

XG Home VM v20 - Snort using all CPU with some random trigger

I've seen similar topics here, but none seem to quite work.  XG Home VM, v20, with a pretty minimal ruleset.  I'm really the only person on my home network.  At some random times the VM will go to 90-100% CPU usage and stay there.  This has happened at 2 in the morning when nothing is really being used.  Traffic through the XG will usually stop flowing when this happens.  top shows that snort is the top process on both CPUs when this happens, followed by conntrack.  If I drop the snort service, I regain about 50% of my CPU.  The only thing that actually fixes the issue for a time is to use the console to purge logs and reboot.

I'm about at the point where I just want to rebuild from scratch, as I can't pin down the event that causes this.  Any advice?



  • Kindly switch back to the previous VM and let it run for a while. We can then verify the configuration and troubleshoot any active CPU spikes that may occur.

    Are there any configuration differences in the new VM?

  • Did you do a backup / restore or XML Import/export? 


  • Unfortunately I can no longer switch back to the previous VM.  Good/bad news is that the new one is now doing the same thing.  Support key sent.  Will renew if needed.

  • XML import/export of FW and NAT rules with dependencies.  Figured the less data transferred the better.

  • Thank you for the access. 

    I have checked your appliance logs and I do not find any events that can trigger a CPU spike.

    Also, I can see that CPU increased from Jan 5, which is related to the port1 RX traffic increase.

    Can you please share graphs of CPU spike and Port1 traffic from the old VM to verify if that has any relation?

  • Looks like we've found the issue - thanks to everyone and to  for the eyes on-box and the info to track down what was causing this.

    I have a Home Assistant VM running on my network.  I also have a NAT rule in my XG that redirects all DNS / sDNS (DNS over TLS/HTTPS) requests to my internal DNS server.  The internal DNS server doesn't yet support sDNS, but the service on my XG included both 53 and 853.  The Home Assistant VM includes a config with a "fallback" DNS to Cloudflare.  At random times, the VM will attempt to reach out to Cloudflare, get redirected to internal DNS, fail to connect, and then start repeating that connection attempt multiple times a second.  Either disabling that fallback DNS entry, updating my DNS server to support sDNS, or removing the NAT rule redirecting DNS would fix the problem.  I chose the final option to start with.

    I can't post the link, as this post will get flagged.  Googling "home assistant fallback DNS improve Privacy" will bring up a post on the Home Assistant forums called "Improve Privacy, Stop using hardcoded DNS."  That article describes what was happening.

    So, once again, it was DNS.  It's always DNS.
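
An added example, not part of the original posts and not Sophos or Home Assistant code: a small Python script that spots the pattern described above in connection logs, i.e. one host hammering a DNS (53) or DoT (853) destination many times within a single second because its redirected connection keeps failing. The key=value log format, the IP addresses (192.168.1.50 standing in for the Home Assistant VM, 1.1.1.1 for Cloudflare) and every log line below are constructed for this example; Sophos XG's real log schema differs, so adapt the regex to whatever your export actually looks like.

```python
"""Detect a DNS/DoT retry storm in firewall connection logs (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumed key=value line format, constructed for this example; not Sophos XG's log schema.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) conn src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)

# Constructed sample: a normal client doing occasional plain DNS to the internal resolver...
NORMAL = [
    "2024-01-05T02:00:00.100 conn src=192.168.1.20 dst=192.168.1.10 proto=UDP dport=53 action=Allow",
    "2024-01-05T02:00:03.400 conn src=192.168.1.20 dst=192.168.1.10 proto=UDP dport=53 action=Allow",
    "2024-01-05T02:00:07.900 conn src=192.168.1.20 dst=192.168.1.10 proto=UDP dport=53 action=Allow",
]
# ...and a host (hypothetical Home Assistant VM) retrying Cloudflare DoT every 80 ms because the
# NAT redirect lands it on a resolver that does not listen on 853, so each attempt fails fast.
STORM = [
    f"2024-01-05T02:00:05.{i * 80:03d} conn src=192.168.1.50 dst=1.1.1.1 proto=TCP dport=853 action=DNAT"
    for i in range(12)
]
SAMPLE_LOG = NORMAL + STORM + ["2024-01-05T02:00:09.000 something unrelated"]


def parse_line(line):
    """Return a dict for one connection-log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_retry_storms(lines, threshold=10, ports=(53, 853)):
    """Flag (src, dst, dport) flows whose connection count in any one second reaches threshold.

    A few queries per second is normal resolver traffic; dozens of new connections per second
    from one host to one DNS/DoT destination is a client stuck in a retry loop.
    """
    # (src, dst, dport) -> Counter of epoch-second bucket -> number of connection attempts
    per_second = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] not in ports:
            continue
        key = (rec["src"], rec["dst"], rec["dport"])
        per_second[key][int(rec["ts"].timestamp())] += 1

    storms = []
    for (src, dst, dport), buckets in per_second.items():
        peak = max(buckets.values())
        if peak >= threshold:
            storms.append({"src": src, "dst": dst, "dport": dport, "peak_per_second": peak})
    return sorted(storms, key=lambda s: -s["peak_per_second"])


if __name__ == "__main__":
    for storm in find_retry_storms(SAMPLE_LOG):
        print(f"{storm['src']} -> {storm['dst']}:{storm['dport']} "
              f"peaked at {storm['peak_per_second']} connections/second")
```

Running it against the constructed sample flags only the 192.168.1.50 -> 1.1.1.1:853 flow; the plain-DNS client never exceeds one attempt per second. Once a flow like that shows up, the three fixes the poster listed apply: stop the client from hardcoding a fallback resolver, make the redirect target actually speak DoT on 853, or drop 853 from the redirect service so the NAT rule only covers the port the internal resolver serves.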