Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

heartbeat log: Cannot create ID for application, because appId range is exhausted. Application will be ignored.

is that something to worry about in the heartbeatd.log?

This is logged quite frequently on our SFOS 19.0.1 box

[2023-03-16 14:18:04.039Z] INFO EndpointStorage.cpp[32722]:110 endpoint_connectivity_cb - Connectivity changed for <xxxxxxxxxxxxxxxxxxx>: <3> -> <4>
[2023-03-16 14:18:05.597Z] ERROR SacProcessor.cpp[32722]:100 handleApp - Cannot create ID for application, because appId range is exhausted. Application will be ignored.
[2023-03-16 14:18:05.599Z] ERROR SacProcessor.cpp[32722]:100 handleApp - Cannot create ID for application, because appId range is exhausted. Application will be ignored.
[2023-03-16 14:18:05.601Z] ERROR SacProcessor.cpp[32722]:100 handleApp - Cannot create ID for application, because appId range is exhausted. Application will be ignored.
[2023-03-16 14:18:07.919Z] ERROR SacProcessor.cpp[32722]:100 handleApp - Cannot create ID for application, because appId range is exhausted. Application will be ignored.
[2023-03-16 14:18:07.921Z] ERROR SacProcessor.cpp[32722]:100 handleApp - Cannot create ID for application, because appId range is exhausted. Application will be ignored.
[2023-03-16 14:18:07.923Z] ERROR SacProcessor.cpp[32722]:100 handleApp - Cannot create ID for application, because appId range is exhausted. Application will be ignored.
[2023-03-16 14:18:07.924Z] ERROR SacProcessor.cpp[32722]:100 handleApp - Cannot create ID for application, because appId range is exhausted. Application will be ignored.
[2023-03-16 14:18:07.925Z] ERROR SacProcessor.cpp[32722]:100 handleApp - Cannot create ID for application, because appId range is exhausted. Application will be ignored.
[2023-03-16 14:18:07.926Z] ERROR SacProcessor.cpp[32722]:100 handleApp - Cannot create ID for application, because appId range is exhausted. Application will be ignored.
[2023-03-16 14:18:07.927Z] ERROR SacProcessor.cpp[32722]:100 handleApp - Cannot create ID for application, because appId range is exhausted. Application will be ignored.
[2023-03-16 14:18:07.927Z] ERROR SacProcessor.cpp[32722]:100 handleApp - Cannot create ID for application, because appId range is exhausted. Application will be ignored.
[2023-03-16 14:18:08.568Z] INFO HBSessionHandler.cpp[32722]:125 removeDirtySessions - Number of sessions: 14
[2023-03-16 14:18:08.582Z] INFO HBSessionHandler.cpp[32722]:152 findPinnedEndpointIdentity - Number of sessions: 15

asking because of  RE: Sophos Firewall reported computer not sending heartbeat signals 

we'll re-image that machine soon from iso and re-build HA then. Just wantred to know if we need to get something fixed on heartbeat before.



This thread was automatically locked due to age.
Parents Reply Children
  • Probably someday someone will look here for the resolution on the full appID range, so I write some more words:

    There may be some problems with the automatic cleanup. in theory, it probably does what is written in the documentation.

    But this has been discussed during our support case (06348145) and it could not be ruled out, that the cleanup really makes old, deleted  appID's usable. During our manual deletion, we found out, that deleted appID's are no used by heartbeat for new apps, because it simply wants to use the highest appID number. In the end, we need to flush multiple db tables now completely - so delete all ever learned apps and start from scratch. Not that we've used the apps for something, but other customers may. Anyway it is some kind of rough handling of an expectable issue.

    Case notes:

    Can you please confirm the automatic cleanup will work as intended and does not have the issues we're dealing with in this case?

     

    From help: "Clean up application database: Sophos Firewall can automatically clear applications detected before a certain time period. It then runs a daily check for these applications and deletes them in batches of 100 every five minutes. Applications are also deleted from application filter policies if they were added individually."

    To me that reads like exactly what we were doing, except removal from app filter policies.

     So let's imagine: we have a blank table tbleacapplications now. After 1 Year we have 1000 app id's in the table. Then we have automatic cleanup enabled to delete all older than 6 month. To make it simple, let's say it finds only 10 app id's older than 6 months. They are the app id's 100-105 and 200-205. They get deleted. Fine.

