
SFOS 16.01.0 known IPS issue - Workarounds?

Hey all,

Anyone have any other workaround for the known IPS issue (NC-8238 [IPS] IPS Service drops legitimate traffic in very high load average conditions)? The IPS service seems to constantly fail to start and causes this issue from what I can see (CPU usage and memory usage spike all over the place). As my workaround, I set the IPS service to Stop, and performance and traffic return to normal. Obviously this isn't a great solution... Anyone have anything better?

I'd like to know when this will be resolved too, seems to me to be a rather big problem. I may actually just roll back to 15 if this is going to be a thing for a while.

Thanks !!



  • We have a similar problem - with the IPS service turned ON, and even if it's not configured on any of the firewall rules, it's constantly eating 1 CPU core (on XG115) and causing latency spikes with real-time traffic degradation (VoIP).

    Already opened a case about this issue, waiting for an answer.

    P.S. Is it really a "known" issue? Where can I find it?

  • Hi, it is a known issue - release notes: https://community.sophos.com/products/xg-firewall/b/xg-blog/posts/sfos-16-01-1-released

    "NC-8238 [IPS] IPS Service drops legitimate traffic in very high load average conditions"

    To me it's pretty awful that it's taken so long to get a fix out. I had to disable the IPS service on one installation. It seems fine on my Cyberoam CR300iNG-XP though, which is production, so I am happy it's not causing issues there.

    I'm interested to hear the answer you are given :)

  • Our situation is nowhere near "in very high load average conditions" ))

    We have an XG115 and 2-5 Mbit of traffic with no spikes (+1-2 SSL VPN clients).

    I'm sorry to say that, but I'm starting to understand why Palo Alto costs 5-10 times more (because they have separate management and traffic boards in one box + FPGA, and of course better quality control).

  • Hi AleksandrIvanov, 

    The issue in this bug is resolved with V16.01.1; check if the issue persists.

    Regards,

    Aditya Patel
    Global Escalation Support Engineer | Sophos Technical Support


  • I think you are mistaken, as the issue is definitely not resolved on 16.01.1 for me. I still have to disable IPS, or it drops all packets.

    It's still listed under "Known Issues" here: 

    https://community.sophos.com/products/xg-firewall/b/xg-blog/posts/sfos-16-01-1-released

    Known Issues

    NC-6315 [Clientless Access(HTTP/HTTPS)] Script based web forms of Web Server is not accessible with Clientless VPN

    NC-12079 [Galileo Heartbeat] No heartbeat status displayed on control center with MAC End point

    NC-13480 [Galileo Heartbeat] Heartbeat service taking High CPU due to same multiple UUID of End Point

    NC-8238 [IPS] IPS Service drops legitimate traffic in very high load average conditions

    NC-13538 [UI] Control center page is not properly displayed with IE 11

    NC-13282 [Wireless] AP Deployment over IPsec VPN is not working

  • We are using SFOS 16.01.1 since it was released. Issue still here.

  • Same issue with VoIP/SIP/RTP traffic dropouts on an XG-105 (possibly on two of them).

    Absolutely fine in v15. Then we got call quality degradation and dropouts of about 1-2 seconds.

    We had to do a packet trace either side of the firewall - and we could see that the Sophos was "holding on" to a bunch of packets for around 5 seconds before passing them on to the network - presumably due to the "IPS" function.

    Note: Service was turned ON, but not configured on any rules, just like Aleksandr.

    We stopped the IPS service and the problems have gone away.

    The XG105 is still reporting a load average of 1.13, 1.19, 1.21 which could be considered 'high', but it's much better than it was.

    One big question: Is there a way that we can make sure the IPS service stays stopped? Sophos support - is there something we can do in the advanced shell to disable it for now until this is fixed?

  • The real issue is being able to disable the various IPS rules for each firewall rule, rather than all or nothing.

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA
