Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos XG 125 Huge memory Usage

Hello, I have a sophos XG 125 with last release 18.5.1 configured in HA (active-standby). The memory consumption is always between 85%-92% even after a restart without traffic and load. Yesterday it rebooted after reached 100% of swap usage. I started to encounter this issue of memory usage after the migration from release 17 to 18 few months ago. With release 17 memory has never gone more than 85%.

Below, some images with my situation. Snort is consuming the RAM.

Can someone help me to troubleshoot the issue?

Thank you,

Alessandro



This thread was automatically locked due to age.
Parents Reply Children
  • I already raised a support case. Also the standby node starting to use swap memory. They suggested me to reimage primary appliance but I don't want to perform this operation without further investigation.

    Alessandro

  • The Swap flushes only after a IPS restart

  • I already raised a support case. Also the standby node starting to use swap memory. They suggested me to reimage primary appliance

    That's Sophos support quality. So sad. Yesterday I filed a case and wrote: I did "A" and had a HA failure. The first and until now only answer to my high priority case was 6h later: "why did you do "B"? B is not supported." I guess they did'nt even look at the logs I provided.

  • To your problem: did you check if you have high traffic going through IPS, and maybe have enabled too many checks?

    IPS is tweakable, so for linux machines there is no need to scan for windows attack vectors.

    Or maybe your server backups are running through IPS enabled firewall rules - would suggest to disable this.

    Maybe you can check how the memory usage on your XG grows and find, it peaks at specific times a day?

  • Hi LHerzon,

    memory consumptions started since I upgraded from rel 17 to 18 on may. You can see clearly on the following image. I can try to disable IPS on all rules to see if memory is released.

  • please restart IPS after you removed it from your rules and monitor it for one day.

  • Yes, I restarted it and I will monitor in the next hours. I noticed 5 httpd processes consuming RAM. Is it normal?

  • I guess this is Webadmin, Userportal etc. - Web services on the XG.

    snort processes are again using much memory. Is this screenshot after you restarted IPS?

    Looks like much to much reserved RAM is used by them. They consume 1.2GB Our SNORT processes use 750MB after days of work.


    Mem:  16315952k total, 15745324k used,   570628k free,   693288k buffers
    Swap: 16305852k total,        0k used, 16305852k free,  9880132k cached

      PID  PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
     2314  20   0 5152m 751m  24m S 59.1  4.7  65:48.10 snort
     3198  20   0  162m  75m  12m S  4.0  0.5 374:15.26 garner
     2313  20   0 5153m 753m  24m S  3.7  4.7  49:38.89 snort
     2312  20   0 5152m 750m  24m S  2.3  4.7  61:28.67 snort
     2311  20   0 5156m 755m  24m R  2.0  4.7  42:16.61 snort
     4830  20   0 19484  13m 5432 S  2.0  0.1  40:34.56 sslvpn
     5875  20   0 25552 6544 2720 S  1.7  0.0  29:20.25 fqdnd

    Note, this is a XG430 with 16GBRAM.

  • Yes, this image has been taken after IPS restart. Consider that I am working on a XG125 with 4GB Ram.

  • if you stop IPS service, do the snort processes disappear completely?


    XG430_WP02_SFOS 18.0.5 MR-5-Build586# top | grep snort
     2314  20   0 5152m 751m  24m R 94.1  4.7  68:46.16 snort
     2312  20   0 5152m 750m  24m S  5.9  4.7  61:39.24 snort
     2311  20   0 5156m 755m  24m S  3.9  4.7  42:27.61 snort
     2313  20   0 5153m 753m  24m R  3.9  4.7  49:51.43 snort