DO NOT INSTALL 9.703-2!!!

Hmmm Sophos is still rolling this update to the firewalls, just got mails from several UTM's that the fw is ready for install....

Today, I can report ugly behaviour from 9.703 UTMs, high CPU usage (before during normal activities 7-15%, now always up to 55% with our SG210.

Sluggish internet access, sometimes minutes with no DNS / Web like something is "stuck"

What about system-log and fallback-logs?! ;)

You mean me looking at that?

Yes :-)

I have upgraded the devices i have in my lab, no issues at all, but I can see that others are seeing the same, I just wonder what could be wrong.

Often the system log and fallback logs are good places.

Coud you post how they look maybe?

Think many people hear are curious on what the h... is wrong with the update.

Here they are, these are from the SG210 that jumped to unusual 55% percent CPU usage, while being in lox 7%-15% range normally.
I see strange ntpd things, why is this creating interfaces all the day?

system-logfiles_20200416125538.zipfallback-logfiles_20200416125737.zip

Here they are, these are from the SG210 that jumped to unusual 55% percent CPU usage, while being in lox 7%-15% range normally.
I see strange ntpd things, why is this creating interfaces all the day?

system-logfiles_20200416125538.zipfallback-logfiles_20200416125737.zip

Definately something going on with your interfaces, mine does not have all theese:

2020:04:16-00:15:29 fw ntpd[5124]: Listen normally on 69 eth3 xxx.xxx.xxx.xxx:123
2020:04:16-00:15:29 fw ntpd[5124]: Deleting interface #68 eth3, xxx.xxx.xxx.xxx#123, interface stats: received=0, sent=0, dropped=0, active_time=32 secs
2020:04:16-00:15:29 fw ntpd[5124]: new interface(s) found: waking up resolver

What does Self monitoring show?

Selfmonitoring as of  today (complete log)

2020:04:16-10:34:39 fw selfmonng[4722]: I check Failed increment afc_running counter 1 - 3
2020:04:16-14:24:35 fw selfmonng[4722]: T Global skip state now 'ON'
2020:04:16-14:26:15 fw selfmonng[4561]: T Selfmonitor Daemon successfully started
2020:04:16-14:26:15 fw selfmonng[4561]: T Loading Selfmonitoring Checks complete  new=93 failed=0 retained=0 dropped=0
2020:04:16-14:26:30 fw selfmonng[4561]: I check Failed increment dnsresolver_running counter 1 - 3
2020:04:16-14:26:45 fw selfmonng[4561]: T read config file '/etc/selfmonng.conf'
2020:04:16-14:26:45 fw selfmonng[4561]: I check Failed increment service_monitor_running counter 1 - 3
2020:04:16-14:26:50 fw selfmonng[4561]: I check Failed increment pluto_running counter 1 - 15
2020:04:16-14:26:50 fw selfmonng[4561]: I check Failed increment starter_running counter 1 - 3

The 198.19.250.x/24 network range is linked to HA, are you using HA? if not try disable this. By default I think it is set to zeroconf.  If you could post the high availability logs it may have more details there

2020:04:16-00:00:27 fw ntpd[5124]: Listen normally on 41 eth3 198.19.250.x:123
2020:04:16-00:00:27 fw ntpd[5124]: Deleting interface #40 eth3, 198.19.250.x#123, interface stats: received=0, sent=0, dropped=0, active_time=64 secs
2020:04:16-00:00:27 fw ntpd[5124]: new interface(s) found: waking up resolver

if you cannot get to the web admin but have serial/shell access as root you can run this command to check the status and disable

cc get ha status

cc set ha status off

Hello Draco,

I know, but neither is there something configured for HA, nor is something connected to port eth3.

HA was set to "automatic", I turned to "OFF" now and watch what happens.