Two-minute lock-up-ish

Had something odd happen this evening. I tried to go to a website on my laptop and nothing happened. So I tried to connect to the firewall to see what's going on, and nothing happened. Looked at the device and for about a minute the blue disk light was pretty much continuously lit. During this period, some traffic did get in and out -- I had Slack messages hit the laptop, for example.

It finally ended, and everything was back. I went to Sophos Central and had an Alert that the firewall was back up. But strangely there was no message that anything had been wrong. No email telling me things are back up. (But I might be thinking of when the gateway goes down which gives both up and down Alerts and emails.)

I checked for Pattern updates: none in that timeframe. (ATP early in the morning, AV in the early afternoon.) I checked logs in SC and there are no entries from 16:29 through 16:30. (And strangely, no log of firewall up, which I thought was logged, but that again might be gateway up.)

Anyhow, just reporting it. XGS87 running v19 EAP. Recently I switched to having the XGS be the local DNS server, which moved memory usage from a pretty constant 74% or so, to about 80%. (Or at least that's how it seems to me.) For a little while, that gave me a yellow indicator, but since that initial blip it's indicated green, so I've been assuming it's more memory but still within acceptable boundaries.

  • Happened again. This time I lost all connectivity and the blue (disk) light stayed continuously lit for 10 minutes before I pulled the plug. A directly-attached APX320 had a solid yellow (I think, sort of a red/green mixture) color. Could not reach the XGS87 via direct ethernet connection.

    The LAN (Port 1) and WAN (Port 2) lights were flashing, disk light solid, and as far as I can tell it would have continued like this indefinitely.

    Looking back for any data in Sophos Central, there's no data after the 25th (today is the 31st). This is an XGS87 so does not do on-box logging, but I'd sort of assumed that logs upload to Sophos Central in a real-time-ish manner. Either it uploads once-a-week or when full or it was stuck for almost a week with no uploading. So no ability to trace what went wrong at all.

    There were three Pattern updates today: ATP at 3:22 AM, GeoIP at 6:22 AM and SophosAV at 9:23 AM. The crash was at 3:49 PM.

    The only thing I'm doing differently than in the past is I have enabled the appliance as the network's DNS server. I will switch away from that to see if it fixes the problem.

    The previous glitch was 14 days ago at 4:30 PM, so roughly in the same hour. Who knows, it could be a problem every week on Mondays at roughly 4:00 PM, and I wasn't in the middle of anything last week.