Thread Info
  • State Verified Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 37 replies
  • Answers 1 answer
  • Subscribers 42 subscribers
  • Views 12822 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos XG 125 Huge memory Usage

alessandro scuderi

Hello, I have a sophos XG 125 with last release 18.5.1 configured in HA (active-standby). The memory consumption is always between 85%-92% even after a restart without traffic and load. Yesterday it rebooted after reached 100% of swap usage. I started to encounter this issue of memory usage after the migration from release 17 to 18 few months ago. With release 17 memory has never gone more than 85%.

Below, some images with my situation. Snort is consuming the RAM.

Can someone help me to troubleshoot the issue?

Thank you,

Alessandro



This thread was automatically locked due to age.
  • 0

    Hi,

    that is not good, please review the disk usage, all directories, sounds like the disk might be full and swap failing.l

    ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to rfcat_vk

    Below the disk usage. Seems to be normal

    XG125_XN03_SFOS 18.5.1 MR-1-Build326# df -ha

    Filesystem                Size      Used Available Use% Mounted on

    none                    219.1M      2.8M    200.8M   1% /

    none                      1.9G     40.0K      1.9G   0% /dev

    none                         0         0         0   0% /proc

    none                      1.9G     48.2M      1.9G   2% /tmp

    none                         0         0         0   0% /dev/pts

    none                      1.9G     14.7M      1.9G   1% /dev/shm

    /sys                         0         0         0   0% /sys

    /dev/boot               127.7M     38.5M     86.5M  31% /boot

    debugfs                      0         0         0   0% /sys/kernel/debug

    /dev/mapper/mountconf

                            385.4M     78.9M    302.4M  21% /conf

    /dev/content              5.4G    624.1M      4.8G  11% /content

    /dev/var                 46.5G     34.9G     11.6G  75% /var

    none                         0         0         0   0% /cfs

    CFS                          0         0         0   0% /cfs

  • 0 in reply to alessandro scuderi

    Hi,

    please raise a support case. Does the issue show in both devices of the ha?
    ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to rfcat_vk

    I already raised a support case. Also the standby node starting to use swap memory. They suggested me to reimage primary appliance but I don't want to perform this operation without further investigation.

    Alessandro

  • 0 in reply to rfcat_vk

    The Swap flushes only after a IPS restart

  • 0 in reply to alessandro scuderi
    alessandro scuderi said:
    I already raised a support case. Also the standby node starting to use swap memory. They suggested me to reimage primary appliance

    That's Sophos support quality. So sad. Yesterday I filed a case and wrote: I did "A" and had a HA failure. The first and until now only answer to my high priority case was 6h later: "why did you do "B"? B is not supported." I guess they did'nt even look at the logs I provided.

  • 0 in reply to LHerzog

    To your problem: did you check if you have high traffic going through IPS, and maybe have enabled too many checks?

    IPS is tweakable, so for linux machines there is no need to scan for windows attack vectors.

    Or maybe your server backups are running through IPS enabled firewall rules - would suggest to disable this.

    Maybe you can check how the memory usage on your XG grows and find, it peaks at specific times a day?

  • 0 in reply to LHerzog

    Hi LHerzon,

    memory consumptions started since I upgraded from rel 17 to 18 on may. You can see clearly on the following image. I can try to disable IPS on all rules to see if memory is released.

  • 0 in reply to alessandro scuderi

    please restart IPS after you removed it from your rules and monitor it for one day.

Unfiltered HTML