
XG125 100% CPU USAGE

Hello,

I have an issue on an XG125. Every morning between 9:00 AM and 10:00 AM the CPU usage goes to 100%. I connected to the appliance via SSH to check with the "top" command which process was using 100% of the CPU, and it is the AVD process. Then, when I restart the Anti-Virus service from the appliance, the CPU usage comes back to normal.

The problem is happening every morning and it's very critical because when the CPU usage is at 100%, the IPsec VPN between this XG125 and another XG210 is not stable and 60 people cannot work properly.


I opened a support case (here is the number: 8451452) and they asked me to back up the appliance and reset it to factory defaults... But I cannot accept this answer because this is a production firewall and it is at a remote site 500 km away, so I could not go on site just to test whether a factory reset will do something; the boss won't accept spending money on a 500 km trip just to do a factory reset because the ~$2000 firewall he bought needs a reset...


Actually, I have totally disabled the "SCAN HTTP" feature on the rules to test whether tomorrow morning the CPU will reach 100% again or not.


If anyone has an idea...

Thank you for your help.



  • Hi

    Yes, the replacement of the unit fixed the issue.

  • Question anyway, even if the replacement solved your issue: is there a reason why you are using realtime scan instead of batch scan?


    Realtime scan is less capable for malware analysis than batch mode (where the AV sees the whole file in one piece), and you also don't get block messages on malicious events, no sandboxing is possible in realtime mode, etc. Even if this mode might slightly lower delays when loading web pages/web content, I personally would never recommend that setting and therefore disagree with the Sophos KBA on that matter:

    Sophos XG Firewall: What is Batch Mode and Real Mode in Malware Scanning?


    (My personal) recommendation: prefer batch in every scenario, unless you really get into performance trouble due to web proxy AV scanning lagginess, or if it's an uncritical network where very basic pure signature AV capabilities are sufficient.

    In every other case ==> Batch Scanning Mode
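As an added illustration of the batch-versus-realtime point made above (this is constructed example code, not Sophos code and not a model of how the XG's AVD process is actually implemented): a toy signature scanner is run in whole-file mode, in naive per-chunk mode, and in per-chunk mode with an overlap buffer, over a plain body and over a zlib-compressed copy of it. The signature bytes, the chunk size and the sample bodies are assumptions made for the demonstration; the scanner generalizes the post's "whole file in one piece" argument to show both failure modes of chunk-wise inspection, a pattern that straddles a chunk boundary and a compressed body that cannot be expanded piecemeal.

```python
import zlib

# Constructed signature for the demonstration; any byte pattern would do.
SIGNATURE = b"EICAR-TEST"


def batch_scan(data: bytes) -> bool:
    """Batch mode: the whole object is available before a verdict is given.
    Because the full stream is present, a compressed body can be expanded and
    scanned, and a pattern is matched wherever it sits in the file."""
    try:
        data = zlib.decompress(data)   # succeeds only if the body is zlib data
    except zlib.error:
        pass                           # plain body: scan as-is
    return SIGNATURE in data


def naive_stream_scan(data: bytes, chunk_size: int) -> bool:
    """Realtime (streaming) mode in its simplest form: each chunk is inspected
    on its own as it is forwarded. A pattern that straddles a chunk boundary is
    never seen whole, and compressed content cannot be expanded piecemeal."""
    for off in range(0, len(data), chunk_size):
        if SIGNATURE in data[off:off + chunk_size]:
            return True
    return False


def overlapping_stream_scan(data: bytes, chunk_size: int) -> bool:
    """Streaming mode that carries len(SIGNATURE) - 1 bytes over from the
    previous chunk, which fixes the boundary problem for a plain body. It still
    cannot look inside a compressed body: decompression needs the full stream."""
    carry = b""
    for off in range(0, len(data), chunk_size):
        window = carry + data[off:off + chunk_size]
        if SIGNATURE in window:
            return True
        carry = window[-(len(SIGNATURE) - 1):]
    return False


def build_samples() -> dict:
    """Constructed sample bodies: the signature placed so that a 16-byte chunk
    boundary falls inside it (bytes 10..19), plus the same body zlib-compressed."""
    plain = b"A" * 10 + SIGNATURE + b"B" * 10
    return {"plain": plain, "compressed": zlib.compress(plain)}


def compare_modes(chunk_size: int = 16) -> dict:
    """Run every scanner over every sample and return the verdict table:
    {sample_name: {scanner_name: detected}}."""
    results = {}
    for name, body in build_samples().items():
        results[name] = {
            "batch": batch_scan(body),
            "naive_stream": naive_stream_scan(body, chunk_size),
            "overlapping_stream": overlapping_stream_scan(body, chunk_size),
        }
    return results


if __name__ == "__main__":
    for name, verdicts in compare_modes().items():
        print(name, verdicts)
```

Only the batch scanner reports the signature in both samples: the naive streaming scanner misses the boundary-straddling pattern in the plain body, and neither streaming variant can see inside the compressed body, which is the capability gap the post describes.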

  • Hello,


    100% of the Sophos XG units I'm managing (~25) are configured in Batch mode.

    On the screenshot provided in this post, we can see realtime because it was for testing purposes, to test whether the CPU was used less.

    But once the replacement unit was switched on, I set Batch mode back :)