Guest User!

You are not Sophos Staff.

Thread Info
  • State Verified Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 10 replies
  • Answers 1 answer
  • Subscribers 28 subscribers
  • Views 1285 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Connections time out when IPS enabled (sporadically)

Team S Net

We have noticed that connections are sometimes interrupted for a period of 5 minutes. It is then not possible to establish new connections (external / internal) via Sophos.

This happens 1-2 times per day and always at a different time.

I went through most of the logs and found the following log entry (ips.log) at a time of failure:

2022-09-14T10:03:42.631942Z [20093] No timedout sessions, Total 8192,dropping current packet. memory in use: 19333493

Does someone know what this means?

We have now disabled IPS & App Classification, to see whether the issue is related to IPS.

SFV6C8 (SFOS 19.0.0 GA-Build317)

Are there other logs for App Classification and IPS I should look at?



This thread was automatically locked due to age.
  • 0

    Please review your internet connection.

    which ips feature causes the failure?

    ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to rfcat_vk

    I don't think it's related to internet connection as also internal connections are affected. Sophos is still available during this time. I just can't get through it.

    which ips feature causes the failure?
    How do I know or what do you mean by this question? 

  • 0 in reply to Team S Net

    What ips do you have enabled when the failures occur. Depending on your internet connection type, if it fails it can cause the XG to be unresponsive.

    ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to rfcat_vk

    We use different IPS policies but also traffic which has no IPS policy applied is not getting through.
    As I wrote above, the Sophos itself is responsive during this time, some traffic can also pass it.

    Since we have turned off IPS, this doesn't happen anymore.

    So would be interesting to know, what the error in the IPS log means:
    2022-09-14T10:03:42.631942Z [20093] No timedout sessions, Total 8192,dropping current packet. memory in use: 19333493

  • 0 in reply to Team S Net

    Sorry, I can't help with the error message.

    Would you please provide the model XG you are using and approximately how many users are connected?

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to rfcat_vk

    It's an Azure VM - SFV6C8 (SFOS 19.0.0 GA-Build317)

    There are no users behind it.

  • +1

    This message means IPS has reached its maximum concurrent connection limit of 8192, and will start dropping connections. 

    This limit is based on how much memory SFOS has, and 8192 is for 2GB. Did you deploy SFOS with only 2GB of memory? If so, you should increase the amount of memory. 

    By default IPS is also not configured to fail close when it reaches this limit, did you set this yourself? 

    You can turn off fail close through CLI: 

    console> set ips failclose off

  • 0 in reply to bobbylam

    Thanks for your answer.

    No, the the system has 8GB memory available. 

    Strange, as I also can see following error with a higher limit:
    2022-09-07T03:50:59.085960Z [16155] No timedout sessions, Total 16384,dropping current packet. memory in use: 5874651 

    We also have not set the failclose.
    Is there a documentation somewhere?

    Do you think it all could be related to memory?

  • 0 in reply to Team S Net

    It does seem like there are a lot of persistent connections on your network which is staying open/not closing. The limit of concurrent connections IPS can handle is determined by memory, so you can try increasing that further. 

    You can turn off failclose with the command I gave you in the console above. 

  • 0 in reply to bobbylam

    Thanks for your input. I will add it to the support case as well

Unfiltered HTML