This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos XG 125 Huge memory Usage

Hello, I have a sophos XG 125 with last release 18.5.1 configured in HA (active-standby). The memory consumption is always between 85%-92% even after a restart without traffic and load. Yesterday it rebooted after reached 100% of swap usage. I started to encounter this issue of memory usage after the migration from release 17 to 18 few months ago. With release 17 memory has never gone more than 85%.

Below, some images with my situation. Snort is consuming the RAM.

Can someone help me to troubleshoot the issue?

Thank you,

Alessandro



This thread was automatically locked due to age.
Parents Reply Children
  • Since I installed latest release 18.5.1, in about 3 days. I suppose is due to IPS but it could be any component.

  • Hello Alessandro,

    Adding to what has been told in this thread, can you share your Case ID to see what has been done. 

    I would also recommend you to run the following command form the advanced shell and provide the output to Support 

    # atop -M 3600 -w /var/atop_output.raw

    You will need to reboot the device, then run the command and wait for the Memory utilization to fill out again, then restart and provide the file to Support.

    Additionally, you can run the following command that will tell you what service is occupying the SWAP memory

    # for file in /proc/*/status ; do awk '/VmSwap|Name/{printf $2 " " $3}END{ print ""}' $file; done| sort -k 2 -n -r | head -20

    # free

    # ls -lh /var/cores

    And more importantly how many devices are behind the Firewall and what services are you using?

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Hi Emmanuel,

    the opened support case ID is 04496415 . This week end happened again without user on place. I had to restart IPS service to flush all swap usage.

    This morning before I restarted IPS, please note uptime

    Below the output on the command 

    # for file in /proc/*/status ; do awk '/VmSwap|Name/{printf $2 " " $3}END{ print ""}' $file; done| sort -k 2 -n -r | head -20

    awk: /proc/22165/status: No such file or directory
    awk: /proc/22173/status: No such file or directory
    zebra 428 kB
    zebra 16348 kB
    xgs-healthmond 11444 kB
    writeback
    worker 12192 kB
    worker 12192 kB
    worker 12192 kB
    worker 11076 kB
    worker 11076 kB
    worker 11076 kB
    worker 11076 kB
    worker 11076 kB
    worker 11076 kB
    worker 11076 kB
    worker 11004 kB
    worker 11004 kB
    worker 11004 kB
    worker 11004 kB
    worker 11004 kB
    watchdog/3

    XG125_XN03_SFOS 18.5.1 MR-1-Build326# ls -lh /var/cores
    -rw------- 1 root 0 7.0M Oct 7 15:45 core.awarrenhttp
    -rw------- 1 root 0 45.3M May 4 16:10 core.garner

    Behind firewall there are 50 physical devices and 100-200 Virtual machines. IPS is enable only for physical devices.

    BR,

    Alessandro

  • SWAP Usage after 2 hours of IPS restarted

  • I disabled IPS on almost the rules. It remains active on few rules without traffic. I don't know which component is consuming so much swap memory.

  • Hello Alessandro,

    Thank you for the Case ID. I can see the engineer has reach out to GES to see if  there is a way to increase the SWAP memory.

    I can see you opened the Case on Oct 8 and the day before your appliance generated a core dump for the Awarrenhttp 

    -rw------- 1 root 0 7.0M Oct 7 15:45 core.awarrenhttp

    How many users are making use of the Web Filter/ DPI?

    The XG 125 without using IPS, Web Filter, it is designed to handle no more than 50 users.

    Most likely your device is undersized for this traffic, I would recommend you to check with your Sales Engineer to confirm.

    18.5.1 is more resource intense, than 17.5 so from my point of view that would explain the increase in memory. 

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Good morning Emmanuel,

    Behind the XG125 there are more or less 50 users, someday less someday more. The strange things is that now the 100% of swap is reached also in the weekend, without users connected. So, to answer at your question, Web Filter /DPI is active for more or less 50 users.

    Thank you for your support,

    Alessandro

  • Snort is not IPS. 

    Snort is one of the backbone modules, used for most technologies in SFOS. Therefore, if there is an issue with Snort, it does not matter, if you unload or load pattern in Firewall rules. 

    Could you check the console first? 

    console> show ips-settings
    -------------IPS Settings-------------
    stream on
    lowmem off
    maxsesbytes 0
    maxpkts 8
    enable_appsignatures on
    http_response_scan_limit 65535
    search_method hyperscan
    sip_preproc enabled
    sip_ignore_call_channel enabled
    inspect all-content

    -------------IPS Instances------------
    IPS is running on all cores

    __________________________________________________________________________________________________________________

  • console> show ips-settings
    -------------IPS Settings-------------
    stream on
    lowmem off
    maxsesbytes 10
    maxpkts 8
    enable_appsignatures on
    http_response_scan_limit 65535
    search_method ac-q
    sip_preproc enabled
    sip_ignore_call_channel enabled
    inspect untrusted-content

    -------------IPS Instances------------
    IPS CPU
    1 0
    2 1

    I changed, yesterday, only maxsesbytes value as suggested by a Sophos Engineer.

  • Is this a old installation? 

    Because i assumed, hyperscan should be enabled by most customers. But not if you use a old backup. 

    Change search_method to hyperscan. 

    __________________________________________________________________________________________________________________