Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Suggested Answer
  • +2 person also asked this people also asked this
  • Locked Locked
  • Replies 62 replies
  • Answers 2 answers
  • Subscribers 50 subscribers
  • Views 192543 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SFOS 16.01.0 known IPS issue - Work arounds?

Darrian Churchill

Hey all,

Anyone have any other work around for the known IPS issue (NC-8238   [IPS] IPS Service drops legitimate traffic in very high load average conditions)? The IPS service seems to constantly fail to start and causes this issue from what I can see (CPU usage and memory usage spike all over the place). As my work around, I set the IPS service to Stop, performance and traffic return to normal. Obviously this isn't a great solution... Anyone have anything better? 

I'd like to know when this will be resolved too, seems to me to be a rather big problem. I may actually just roll back to 15 if this is going to be a thing for a while.

Thanks !!



This thread was automatically locked due to age.
  • 0 in reply to sachingurung

    Its not related to QoS (forgot to mention it) You need QoS when you are pushing traffic to port/wan/uplink limit.

    Traffic is 2 to 5 mbit max with, QoS turned off. I believe maxpkts 80 is the default in current firmware (ill wait for support to answer first)

  • 0 in reply to sachingurung

    Hi, 

    As requested: 

     

    -------------IPS Settings-------------                                                              
            stream on                                                                                   
            lowmem on                                                                                   
            maxsesbytes 0                                                                               
            maxpkts 80                                                                                  
            mmap on                                                                                     
            enable_appsignatures on                                                                     
            http_response_scan_limit  65535                                                             
                                                                                                        
                                                                                                        
    -------------IPS Instances------------                                                              
    IPS CPU                                                                                             
     1  0                                                               

    The issue is being experienced mainly on a PC (3GB RAM, dual core CPU @ 2.0GHz) running Sophos XG 16.1.01. The issue starts as soon as the IPS Service starts, and only 1 connection. 

                                    
  • 0 in reply to Darrian Churchill

    Hi Darrian,

    Set the lowmem attribute for IPS off. Execute,

    set ips lowmem-settings off

    This will reduce the CPU consumption.

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • 0 in reply to sachingurung

    Thanks for that. I have given it a try and started the IPS Engine service. 

    It seems to have lowered CPU usage while the service is trying to start, but it seems to be stuck trying to start and never actually starts now: 

     

  • 0 in reply to sachingurung

     

    make sure to check that IPS engine is not eating all the resources on XG (even when the appliance is sized well for the environment).

    XG installed on SG120 for example, the IPS engine eats all the CPU resources without any rule configured (but only the ips service).

    Also a KB where you explain all the different settings of ips-setting is needed and helpful for users.

    Thanks

  • 0 in reply to Darrian Churchill

    Hi,

    Does a system reboot help in that situation?

    @Luk The IPS settings are usually not meant to be touched privately, any change must come from support officially. Which is why we do not have a KBA for the those settings for IPS.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • 0 in reply to sachingurung
    Unfortunately not. Upon reboot the service does the same for a while, eventually starts, stops again and repeats the process.
  • 0 in reply to sachingurung

    Thanks Sachin, however you need to improve ips performance. As I said try to install XG on sg 110/120 without any configuration and you will see how IPS eats the CPU and the 2 GB of ram on those systems and then reply back.

    Thanks

  • 0 in reply to Darrian Churchill

    Hi Darrian,

    If possible report it to support and provide me the case#. I will still look around if I get a catch to this issue.

    @luk - Thanks for the feedback, I agree and will raise this in the next internal team meet with the developers.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • 0 in reply to sachingurung

    Thank you for the suggestion. As far as I know, this being a home license, I am not able to report the issue to support. Is that correct? 

     

    Thank you,

    Darrian

Unfiltered HTML