XG stops routing

I've got a ticket open for this, but have no idea how much effort is being put into it. Any extra help gratefully received or our office is going to be offline for most of the weekend.

Our XG135 suddenly stopped passing almost all traffic the other day - down from peaks of around 100 Mb/s during the day to a few hundred kb. The session count went up by a factor of 4 at the same time, from 1.5-2k to 8k. Nothing inside the firewall could get out, or the other way around. The XG itself was still responsive, provided you went direct to the external address; there was no way to route through the VPN.

I connected the SophosSSL VPN (retired in the last 6 months, but not removed) and it connected fine, but again no traffic passing through.

Eventually, I found that stopping and restarting the IPS service brought it back to life. Since then, it's been doing the same every 3-4 hours. Overnight it will do the same for hours if left until the router or the IPS service is restarted. Yesterday I watched the session count climb very slowly over half an hour, then in the space of 3 minutes it shot up to 9.5k and stayed there while the traffic dropped and all our internal services were cut off.

CPU (20-50%) and memory (60%) graphs are all as flat as normal, though CPU does work harder when IPS is starting up.

Over the weekend, there's not going to be anyone to do this. Has anyone experienced this, or can anyone tell me how to restart the IPS service every 2-3 hours?

  • Hi,

    Please try editing the external interface, make no changes, and save.

    ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • Done, just have to wait a few hours to see if it helps. Is there a reason behind that, or just something that's worked in a similar situation?

  • Unfortunately, that doesn't seem to have made any difference. At least I've got it down to a couple of web calls to reset it now, thanks to the API. Hopefully I can get that working as a cron job for the weekend.

    [Sorry, I tried to post how I did this, but the forum editor won't let me for some reason]

    untrim code that editor mangled.
    [edited by: Tom Sparrow at 1:32 PM (GMT -7) on 27 May 2022]
  • Hello Tom,

    Thank you for contacting the Sophos Community.

    I was checking on this case. Did this issue start happening after a power outage, or just out of nowhere?

    How many IPs/users are behind the firewall, and how many rules have the IPS service enabled?

    If you check the ips.log when the issue is happening, or correlate it with the graphs, do you see anything in the logs?

    Also, is there any recent coredump under /var/cores related to the IPS service?

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Hi Emma,

    I let it fail again overnight to gather more logs. There's a core.snort file in /var/cores but it's dated from years ago.

    The ips.log seems to just stop when the issue occurs, until the service is restarted -

    2022-05-31T04:10:59.222163Z [ 5407]:DAQ:INFO:daq_lwp.c:2143(transmit_pkts_for_session)--> [S:4795.23682]Unable to inject packet, pkt len 1476, dir 0, eof 0. Sending notification to Snort
    2022-05-31T05:18:39.000000Z [cleanup_capture_files.sh] completed

    No power cuts that I know of - the unit is on a UPS and doesn't restart itself, so I'd have noticed. There are probably around 200 devices behind the router currently, though it varies a lot, and about 35 rules with IPS enabled.

  • Hello Tom,

    Thank you for the log.

    My recommendation was going to be to set up the atop log to monitor the usage and see if the IPS process might be hanging and causing this, but I do see in the case that it has already been recommended. Anyway, I am leaving the command here:

    https://support.sophos.com/support/s/article/KB-000043639?language=en_US

    nohup atop -w /log/atop.log 300 &

    Also, I would suggest you run the following commands to confirm the number of users and connections when the issue happens:

    # ipset -L lusers | wc -l

    # arp -a | wc -l

    All of them are to be run from the Advanced Shell.

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
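    The atop command and the two one-off counts above are easier to line up with the ips.log gap if the counts are taken on a schedule. The script below is an added example, not something posted in this thread or shipped by Sophos: it wraps the same `ipset -L lusers | wc -l` and `arp -a | wc -l` checks in a loop for the Advanced Shell, appends timestamped samples next to the atop log, and flags any sample where the user count passes a threshold. The log path /log/ipscount.log, the 300-second interval, and the 6000 threshold (constructed to sit above the normal 1.5-2k and below the 8-9.5k seen at failure) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from Sophos): poll the two counters
# suggested above on a fixed interval and append timestamped samples to a log,
# so a jump in connections can be correlated with the point where ips.log stops.

LOG=${LOG:-/log/ipscount.log}    # assumed path, alongside the /log/atop.log used above
INTERVAL=${INTERVAL:-300}        # seconds; 300 matches the atop cadence above
THRESHOLD=${THRESHOLD:-6000}     # constructed value: above normal (1.5-2k), below the failure state (8-9.5k)

# count_lines: run a command and return the number of lines it prints.
# Returns 0 when the tool is not installed, so the loop keeps running off-box.
count_lines() {
    if command -v "$1" >/dev/null 2>&1; then
        "$@" 2>/dev/null | wc -l | tr -d ' '
    else
        echo 0
    fi
}

# format_sample: build one log line from a timestamp and the two counts
format_sample() {
    printf '%s users=%s arp=%s\n' "$1" "$2" "$3"
}

# over_threshold: exit status 0 when the user count exceeds THRESHOLD
over_threshold() {
    [ "$1" -gt "$THRESHOLD" ]
}

# sample_once: take one sample, append it to the log, and flag it when it
# looks like the runaway session state described in the thread
sample_once() {
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    users=$(count_lines ipset -L lusers)
    arps=$(count_lines arp -a)
    line=$(format_sample "$ts" "$users" "$arps")
    if over_threshold "$users"; then
        line="$line FLAG=over_threshold"
    fi
    echo "$line" >> "$LOG"
    echo "$line"
}

# The loop only starts when invoked as "ipscount.sh run", so the functions can
# also be sourced and tested without touching the log.
if [ "${1:-}" = "run" ]; then
    while :; do
        sample_once
        sleep "$INTERVAL"
    done
fi
```

    Start it in the background from the Advanced Shell the same way as atop (nohup sh ipscount.sh run &) and stop it with kill once the case is resolved; the FLAG samples mark the windows to compare against the last entries in ips.log. Note that `ipset -L` prints a few header lines before the members, so the users figure is a count of output lines, exactly as in the one-off command above, not a precise member count.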