SASI high CPU usage

Hi there!

I'm currently running on SFVH (SFOS 19.5.0 GA-Build197) and notice a very high CPU usage caused by the SASI service. I tried to turn off Anti-Spam in my E-Mail profile, but it didn't change. 

TOP:

Control Center:

The only thing I could find was a periodic error while trying to download some Checksums (?) in the sasi.log:

Any ideas? Did anyone observe anything similar? Maybe even a fix?

Regards,

Patrick



This thread was automatically locked due to age.
  • Hi Patrick, 

    You can share it with  , he can help take a look at this issue. 

  • Hi,

    Patrick's system fails to access SASI DB checksum files on sasi.sophosupd.com. When this happens, the system's CPU starts to spin until reaching a timeout, but then (after 140 seconds) it tries again.

    I've asked Patrick to check whether a firewall rule or another network device blocks that.

  • Hi,

    Your answer does cause me some concern. A user firewall rule is capable of blocking traffic that is not recorded in any report and would not show up in the log viewer review of that firewall rule.

    The traffic does not show up in daily WAN usage so how is a user supposed to identify a failure?

    Ian

    XG115W - v20.0.1 MR-1 - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hi there

    I replied to Janos yesterday. My Sophos firewall is directly connected to my ISP without any active network device in between. I noticed however that trying to download the SASI DB checksum via terminal (curl command) and force it to use IPv4 (curl -ipv4), it works fine every time. If I force it to use IPv6 (curl -ipv6) it fails most of the time (curl gets stuck and has to be aborted). Ping and Traceroute to the SASI server however work for both IPv4 and IPv6 directly from the firewall's terminal.

    Regards, Patrick
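
The IPv4/IPv6 comparison described in the last post can be made repeatable with a per-address-family probe that enforces a hard timeout and records the stage at which the fetch stopped, which separates "cannot connect" from "connects, then hangs". This is an added example, not part of the thread and not Sophos code; the `probe` and `compare_families` names, the placeholder path, and port 443 with TLS are assumptions.

```python
import socket
import ssl
import time

def probe(host, port, path, family, timeout=10.0, tls=False):
    """Fetch `path` over one address family; report the last stage reached."""
    res = {"family": "IPv6" if family == socket.AF_INET6 else "IPv4",
           "stage": "resolve", "ok": False, "bytes": 0}
    start = time.monotonic()
    sock = None
    try:
        addr = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)[0][4]
        res["stage"] = "connect"
        sock = socket.socket(family, socket.SOCK_STREAM)
        sock.settimeout(timeout)  # hard limit for each socket operation
        sock.connect(addr)
        if tls:
            res["stage"] = "tls"
            ctx = ssl.create_default_context()
            sock = ctx.wrap_socket(sock, server_hostname=host)
        res["stage"] = "request"
        sock.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
        res["stage"] = "transfer"
        while chunk := sock.recv(65536):  # empty read means the server closed
            res["bytes"] += len(chunk)
        res["stage"], res["ok"] = "done", True
    except OSError as exc:  # timeouts, refusals, DNS and TLS failures
        res["error"] = type(exc).__name__
    finally:
        if sock is not None:
            sock.close()
    res["seconds"] = round(time.monotonic() - start, 2)
    return res

def compare_families(host, port, path, **kwargs):
    """Run the same fetch over IPv4 and IPv6 so the results can be compared."""
    return [probe(host, port, path, fam, **kwargs)
            for fam in (socket.AF_INET, socket.AF_INET6)]

if __name__ == "__main__":
    # Host is the one named in the thread; the path is a placeholder and
    # port 443 with TLS is an assumption, neither is given in the thread.
    for r in compare_families("sasi.sophosupd.com", 443,
                              "/PLACEHOLDER-checksum-file", tls=True):
        print(r)
```

A result that ends in `tls` or `transfer` for IPv6 while IPv4 reaches `done` matches the reported symptom of ping working but the download hanging.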