
Connection drops during AV pattern updates

Running SFOS 18.0.1 MR-1-Build396 and have been having dropped traffic issues with VOIP calls and software VPN connections to outside devices at about the same time the AV patterns are updating. Has anyone else noticed this?



  • I've also noticed this too. It's also happening with pattern updates for the IPS Engine; sometimes it drops (a lot) of packets.

    Also, it happens way more often if you're doing SSL/TLS decryption, or if you're connected through remote IPsec.

    Thanks!


    If a post solves your question use the 'Verify Answer' link.

  • Hello Keith,

    Thank you for contacting Sophos Support. 

    Could you please let me know which IPS and Application signature and which Sophos AV pattern update is currently installed in your XG?

    If you SSH in to the XG and run from the console (5>4)

    console> drop-packet-capture 'host x.x.x.x' (where x.x.x.x is the IP of any of the computers having the issue)

    regards,


     
    Emmanuel (EmmoSophos)
    Community Support Engineer | Sophos Technical Support
  • Since the issue only happens when the signatures update, I don't have anything that I can send from the capture.

  • Hello Keith,

    Thank you for the follow-up.

    Can you run this command in your XG from the back end? Just provide the lines from Sep 17, Sep 16 and Sep 15 and confirm if on these dates you also noticed the same.

    grep "Initialization Complete" /log/ips.log

    Regards,


     
    Emmanuel (EmmoSophos)
    Community Support Engineer | Sophos Technical Support
  • That filter produces no results

    If I filter for "initialization" only, I get this.

    [Sep 15 14:29:31 :24908]:daq_multi_initialize:Loading and initialization of DAQs
    done
    [Sep 15 14:29:31 :24907]:daq_multi_initialize:Loading and initialization of DAQs
    done
    [Sep 15 14:29:31 :24909]:daq_multi_initialize:Loading and initialization of DAQs
    done
    [Sep 15 14:29:31 :24910]:daq_multi_initialize:Loading and initialization of DAQs
    done
    [Sep 16 12:29:29 :17679]:daq_multi_initialize:Loading and initialization of DAQs
    done
    [Sep 16 12:29:29 :17678]:daq_multi_initialize:Loading and initialization of DAQs
    done
    [Sep 16 12:29:29 :17680]:daq_multi_initialize:Loading and initialization of DAQs
    done
    [Sep 16 12:29:29 :17681]:daq_multi_initialize:Loading and initialization of DAQs
    done
    [Sep 17 14:29:28 :17991]:daq_multi_initialize:Loading and initialization of DAQs
    done
    [Sep 17 14:29:28 :17993]:daq_multi_initialize:Loading and initialization of DAQs
    done
    [Sep 17 14:29:28 :17992]:daq_multi_initialize:Loading and initialization of DAQs
    done
    [Sep 17 14:29:28 :17994]:daq_multi_initialize:Loading and initialization of DAQs
    done

  • Since when is this happening to you?

    I believe we face a similar issue since 11.09.2020. It was working fine until that date.

    XG 330

  • Hello Gianni,

    Thank you for contacting the Sophos Community!

    How did you notice this happened when the AV updated? How were you able to correlate the AV updates with the traffic being dropped?

    I am just trying to collect some info.

    This might be related to an issue that is fixed in MR3 about failed pattern updates. 

    Regards,


     
    Emmanuel (EmmoSophos)
    Community Support Engineer | Sophos Technical Support
  • Hello Keith,

    Thank you for the follow-up!

    I got confused, and the command I sent was actually for the IPS, not the pattern updates.

    There is a fix related to pattern updates coming in MR3, so it might be that this will help with this issue.

    Since we talked on Friday has this issue happened again?

    Regards,


     
    Emmanuel (EmmoSophos)
    Community Support Engineer | Sophos Technical Support
  • The time reported in the log for the update was the same time that the AnyConnect client on one of my machines reported disconnecting on several consecutive days. I did not notice the issue today though so it might not end up being the cause. I will continue to monitor.

  • Just happened again. The pattern updates don't fail, but traffic is being dropped when they are applied. Any insight on when MR3 will be released?
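
The correlation discussed in the thread (log timestamps against client disconnect times) can be checked offline with a short script. This is an added example, not part of any post above and not Sophos code; it parses the `ips.log` line format posted in the thread and matches each burst of `daq_multi_initialize` lines against a list of disconnect times. Assumptions: the year (the log has none), the disconnect times (constructed), and the 10 s / 60 s windows.

```python
import re
from datetime import datetime, timedelta

# Excerpt of the ips.log lines posted in the thread (two worker PIDs per day).
IPS_LOG = """\
[Sep 15 14:29:31 :24908]:daq_multi_initialize:Loading and initialization of DAQs
done
[Sep 15 14:29:31 :24907]:daq_multi_initialize:Loading and initialization of DAQs
done
[Sep 16 12:29:29 :17679]:daq_multi_initialize:Loading and initialization of DAQs
done
[Sep 16 12:29:29 :17678]:daq_multi_initialize:Loading and initialization of DAQs
done
[Sep 17 14:29:28 :17991]:daq_multi_initialize:Loading and initialization of DAQs
done
"""
# Constructed client-side disconnect times (not from the thread).
DISCONNECTS = ["Sep 15 14:29:44", "Sep 16 12:29:25", "Sep 17 09:10:02"]

LINE_RE = re.compile(r"^\[(\w{3}\s+\d+ \d\d:\d\d:\d\d) :(\d+)\]:daq_multi_initialize:")

def parse_ts(text, year=2020):
    # The log carries no year; 2020 is assumed from the dates in the thread.
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def reload_events(log_text, gap=timedelta(seconds=10)):
    """Collapse per-process init lines into one event per burst."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skips the wrapped "done" lines and unrelated entries
        ts, pid = parse_ts(m.group(1)), int(m.group(2))
        if events and ts - events[-1]["end"] <= gap:
            events[-1]["end"] = ts
            events[-1]["pids"].add(pid)
        else:
            events.append({"start": ts, "end": ts, "pids": {pid}})
    return events

def correlate(events, disconnects, window=timedelta(seconds=60)):
    """Pair each disconnect with the init burst within +/- window, else None."""
    pairs = []
    for text in disconnects:
        t = parse_ts(text)
        hit = next((e for e in events
                    if e["start"] - window <= t <= e["end"] + window), None)
        pairs.append((text, hit["start"].strftime("%b %d %H:%M:%S") if hit else None))
    return pairs

if __name__ == "__main__":
    for when, burst in correlate(reload_events(IPS_LOG), DISCONNECTS):
        print(f"{when}: {'IPS init at ' + burst if burst else 'no IPS init nearby'}")
```

A disconnect that pairs with `None` points away from IPS initialisation as the cause for that event; the same approach applies to whichever log records the AV pattern update time.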