Internet becomes unresponsive after several days?

This is the second time this has occurred since using v18 EAP. I've also had this issue occur a couple times when running v17 but it wasn't as frequent. With v18 EAP, after Sophos XG has been running for several days (over a week), sometimes the internet becomes unresponsive as in I can't access anything. For example, if I try to access a website, it just continues trying to load and eventually times out. At first, I thought it was an ISP issue so I would reset my cable modem but that didn't fix the issue. I can still access devices on my local network just fine, such as the Sophos XG web UI. What I did notice in the web UI is the "Sessions" count under System in the Control Center indicates a very high number when I'm having these issues. It seems to fluctuate from ~800 up to 2.5k. I have about 30-40 devices on my network (one computer, mobile devices, smart home devices, etc.). Typically, my Sessions count is somewhere around 20-50. After restarting Sophos XG, the count goes back down to what I normally see and everything works fine.

Anyone else experiencing similar issues? Is there any specific log I can save when this issue occurs? Unfortunately, I'm running this on my home network so I can't just leave it in an unusable state.

  • I’m located in USA. It’s a Motorola MB8600 cable modem and the WAN interface is the default configuration. The only addition I made was adding an IPv6 interface.

    ---

    Sophos XG guides for home users: https://shred086.wordpress.com/

  • Hi,

    In Australia we use HFC cable and Arrias Cable Modems. Several ISP's will use PPPOE Authentication for their connections.

    I found that I would get a lockup of the interface for a while when the WAN port was configured at a 1500MTU size. Dropping it to a 1492MTU size to allow for the 8 byte pppoe Header.

     

    When I moved to another carrier who also uses PPPOE over a Vlan connection, I needed to reduce the MTU size to 1460.

    Which is also where I added the forum request to make the MTU size of an unconfigured WAN port adjustable. As configuring the hardware port as WAN or DMZ with a static IP was a waste,

    Regards,

    Gavin Daniels. DipIT(Networking)

     

     
  • Ah, I see. My ISP is Cox which does not use PPoE.

    , The issue started occurring again last night. Same issue and symptoms. I left everything alone to see if the problem would still be there in the morning and sure enough, it was. I left everything as is for about an hour while I was digging around to see if I could see anything abnormal, but nothing appeared out of ordinary other than the increasing/decreasing session counts that I also see associated with this issue. Instead of restarting the entire thing, I tried restarting just the ips service from the advanced shell and after doing so, it appears the issue is resolved. Session counts are back down to “normal” levels and I also noticed the memory usage dropped from ~50% to ~38%. I did take a Consolidated Troubleshooting Report when the issue was occurring.

    So, as far as I can tell, the issue appears to be caused by the ips service that is resolved with an ips service restart. Here are my ips settings: 

    Sophos Firmware Version SFOS 18.0.0 EAP3-Refresh1

    console> show ips-settings
    -------------IPS Settings-------------
    stream on
    lowmem off
    maxsesbytes 0
    maxpkts 8
    enable_appsignatures on
    http_response_scan_limit 65535
    search_method hyperscan
    sip_preproc enabled
    sip_ignore_call_channel enabled
    inspect untrusted-content

    -------------IPS Instances------------
    IPS CPU
    1 0
    2 1
    3 2
    4 3

    ---

    Sophos XG guides for home users: https://shred086.wordpress.com/

  • Well, restarting the ips service seemed to have fixed it for about an hour. Unfortunately, the issue is back.

    Edit: So I restarted the ips service again and everything has been working fine for the past two hours.

    I’m wondering if the issue is with ATP. Before I was having the issue last night, I enabled ATP and the issue started occurring shortly after. I notice when I enable ATP, the memory usage jumps up quite a bit. Even after disabling ATP, the issue remained and the memory usage remained as well. This morning when I restarted the ips service to see if it fixed the issue, I did the same thing of enabling ATP and shortly after the issue started occurring. Same symptoms after disabling ATP (increased memory usage remained, issue still existed). I restarted the ips service this last time but left ATP enabled and so far, everything seems to be working fine.

    ---

    Sophos XG guides for home users: https://shred086.wordpress.com/

  • Seems like I experienced the exact same issues after activating ATP on EAP3 and I have left ATP offline since then. Gonna try it again now if it still persists. I notice it that my internet connected IoT devices like Tado heating and so on are suddenly offline. This gets fixed turning off the ATP. If I don‘t do that sooner or later normal browsing gets affected as well.
  • Hi,

    there is a bug in the ATP which will be fixed in the V18 GA I am advised. You will need to restart your XG if you disable ATP and re-enable it.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • There is a known issue, fixed in GA, with ATP that may be related.  I think shred is experiencing this but I don't know if it is the cause of the connection/unresponsive.

     

    Take a look at /log/ips.log.  If you see a lot of "failed to get sessiontbl data for session id" then you may be experiencing the issue.

    Workaround:

    Advanced Threat > Enable Advanced Threat protection : Off

    System Services >  Services > IPS :  Stop and then Start

  • I think I may be having some other issues as well based on some information from Michael Dunn via PM but it also looks like I have the "failed to get sessiontbl data for session id" in my ips logs. Example:

    [Feb 03 16:47:37 :29704]:failed to get sessiontbl data for session id 528 rev 64837,dropping packet

    [Feb 03 16:47:37 :29704]:failed to get sessiontbl data for session id 528 rev 64837,dropping packet

    [Feb 03 17:23:12 :29703]:failed to get sessiontbl data for session id 574 rev 36762,dropping packet

    [Feb 03 17:23:12 :29703]:failed to get sessiontbl data for session id 574 rev 36762,dropping packet

    [Feb 03 17:23:12 :29703]:failed to get sessiontbl data for session id 574 rev 36762,dropping packet

    [Feb 03 17:23:42 :29704]:failed to get sessiontbl data for session id 350 rev 3155,dropping packet

    [Feb 03 17:25:49 :29701]:failed to get sessiontbl data for session id 146 rev 36239,dropping packet

    [Feb 03 17:25:49 :29701]:failed to get sessiontbl data for session id 462 rev 38120,dropping packet

    However, I've had ATP off for the past couple days (and restarted the IPS service after turning it off). I haven't had any issues with the internet being unresponsive since then.

    ---

    Sophos XG guides for home users: https://shred086.wordpress.com/

  • Assuming that shred does not get this again with ATP off, we can assume that is the cause.  Tracked in NC-55333 and already fixed in GA.

  • Hi together,

    thanks to this thread I noticed, that switching off ATP significantly improves loading speed of websites. Generally I'm more interested in improving latencies and response times than the deeply discussed bandwidth tests - which are always fine anyway with XG :-).

     

    Is this noticeable performance drop an expected behavior when using ATP or is this related to the known bug? (I have "sessionntbl" log entries in the ips.log as well.)

    And a second question: What exactly is "untrusted content" (seems to be a new ATP setting) and when will this be relevant?

     

    Thanks and Best Regards

    Dom