Hello, I have a Sophos XG 125 with the latest release 18.5.1 configured in HA (active-standby). The memory consumption is always between 85%-92%, even after a restart without traffic and load. Yesterday it rebooted after reaching 100% of swap usage. I started to encounter this memory usage issue after the migration from release 17 to 18 a few months ago. With release 17, memory has never gone above 85%.
Below, some images with my situation. Snort is consuming the RAM.
Can someone help me to troubleshoot the issue?
Adding to what has been told in this thread, can you share your Case ID to see what has been done?
I would also recommend you to run the following command from the advanced shell and…
That is not good. Please review the disk usage, all directories; it sounds like the disk might be full and swap failing.
Below is the disk usage. It seems to be normal.
XG125_XN03_SFOS 18.5.1 MR-1-Build326# df -ha
Filesystem Size Used Available Use% Mounted on
none 219.1M 2.8M 200.8M 1% /
none 1.9G 40.0K 1.9G 0% /dev
none 0 0 0 0% /proc
none 1.9G 48.2M 1.9G 2% /tmp
none 0 0 0 0% /dev/pts
none 1.9G 14.7M 1.9G 1% /dev/shm
/sys 0 0 0 0% /sys
/dev/boot 127.7M 38.5M 86.5M 31% /boot
debugfs 0 0 0 0% /sys/kernel/debug
385.4M 78.9M 302.4M 21% /conf
/dev/content 5.4G 624.1M 4.8G 11% /content
/dev/var 46.5G 34.9G 11.6G 75% /var
none 0 0 0 0% /cfs
CFS 0 0 0 0% /cfs
Please raise a support case. Does the issue show in both devices of the HA?
Ian
I already raised a support case. Also, the standby node is starting to use swap memory. They suggested that I reimage the primary appliance, but I don't want to perform this operation without further investigation.
The swap flushes only after an IPS restart.
alessandro scuderi said: I already raised a support case. Also the standby node starting to use swap memory. They suggested me to reimage primary appliance
That's Sophos support quality. So sad. Yesterday I filed a case and wrote: I did "A" and had a HA failure. The first and until now only answer to my high priority case was 6h later: "why did you do "B"? B is not supported." I guess they didn't even look at the logs I provided.
To your problem: did you check if you have high traffic going through IPS, and maybe have enabled too many checks?
IPS is tweakable, so for Linux machines there is no need to scan for Windows attack vectors.
Or maybe your server backups are running through IPS-enabled firewall rules - I would suggest disabling this.
Maybe you can check how the memory usage on your XG grows and find whether it peaks at specific times of day?
Memory consumption started when I upgraded from rel 17 to 18 in May. You can see it clearly in the following image. I can try to disable IPS on all rules to see if memory is released.
Please restart IPS after you have removed it from your rules and monitor it for one day.