High CPU usage and unable to connect to the internet

The subject is a little bit vague, but there were a few times that any devices couldn't connect to the internet recently for a few minutes.

When I logged into the admin interface, the CPU usage was 100%.

I wonder what I could check to understand the situation?

  • Hi, thanks for reaching out to Sophos Community.

    How often does it happen? 

    When the issue exhibits, take SSH access and navigate to Option 5 > Option 3 (Advanced Shell).

    • Run the command top (it lists the process monitor).
    • After running the command, hit Shift+P to sort by CPU utilization, highest first.

    Check which process is taking the most CPU and accordingly we can dig further in.
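As an added example (not from the thread or from Sophos), the same check in non-interactive form for an SFOS advanced shell or any Linux box: it ranks a captured "top -b -n 1" snapshot by %CPU and pulls out the 1-minute load average. The snapshot below is constructed, and the procps-style column layout is an assumption.

```shell
#!/bin/sh
# Added example, not part of the thread: a non-interactive version of the
# "run top, press Shift+P" check. Feed it a `top -b -n 1` snapshot and it
# ranks processes by %CPU and extracts the 1-minute load average.
# Assumption: procps-style header (PID ... %CPU ... COMMAND); the column
# positions are read from that header rather than hard-coded.

top_cpu_procs() {
    # $1: captured top output, $2: how many processes to list (default 5)
    n="${2:-5}"
    printf '%s\n' "$1" | awk '
        # Header row: remember which fields hold %CPU and COMMAND
        /PID/ && /%CPU/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "%CPU") cpu = i
                if ($i == "COMMAND") cmd = i
            }
            inproc = 1; next
        }
        # Process rows follow the header; print "<cpu> <command>"
        inproc && NF >= cmd { print $cpu, $cmd }
    ' | sort -rn -k1,1 | head -n "$n"
}

top_load1() {
    # 1-minute load average from the first line of top output
    printf '%s\n' "$1" | awk '/load average/ {
        sub(/.*load average: */, ""); split($0, a, ","); print a[1]; exit
    }'
}

# Constructed sample snapshot (not real output from the poster's XG115w),
# shaped like the thread: awarrenhttp first, snort second.
SAMPLE_TOP='top - 10:02:11 up 12 days,  3:04,  0 users,  load average: 3.95, 2.71, 1.60
Tasks: 180 total,   3 running, 177 sleeping,   0 stopped,   0 zombie
%Cpu(s): 96.7 us,  3.3 sy,  0.0 ni,  0.0 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
 1234 root      20   0  512000 120000  20000 R  61.2  5.9 120:33.10 awarrenhttp
 2345 root      20   0  900000 300000  15000 R  28.4 14.7  88:10.02 snort
  987 root      20   0   60000  12000   8000 S   4.1  0.6   2:11.55 sshd
    1 root      20   0   20000   4000   3000 S   0.0  0.2   0:05.00 init'

# On a live box: top_cpu_procs "$(top -b -n 1)" 5
echo "load(1m): $(top_load1 "$SAMPLE_TOP")"
top_cpu_procs "$SAMPLE_TOP" 3
```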

  • I just got some new info. It's a process called "awarrenhttp".

    So I followed this post, and got some logs from "/log/awarrenhttp.log".

    The system info is as follows:

    console> system diagnostics show version-info

    Serial Number:            C1501D72YKH3777
    Device-Id:            8c35ebf3107b279a976a09931ee4032cfa7b
    Appliance Model:        XG115w
    Firmware Version:        SFOS 18.5.1 MR-1-Build318
    Firmware Build:            318
    Firmware Loader version:
    HW version:            XN02
    Config DB version:        18.506
    Signature DB version:        18.506
    Report DB version:                18.506
    Webcat Signature version:    Not Available
    Web Proxy version:        compiled
    SMTP Proxy version:        1.0
    POP/IMAP Proxy version:        1.0.0.3.4
    Logging Daemon version:        0.0.0.17
    AP Firmware:            11.0.015
    ATP:                1.0.0372
    Avira AV:            1.0.417395
    Authentication Clients:        1.0.0019
    Geoip ip2country DB:        2.0.006
    IPS and Application signatures: 18.18.50
    Sophos Connect Clients:        2.1.001
    odt:        -
    RED Firmware:            3.0.006
    Sophos AV:            1.0.17081
    SSLVPN Clients:            1.0.009
    Hot Fix version:        N.A

    I wonder what the issue is?

  • The second highest CPU load is snort. Maybe you have some devices in your network that bother your IPS with packets that are discarded? Try to switch off IPS and look whether this helps.

    You might also look whether you are attacked from the WAN and the IPS is overloaded in some way.

    What kind of VPN are you using: RED, IPSec, SSL-VPN, RED Tunnel? Is it possible that you are trying to transfer more bandwidth than your firewall can handle?

    How loaded are your interfaces? Is all bandwidth used on the WAN, LAN or DMZ?

    Regards,

    BeEF

  • I enabled ICMP flood some time ago and realized there are around 1000 packets dropped. I will try to disable it and see how it goes.

    Yesterday, we were trying to download around 20 huge files, around 20GB each, from a Google Cloud Storage bucket to one of the devices in the LAN. We were downloading 2 files at a time. Sometimes we would have around 300Mbps bandwidth when the network is in good condition.

    We are having IPSec setup but no one was using it yesterday.

  • There are other huge transfers today and the network is greatly affected. It didn't reach 100% most of the time, it seems, but the network is super slow.

    The load average goes from 1.5 to 4 and CPU usage sometimes rose to 60% and 70%.

    I wonder if there is anything else I could try?

  • 1) Maybe an attack from the outside - check this:



    2) On which firewall rules have you enabled the IPS? Switch it off for outgoing traffic and internal traffic (only for testing):



    3) Your firewall might be too small for a lot of packets that bother the IPS.

    4) Define an explicit deny rule and look at the packets that are dropped. Do you see unexpected and high-volume traffic at one of your interfaces (e.g. public addresses in the LAN or private addresses on the WAN)?

  • 1) One of the known kinds of traffic is packets from Google Cloud Storage to the local network, as I'm downloading files from GCS from time to time.

    2) The LAN to WAN policy has already been like this for some time. I wonder if I should change anything here?

    4) I will try that later.