Guest User!

You are not Sophos Staff.

Thread Info
  • State Verified Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 10 replies
  • Answers 1 answer
  • Subscribers 28 subscribers
  • Views 1286 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Connections time out when IPS enabled (sporadically)

Team S Net

We have noticed that connections are sometimes interrupted for a period of 5 minutes. It is then not possible to establish new connections (external / internal) via Sophos.

This happens 1-2 times per day and always at a different time.

I went through most of the logs and found the following log entry (ips.log) at a time of failure:

2022-09-14T10:03:42.631942Z [20093] No timedout sessions, Total 8192,dropping current packet. memory in use: 19333493

Does someone know what this means?

We have now disabled IPS & App Classification, to see whether the issue is related to IPS.

SFV6C8 (SFOS 19.0.0 GA-Build317)

Are there other logs for App Classification and IPS I should look at?



This thread was automatically locked due to age.
Parents
  • +1

    This message means IPS has reached its maximum concurrent connection limit of 8192, and will start dropping connections. 

    This limit is based on how much memory SFOS has, and 8192 is for 2GB. Did you deploy SFOS with only 2GB of memory? If so, you should increase the amount of memory. 

    By default IPS is also not configured to fail close when it reaches this limit, did you set this yourself? 

    You can turn off fail close through CLI: 

    console> set ips failclose off

  • 0 in reply to bobbylam

    Thanks for your answer.

    No, the the system has 8GB memory available. 

    Strange, as I also can see following error with a higher limit:
    2022-09-07T03:50:59.085960Z [16155] No timedout sessions, Total 16384,dropping current packet. memory in use: 5874651 

    We also have not set the failclose.
    Is there a documentation somewhere?

    Do you think it all could be related to memory?

  • 0 in reply to Team S Net

    It does seem like there are a lot of persistent connections on your network which is staying open/not closing. The limit of concurrent connections IPS can handle is determined by memory, so you can try increasing that further. 

    You can turn off failclose with the command I gave you in the console above. 

  • 0 in reply to bobbylam

    Thanks for your input. I will add it to the support case as well

Reply Children
No Data
Unfiltered HTML