Sophos XG 125 Huge memory Usage

Hello, I have a Sophos XG 125 with the latest release 18.5.1 configured in HA (active-standby). The memory consumption is always between 85%-92% even after a restart without traffic and load. Yesterday it rebooted after reaching 100% of swap usage. I started to encounter this memory usage issue after the migration from release 17 to 18 a few months ago. With release 17, memory never went above 85%.

Below, some images with my situation. Snort is consuming the RAM.

Can someone help me to troubleshoot the issue?

Thank you,

Alessandro



  • If you stop the IPS service, do the snort processes disappear completely?


    XG430_WP02_SFOS 18.0.5 MR-5-Build586# top | grep snort
     2314  20   0 5152m 751m  24m R 94.1  4.7  68:46.16 snort
     2312  20   0 5152m 750m  24m S  5.9  4.7  61:39.24 snort
     2311  20   0 5156m 755m  24m S  3.9  4.7  42:27.61 snort
     2313  20   0 5153m 753m  24m R  3.9  4.7  49:51.43 snort

  • we're at this IPS version.

    IPS and Application signatures
    18.18.61
    -
    16:32:55, Oct 12 2021
    Success

    but our XG is on Firmware 18.0 MR5

    maybe some other 18.5.1 User can post a top on snort.

  • Same IPS signature for me. I don't really know what to do.

  • I think you may have an answer to that as you are replying to many IPS threads here.

  • Wrote something in the German Community about this: 

    The question is, is that a problem?
    
    Basically behind this is a Linux-based operating system that can handle RAM differently than a Windows. See: https://www.linuxatemyram.com/
    
    In my opinion it is a waste not to use the RAM resources that are available.
    
    With version V18, Snort was more integrated into the architecture of the operating system. That means SFOS uses more Snort for all possible areas. And since the RAM is there and not in use, Snort takes what it can get.
    
    As long as there is no overflow or MAX Out, I see no problem.
    
    You should watch how the RAM behaves, if it stays constantly on this line, that's fine in my eyes.


  • My problem is that XG125 consumes all SWAP as well, becoming unusable after it reaches 100%

  • How long does it take to consume the memory? And can you identify the process, taking more and more RAM? 


  • Since I installed the latest release 18.5.1, in about 3 days. I suppose it is due to IPS but it could be any component.

  • Hello Alessandro,

    Adding to what has been told in this thread, can you share your Case ID to see what has been done?

    I would also recommend you to run the following command from the advanced shell and provide the output to Support:

    # atop -M 3600 -w /var/atop_output.raw

    You will need to reboot the device, then run the command and wait for the Memory utilization to fill out again, then restart and provide the file to Support.

    Additionally, you can run the following command that will tell you what service is occupying the SWAP memory

    # for file in /proc/*/status ; do awk '/VmSwap|Name/{printf $2 " " $3}END{ print ""}' $file; done| sort -k 2 -n -r | head -20

    # free

    # ls -lh /var/cores

    And more importantly how many devices are behind the Firewall and what services are you using?

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Hi Emmanuel,

    The opened support case ID is 04496415. This weekend it happened again without users on site. I had to restart the IPS service to flush all swap usage.

    This morning before I restarted IPS, please note uptime

    Below is the output of the command

    # for file in /proc/*/status ; do awk '/VmSwap|Name/{printf $2 " " $3}END{ print ""}' $file; done| sort -k 2 -n -r | head -20

    awk: /proc/22165/status: No such file or directory
    awk: /proc/22173/status: No such file or directory
    zebra 428 kB
    zebra 16348 kB
    xgs-healthmond 11444 kB
    writeback
    worker 12192 kB
    worker 12192 kB
    worker 12192 kB
    worker 11076 kB
    worker 11076 kB
    worker 11076 kB
    worker 11076 kB
    worker 11076 kB
    worker 11076 kB
    worker 11076 kB
    worker 11004 kB
    worker 11004 kB
    worker 11004 kB
    worker 11004 kB
    worker 11004 kB
    watchdog/3

    XG125_XN03_SFOS 18.5.1 MR-1-Build326# ls -lh /var/cores
    -rw------- 1 root 0 7.0M Oct 7 15:45 core.awarrenhttp
    -rw------- 1 root 0 45.3M May 4 16:10 core.garner

    Behind the firewall there are 50 physical devices and 100-200 virtual machines. IPS is enabled only for physical devices.

    BR,

    Alessandro
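
Added example, not part of the original posts and not Sophos tooling: a variant of the swap one-liner from this thread that prints the kB total first so a plain `sort -rn` orders by size (the pasted output above came out ordered by name), sums processes that share a name, and skips PIDs that exit mid-scan. The function name `swap_by_name` and the `PROC_ROOT` / `TOP_N` variables are assumptions of this example.

```shell
#!/bin/sh
# Added example: swap usage per process name, read from <proc_root>/<pid>/status.
# Output columns (tab-separated): total_kB  process_count  name

swap_by_name() {
    proc_root="${1:-/proc}"   # overridable so the logic can be tested on a copy
    top_n="${2:-20}"

    for f in "$proc_root"/[0-9]*/status; do
        # A process may exit between glob expansion and the read; skip it
        # instead of emitting "No such file or directory".
        [ -r "$f" ] || continue
        awk '
            /^Name:/   { sub(/^Name:[ \t]*/, ""); name = $0 }
            /^VmSwap:/ { swap = $2 }
            # Kernel threads have no VmSwap line; they and 0 kB entries are dropped.
            END { if (swap > 0) printf "%s\t%d\n", name, swap }
        ' "$f" 2>/dev/null
    done |
    # Sum all processes sharing a name (e.g. several snort instances).
    awk -F '\t' '
        { total[$1] += $2; procs[$1]++ }
        END { for (n in total) printf "%d\t%d\t%s\n", total[n], procs[n], n }
    ' |
    # The number leads each line, so no -k key handling is needed.
    sort -rn |
    head -n "$top_n"
}

# PROC_ROOT and TOP_N are this example's own variables, not SFOS settings.
swap_by_name "${PROC_ROOT:-/proc}" "${TOP_N:-20}"
```

Comparing two runs taken some hours apart shows which name is growing, which is the question asked earlier in the thread.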