This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

dhcpd_eve+ ??

Hi all

I have performance problems with the xg86w, the cpu sometimes reaches 100%
the top command gives the following result:
Thanks you.

This thread was automatically locked due to age.

Top Replies

Raphael Alganes 4 months ago in reply to Sofos network +2

Hello, It should be dhcpd_events . If you would expand the terminal UI you should be able to see the whole text of dhcpd_eve+

Parents

0 Raphael Alganes 4 months ago

Hello,

Thanks for reaching out to Sophos Community.

Regret to hear about the issue you encountered.

I may recommend you open a support case for this to be further investigated: https://support.sophos.com/support/s/?language=en_US#t=AllTab&sort=relevancy

Kindly share with us the caseID generated once you have it.

Many thanks for your time and patience and thank you for choosing Sophos.

Regards,

Raphael Alganes
Community Support Engineer | Sophos Technical Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel
0 Sofos network 4 months ago in reply to Raphael Alganes

Thanks Raphael Alganes

But what is this dhcpd_eve+ ??
Cancel
Vote Up 0 Vote Down

Cancel
0 Raphael Alganes 4 months ago in reply to Sofos network

Hello,

It should be dhcpd_events. If you would expand the terminal UI you should be able to see the whole text of dhcpd_eve+

Raphael Alganes
Community Support Engineer | Sophos Technical Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up +2 Vote Down

Cancel
0 Vivek Jagad 4 months ago in reply to Raphael Alganes

Additionally, Sofos network can you check Can you check if DHCP setting has low lease time or DHCP flooding seen ?

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Log a Support Case | Sophos Service Guide
Best Practices – Support Case

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Vivek Jagad 4 months ago in reply to Raphael Alganes

Additionally, Sofos network can you check Can you check if DHCP setting has low lease time or DHCP flooding seen ?

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Log a Support Case | Sophos Service Guide
Best Practices – Support Case

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Sofos network 4 months ago in reply to Vivek Jagad

Hi Vivek Jagad

lease time 1440 min

How to check if there is DHCP flooding ?
Cancel
Vote Up 0 Vote Down

Cancel
0 Vivek Jagad 4 months ago in reply to Sofos network

check for the drop-packet-capture for the port 67 or port 68 and look for the DoS category in the drop logs
> drop-packet-capture
> How to troubleshoot dropped packets

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Log a Support Case | Sophos Service Guide
Best Practices – Support Case

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 Sofos network 4 months ago in reply to Vivek Jagad

is't DHCP flooding ?
Cancel
Vote Up 0 Vote Down

Cancel
0 Vivek Jagad 4 months ago in reply to Sofos network

could be, try increasing your maximum lease time, you can set between 1-43200 mins...

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Log a Support Case | Sophos Service Guide
Best Practices – Support Case

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 Sofos network 4 months ago in reply to Vivek Jagad

I changed it this morning to be 7 days

How to stop this?

does sophos xg86w have dhcp flood attack protection?
Cancel
Vote Up 0 Vote Down

Cancel
0 Vivek Jagad 4 months ago in reply to Sofos network

can Create a DoS bypass rule.

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Log a Support Case | Sophos Service Guide
Best Practices – Support Case

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel

0 Sofos network 4 months ago in reply to Vivek Jagad

 ok, 
and I think that it is the firewall that is renewing the IP, 
since I disconnected the network cable from the PC concerned, but the firewall continues to renew the IP for the same PC
so Dos bupass rule can stop the renewing from FW?
Thanks & Regards,

0 Vivek Jagad 4 months ago in reply to Sofos network

but first need to validate if there is a flooding happening on the port 68,

ref:

Packet capture using KBA: https://support.sophos.com/support/s/article/KB-000037007?language=en_US

Collect the drop packet using KBA: https://docs.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/CommandLineHelp/DeviceConsole/index.html#drop-packet-capture

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Log a Support Case | Sophos Service Guide
Best Practices – Support Case

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 Vishal_R 4 months ago in reply to Sofos network

Hi Sofos network It looks like there is a DHCP flood from a specific machine and it seems the network device is continuously producing lease requests because of a malfunction. After disconnecting the network cable of the concerned PC you may reboot the firewall once (at your most convenient time) which will clear pending DHCP operations and the CPU will be back to normal. Regarding the scenario of DHCP request flood, scaling or improving SF OS DHCP service handling with such DHCP flood is currently a backlog work at Product Management.

Regards,

Vishal Ranpariya
Technical Account Manager | Sophos Technical Support
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up +1 Vote Down

Cancel