC2 customers needing jumbo frames.

    Happy you are able to put the "fix" to good use. 

    Edit: Page 3 snipe!

  • I am with Rogers as well in Toronto. I have also opened a ticket with Rogers to see if they can change their MTU settings; so far I'm not holding out much hope. I work in networking and you'd be surprised by some of the things I see in customer networks.
