
Cluster XG 310 - Snort 100% - Firewall blocks all traffic and routing

Hi all,

I have an XG310 cluster, last updated last Friday to v16, hoping that something was fixed.

I experience random stops in firewall functionality: I can only access the firewall web administration if I am on the same LAN subnet; other traffic is blocked, no routing, public web/mail sites blocked.

I have kept the XG version updated all along (since April this year), and for months sometimes everything locks down... the only solution is a reboot of the device; after that everything is fine.

While the system is locked, I can access the appliances via SSH, and every time the system is locked I noticed the snort process at 100% of CPU resources; if I kill that process everything restarts instantaneously... so maybe some IPS issue? Anyone?

This has been happening since the beginning of production; it's really frustrating. It's not a daily issue, but it happens at least once every month...

Last but not least, I went through support with no luck months ago...

Thanks in advance,

Simone

 



This thread was automatically locked due to age.
  • Hi,

    Just for the record, after the firmware update to v16 and the changes you suggested, this problem has occurred two times already.

    I thought this could be related to a hardware problem with one appliance, but it happened with both...

    Last time I checked the running processes with the top command in the advanced shell, snort was always at 99.9%, but the overall CPU percentage was lower, so maybe this process uses only one core of the multiprocessor CPU in the appliance?

    Regards,

    Simone

  • Simone,

    how is the situation with support? I mean, did you send the ticket to ?

    Thanks

  • Yes, I sent the ticket, but I think I will need to investigate further with support by opening a new ticket...

    Simone

  • Hi Simone,

    In the System Graphs, check the memory usage as well as the Load Average of the XG. If the IPS service (snort) is the cause of the high CPU usage, please check whether any IPS policy is applied on the firewall rules. Check the IPS live logs and verify whether any signature is detected frequently. If it shows lots of IPS alerts from only one or two IPS signatures, please disable those signatures in the IPS policy.

    I would like to know whether it was working previously, and after what changes it started causing high CPU.

    SSH to the XG and go to option 4, Device console. Execute show ips-settings and show me the output of this command.

    Thanks
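The reply above suggests checking the IPS live logs for one or two signatures that fire far more often than the rest. The script below is an added example, not code from the thread or from Sophos: it parses key="value" style IPS log lines, counts hits per signature_id and flags any signature that alone accounts for at least half of all IPS events. The field names (log_type, log_subtype, signature_id, signature_msg) and the sample lines are constructed assumptions about the XG log syntax; adapt them to what your own IPS log actually shows.

```python
"""Count IPS signature hits in XG-style key="value" log lines.

Added example, not from the thread. The log format and field names
(log_type, signature_id, signature_msg, ...) are assumptions; the
sample below is constructed and is not real appliance output.
"""
import re
import sys
from collections import Counter

# Constructed sample: six IPS (log_type="IDP") records and one firewall record.
# Signature 1000001 dominates; the ids and messages are made up.
SAMPLE_LOG = """\
device="SFW" date=2016-11-21 time=10:02:11 log_type="IDP" log_subtype="Alert" signature_id="1000001" signature_msg="EXAMPLE scan signature" src_ip="10.0.0.5" dst_ip="203.0.113.10"
device="SFW" date=2016-11-21 time=10:02:12 log_type="IDP" log_subtype="Alert" signature_id="1000001" signature_msg="EXAMPLE scan signature" src_ip="10.0.0.5" dst_ip="203.0.113.11"
device="SFW" date=2016-11-21 time=10:02:14 log_type="Firewall" log_subtype="Allowed" src_ip="10.0.0.7" dst_ip="198.51.100.2"
device="SFW" date=2016-11-21 time=10:02:15 log_type="IDP" log_subtype="Drop" signature_id="1000002" signature_msg="EXAMPLE exploit signature" src_ip="10.0.0.9" dst_ip="203.0.113.12"
device="SFW" date=2016-11-21 time=10:02:16 log_type="IDP" log_subtype="Alert" signature_id="1000001" signature_msg="EXAMPLE scan signature" src_ip="10.0.0.5" dst_ip="203.0.113.13"
device="SFW" date=2016-11-21 time=10:02:18 log_type="IDP" log_subtype="Alert" signature_id="1000003" signature_msg="EXAMPLE policy signature" src_ip="10.0.0.12" dst_ip="203.0.113.14"
device="SFW" date=2016-11-21 time=10:02:19 log_type="IDP" log_subtype="Alert" signature_id="1000001" signature_msg="EXAMPLE scan signature" src_ip="10.0.0.5" dst_ip="203.0.113.15"
"""

# key="value" pairs; values may contain spaces but not double quotes.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Turn one key="value" log line into a dict (assumed XG log syntax)."""
    return dict(KV_RE.findall(line))


def count_signatures(log_text):
    """Return (Counter signature_id -> hits, dict signature_id -> message)
    over the IPS records (log_type="IDP") in log_text. Other record types
    (firewall, web, ...) are skipped."""
    hits = Counter()
    messages = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("log_type") != "IDP":
            continue
        sid = rec.get("signature_id")
        if not sid:
            continue
        hits[sid] += 1
        messages.setdefault(sid, rec.get("signature_msg", ""))
    return hits, messages


def signature_shares(hits):
    """List of (signature_id, count, share_of_all_ips_events), highest first."""
    total = sum(hits.values())
    if total == 0:
        return []
    return [(sid, n, n / total) for sid, n in hits.most_common()]


def dominant_signatures(hits, threshold=0.5):
    """Signature ids that alone account for at least `threshold` of all IPS
    events: the 'one or two signatures' worth tuning or disabling first."""
    return [sid for sid, _, share in signature_shares(hits) if share >= threshold]


def report(log_text, threshold=0.5):
    """Human-readable table of signature hits, dominant ones flagged."""
    hits, messages = count_signatures(log_text)
    rows = [f"{'signature_id':>12}  {'hits':>5}  share  message"]
    for sid, n, share in signature_shares(hits):
        flag = "  <-- dominant" if share >= threshold else ""
        rows.append(f"{sid:>12}  {n:>5}  {share:5.1%}  {messages[sid]}{flag}")
    return "\n".join(rows)


if __name__ == "__main__":
    # Usage: python ips_hits.py /path/to/ips.log  (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(report(text))
```

Run it against an exported IPS log to get the same view the reply asks for: if one signature id shows up as dominant, that is the signature to look at (and, per the reply, to disable in the IPS policy) before blaming the appliance hardware.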