SFOS 16.01.0 known IPS issue - Work arounds?

Hey all,

Anyone have any other workaround for the known IPS issue (NC-8238 [IPS] IPS Service drops legitimate traffic in very high load average conditions)? The IPS service seems to constantly fail to start and causes this issue from what I can see (CPU usage and memory usage spike all over the place). As my workaround, I set the IPS service to Stop, and performance and traffic return to normal. Obviously this isn't a great solution... Anyone have anything better?

I'd like to know when this will be resolved too, seems to me to be a rather big problem. I may actually just roll back to 15 if this is going to be a thing for a while.

Thanks !!



  • Hi Darrian,

    To get a broader view on this, SSH to the XG, go to option 4. Device console, and execute the command show ips-settings. Post the output.

    Which XG hardware model do you use, and what is the number of concurrent active connections on the XG when this issue is live? If there is some legitimate traffic being dropped by IPS, check the Log Viewer > IPS page and allow the signature in the IPS policy.

    Thanks

  • Hi, 

    As requested: 

     

    -------------IPS Settings-------------
            stream on
            lowmem on
            maxsesbytes 0
            maxpkts 80
            mmap on
            enable_appsignatures on
            http_response_scan_limit  65535

    -------------IPS Instances------------
    IPS CPU
     1  0

    The issue is being experienced mainly on a PC (3GB RAM, dual core CPU @ 2.0GHz) running Sophos XG 16.1.01. The issue starts as soon as the IPS Service starts, and only 1 connection.

                                    
  • Hi Jared,

    Any HA deployment in the scenario? Such an issue is seen with appliances deployed in HA; there is a fix for this, but it comes from support and needs a back-end tweak. We are improving the IPS section in our upcoming release. Meanwhile, if the appliances are in HA, can you rebuild HA and let us know if that fixes the issue?

    Thanks

  • Hi Sachingurung, 

    I can't speak for Jared, but my home config is definitely not configured for HA.

    I assume best course for us will be to wait for the next release again and see if the issue is resolved, as I know I have for the last 2 releases. 

    Thank you,

    Darrian

  • Sachingurung,

    No, just a simple stand-alone home firewall, freshly installed last week with little config on it, except what was needed to get to the internet.  I re-installed the firewall thinking that the upgrade between 15 and 16 messed something up.  However, upon booting up from the install, I still had the same problem.

    Another release?  How often are updates released?

    Thanks,

    Jared

  • Users here are saying that IPS was working fine on v15 and not well anymore on v16.

    I think that you should check if, under some circumstances, the IPS is consuming all the RAM resources.

    In my case IPS is working fine at home and on some customers (for example XG 210), but on some systems here it is causing a problem.

    You could contact users here and get logs to improve the code or compatibility with other system that are not XG appliances.

    Thanks.

  • Hi All,

    In such cases please DM me your instances. I am sure if that is common then a JIRA is present and being worked upon. IPS services are affected from what I see over the forum, and many of the issues related to IPS seem to be resolved in the next version. Awaiting its release.

    Thanks

  • Hi GillesEthier,

    AFAIK, if you use the latest OS with an old processor, you may experience insufficient processing power and it would not perform as per our expectation.

    For example, we use Intel E3805 for XG/SG 85 @ 1.33GHz and Atom E3826 2 cores for XG/SG 105/W. So you may compare the performance based on -going Processor build.

  • You do not know Sophos that well, do you?...:)  2 gigs of RAM is not enough for IPS to run along with web security, whether it is SG or XG.  4 gigs is not really enough anymore either.  Get a minimum of 8 gigs into your machine and try again.

  • I agree with William. Small XG appliances come with only 2 GB of RAM, and as soon as you enable all features, RAM is at 90%, without any user connected.

    XG210 suffers too. 8 GB of RAM should be the minimum as suggested by William. On page 2:

    https://community.sophos.com/products/xg-firewall/f/intrusion-prevention/80907/sfos-16-01-0-known-ips-issue---work-arounds/312027#312027

    I already wrote it to Saching but nothing changed or even an "honest" reply.

    RAM is not expensive anymore.

  • Hi Luk,

    If you don't know, the XG210 already comes with 8GB of RAM. Refer: https://www.sophos.com/en-us/medialibrary/pdfs/factsheets/sophos-xg-series-appliances-brna.pdf?la=en

    Giving 8GB RAM in the small XG appliance is not just about the RAM installations but also, maximum memory capacity supported by the processor. 

    As suggested earlier, we are improving IPS and our quality team is behind the testing and you may get to see a new IPS engine and signature sets. Again, there are tweaks associated to IPS from the console side and it differs with every customer environment.

    Thanks for the patience.

  • Hi,

     

    I purchased a refurbished Lenovo M82 I5 3.2G with 4G RAM.  As soon as I installed the XG firewall CD, IPS was up and running.  I actually started getting network attached and blocked-app reports (on my old system, for two months it showed N/A).

    On the older refurbished system, my Sophos XG is working perfectly, even with 4G RAM.

     

     

  • I finally got around to shifting some stuff and freed up a "new" PC for the XG. 

    IPS is now working 100%, on a Core2Quad Q6600 with only 2GB RAM. This confirms that anything of the Athlon64 X2 or Pentium D/ P4 era will not be able to handle XG with IPS running. Core2 or newer should be a listed minimum requirement.