    From your mails* I would now think, the next new application seen by the firewall will get id 1001, not 100 (which is free now)

    *= The current design / code implementation simply checks what is the latest appid which is in use and created new appid entries after this until it reaches the max appid which is 19999.

  • Hi  ,

    We have planned to solve the appid exhaustion issue in our upcoming v20 release. The solution will start reusing the deleted appids once the max appid is already used. This solution will also include actual deletion of the appids.

    Currently as a part of auto-clean, we are deleting all application related data to free up storage but not deleting the appids. This was done to ensure we reuse the same appid for the same application that gets detected in future. This delays the appid ranges to get exhausted. However once the appid range is exhausted, we have a problem that is getting solved in v20 release. 

  • Hi thank you for your description of the current status and the great news, that this is to be improved in v20. Sounds promising - looking forward to the new version.

    Thanks again!

  • today I flushed the synced app id table and it worked. Starting now only with new applications.

    AUXILIARY
    1. heartbeat service status  should NOT be "RUNNING"
    XG430_WP02_SFOS 19.5.2 MR-2-Build624 HA-Auxiliary# service -S | grep heartbeat
    fwcm-heartbeatd      RUNNING
    heartbeat            UNREGISTERED

    2.
    psql -U pgroot -d corporate -c "DELETE FROM tbleacapplications"
    psql -U pgroot -d corporate -c "DELETE FROM tbleacappcache"
    psql -U pgroot -d corporate -c "DELETE FROM tblappstoeps"
    psql -U pgroot -d corporate -c "DELETE FROM tbleacendpoints"
    NOTE: "tbleacappcache" and "tblappstoeps" can give "DELETE 0" as result which is OK.


    PRIMARY
    1. heartbeat service status should be "RUNNING"
    XG430_WP02_SFOS 19.5.2 MR-2-Build624 HA-Primary# service -S | grep heartbeat
    fwcm-heartbeatd      RUNNING
    heartbeat            RUNNING

    2.
    psql -U pgroot -d corporate -c "DELETE FROM tbleacapplications"
    psql -U pgroot -d corporate -c "DELETE FROM tbleacappcache"
    psql -U pgroot -d corporate -c "DELETE FROM tblappstoeps"
    psql -U pgroot -d corporate -c "DELETE FROM tbleacendpoints"
    NOTE: "tbleacappcache" and "tblappstoeps" can give "DELETE 0" as result which is OK.

    3.) restart heartbeat on PRIMARY or reboot machine
    XG430_WP02_SFOS 19.5.2 MR-2-Build624 HA-Primary# service -ds nosync heartbeat:restart
    200 OK

    PS: this was the output from the table deletions:

    XG430_WP02_SFOS 19.5.1 MR-1-Build278 HA-Auxiliary# psql -U pgroot -d corporate -c "DELETE FROM tbleacapplications"
    DELETE 450
    XG430_WP02_SFOS 19.5.1 MR-1-Build278 HA-Auxiliary# psql -U pgroot -d corporate -c "DELETE FROM tbleacappcache"
    DELETE 0
    XG430_WP02_SFOS 19.5.1 MR-1-Build278 HA-Auxiliary# psql -U pgroot -d corporate -c "DELETE FROM tblappstoeps"
    DELETE 0
    XG430_WP02_SFOS 19.5.1 MR-1-Build278 HA-Auxiliary# psql -U pgroot -d corporate -c "DELETE FROM tbleacendpoints"
    DELETE 599
    XG430_WP02_SFOS 19.5.1 MR-1-Build278 HA-Auxiliary# exit
    
    
    XG430_WP02_SFOS 19.5.1 MR-1-Build278 HA-Primary# service heartbeatdpsql -U pgroot -d corporate -c "DELETE FROM tbleacapplications"
    DELETE 450
    XG430_WP02_SFOS 19.5.1 MR-1-Build278 HA-Primary# psql -U pgroot -d corporate -c "DELETE FROM tbleacappcache"
    DELETE 0
    XG430_WP02_SFOS 19.5.1 MR-1-Build278 HA-Primary# psql -U pgroot -d corporate -c "DELETE FROM tblappstoeps"
    DELETE 0
    XG430_WP02_SFOS 19.5.1 MR-1-Build278 HA-Primary# psql -U pgroot -d corporate -c "DELETE FROM tbleacendpoints"
    DELETE 599