Low MTU Issue on Sophos UTM

If you know me, you know that I am one who likes to apply the latest firmware or software updates to my equipment at home. I hate looking at my consoles and seeing that there is an update waiting to be applied. Well, this finally bit me at home about a month ago. If you saw my other post, you know that I use Sophos UTM Home Edition as my firewall of choice at home. I have been using it for close to a year now. For the entire time that I have been using UTM I have been applying the firmware updates as soon as I see them available in the WebAdmin, and not once have I had a problem. That is, until version 9.405-5.

Like any other update, I applied it like normal and everything appeared happy and functioning. Then came the day of the Battlefield 1 demo for the Xbox One. I was geared up to play this demo all day at work. I got home, ate dinner with the family and put the kids to bed. Finally, it was time to play. I jumped on, created a party and let my buddy know that I was online. He jumped online and attempted to join the party. Next thing you know I get the message “your network settings are blocking party chat”. We attempted to create the party a few more times unsuccessfully. At this point I was puzzled and angry. This was starting to cut into my game time.

It had been a while since I last checked my NAT on the Xbox, so I decided to go there and check what my NAT type was. I went to the Home screen, then chose Settings > All Settings > Network > Network Settings. Sure enough, right there on my screen was my NAT type, still showing Open. So now what? I figured maybe that was a false reading, so why not run the test manually and see what happens. I went ahead and clicked on “Test Network Connection” located on the right-hand side of the screen. The test took 10 – 15 seconds to run (it felt longer than that when it was chewing into my limited gaming time) and came back with all tests passed. So I went back to the Home screen, created a new party and had my buddy join, and again I received the message that my network settings were blocking party chat. At this point I was really frustrated. I figured why not try to join a game and see what happens, so I launched the Battlefield 1 demo and attempted to join a match. To my surprise I was able to join and play a round without any issue. Now I was wondering if maybe there were issues with the Xbox Live services, so I jumped on my phone and went to check the Xbox Live Status. Unfortunately, everything was showing normal. So I decided to jump into the UTM WebAdmin and check the firewall logs. While watching the live log feed I could see myself connecting to Xbox Live successfully without anything being blocked. At this point it was late and I was tired, so as much as it pained me to leave something not working, I had to walk away.

The next night I attempted to jump online with my friend, hoping that everything had magically resolved itself, and to my disappointment the same thing was happening. This time, after I went and tested my network connection on my Xbox, I noticed another test to run called “Test Multiplayer Connection”. I gave this a shot expecting it to succeed just like the network tests had been. To my surprise the multiplayer test failed and returned the message “There’s an MTU problem”, showing that I had an MTU of 576. I thought that was odd because I knew I had my MTU set to 1500 on my WAN interface within UTM. I proceeded to log into UTM to verify that this had not changed for some reason. After logging into the WebAdmin I went to Interfaces & Routing > Interfaces and took a look at the External (WAN) connection, and it was showing an MTU of 1500. At this point I thought of the good ole saying “When all else fails, reboot!” So that is exactly what I did. I started by rebooting my cable modem, then my firewall and finally my Xbox. I then ran through both the network test and the multiplayer test and received the same results: the network tests passed and the multiplayer test failed with the MTU error. At this point I figured I should start ruling out equipment, so I went to the basement, unplugged my cable modem, brought it upstairs and hooked it directly to my Xbox. Once the modem was fully booted, I started up my Xbox and headed over to the networking section to start running the tests again. I ran the network test and the multiplayer test and they both passed. I jumped into a party chat and called up my friend to see if he could join really quick to test. He was able to join successfully and we were able to chat and stay connected without a problem. So at this point the problem pointed to either my firewall or my switch. Well, I knew I hadn’t made any changes to my switch in months, so that left me with my firewall.

On the third night I began combing through my firewall configs. I started looking at my NAT rules and my firewall rules to make sure they were configured the way I had left them. I decided to start disabling features to see if anything I had enabled had started affecting the Xbox. (I plan on covering my favorite features of UTM in a later post.) Even though I have exceptions created for my Xbox, I figured this was a good place to start. I began by disabling the Web Filtering feature. No change; the multiplayer tests were still failing. Next I disabled the Advanced Threat Protection feature and tested again. No change. Lastly, I disabled the Intrusion Prevention feature. And again, no change. The multiplayer tests continued to fail, and now a new issue cropped up. My daughter likes to stream Netflix from my Xbox after dinner for a few minutes before bed. She was now unable to stream anything from the Xbox. At this point I was thinking that I had made things worse by messing around in the configs; however, I was puzzled as to why my other devices were able to stream Netflix just fine. I figured it was best to roll back to a previous day’s backup where I knew Netflix had been working. Luckily that did fix Netflix; however, I did notice that it was taking a much longer time to cache the movies before they began to play. I decided to try to stream a video outside of Netflix to see how that performed. I was able to stream a movie from my Plex server without an issue, so now I needed to find a way to stream a video from the internet on my Xbox. I went to the help section and found a video about the new features from the latest Xbox update. When I went to stream this video something very interesting happened. The video would only play for 3 seconds, then stop and cache, then play for another 3 seconds and cache, and it kept going like that. At this point I was puzzled as to how to proceed.

Prior to using UTM as my firewall I was using pfSense and had been using it successfully for years. I decided to stand up a pfSense install on a spare PC that I had lying around and put it in place of my UTM server to see what happened. Luckily nobody was home that night, so I was able to take the internet down without any complaints to put the pfSense server in. After placing the pfSense server in line I went upstairs to begin testing my Xbox. I power-cycled my Xbox, logged in, went to the network settings and began the same round of testing that I had been doing. To both my joy and disappointment, all the tests passed. I again called up my friend to test out the party chat, so we jumped into a party and everything connected and worked just fine. I was not satisfied with this solution, though. I want to use UTM as my firewall solution.

The next day at work I began to scour the internet for solutions. I had not realized that ISPs are notorious for handing out low MTUs, and it just so happens that those low MTUs are exactly 576. I still didn’t understand why my MTU was showing as 1500 in the Sophos WebAdmin console while my Xbox was reporting my MTU as 576. Once I Googled “UTM 9405-5 low mtu” the search returned exactly what I was looking for. The first result linked to a forum post on Sophos’ site referencing this exact problem, and within this post was a workaround. Apparently in version 9.405-5 Sophos made a change so that if your ISP handed out an MTU when your modem requested a DHCP address, it would override the MTU that you specified and go with what the ISP handed out, which just so happens to be the low MTU of 576. The workaround for this was to either reinstall your UTM to a version lower than 9.405-5 or modify a file on the server to remove the new MTU option that was introduced. Here is the process that you have to go through to modify the default.conf file and remove the changed MTU option.
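The override described above rides on a standard DHCP mechanism: a DHCP server can include option 26 (Interface MTU, RFC 2132) in its offer, and a client that honors the option sets the link MTU to whatever the server sent, regardless of what the administrator configured. The following is an added example, not code from this post or from Sophos UTM: it builds a constructed DHCPOFFER (documentation-range addresses, a made-up transaction id), decodes its options, pulls out the offered MTU and then applies the two policies the post contrasts, honoring the ISP's value (the 9.405-5 behaviour) versus keeping the configured one (the effect of the fix). The `low_mtu_warning` flag is the condition worth alerting on, since a silently shrunk WAN MTU is exactly what the Xbox multiplayer test caught.

```python
"""Decode DHCP options and show how an ISP-supplied Interface MTU displaces a configured one.

Added example for this post; it is not code from the post or from Sophos UTM.
The DHCPOFFER below is constructed for the demo (addresses from the 192.0.2.0/24
documentation range, a made-up transaction id). Option numbers follow RFC 2132.
"""
import struct

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the options field
OPT_PAD = 0
OPT_SUBNET_MASK = 1
OPT_ROUTER = 3
OPT_INTERFACE_MTU = 26                    # RFC 2132 section 5.1, 2-byte value
OPT_LEASE_TIME = 51
OPT_MESSAGE_TYPE = 53
OPT_END = 255
DHCPOFFER = 2

IPV4_MIN_MTU = 576     # the value the ISP in the post handed out
ETHERNET_MTU = 1500    # the value configured on the WAN interface in WebAdmin


def build_dhcp_offer(interface_mtu=None, xid=0x3903F326):
    """Return a constructed DHCPOFFER; option 26 is included only if interface_mtu is given."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0,                   # op=BOOTREPLY, htype=Ethernet, hlen=6, hops=0
        xid, 0, 0,                    # transaction id, secs, flags
        b"\x00" * 4,                  # ciaddr
        bytes([192, 0, 2, 10]),       # yiaddr: the address being offered
        bytes([192, 0, 2, 1]),        # siaddr
        b"\x00" * 4,                  # giaddr
        b"\x00" * 16,                 # chaddr (client MAC, zeroed for the demo)
        b"\x00" * 64, b"\x00" * 128,  # sname, file
    )
    options = DHCP_MAGIC_COOKIE
    options += bytes([OPT_MESSAGE_TYPE, 1, DHCPOFFER])
    options += bytes([OPT_SUBNET_MASK, 4, 255, 255, 255, 0])
    options += bytes([OPT_ROUTER, 4, 192, 0, 2, 1])
    options += bytes([OPT_LEASE_TIME, 4]) + struct.pack("!I", 86400)
    if interface_mtu is not None:
        options += bytes([OPT_INTERFACE_MTU, 2]) + struct.pack("!H", interface_mtu)
    options += bytes([OPT_END])
    return header + options


def parse_dhcp_options(message):
    """Return {option_code: value_bytes} from a BOOTP/DHCP message (fixed header + options)."""
    if len(message) < 240 or message[236:240] != DHCP_MAGIC_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    options = {}
    i = 240
    while i < len(message):
        code = message[i]
        if code == OPT_PAD:           # single-byte padding, no length field
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(message):
            raise ValueError("truncated option header")
        length = message[i + 1]
        value = message[i + 2:i + 2 + length]
        if len(value) != length:      # a malformed offer must not crash the client
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return options


def offered_mtu(options):
    """Decode option 26 if present; None if the server did not send one."""
    raw = options.get(OPT_INTERFACE_MTU)
    if raw is None:
        return None
    if len(raw) != 2:
        raise ValueError("Interface MTU option must be exactly 2 bytes")
    return struct.unpack("!H", raw)[0]


def evaluate_offer(message, configured_mtu=ETHERNET_MTU, honor_isp_mtu=True):
    """Decide the effective MTU for the interface.

    honor_isp_mtu=True  mirrors the 9.405-5 behaviour the post describes: a
                        server-supplied MTU replaces the configured one.
    honor_isp_mtu=False mirrors the fix (auto discovery off): the configured value stays.
    """
    offered = offered_mtu(parse_dhcp_options(message))
    effective = offered if (honor_isp_mtu and offered is not None) else configured_mtu
    return {
        "offered_mtu": offered,
        "effective_mtu": effective,
        # worth alerting on: the link just became smaller than the admin intended
        "low_mtu_warning": effective < configured_mtu,
    }


if __name__ == "__main__":
    offer = build_dhcp_offer(interface_mtu=IPV4_MIN_MTU)
    for honor in (True, False):
        print(f"honor_isp_mtu={honor}: {evaluate_offer(offer, honor_isp_mtu=honor)}")
```

Run it directly to see the two outcomes side by side for an offer carrying MTU 576. The parser deliberately rejects truncated options rather than reading past the buffer; on a real client that is the difference between a bad lease and a crash.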

First, log into the UTM server’s shell console using the root login.

Now change to the directory that houses the default.conf file:

If you less the default.conf file by typing:

You should see something similar to:

The important line here is the line:

Now let’s modify the default.conf file and make the changes that will fix this MTU issue:

Change the line to:

Then save the file.

At this point you could just take your WAN interface down and back up again, but I always like to reboot. If taking the interface down and up doesn’t work, try giving the server a reboot.

After making this change I put Sophos back in line and, lo and behold, everything worked just fine. Personally, I didn’t like this as a fix for my system. So what I did was log into the Sophos WebAdmin and download a copy of all of my config backups dating back to when I first stood up the system. I then reinstalled Sophos UTM to the original version that I had saved, which was version 9.356-3. I then browsed to the Sophos Up2Date repository and downloaded the manual Up2Date files to get my UTM box to version 9.404-5, which was the version on my config backups right before version 9.405-5.

A few days after I had fixed my UTM server, a coworker updated his UTM server firmware to version 9.405-5, and the next day his Vonage service began failing. I pointed him to the fix above; he was able to implement it successfully and his Vonage service returned to normal.

Sophos has acknowledged the issue and began working on a fix ([NUTM-4992]: [Network] Unitymedia / KabelBW customer getting always the MTU 576). This fix was included in version 9.407-3. I have not personally applied this firmware yet. Sophos is still defaulting to the MTU issued by the ISP; however, you can change the default behavior via the command shell.

I did find a very helpful post on the Sophos forum that walks you through how to disable the MTU auto discovery feature that was introduced in version 9.407-3. I have not personally tried this fix, but it appears many people have had success with it, so I figured it was worth sharing:

When you type cc and press enter you will enter kind of a second shell. Inside that shell you will type those commands twister5800 provided. I’ll try to explain a bit further to you:

You will get an output like:

This means you are inside the cc shell.

Now it gets a little tricky. Most setups which have this issue use an ethernet type WAN, so:

Here you will have to “select” your WAN interface. To do that:

type REF_ (this is case sensitive) and press [TAB] two times. It should list all your ethernet type interfaces, like this:

On a default configuration system, it should look exactly like this, but don’t worry if it doesn’t. From those lines, look for the one that contains something like “REF_IntEthExternaWan” or the name of your WAN interface. After you locate the name of your WAN interface in the list, type the rest of the object name (case sensitive). To avoid any typos, you can copy and paste the rest of the object name after REF_.

For example, provided that your WAN interface is using the default name, you should then complete REF_ with:

That will autocomplete the name for your WAN interface. Then, press [ENTER] again.

You should get an output like this:

If you do, you are on the right track. Then type:

You will get the same output as before, but mind the subtle change on ‘mtu_auto_discovery’ line, that should now be 0.

To save, type

this will save your configuration.

this will return to the shell.

After that, fix the MTU in Webadmin and it should not revert to 576 anymore.

Let me know how it goes.

Regards – Giovani

Here is a link to the page that contains the post from Giovani: https://community.sophos.com/products/unified-threat-management/f/hardware-installation-up2date-licensing/80641/sophos-utm-9-407-3-released#pi2132219853=2
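Both procedures on this page (editing default.conf and then bouncing the WAN interface, or turning off mtu_auto_discovery in the cc shell and re-setting the MTU in WebAdmin) end with "it should not revert to 576 anymore", and the only evidence for that so far is the Xbox's own multiplayer test. The following is an added example, not from this post, from Giovani's post or from Sophos: it measures the effective path MTU from any Linux host behind the firewall by binary searching over Don't-Fragment pings, so you can confirm the fix without a console. It assumes iputils `ping` on Linux (`-M do` sets the DF bit, `-s` sets the ICMP payload size); the `simulated_path` probe is a constructed stand-in for the network so the search logic runs offline.

```python
"""Measure the effective path MTU with Don't-Fragment pings, found by binary search.

Added example, not from the post, from Sophos or from Microsoft. If the WAN link
were still clamped, the largest DF ping that gets through would be 576 bytes,
the value the Xbox reported. Assumes Linux iputils `ping` (-M do sets the DF bit,
-s sets the ICMP payload size); `simulated_path` is constructed for offline use.
"""
import subprocess
import sys

IP_HEADER = 20     # IPv4 header without options
ICMP_HEADER = 8    # ICMP echo header
IPV4_MIN_MTU = 576
ETHERNET_MTU = 1500


def payload_for_mtu(mtu):
    """ICMP payload size that makes the whole IP packet exactly `mtu` bytes."""
    return mtu - IP_HEADER - ICMP_HEADER


def ping_probe(host, mtu, timeout=2):
    """True if a DF-flagged echo of total size `mtu` is answered (iputils ping on Linux).

    ping exits non-zero both when the packet is dropped silently and when a router
    answers with ICMP 'fragmentation needed', so either case counts as a failed probe.
    """
    cmd = ["ping", "-c", "1", "-W", str(timeout), "-M", "do",
           "-s", str(payload_for_mtu(mtu)), host]
    result = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def find_path_mtu(probe, lo=IPV4_MIN_MTU, hi=ETHERNET_MTU):
    """Largest size in [lo, hi] for which probe(size) succeeds, found by binary search.

    Returns None if even `lo` fails (the path is broken, not merely clamped).
    About 10 probes cover the 576..1500 range instead of one per candidate size.
    """
    if not probe(lo):
        return None
    if probe(hi):
        return hi
    # Invariant: probe(lo) succeeded, probe(hi) failed.
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo


def simulated_path(limit):
    """Constructed stand-in for the network: packets up to `limit` bytes pass, larger ones are dropped."""
    return lambda size: size <= limit


def mtu_is_clamped(found, expected=ETHERNET_MTU):
    """True when the measured path MTU is below what the WAN interface is configured for."""
    return found is not None and found < expected


if __name__ == "__main__":
    # usage: python pmtu_check.py <host>   (a host on the far side of the firewall)
    target = sys.argv[1]
    found = find_path_mtu(lambda size: ping_probe(target, size))
    print(f"path MTU to {target}: {found}; clamped below {ETHERNET_MTU}: {mtu_is_clamped(found)}")
```

Run it against a host on the far side of the firewall before and after the change; a result of 576 reproduces what the Xbox reported, and 1500 (or 1492 on a PPPoE link) means the configured WAN MTU is in effect again. Pick a host that answers ping, and keep in mind that a DF probe measures the smallest link on the whole path, not only your WAN interface.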

I am undecided whether I am going to apply the fix in version 9.407-3 or not. I am leaning towards holding off until the next firmware version to see if there is any chance that this can be controlled via the WebAdmin. Feel free to leave a comment in the comments section and let me know if you applied the solution from version 9.407-3 successfully.
