XG125 100% CPU USAGE

Hello,

I have an issue on an XG125. Every morning between 9:00 AM and 10:00 AM the CPU usage goes to 100%. I connected to the appliance over SSH and checked with the "top" command to see which process was using 100% of the CPU, and it is the AVD process. Then, when I restart the Anti-Virus service from the appliance, the CPU usage comes back to normal.

The problem happens every morning and it's very critical, because when the CPU usage is at 100%, the IPsec VPN between this XG125 and another XG210 is not stable and 60 people cannot work properly.

I opened a support case (here is the number: 8451452) and they asked me to back up the appliance and reset to factory defaults... But I cannot accept this answer, because this is a production firewall and it is at a remote site 500 km away, so I cannot go on site just to test whether a factory reset will do something; the boss won't accept spending money on a 500 km trip just to do a factory reset because the ~$2000 firewall he bought needs a reset...

Currently I have completely disabled the "SCAN HTTP" feature on the rules, to test whether the CPU will reach 100% again tomorrow morning or not.

If anyone has an idea...

Thank you for your help.
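The check described in the post above (run `top` over SSH and find the process pinning the CPU) can be scripted so that a cron or at job captures the 9-10 AM spike without anyone watching an interactive session. The script below is an added example, not code from the original post and not a Sophos tool. It assumes procps-style `top -b -n 1` batch output with a header row starting with `PID` that contains `%CPU` and `COMMAND` columns; the sample snapshot is constructed, and the real appliance's column layout may differ, which is why the columns are located by header name rather than by position.

```shell
#!/bin/sh
# Added example (not from the original post): parse a `top -b -n 1` snapshot
# and report the processes pinning the CPU.
#
# Assumptions: procps-style batch output with a header row whose first field is
# "PID" and which contains "%CPU" and "COMMAND" columns. SAMPLE_TOP below is a
# constructed snapshot, not real appliance output.

SAMPLE_TOP='top - 09:15:02 up 12 days,  3:41,  1 user,  load average: 2.10, 1.85, 1.20
Tasks: 120 total,   2 running, 118 sleeping,   0 stopped,   0 zombie
%Cpu(s): 98.2 us,  1.5 sy,  0.0 ni,  0.3 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st

  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
 1234 root      20   0  512340 120004   8004 R  99.7  6.1  12:34.56 avd
 2345 root      20   0   98760  12340   6004 S   1.3  0.6   0:12.34 sshd
 3456 root      20   0   45000   9000   4000 S   0.0  0.4   0:01.00 top'

# hot_processes THRESHOLD
#   Reads top output on stdin; prints "COMMAND %CPU" for every process at or
#   above THRESHOLD percent, one per line, in the order top listed them.
hot_processes() {
    awk -v thr="$1" '
        # The header row tells us which columns hold %CPU and COMMAND, so the
        # script does not depend on a fixed column position.
        $1 == "PID" {
            for (i = 1; i <= NF; i++) {
                if ($i == "%CPU") cpu = i
                if ($i == "COMMAND") cmd = i
            }
            in_table = 1
            next
        }
        # Rows after the header are processes; compare %CPU numerically.
        in_table && cpu && cmd && ($cpu + 0) >= (thr + 0) { print $cmd, $cpu }
    '
}

# top_consumer
#   Reads top output on stdin; prints the single process with the highest %CPU.
top_consumer() {
    hot_processes 0 | sort -k2 -n -r | head -n 1
}

# cpu_pinned THRESHOLD
#   Exit status 0 if any process is at or above THRESHOLD percent, 1 otherwise.
#   Suitable as the condition in a cron job that logs or alerts.
cpu_pinned() {
    [ -n "$(hot_processes "$1")" ]
}

# Usage on the constructed sample. On the appliance, replace the printf with:
#   top -b -n 1 | hot_processes 90
printf '%s\n' "$SAMPLE_TOP" | hot_processes 90
```

Scheduling `top -b -n 1 | hot_processes 90 >> /tmp/cpu-spike.log` (path chosen here as an example) every minute during the affected window gives a timestamped record of which process was hot, which is the kind of evidence a support case can act on.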

  • Hi

    Apologies for this negative experience; I will follow up with your support case accordingly.

    Regards,

  • In reply to FloSupport:

    Hi

    Thank you.

    As additional information, this morning the CPU usage is normal (in my opinion this is because I disabled SCAN HTTP in the firewall rules).

    Regards.

  • In reply to VikenNajarian:

    Hi Viken,

    What are your configured settings for Malware and Content Scanning? (Protect > Web > General Settings)

    Would it be possible to share a screenshot of these settings (with the advanced settings tab expanded)?

    Thanks,

  • In reply to FloSupport:

    Hi

    Here is the screenshot:

    The settings are the same on the 10 other XGs I manage, and the issue is happening only on the XG125.

    Thank you for your help.

  • In reply to VikenNajarian:

    Hi Viken,

    Thanks for following up.

    For troubleshooting, could you try switching your scan engine to Avira and then re-enabling Scan HTTP on your firewall rule to test if the issue still occurs?

    Regards,

  • In reply to FloSupport:

    Hi

    Sorry I didn't mention it, but I already tried switching the engine to Avira and then re-enabled Scan HTTP for 24 hours, but the problem was still the same the next morning.

    This is why I completely disabled Scan HTTP on the firewall rules.

    Thank you

    Regards,

  • In reply to VikenNajarian:

    Hello,

    Just an update: I obtained an RMA replacement unit from Sophos Support to replace the defective XG125.

    I will replace it soon and I hope it will resolve my issue.

    Thank you for your help.

  • In reply to VikenNajarian:

    Hello,

    Did the replacement unit fix your problem?

    Or did you find another solution?

    Regards, Philipp

  • In reply to PhilippD:

    Hello

    I received the replacement unit, reconfigured it, and sent it back to the customer; they have not received it yet.

    They should receive it today or tomorrow, and then I can tell whether the replacement unit resolved the problem.

    Regards,

  • In reply to VikenNajarian:

    Hi VikenNajarian, did replacing the unit fix the issue?

  • In reply to PaulSof:

    Hi

    Yes the replacement of the unit fixed the issue.

  • In reply to VikenNajarian:

    A question anyway, even if the replacement solved your issue: is there a reason why you are using realtime scan instead of batch scan?

    Realtime scan is less capable for malware analysis than batch mode (where the AV sees the whole file in one piece), and you also don't get block messages on malicious events, no sandboxing is possible in realtime mode, etc. Even if this mode might slightly lower delays when loading web pages/web content, I personally would never recommend that setting and therefore disagree with the Sophos KBA on that matter:

    Sophos XG Firewall: What is Batch Mode and Real Mode in Malware Scanning?

    (My personal) recommendation: prefer batch in every scenario, unless you really get into performance trouble due to web proxy AV scanning lagginess, or if it's an uncritical network where very basic, pure-signature AV capabilities are sufficient.

    In every other case ==> Batch Scanning Mode

  • In reply to SaschaParis:

    Hello,

    100% of the Sophos XG units I'm managing (~25) are configured in batch mode.

    In the screenshot provided in this post, you can see realtime because it was for testing purposes, to test whether the CPU was less used.

    But once the replacement unit was switched on, I set batch mode back :)

  • We have this across the board with AVD. 105s, 135s, it doesn't seem to matter.

  • In reply to HaydenKirk:

    Hi

    Apologies to hear about this issue. Have you already opened a support case with our team for further investigation? If so, please PM me with your details so I can follow up accordingly.

    Regards,