
SFOS 16.01.0 known IPS issue - Workarounds?

Hey all,

Anyone have any other workaround for the known IPS issue (NC-8238 [IPS] IPS Service drops legitimate traffic in very high load average conditions)? The IPS service seems to constantly fail to start and causes this issue from what I can see (CPU usage and memory usage spike all over the place). As my workaround, I set the IPS service to Stop; performance and traffic return to normal. Obviously this isn't a great solution... Anyone have anything better?

I'd like to know when this will be resolved too, seems to me to be a rather big problem. I may actually just roll back to 15 if this is going to be a thing for a while.

Thanks!!



  • Dave,

    first download and apply the 16.05 gpg package and then move to MR1. You can download the gpg from community or from your Sophos Account.

  • I admit, I couldn't find the 16.05 download, but I was able to install 16.05.01 MR1 straight from my previous 16.01.2 installation. I'm not saying that will work all around, but it did for me.

    I note - while the IPS service was more stable earlier, it seems to have reverted to its flapping, unable-to-keep-running behavior. I'm going to fiddle with the IPS config, and will report back.

  • I'm running these IPS settings following the update to 16.05.1 MR1

    -------------IPS Settings-------------
            stream on
            lowmem off
            maxsesbytes 8192
            maxpkts 8
            mmap on
            enable_appsignatures on
            http_response_scan_limit  65535

    -------------IPS Instances------------
    IPS CPU
     1  0

    I still get the service stop, start, stop, start etc. forever behavior.


      

    As you can see, each time the service stops and restarts, I get a dip and spike in CPU usage as well as RAM usage. The only behavior that seems to have changed is the firewall no longer drops packets when this is going on. I can ping my router on the other end of the firewall with no interruptions. 

    Edit - Reading above -  Intel(R) Atom(TM) CPU E3826 @ 1.46GHz is one CPU having this issue, a low clocked and low performance dual core. Mine is an older AMD Athlon64 3800+ X2 dual core, low performance by today's standards too. Perhaps this is a CPU performance issue? Somehow it either needs higher performance per core or 4 cores as opposed to 2? I am tempted to move my SFOS to a Core2Quad Q6600 instead and test. 

  • Do you or anyone else have any feedback about the issues in this new version? I've loaded it on my home appliance, but I never had this issue on my home one (XG105).

    I've also loaded it onto a XG125, but this was a fresh install, so I have no benchmark on whether it was an issue or not.

  • Hi,

     

    I've been experiencing the same issue with IPS as you've noted above. This has been going on since last October / November. I currently have the latest firmware installed on an older AMD dual core system (about 15 years old). Prior, I had my home XG installed on a new Intel I5 and experienced no issues at all (same firmware versions). I have 8Gigs of RAM on my current older AMD system and 6 GIGS of RAM on my I5. I'm beginning to suspect that it may be a CPU issue, potentially AMD related (but someone noted that their I5 was having the same issue in this thread).

     

    I'm thinking about purchasing another used I3 / I5 to test it out.  Let's keep each other posted.  

     

  • Hi GillesEthier,

    AFAIK, if you use the latest OS with an old processor you may experience insufficient processing power and it would not perform as per our expectation.

    For example, we use Intel E3805 for XG/SG 85 @ 1.33GHz and Atom E3826 2 cores for XG/SG 105/W. So you may compare the performance based on -going Processor build.

  • You do not know Sophos that well, do you?...:)  2 gigs of RAM is not enough for IPS to run along with web security whether it is SG or XG.  4 gigs is not really enough anymore either.  Get a minimum of 8 gigs into your machine and try again.

  • I agree with William. Small XG appliances come with only 2 GB of RAM and as soon as you enable all features, RAM is at 90%, without any user connected.

    XG210 suffers too. 8 GB of RAM should be the minimum as suggested by William. On page 2:

    https://community.sophos.com/products/xg-firewall/f/intrusion-prevention/80907/sfos-16-01-0-known-ips-issue---work-arounds/312027#312027

    I already wrote it to Saching but nothing changed or even an "honest" reply.

    RAM is not expensive anymore.

  • Hi Luk,

    If you don't know, the XG210 already comes along with 8GB of RAM. Refer: https://www.sophos.com/en-us/medialibrary/pdfs/factsheets/sophos-xg-series-appliances-brna.pdf?la=en

    Giving 8GB RAM in the small XG appliance is not just about the RAM installations but also, maximum memory capacity supported by the processor. 

    As suggested earlier, we are improving IPS and our quality team is behind the testing and you may get to see a new IPS engine and signature sets. Again, there are tweaks associated to IPS from the console side and it differs with every customer environment.

    Thanks for the patience.

  • Hi,

     

    I purchased a refurbished Lenovo M82 I5 3.2G with 4G RAM. As soon as I installed the XG firewall CD, IPS was up and running. I actually started getting network attached and blocked-app reports (on my old system, for two months it showed N/A).

     

    On the older refurbished system, my Sophos XG is working perfectly, even with 4G RAM.