SFOS 16.01.0 known IPS issue - Workarounds?

Hey all,

Anyone have any other workaround for the known IPS issue (NC-8238 [IPS] IPS Service drops legitimate traffic in very high load average conditions)? The IPS service seems to constantly fail to start and causes this issue from what I can see (CPU usage and memory usage spike all over the place). As my workaround, I set the IPS service to Stop; performance and traffic return to normal. Obviously this isn't a great solution... Anyone have anything better?

I'd like to know when this will be resolved too, seems to me to be a rather big problem. I may actually just roll back to 15 if this is going to be a thing for a while.

Thanks !!



  • Hi All

    I may have a workaround by changing the IPS settings, as this is a workaround.

    Default IPS settings

    stream on
    lowmem off
    maxsesbytes 0
    maxpkts 100
    enable_appsignatures on
    http_response_scan_limit 65535

    Run Commands on Console 

    set ips maxsesbytes-settings update 8192
    set ips maxpkts 8

    IPS settings after changes 

    -------------IPS Settings-------------
    stream on
    lowmem off
    maxsesbytes 8192
    maxpkts 8
    enable_appsignatures on
    http_response_scan_limit 65535

     This should help..

    Regards,

    Aditya Patel
    Global Escalation Support Engineer | Sophos Technical Support


  • I'm running these IPS settings following the update to 16.05.1 MR1

    -------------IPS Settings-------------
            stream on
            lowmem off
            maxsesbytes 8192
            maxpkts 8
            mmap on
            enable_appsignatures on
            http_response_scan_limit  65535

    -------------IPS Instances------------
    IPS CPU
     1  0

    I still get the service stop, start, stop, start etc. forever behavior.


      

    As you can see, each time the service stops and restarts, I get a dip and spike in CPU usage as well as RAM usage. The only behavior that seems to have changed is the firewall no longer drops packets when this is going on. I can ping my router on the other end of the firewall with no interruptions. 

    Edit - Reading above -  Intel(R) Atom(TM) CPU E3826 @ 1.46GHz is one CPU having this issue, a low clocked and low performance dual core. Mine is an older AMD Athlon64 3800+ X2 dual core, low performance by today's standards too. Perhaps this is a CPU performance issue? Somehow it either needs higher performance per core or 4 cores as opposed to 2? I am tempted to move my SFOS to a Core2Quad Q6600 instead and test. 

  • Do you or anyone else have any feedback about the issues in this new version? I've loaded it on my home appliance, but I never had this issue on my home one (XG105).

    I've also loaded it onto a XG125, but this was a fresh install, so I have no benchmark on whether it was an issue or not.
