
IPS Service dies on XG v18 MR-1

IPS Service is dying after the update for XG v18 MR-1.

WAF is also probably dying because IPS is being applied on it. Here's the beginning of "/log/ips.log" after all connections have been killed.

 

1586902886.845310582 [ 9137/0x0] [nsg_web_config_reload.c:88:process_sig_event] [4081] signal: Real-time signal 21
1586902886.845310293 [ 9121/0x0] [nsg_web_config_reload.c:88:process_sig_event] [4081] signal: Real-time signal 21
1586902886.845316596 [ 9138/0x0] [nsg_web_config_reload.c:88:process_sig_event] [4081] signal: Real-time signal 21
1586902886.845320241 [ 9126/0x0] [nsg_web_config_reload.c:88:process_sig_event] [4081] signal: Real-time signal 21
1586903047.082146178 [ 9090/0x890600000041] [nsg_tcphold.c:308:process_event] Could not find session for key and unique_id.
1586903047.346668302 [ 9092/0x41810000018c] [nsg.c:1176:parser_context_resp_begin_cb] Response came before request was completed.
1586903230.759421809 [ 9092/0x0] [nsg_nse_policy.c:1350:__nsg_error] 10.0.10.10:57002 to ##.##.###.###:443: Error from nse: NSE:Handshake [0xba00057a;code:122;sub:5] Unknown session
1586903843.823450387 [ 9092/0x60e00000016c] [nsg_tcphold.c:308:process_event] Could not find session for key and unique_id.
1586903843.846625245 [ 9091/0x61080000016f] [nsg_tcphold.c:308:process_event] Could not find session for key and unique_id.
1586903845.196061403 [ 9092/0x48e80000037d] [nsg_tcphold.c:308:process_event] Could not find session for key and unique_id.
1586903869.914184083 [ 9091/0x48f600000375] [nsg_tcphold.c:308:process_event] Could not find session for key and unique_id.
1586903901.459425907 [ 9092/0x0] [nsg_nse_policy.c:1350:__nsg_error] 10.0.10.10:57412 to ##.##.###.###:443: Error from nse: NSE:Handshake [0xba00057a;code:122;sub:5] Unknown session
1586903959.142346989 [ 9093/0x0] [nsg_nse_policy.c:1350:__nsg_error] 10.0.10.10:57466 to ##.##.###.###:443: Error from nse: NSE:Handshake [0xba00057a;code:122;sub:5] Unknown session
1586904068.400227064 [ 9091/0x41ab0000018e] [nsg_tcphold.c:308:process_event] Could not find session for key and unique_id.
1586904068.407805989 [ 9092/0x41af00000184] [nsg_tcphold.c:308:process_event] Could not find session for key and unique_id.
1586904080.828629767 [ 9090/0x62ae00000343] [nsg_tcphold.c:308:process_event] Could not find session for key and unique_id.
1586904265.239423372 [ 9092/0x0] [nsg_nse_policy.c:1350:__nsg_error] 10.0.10.10:57890 to ##.##.###.###:443: Error from nse: NSE:Handshake [0xba00057a;code:122;sub:5] Unknown session
1586904312.659039913 [ 9092/0x0] [nsg_nse_policy.c:1350:__nsg_error] 10.0.10.10:33984 to ###.###.##.###:443: Error from nse: NSE:Stream [0xbe00683e;code:62;sub:104] Flow reset
1586904312.659240759 [ 9092/0x0] [nsg_tcphold.c:1482:tcp_hold_process_control] Failed to get tcp_hold_session ssnptr 0x17518c90 (hold_state: 3).
1586904535.511781119 [ 9090/0x0] [nsg_nse_policy.c:1350:__nsg_error] 10.0.10.10:58230 to ##.##.###.###:443: Error from nse: NSE:Handshake [0xba00057a;code:122;sub:5] Unknown session
1586904707.701313271 [ 9092/0x0] [nsg_nse_policy.c:1330:__nsg_error] 10.0.1.201:42570 to ##.###.###.##:443: Error from nse: NSE:Internal [0xb0000582;code:130;sub:5] Flow timeout
[Apr 14 19:51:47 :9092]:Error reading session data,status -1
[Apr 14 19:51:47 :9092]:failed to get sessiontbl data for session id 771 rev 60623 pkt_len 0 datalink_type 228 direction 0 daq_source 2 is_tcp 0 nseid 0 is_ssl_non_app_appdata 0, dropping packet
[Apr 14 19:51:47 :9092]:Error reading session data,status -1
[Apr 14 19:51:47 :9092]:failed to get sessiontbl data for session id 771 rev 60623 pkt_len 0 datalink_type 228 direction 0 daq_source 2 is_tcp 0 nseid 0 is_ssl_non_app_appdata 0, dropping packet
1586904899.400748638 [ 9091/0x0] [nsg_nse_policy.c:1350:__nsg_error] 10.0.10.10:58590 to ##.##.###.###:443: Error from nse: NSE:Handshake [0xba00057a;code:122;sub:5] Unknown session
1586905055.892352305 [ 9093/0x0] [nsg_nse_policy.c:1350:__nsg_error] 10.0.10.10:58664 to ##.##.###.###:443: Error from nse: NSE:Handshake [0xba00057a;code:122;sub:5] Unknown session
1586905343.199420885 [ 9092/0x0] [nsg_nse_policy.c:1350:__nsg_error] 10.0.10.10:58828 to ##.##.###.###:443: Error from nse: NSE:Handshake [0xba00057a;code:122;sub:5] Unknown session


[Apr 14 20:03:37 :9092]:Error reading session data,status -1
[Apr 14 20:03:37 :9092]:failed to get sessiontbl data for session id 388 rev 16861 pkt_len 0 datalink_type 228 direction 0 daq_source 2 is_tcp 0 nseid 0 is_ssl_non_app_appdata 0, dropping packet
[Apr 14 20:03:37 :9092]:Error reading session data,status -1
[Apr 14 20:03:37 :9092]:failed to get sessiontbl data for session id 388 rev 16861 pkt_len 0 datalink_type 228 direction 0 daq_source 2 is_tcp 0 nseid 0 is_ssl_non_app_appdata 0, dropping packet
[Apr 14 20:03:37 :9092]:Error reading session data,status -1
[Apr 14 20:03:37 :9092]:failed to get sessiontbl data for session id 388 rev 16861 pkt_len 0 datalink_type 228 direction 0 daq_source 2 is_tcp 0 nseid 0 is_ssl_non_app_appdata 0, dropping packet
1586905440.641864934 [ 9091/0xa79b000003da] [nsg_tcphold.c:308:process_event] Could not find session for key and unique_id.
1586905532.080744244 [ 9091/0x0] [nsg_nse_policy.c:1350:__nsg_error] 10.0.1.202:40707 to ###.##.###.##:443: Error from nse: NSE:Handshake [0xba00057a;code:122;sub:5] Unknown session
1586905873.879418946 [ 9092/0x0] [nsg_nse_policy.c:1350:__nsg_error] 10.0.10.10:59152 to ##.##.###.###:443: Error from nse: NSE:Handshake [0xba00057a;code:122;sub:5] Unknown session
1586906119.956790541 [ 9093/0x534d00000496] [nsg_tcphold.c:308:process_event] Could not find session for key and unique_id.
1586906187.325982381 [ 9091/0x242b000004da] [nsg_tcphold.c:308:process_event] Could not find session for key and unique_id.
1586906207.651781842 [ 9090/0x0] [nsg_nse_policy.c:1350:__nsg_error] 10.0.10.10:59540 to ##.##.###.###:443: Error from nse: NSE:Handshake [0xba00057a;code:122;sub:5] Unknown session
1586906486.943838013 [ 9093/0x495200000375] [nsg.c:1323:parser_context_resp_eoh_cb] request_fsm_response_begin failed.
1586906487.049387651 [ 9090/0x495800000380] [nsg.c:1323:parser_context_resp_eoh_cb] request_fsm_response_begin failed.
1586906487.149707032 [ 9091/0x495e0000037f] [nsg.c:1323:parser_context_resp_eoh_cb] request_fsm_response_begin failed.

 

 

Information asked by :

Software Version (on Bare Metal.)

Processor: Intel G5400

RAM: 8GB DDR4

NICs: Intel 82576 "Kernel driver in use: igb_nm"

 

Restarting the service through SSH doesn't work; a system reboot is necessary to come back to normal.

 

Thanks!



  • Hi together,

    the same thing happens on my machine.

    I'm using the SW appliance version as a KVM with Proxmox on a Shuttle DS77U7.

    The last entries in my ips.log seem to have the cleanup_capture_files.sh each time before it dies:

    [Apr 14 21:37:44 :9123]:Error reading session data,status -1

    [Apr 14 21:37:44 :9123]:failed to get sessiontbl data for session id 26 rev 351 pkt_len 0 datalink_type 228 direction 0 daq_source 2 is_tcp 0 nseid 0 is_ssl_non_app_appdata 0, dropping packet

    [Apr 14 21:37:44 :9123]:Error reading session data,status -1

    [Apr 14 21:37:44 :9123]:failed to get sessiontbl data for session id 26 rev 351 pkt_len 0 datalink_type 228 direction 0 daq_source 2 is_tcp 0 nseid 0 is_ssl_non_app_appdata 0, dropping packet

    [Apr 14 21:37:44 :9123]:Error reading session data,status -1

    [Apr 14 21:37:44 :9123]:failed to get sessiontbl data for session id 26 rev 351 pkt_len 0 datalink_type 228 direction 0 daq_source 2 is_tcp 0 nseid 0 is_ssl_non_app_appdata 0, dropping packet

    [Apr 14 21:43:44 cleanup_capture_files.sh] completed

    Best Regards

    Dom
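Both ips.log excerpts above (the original post and Dom's reply) mix two line formats, which makes it hard to see which error dominates before the service dies. The following triage script is an added example, not part of the thread and not Sophos code; it groups lines by signature and counts dropped packets per worker. Reading the bracketed number as a worker id is an assumption based on the excerpts, and the function names are hypothetical.

```python
import re
from collections import Counter

# Line shapes in the ips.log excerpts: "epoch.nanos [ id/0xflow] [file.c:line:func] msg"
# and "[Mon DD HH:MM:SS :id]:msg" / "[... script.sh] msg". "id" is assumed to be a worker id.
NSG_RE = re.compile(r"^\d+\.\d+ \[\s*(\d+)/0x[0-9a-fA-F]+\] \[([\w.]+):\d+:(\w+)\] (.*)$")
SYS_RE = re.compile(r"^\[\w{3} +\d+ \d\d:\d\d:\d\d (?::(\d+)|([\w.]+))\]:?\s*(.*)$")
NSE_RE = re.compile(r"Error from nse: (NSE:\w+) \[[^\]]*\] (.+)$")

def parse_line(line):
    """Return (worker_id, signature, dropped) for a recognised line, else None."""
    line = line.strip()
    m = NSG_RE.match(line)
    if m:
        pid, src, func, msg = m.groups()
        nse = NSE_RE.search(msg)  # NSE errors carry a class and a reason
        sig = f"{src}:{func}" + (f" {nse.group(1)} {nse.group(2)}" if nse else "")
        return int(pid), sig, False
    m = SYS_RE.match(line)
    if not m:
        return None
    pid, script, msg = m.groups()
    if script:  # housekeeping script line: no worker id in the bracket
        return None, f"{script}: {msg}", False
    dropped = msg.endswith("dropping packet")
    sig = "sessiontbl lookup failed (packet dropped)" if dropped else msg
    return int(pid), sig, dropped

def summarize(lines):
    """Tally signatures, per-worker packet drops and unrecognised lines."""
    sigs, drops, unparsed = Counter(), Counter(), 0
    for rec in map(parse_line, filter(str.strip, lines)):
        if rec is None:
            unparsed += 1
            continue
        pid, sig, dropped = rec
        sigs[sig] += 1
        if dropped:
            drops[pid] += 1
    return sigs, drops, unparsed

# Sample lines copied from the excerpts in this thread (addresses redacted as posted).
SAMPLE = """\
1586903047.082146178 [ 9090/0x890600000041] [nsg_tcphold.c:308:process_event] Could not find session for key and unique_id.
1586903230.759421809 [ 9092/0x0] [nsg_nse_policy.c:1350:__nsg_error] 10.0.10.10:57002 to ##.##.###.###:443: Error from nse: NSE:Handshake [0xba00057a;code:122;sub:5] Unknown session
1586903901.459425907 [ 9092/0x0] [nsg_nse_policy.c:1350:__nsg_error] 10.0.10.10:57412 to ##.##.###.###:443: Error from nse: NSE:Handshake [0xba00057a;code:122;sub:5] Unknown session
[Apr 14 19:51:47 :9092]:failed to get sessiontbl data for session id 771 rev 60623 pkt_len 0 datalink_type 228 direction 0 daq_source 2 is_tcp 0 nseid 0 is_ssl_non_app_appdata 0, dropping packet
[Apr 14 21:43:44 cleanup_capture_files.sh] completed
"""
print(summarize(SAMPLE.splitlines()))
```

Run against a full exported log, a rising unparsed count flags line shapes not covered by the two patterns taken from this thread.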

  • Hi all,

    I just want to inform you that Sophos is already examining the problem on my appliance.

    Thanks for supporting the home users so nicely! :)

    Best Regards

    Dom

  • Hi,

     

    A patch has just been applied on my XG by , I'll be monitoring to see if it has been fixed.

     

    Thanks everyone for the help!


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v21 EAP @ Home

    Sophos ZTNA (KVM) @ Home

  • Hi,

    Yes, we have applied a probable fix and are monitoring the device now.

    Thanks  for your prompt and active support.

     

    Thanks,

    Rana Sharma

  • I'll be updating this comment with the results;

     

    - 8 hours later, there's no traffic being dropped at all; SSL/TLS Inspection is also working flawlessly with decryption.

    Here's a small test I've made to be sure IPS is working; it indeed is.

     

    Thanks to all the devs and  for the fix!


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v21 EAP @ Home

    Sophos ZTNA (KVM) @ Home

  • Hi all,

    unfortunately it died again yesterday 21:17 CEST on my appliance although the fix was implemented. :-(

    Additionally, I noticed that WebEx (443/tcp & 9000/udp) is broken on MR1, but not on 354. (no setup changed here)

    Best Regards

    Dom

  • Hi Dom,

    Which version of IPS is installed on your XG? Mine is 18.17.00 and has not been updated since the 15th April 2020.

    I am trying to track down a spontaneous restart from yesterday.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hi  

    I have given a message in PM to investigate the appliance. Let's continue there.

    Thanks,

    Rana Sharma

  • Hi Ian,

    yes it's 18.17.00.

    Best Regards

    Dom