IPSEngine stopped/dead XGW Home (SFOS 18.0.5 MR-5-Build586)

I logged into the web console and noticed the IPS Service was red in the Control Center. I attempted to restart from the web interface but I received a "failed to start" message each time I tried.  I also tried rebooting and went to manually update patterns via the backup and firmware web interface.  The last successful automatic update is listed as August 5th.

I am hoping a seasoned XGW user can point me to a process that can isolate and resolve the root cause.  I have searched this Community Forum and Google but have not found anything concrete.

Thanks in advance,

Adam



This thread was automatically locked due to age.
  •

    Since when are you facing this issue?

    Please capture following logs from the


    service -S | grep ips

    service ips:start -ds nosync

    tail -f /log/ips.log

    tail -f /log/syslog.log

    tail -f /log/sysinit.log

    Perform HDD tests & capture the logs in text format.

    • Sophos Firewall: Testing the hard disk drive kba-125039

    In addition, you can re-image the appliance kba-126906.

    /content or /var partitions have enough space to store the downloaded files,

    • SFOS firmware version, cat /etc/version
    • df -kh (from advanced shell)
    • u2d.log while a pattern update is triggered,
    • csc.log in debug mode (when trying to upload a firmware)
      • csc custom debug (to enable the debug, same command to disable)
  • Thank you for this post!

    In short: The root cause appears to have resulted in a conflict between the Snort Hyperscan feature and my XGW CPU type.  I discovered this when viewing the ips.log as you suggested then investigating the following error:

    ERROR: hs_compile_multi() failed: Unsupported architecture (expression: -1)

    I run my XGW as a VM hosted on a ProxMox server.  This has been stable for over a year with the CPU type set to "default" for the virtual XGW.  Googling this helped me to resolve the issue as I found a ProxMox forum post related to a different security appliance but the symptoms were identical. The fix was to shut down my XGW, change the CPU type from "default" to "host" so the hosting hardware CPU parameters would be passed to the guest VM, then restart my XGW.

    Afterward I logged into the XGW web console and noted IPS as green in the Control Center. I then went to Patterns Update and saw the latest IPS pattern already downloading and then update successfully.  Problem solved!
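
A check for the condition described in the reply above, as an added example that is not part of the thread or of Sophos tooling: it counts the `hs_compile_multi()` error in an IPS log and tests whether the guest CPU advertises `ssse3`. It assumes that Hyperscan needs SSSE3 on x86, that the hypervisor's "default" CPU model does not expose that flag, and that `awk` and `grep` are available in the shell; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage for the Hyperscan "Unsupported architecture" failure.
# Assumption: Hyperscan requires SSSE3 on x86; a generic guest CPU model may hide it.

# has_cpu_flag FLAG [CPUINFO]: succeeds if FLAG is on the first "flags" line.
# Fields are compared exactly, so "pni"/"sse3" is never mistaken for "ssse3".
has_cpu_flag() {
    awk -v f="$1" '
        /^flags[ \t]*:/ { for (i = 1; i <= NF; i++) if ($i == f) found = 1; exit }
        END { exit !found }' "${2:-/proc/cpuinfo}"
}

# count_hs_errors LOG: prints how many lines carry the error quoted in the thread.
count_hs_errors() {
    grep -cF 'hs_compile_multi() failed: Unsupported architecture' "$1" || true
}

# diagnose LOG [CPUINFO]: prints a one-word verdict followed by an explanation.
diagnose() {
    [ -r "$1" ] || { echo "NOLOG: cannot read $1"; return 2; }
    errors=$(count_hs_errors "$1")
    if has_cpu_flag ssse3 "${2:-/proc/cpuinfo}"; then ssse3=yes; else ssse3=no; fi
    case "$errors:$ssse3" in
        0:*)   echo "CLEAN: no Hyperscan architecture errors logged" ;;
        *:no)  echo "CPU_MODEL: $errors error(s) and the guest CPU lacks ssse3; pass the host CPU type to the VM" ;;
        *:yes) echo "STALE_OR_OTHER: $errors error(s) but ssse3 is present; check whether the log lines predate the CPU change" ;;
    esac
}

# write_samples DIR: constructed inputs (not captured from a real appliance).
write_samples() {
    printf 'flags\t\t: fpu de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx lm pni cx16 x2apic hypervisor\n' > "$1/cpuinfo.default"
    printf 'flags\t\t: fpu de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx lm pni ssse3 cx16 sse4_1 sse4_2 x2apic popcnt aes avx avx2 hypervisor\n' > "$1/cpuinfo.host"
    printf '%s\n' 'ERROR: hs_compile_multi() failed: Unsupported architecture (expression: -1)' > "$1/ips.bad.log"
    printf '%s\n' 'constructed line: pattern load complete' > "$1/ips.ok.log"
}

# Demo on the constructed samples; on the appliance: diagnose /log/ips.log
tmp=$(mktemp -d) && write_samples "$tmp"
diagnose "$tmp/ips.bad.log" "$tmp/cpuinfo.default"
diagnose "$tmp/ips.bad.log" "$tmp/cpuinfo.host"
diagnose "$tmp/ips.ok.log"  "$tmp/cpuinfo.default"
rm -rf "$tmp"
```

A `STALE_OR_OTHER` verdict right after changing the CPU type is expected, because the old error lines are still in the log.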
