UTM 9 SG230: all NICs are disabled

Hi!

I own a UTM SG230 running firmware 9.702-1. Twice in one week I have found the device with all the NICs disabled, and as soon as I reboot, the device starts with the default configuration and I have to reload the license and backups.

2020:03:29-15:14:58 sg-230 dns-resolver[4807]: No change to REF_NetDnsHttpedirde :: httpredir.debian.org
2020:03:29-15:15:01 sg-230 /usr/sbin/cron[7312]: (root) CMD (/usr/local/bin/create_rrd_graphs.plx --mode daily)
2020:03:29-15:15:01 sg-230 /usr/sbin/cron[7314]: (root) CMD (   /usr/local/bin/reporter/system-reporter.pl)
2020:03:29-15:15:01 sg-230 /usr/sbin/cron[7317]: (root) CMD ( /usr/local/bin/rpmdb_backup )
2020:03:29-15:15:10 sg-230 ntpd[4478]: Deleting interface #11 reds1, 10.30.0.230#123, interface stats: received=0, sent=0, dropped=0, active_time=76604 secs
2020:03:29-15:15:10 sg-230 ntpd[4478]: Deleting interface #12 wlan0, 172.16.28.1#123, interface stats: received=0, sent=0, dropped=0, active_time=76604 secs
2020:03:29-15:15:13 sg-230 ntpd[4478]: Deleting interface #3 eth0, 10.25.0.230#123, interface stats: received=0, sent=0, dropped=0, active_time=76607 secs
2020:03:29-15:15:13 sg-230 ntpd[4478]: Deleting interface #4 eth1, 213.xx.xx.xx#123, interface stats: received=1934, sent=1938, dropped=0, active_time=76607 secs
2020:03:29-15:15:13 sg-230 ntpd[4478]: 193.234.225.67 local addr 213.xx.xx.xx -> <null>
2020:03:29-15:15:13 sg-230 ntpd[4478]: 162.159.200.1 local addr 213.xx.xx.xx -> <null>
2020:03:29-15:15:13 sg-230 ntpd[4478]: 162.159.200.123 local addr 213.xx.xx.xx -> <null>
2020:03:29-15:15:13 sg-230 ntpd[4478]: Deleting interface #5 eth1, 80.xx.xx.xx#123, interface stats: received=0, sent=0, dropped=0, active_time=76607 secs
2020:03:29-15:15:13 sg-230 ntpd[4478]: Deleting interface #6 eth1, 80.xx.xx.xx#123, interface stats: received=0, sent=0, dropped=0, active_time=76607 secs
2020:03:29-15:15:13 sg-230 ntpd[4478]: Deleting interface #7 eth1, 80.xx.xx.xx#123, interface stats: received=0, sent=0, dropped=0, active_time=76607 secs
2020:03:29-15:15:13 sg-230 ntpd[4478]: Deleting interface #8 eth1, 80.xx.xx.xx#123, interface stats: received=0, sent=0, dropped=0, active_time=76607 secs
2020:03:29-15:15:13 sg-230 ntpd[4478]: Deleting interface #9 eth1, 80.xx.xx.xx#123, interface stats: received=0, sent=0, dropped=0, active_time=76607 secs
2020:03:29-15:15:13 sg-230 ntpd[4478]: Deleting interface #10 eth5, 10.28.0.253#123, interface stats: received=0, sent=0, dropped=0, active_time=76607 secs
2020:03:29-15:15:16 sg-230 dns-resolver[7980]: starting...
2020:03:29-15:17:01 sg-230 /usr/sbin/cron[8249]: (root) CMD (  nice -n19 /usr/local/bin/gen_inline_reporting_data.plx)
2020:03:29-15:20:01 sg-230 /usr/sbin/cron[8756]: (root) CMD (   /usr/local/bin/reporter/system-reporter.pl)
2020:03:29-15:20:01 sg-230 /usr/sbin/cron[8757]: (root) CMD (/var/mdw/scripts/pmx-blocklist-update)
2020:03:29-15:22:01 sg-230 /usr/sbin/cron[9132]: (root) CMD (/sbin/audld.plx --trigger)
2020:03:29-15:25:01 sg-230 /usr/sbin/cron[9610]: (root) CMD (   /usr/local/bin/reporter/system-reporter.pl)
2020:03:29-15:30:01 sg-230 /usr/sbin/cron[10446]: (root) CMD (   /usr/local/bin/reporter/system-reporter.pl)
2020:03:29-15:30:01 sg-230 /usr/sbin/cron[10447]: (root) CMD (/usr/local/bin/create_rrd_graphs.plx --mode daily)

  • Hi Andrea,

    What did Sophos Support say about this?

    Cheers - Bob

  • In reply to BAlfson:

    to look at the system logs, since I have basic support with Sophos

    In the notifier log I see this:

    2020:03:29-14:07:35 sg-230 notifier[509]: mail notifications for INFO-154 are disabled
    2020:03:29-14:07:35 sg-230 notifier[509]: successfully processed request for notification
    2020:03:29-14:08:53 sg-230 notifier[3992]: loading config version 4487
    2020:03:29-14:10:57 sg-230 notifier[3992]: loading config version 4488
    2020:03:29-14:14:02 sg-230 notifier[3992]: loading config version 4489
    2020:03:29-14:14:03 sg-230 notifier[3992]: loading config version 4490
    2020:03:29-14:19:11 sg-230 notifier[3992]: loading config version 4491
    2020:03:29-14:20:16 sg-230 notifier[3992]: loading config version 4492
    2020:03:29-14:22:19 sg-230 notifier[3992]: loading config version 4493
    2020:03:29-14:23:20 sg-230 notifier[3992]: loading config version 4494
    2020:03:29-14:25:23 sg-230 notifier[3992]: loading config version 4495
    2020:03:29-14:25:26 sg-230 notifier[3992]: loading config version 4496
    2020:03:29-14:28:30 sg-230 notifier[3992]: loading config version 4497
    2020:03:29-14:29:32 sg-230 notifier[3992]: loading config version 4498
    2020:03:29-14:29:35 sg-230 notifier[3992]: loading config version 4499
    2020:03:29-14:31:39 sg-230 notifier[3992]: loading config version 4500
    2020:03:29-14:35:46 sg-230 notifier[3992]: loading config version 4501
    2020:03:29-14:37:49 sg-230 notifier[3992]: loading config version 4502
    2020:03:29-14:39:51 sg-230 notifier[3992]: loading config version 4503
    2020:03:29-14:39:54 sg-230 notifier[3992]: loading config version 4504
    2020:03:29-14:42:58 sg-230 notifier[3992]: loading config version 4505
    2020:03:29-14:45:01 sg-230 notifier[3992]: loading config version 4506
    2020:03:29-14:49:08 sg-230 notifier[3992]: loading config version 4508
    2020:03:29-14:53:19 sg-230 notifier[3992]: loading config version 4511
    2020:03:29-14:54:21 sg-230 notifier[3992]: loading config version 4512
    2020:03:29-14:55:24 sg-230 notifier[3992]: loading config version 4513
    2020:03:29-14:59:29 sg-230 notifier[3992]: loading config version 4514
    2020:03:29-15:01:35 sg-230 notifier[5974]: processing notification request for INFO-154
    2020:03:29-15:01:35 sg-230 notifier[5974]: mail notifications for INFO-154 are disabled
    2020:03:29-15:01:35 sg-230 notifier[5974]: successfully processed request for notification
    2020:03:29-15:03:35 sg-230 notifier[3992]: loading config version 4515
    2020:03:29-15:05:41 sg-230 notifier[3992]: loading config version 4516
    2020:03:29-15:08:45 sg-230 notifier[3992]: loading config version 4518
    2020:03:29-15:10:48 sg-230 notifier[3992]: loading config version 4519
    2020:03:29-15:12:53 sg-230 notifier[3992]: loading config version 4520
    2020:03:29-15:13:54 sg-230 notifier[3992]: loading config version 4522
    2020:03:29-15:13:56 sg-230 notifier[3992]: loading config version 4523
    2020:03:29-15:15:11 sg-230 notifier[7862]: listening on /var/run/notifier_socket
    2020:03:29-15:15:11 sg-230 notifier[7862]: listening on /var/sec/chroot-dhcpc/var/run/notifier_socket
    2020:03:29-15:15:42 sg-230 notifier[8092]: listening on /var/run/notifier_socket
    2020:03:29-15:15:42 sg-230 notifier[8092]: listening on /var/sec/chroot-dhcpc/var/run/notifier_socket
    2020:03:29-15:16:12 sg-230 notifier[8144]: listening on /var/run/notifier_socket
    2020:03:29-15:16:12 sg-230 notifier[8144]: listening on /var/sec/chroot-dhcpc/var/run/notifier_socket
    2020:03:29-15:16:42 sg-230 notifier[8214]: listening on /var/run/notifier_socket
    2020:03:29-15:16:42 sg-230 notifier[8214]: listening on /var/sec/chroot-dhcpc/var/run/notifier_socket

  • In reply to Andrea V:

    INFO-154 => "Data disk is filling up"

    What result do you get from df -h at the command line?

    Also du -shx /var/storage/* | sort -rh | head -10

    Cheers - Bob

  • In reply to BAlfson:

    Hi Bob,

    With df -h:

    sg-230:/root # df -h
    Filesystem                        Size  Used Avail Use% Mounted on
    /dev/sda6                         5.2G  3.1G  1.9G  62% /
    udev                              3.9G  104K  3.9G   1% /dev
    tmpfs                             3.9G   92K  3.9G   1% /dev/shm
    /dev/sda1                         331M   16M  295M   5% /boot
    /dev/sda5                          41G   31G  7.7G  81% /var/storage
    /dev/sda7                          54G   12G   40G  23% /var/log
    /dev/sda8                         2.5G   21M  2.3G   1% /tmp
    /dev                              3.9G  104K  3.9G   1% /var/storage/chroot-clientlessvpn/dev
    tmpfs                             3.9G     0  3.9G   0% /var/sec/chroot-httpd/dev/shm
    /dev                              3.9G  104K  3.9G   1% /var/sec/chroot-openvpn/dev
    /dev                              3.9G  104K  3.9G   1% /var/sec/chroot-ppp/dev
    /dev                              3.9G  104K  3.9G   1% /var/sec/chroot-pppoe/dev
    /dev                              3.9G  104K  3.9G   1% /var/sec/chroot-pptp/dev
    /dev                              3.9G  104K  3.9G   1% /var/sec/chroot-pptpc/dev
    /dev                              3.9G  104K  3.9G   1% /var/sec/chroot-restd/dev
    tmpfs                             3.9G     0  3.9G   0% /var/storage/chroot-reverseproxy/dev/shm
    /var/storage/chroot-smtp/spool     41G   31G  7.7G  81% /var/sec/chroot-httpd/var/spx/spool
    /var/storage/chroot-smtp/spx       41G   31G  7.7G  81% /var/sec/chroot-httpd/var/spx/public/images/spx
    tmpfs                             3.9G   96K  3.9G   1% /var/storage/chroot-smtp/tmp/ram
    /etc/nwd.d/route                  5.2G  3.1G  1.9G  62% /var/sec/chroot-ipsec/etc/nwd.d/route
    tmpfs                             3.9G     0  3.9G   0% /var/storage/chroot-http/tmp
    /var/sec/chroot-afc/var/run/navl  5.2G  3.1G  1.9G  62% /var/storage/chroot-http/var/run/navl

    With du -shx /var/storage/* | sort -rh | head -10:

    24G     /var/storage/cores
    3.3G    /var/storage/pgsql92
    3.1G    /var/storage/swapfile
    715M    /var/storage/chroot-http
    168M    /var/storage/chroot-clientlessvpn
    77M     /var/storage/chroot-smtp
    32M     /var/storage/chroot-reverseproxy
    18M     /var/storage/chroot-pop3
    4.0M    /var/storage/chroot-ftp
    36K     /var/storage/pgsql

     

    Thanks

     

    Andrea

  • In reply to Andrea V:

    Try cleaning up the core dumps if they are not needed for support; there have been issues with bad patterns. Use this article to read more about how to find and delete them :-)

    https://martinsblog.dk/sophos-utm-data-disk-filling-up-due-to-coredumps/

  • In reply to twister5800:

    Hi Martin,

    Thanks. After doing this ("/var/storage/cores and issue a “ll” command:"), the space used went from 80% to 55%.

    Now the cores folder is:

    sg-230:/var/storage/cores # ls -l  /var/storage/cores
    total 14698484
    -rw-r--r-- 1 root root   13987840 Jan 24  2019 admin-reporter..14491
    -rw-r--r-- 1 root root   12529664 Aug  5  2019 admin-reporter..15412
    -rw-r--r-- 1 root root   11796480 Mar 30 01:22 admin-reporter..776
    -rw-r--r-- 1 root root  638963712 Sep 21  2019 afcd.afcd!256.19098
    -rw-r--r-- 1 root root   55123968 Mar 17 01:58 afcd.afcd!256.5734
    -rw-r--r-- 1 root root   14901248 Sep 12  2019 aua.bin.16355
    -rw-r--r-- 1 root root   18432000 Apr 11  2019 aua.bin.21245
    -rw-r--r-- 1 root root   18206720 Mar 15  2019 aua.bin.28581
    -rw-r--r-- 1 root root   18210816 Apr  3  2019 aua.bin.3399
    -rw-r--r-- 1 root root   18087936 Aug 11  2019 aua.bin.6980
    -rw-r--r-- 1 root root   11276288 Aug 29  2018 aua_edirsync.pl.3309
    -rw-r--r-- 1 root root   18599936 Mar 30  2017 audld.plx.12066
    -rw-r--r-- 1 root root   20766720 Apr 30  2019 audld.plx.1683
    -rw-r--r-- 1 root root   20758528 Apr  3  2018 audld.plx.22678
    -rw-r--r-- 1 root root   20766720 Jan 12 16:05 audld.plx.25331
    -rw-r--r-- 1 root root   20766720 May 26  2019 audld.plx.323
    -rw-r--r-- 1 root root   26198016 Mar 20 08:44 awed.24913
    -rw-r--r-- 1 root root   30228480 Oct  2  2019 awed.5118
    -rw-r--r-- 1 root root   30261248 Mar 17 18:41 awed.5233
    -rw-r--r-- 1 root root   30109696 Mar 10 18:35 awed.5245
    -rw-r--r-- 1 root root   30109696 Apr 16 14:10 awed.7815
    -rw-r--r-- 1 root root   68423680 Apr  9 09:01 confd.plx.18390
    -rw-r--r-- 1 root root   68423680 Apr  6 12:51 confd.plx.21072
    -rw-r--r-- 1 root root   74559488 Apr  4 19:45 confd.plx.21581
    -rw-r--r-- 1 root root   68423680 Apr  1 01:44 confd.plx.5521
    -rw-r--r-- 1 root root   68423680 Apr  2 19:11 confd.plx.9671
    -rw-r--r-- 1 root root   10125312 Nov  7 16:05 create_rrd_grap.9271
    -rw-r--r-- 1 root root  246755328 Jan  1 14:20 cssd.6984
    -rw-r--r-- 1 root root  249028608 Feb 11 21:38 cssd.7498
    -rw-r--r-- 1 root root    4980736 Mar 20  2018 ftphelper.22652
    -rw-r--r-- 1 root root    4980736 Oct 23  2017 ftphelper.23686
    -rw-r--r-- 1 root root    1482752 Jul 11  2017 httpd.10866
    -rw-r--r-- 1 root root    1536000 Jun  5  2017 httpd.19993
    -rw-r--r-- 1 root root    3575808 Aug 11  2017 httpd.24148
    -rw-r--r-- 1 root root    1327104 Sep 12  2016 httpd.28146
    -rw-r--r-- 1 root root    3575808 Sep 15  2017 httpd.31669
    -rw-r--r-- 1 root root 2010050560 Mar 18 23:38 mdw.plx.19683
    -rw-r--r-- 1 root root  179195904 Mar 20 08:43 mdw.plx.23684
    -rw-r--r-- 1 root root  179212288 Mar 24 11:53 mdw.plx.28080
    -rw-r--r-- 1 root root  221007872 Apr 16 14:09 mdw.plx.4152
    -rw-r--r-- 1 root root  217612288 Mar 17 18:40 mdw.plx.4218
    -rw-r--r-- 1 root root 1130811392 Apr 16 06:40 postgres.10225
    -rw-r--r-- 1 root root 2204020736 Apr 16 11:57 postgres.17466
    -rw-r--r-- 1 root root 2204020736 Apr 16 03:42 postgres.24288
    -rw-r--r-- 1 root root 2204020736 Apr 16 10:11 postgres.4012
    -rw-r--r-- 1 root root 2204012544 Apr 16 13:48 postgres.500
    -rw-r--r-- 1 root root   12075008 Feb  6 11:36 red_server.plc.1268
    -rw-r--r-- 1 root root   12075008 Feb  6 11:36 red_server.plc.1292
    -rw-r--r-- 1 root root   12075008 Feb  6 11:42 red_server.plc.1780
    -rw-r--r-- 1 root root   12075008 Feb  6 11:24 red_server.plc.32095
    -rw-r--r-- 1 root root   12075008 Feb  6 11:25 red_server.plc.32212
    -rw-r--r-- 1 root root  146272256 Sep 20  2018 snort.2787
    -rw-r--r-- 1 root root   53133312 Sep 17  2014 ulogd.4684
    -rw-r--r-- 1 root root   81731584 May  6  2019 webadmin.plx.28068

    Thanks

    Andrea

  • In reply to Andrea V:

    You are welcome! Hope this fixes something. Please note not to install 9.703-2, as this is known to cause interface issues, for now ;)

  • In reply to Andrea V:

    Now, Andrea, try ls -l -t  /var/storage/cores and then delete anything over a month old.

    I'm concerned that you're presently getting lots of cores from PostgreSQL.  If you can't get a case open with Sophos Support, I would consider re-initializing these databases.  To re-initialize all PostgreSQL databases (deletes all graphs and data, but does not affect the logs): /etc/init.d/postgresql92 rebuild

    Please let us know your results.

    Cheers - Bob
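
The checks Bob asks for above (df -h, the biggest entries under /var/storage, ls -l -t on the cores directory, and deleting anything over a month old) can be scripted so they are repeatable before the next INFO-154 notification. The following is an added example written for this thread; it is not code from Sophos, from the linked article, or from any poster. It assumes an 80% usage threshold and a 30-day age cut-off (both picked for illustration), core file names of the form program.PID without spaces, and a find that supports -maxdepth (GNU or BSD). The cores_by_program helper totals dump sizes per daemon, which is how you see at a glance that PostgreSQL is the one dumping, the point Bob raises.

```shell
#!/bin/sh
# Added example for the UTM INFO-154 ("Data disk is filling up") triage
# discussed in this thread. Not Sophos code. Thresholds, ages and the
# core-file naming scheme (program.PID) are assumptions for illustration.

# 1. Flag mount points whose Use% exceeds a threshold.
#    Reads `df -h` output on stdin so captured output can be replayed;
#    prints "<use%> <mountpoint>" per offender and skips the header line.
over_threshold() {
    awk -v thr="$1" '
        NR > 1 && $5 ~ /%$/ {
            pct = $5; sub(/%/, "", pct)
            if (pct + 0 > thr) print pct, $6
        }'
}

# 2. Total core-dump bytes per program from `ls -l` output on stdin.
#    Strips the trailing .PID so postgres.500 and postgres.4012 are one
#    bucket; output is "<bytes> <program>", largest first.
cores_by_program() {
    awk '
        $1 ~ /^-/ {                      # regular files only; skips the "total" line
            name = $NF                   # assumes names contain no spaces
            sub(/\.[0-9]+$/, "", name)   # postgres.17466 -> postgres
            bytes[name] += $5
        }
        END { for (n in bytes) printf "%.0f %s\n", bytes[n], n }
    ' | sort -rn
}

# 3. List core files older than N days. Lists only; never deletes.
stale_cores() {
    find "$1" -maxdepth 1 -type f -mtime +"$2" | sort
}

# 4. Delete what stale_cores lists, except names matching an optional keep
#    pattern (for example a core you attached to an open support case).
purge_stale_cores() {
    dir=$1; days=$2; keep=${3:-'^$'}
    stale_cores "$dir" "$days" | grep -Ev -- "$keep" | while IFS= read -r f; do
        rm -f -- "$f" && printf 'removed %s\n' "$f"
    done
}

# Run on the appliance as:  sh triage.sh /var/storage/cores 30
# Nothing is deleted until you call purge_stale_cores yourself.
if [ $# -ge 1 ]; then
    df -h | over_threshold 80
    ls -l "$1" | cores_by_program | head -n 5
    stale_cores "$1" "${2:-30}"
fi
```

Run it with the cores directory as the first argument to get the three reports; pass a keep pattern to purge_stale_cores (for example purge_stale_cores /var/storage/cores 30 'postgres') to delete everything old except the dumps you still want to hand to support.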

  • In reply to BAlfson:

    Hi Bob,

    ls -l -t /var/storage/cores gives this:

    -rw-r--r-- 1 root root   30109696 Mar 10 18:35 awed.5245
    -rw-r--r-- 1 root root  249028608 Feb 11 21:38 cssd.7498
    -rw-r--r-- 1 root root   12075008 Feb  6 11:42 red_server.plc.1780
    -rw-r--r-- 1 root root   12075008 Feb  6 11:36 red_server.plc.1292
    -rw-r--r-- 1 root root   12075008 Feb  6 11:36 red_server.plc.1268
    -rw-r--r-- 1 root root   12075008 Feb  6 11:25 red_server.plc.32212
    -rw-r--r-- 1 root root   12075008 Feb  6 11:24 red_server.plc.32095
    -rw-r--r-- 1 root root   20766720 Jan 12 16:05 audld.plx.25331
    -rw-r--r-- 1 root root  246755328 Jan  1 14:20 cssd.6984
    -rw-r--r-- 1 root root   10125312 Nov  7 16:05 create_rrd_grap.9271
    -rw-r--r-- 1 root root   30228480 Oct  2  2019 awed.5118
    -rw-r--r-- 1 root root  638963712 Sep 21  2019 afcd.afcd!256.19098
    -rw-r--r-- 1 root root   14901248 Sep 12  2019 aua.bin.16355
    -rw-r--r-- 1 root root   18087936 Aug 11  2019 aua.bin.6980
    -rw-r--r-- 1 root root   12529664 Aug  5  2019 admin-reporter..15412
    -rw-r--r-- 1 root root   20766720 May 26  2019 audld.plx.323
    -rw-r--r-- 1 root root   81731584 May  6  2019 webadmin.plx.28068
    -rw-r--r-- 1 root root   20766720 Apr 30  2019 audld.plx.1683
    -rw-r--r-- 1 root root   18432000 Apr 11  2019 aua.bin.21245
    -rw-r--r-- 1 root root   18210816 Apr  3  2019 aua.bin.3399
    -rw-r--r-- 1 root root   18206720 Mar 15  2019 aua.bin.28581
    -rw-r--r-- 1 root root   13987840 Jan 24  2019 admin-reporter..14491
    -rw-r--r-- 1 root root  146272256 Sep 20  2018 snort.2787
    -rw-r--r-- 1 root root   11276288 Aug 29  2018 aua_edirsync.pl.3309
    -rw-r--r-- 1 root root   20758528 Apr  3  2018 audld.plx.22678
    -rw-r--r-- 1 root root    4980736 Mar 20  2018 ftphelper.22652
    -rw-r--r-- 1 root root    4980736 Oct 23  2017 ftphelper.23686
    -rw-r--r-- 1 root root    3575808 Sep 15  2017 httpd.31669
    -rw-r--r-- 1 root root    3575808 Aug 11  2017 httpd.24148
    -rw-r--r-- 1 root root    1482752 Jul 11  2017 httpd.10866
    -rw-r--r-- 1 root root    1536000 Jun  5  2017 httpd.19993
    -rw-r--r-- 1 root root   18599936 Mar 30  2017 audld.plx.12066
    -rw-r--r-- 1 root root    1327104 Sep 12  2016 httpd.28146
    -rw-r--r-- 1 root root   53133312 Sep 17  2014 ulogd.4684

    So, can I delete all these files?

    With the command /etc/init.d/postgresql92 rebuild, does the configuration remain? I am not interested in historical data.

    Thanks

    Andrea


  • In reply to Andrea V:

    Yes, Andrea, I would delete all of those since you don't have a case open with Sophos Support relative to any of them.

    The rebuild only affects the PostgreSQL databases and affects neither the logs nor the configuration.

    Cheers - Bob