
Sophos XG 125 Huge memory Usage

Hello, I have a Sophos XG 125 with the latest release, 18.5.1, configured in HA (active-standby). The memory consumption is always between 85%-92%, even after a restart without traffic and load. Yesterday it rebooted after reaching 100% of swap usage. I started to encounter this memory usage issue after the migration from release 17 to 18 a few months ago. With release 17, memory never went above 85%.

Below, some images with my situation. Snort is consuming the RAM.

Can someone help me to troubleshoot the issue?

Thank you,

Alessandro



  • Same IPS signature for me. I don't really know what to do.

  • I think you may have an answer to that, as you are replying to many IPS threads here.

  • Wrote something in the German Community about this: 

    The question is, is that a problem?
    
    Basically behind this is a Linux-based operating system that can handle RAM differently than a Windows. See: https://www.linuxatemyram.com/
    
    In my opinion it is a waste not to use the RAM resources that are available.
    
    With version V18, Snort was more integrated into the architecture of the operating system. That means SFOS uses more Snort for all possible areas. And since the RAM is there and not in use, Snort takes what it can get.
    
    As long as there is no overflow or MAX Out, I see no problem.
    
    You should watch how the RAM behaves, if it stays constantly on this line, that's fine in my eyes.


  • My problem is that XG125 consumes all SWAP as well, becoming unusable after it reaches 100%

  • How long does it take to consume the memory? And can you identify the process taking more and more RAM?

  • Since I installed the latest release, 18.5.1, in about 3 days. I suppose it is due to IPS, but it could be any component.

  • Hello Alessandro,

    Adding to what has been said in this thread, can you share your Case ID so we can see what has been done?

    I would also recommend that you run the following command from the advanced shell and provide the output to Support

    # atop -M 3600 -w /var/atop_output.raw

    You will need to reboot the device, then run the command and wait for the Memory utilization to fill out again, then restart and provide the file to Support.

    Additionally, you can run the following command that will tell you what service is occupying the SWAP memory

    # for file in /proc/*/status ; do awk '/VmSwap|Name/{printf $2 " " $3}END{ print ""}' $file; done| sort -k 2 -n -r | head -20

    # free

    # ls -lh /var/cores

    And more importantly how many devices are behind the Firewall and what services are you using?

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Hi Emmanuel,

    The open support case ID is 04496415. This weekend it happened again with no users on site. I had to restart the IPS service to flush all swap usage.

    This morning before I restarted IPS, please note uptime

    Below is the output of the command

    # for file in /proc/*/status ; do awk '/VmSwap|Name/{printf $2 " " $3}END{ print ""}' $file; done| sort -k 2 -n -r | head -20

    awk: /proc/22165/status: No such file or directory
    awk: /proc/22173/status: No such file or directory
    zebra 428 kB
    zebra 16348 kB
    xgs-healthmond 11444 kB
    writeback
    worker 12192 kB
    worker 12192 kB
    worker 12192 kB
    worker 11076 kB
    worker 11076 kB
    worker 11076 kB
    worker 11076 kB
    worker 11076 kB
    worker 11076 kB
    worker 11076 kB
    worker 11004 kB
    worker 11004 kB
    worker 11004 kB
    worker 11004 kB
    worker 11004 kB
    watchdog/3

    XG125_XN03_SFOS 18.5.1 MR-1-Build326# ls -lh /var/cores
    -rw------- 1 root 0 7.0M Oct 7 15:45 core.awarrenhttp
    -rw------- 1 root 0 45.3M May 4 16:10 core.garner

    Behind the firewall there are 50 physical devices and 100-200 virtual machines. IPS is enabled only for physical devices.

    BR,

    Alessandro
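
The output above shows two rough edges of the one-liner: awk errors for processes that exit during the scan, and rows with no value for kernel threads such as writeback and watchdog/3. The following is an added example, not from this thread or from Sophos, that sums VmSwap per process name and skips both cases; `swap_by_name` and its optional directory argument are hypothetical names, and a POSIX sh with awk and sort is assumed.

```shell
#!/bin/sh
# Added example: total swapped-out memory per process name, largest first.
# swap_by_name is a hypothetical helper; the optional argument is the
# directory to scan (default: the live /proc).
swap_by_name() {
    proc_root="${1:-/proc}"
    for f in "$proc_root"/[0-9]*/status; do
        # A process can exit between glob expansion and the read; skip it.
        [ -r "$f" ] || continue
        awk '
            $1 == "Name:"   { sub(/^Name:[ \t]*/, ""); name = $0 }
            $1 == "VmSwap:" { swap = $2 }
            # Kernel threads have no VmSwap line; zero-swap rows are dropped.
            END { if (name != "" && swap > 0) printf "%s\t%d\n", name, swap }
        ' "$f" 2>/dev/null
    done |
    # Aggregate by name so many workers of one service show up as one row.
    awk -F '\t' '
        { kb[$1] += $2; n[$1]++ }
        END { for (p in kb) printf "%d\t%d\t%s\n", kb[p], n[p], p }
    ' |
    # Columns: total kB, number of processes, process name.
    LC_ALL=C sort -t "$(printf '\t')" -k1,1nr -k3,3
}

# Print the top 20 consumers when run directly: swap_by_name | head -20
```

VmSwap counts only a process's private anonymous pages, so the sum can be lower than the used swap that `free` reports.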

  • SWAP Usage after 2 hours of IPS restarted

  • I disabled IPS on almost all the rules. It remains active on a few rules without traffic. I don't know which component is consuming so much swap memory.