This is the second time this has occurred since using v18 EAP. I've also had this issue occur a couple times when running v17 but it wasn't as frequent. With v18 EAP, after Sophos XG has been running for several days (over a week), sometimes the internet becomes unresponsive as in I can't access anything. For example, if I try to access a website, it just continues trying to load and eventually times out. At first, I thought it was an ISP issue so I would reset my cable modem but that didn't fix the issue. I can still access devices on my local network just fine, such as the Sophos XG web UI. What I did notice in the web UI is the "Sessions" count under System in the Control Center indicates a very high number when I'm having these issues. It seems to fluctuate from ~800 up to 2.5k. I have about 30-40 devices on my network (one computer, mobile devices, smart home devices, etc.). Typically, my Sessions count is somewhere around 20-50. After restarting Sophos XG, the count goes back down to what I normally see and everything works fine.
Anyone else experiencing similar issues? Is there any specific log I can save when this issue occurs? Unfortunately, I'm running this on my home network so I can't just leave it in an unusable state.
What country are you in?
What is the model of the cable modem?
How is the WAN interface in the Sophos configured?
Gavin Daniels. DipIT(Networking)
I’m located in USA. It’s a Motorola MB8600 cable modem and the WAN interface is the default configuration. The only addition I made was adding an IPv6 interface.
Sophos XG guides for home users: https://shred086.wordpress.com/
In Australia we use HFC cable and Arrias Cable Modems. Several ISP's will use PPPOE Authentication for their connections.
I found that I would get a lockup of the interface for a while when the WAN port was configured at a 1500MTU size. Dropping it to a 1492MTU size to allow for the 8 byte pppoe Header.
When I moved to another carrier who also uses PPPOE over a Vlan connection, I needed to reduce the MTU size to 1460.
Which is also where I added the forum request to make the MTU size of an unconfigured WAN port adjustable. As configuring the hardware port as WAN or DMZ with a static IP was a waste,
Ah, I see. My ISP is Cox which does not use PPoE.
Rana Sharma, The issue started occurring again last night. Same issue and symptoms. I left everything alone to see if the problem would still be there in the morning and sure enough, it was. I left everything as is for about an hour while I was digging around to see if I could see anything abnormal, but nothing appeared out of ordinary other than the increasing/decreasing session counts that I also see associated with this issue. Instead of restarting the entire thing, I tried restarting just the ips service from the advanced shell and after doing so, it appears the issue is resolved. Session counts are back down to “normal” levels and I also noticed the memory usage dropped from ~50% to ~38%. I did take a Consolidated Troubleshooting Report when the issue was occurring.
So, as far as I can tell, the issue appears to be caused by the ips service that is resolved with an ips service restart. Here are my ips settings:
Sophos Firmware Version SFOS 18.0.0 EAP3-Refresh1
console> show ips-settings-------------IPS Settings------------- stream on lowmem off maxsesbytes 0 maxpkts 8 enable_appsignatures on http_response_scan_limit 65535 search_method hyperscan sip_preproc enabled sip_ignore_call_channel enabled inspect untrusted-content
console> show ips-settings
-------------IPS Instances------------IPS CPU 1 0 2 1 3 2 4 3
Well, restarting the ips service seemed to have fixed it for about an hour. Unfortunately, the issue is back.
Edit: So I restarted the ips service again and everything has been working fine for the past two hours.
I’m wondering if the issue is with ATP. Before I was having the issue last night, I enabled ATP and the issue started occurring shortly after. I notice when I enable ATP, the memory usage jumps up quite a bit. Even after disabling ATP, the issue remained and the memory usage remained as well. This morning when I restarted the ips service to see if it fixed the issue, I did the same thing of enabling ATP and shortly after the issue started occurring. Same symptoms after disabling ATP (increased memory usage remained, issue still existed). I restarted the ips service this last time but left ATP enabled and so far, everything seems to be working fine.
there is a bug in the ATP which will be fixed in the V18 GA I am advised. You will need to restart your XG if you disable ATP and re-enable it.
XG115W - v19.5 GA - Home
Test machine - Asus P10S-i E3-1225v5, 6gb, 4 intel NICs, v19.5 GA
If a post solves your question please use the 'Verify Answer' button.
There is a known issue, fixed in GA, with ATP that may be related. I think shred is experiencing this but I don't know if it is the cause of the connection/unresponsive.
Take a look at /log/ips.log. If you see a lot of "failed to get sessiontbl data for session id" then you may be experiencing the issue.
Advanced Threat > Enable Advanced Threat protection : Off
System Services > Services > IPS : Stop and then Start
I think I may be having some other issues as well based on some information from Michael Dunn via PM but it also looks like I have the "failed to get sessiontbl data for session id" in my ips logs. Example:
[Feb 03 16:47:37 :29704]:failed to get sessiontbl data for session id 528 rev 64837,dropping packet
[Feb 03 17:23:12 :29703]:failed to get sessiontbl data for session id 574 rev 36762,dropping packet
[Feb 03 17:23:42 :29704]:failed to get sessiontbl data for session id 350 rev 3155,dropping packet
[Feb 03 17:25:49 :29701]:failed to get sessiontbl data for session id 146 rev 36239,dropping packet
[Feb 03 17:25:49 :29701]:failed to get sessiontbl data for session id 462 rev 38120,dropping packet
However, I've had ATP off for the past couple days (and restarted the IPS service after turning it off). I haven't had any issues with the internet being unresponsive since then.
Assuming that shred does not get this again with ATP off, we can assume that is the cause. Tracked in NC-55333 and already fixed in GA.