SFOS 16.01.2 snort high cpu even with None in policy

Not sure if this is related to 16.01.2, or some pattern update, but shortly after I updated on 11/29 my CPU usage has more than doubled with no changes to configuration other than the 16.01.2 update (and probably some behind-the-scenes pattern updates).

I didn't even know the CPU was under load until the effects yesterday, 12/7, when my traffic was screeching slow. When I logged onto the console, snort was taking 100% CPU!

I checked a few links from the board and found my maxpkts was 80, so I adjusted that to 8, which has helped a lot, keeping snort to around 60-70% CPU, but the system is definitely running hotter than usual (compared to the previous SFOS 16.01.1).

It also seems like VLAN routing (zone-to-zone) policies influence snort (some sort of pre-filtering?) even though the IPS policy for that rule is set to None. Is there a way to exclude traffic from snort pre-filtering if the rule defines IPS as None?

Thanks

  • Hi!

    I thought we were the only one in this dumb situation.

    All symptoms exactly as yours, but in our situation this problem is critical (maybe in yours too). We can't use "real-time" traffic (VoIP/video) because of the IPS engine enabled on the Sophos XG115: high latency spikes lead to VoIP traffic degradation.

    Sophos support is a joke - we opened this case more than a month ago and they just keep throwing us from L1 to L2 support without any solution.

    In the end we are stuck with a quite expensive box (bought all the additional licenses) which is working only as a dumb router/firewall.

    Now I understand that the firewall is not where you should save money, and we will swap this nonsense for Palo Alto asap.

  • Alek,

    Did you create a QoS policy for the VoIP traffic? Also, IPS should not be used to scan VoIP traffic but only to protect the PBX, management server, etc.

  • IPS is enabled only as a service; it is NOT enabled on any firewall rules.

    Also, QoS is not needed when you are not reaching the WAN and/or port limit (our traffic is about 2-3 Mbit max on our XG115).

    Everything else is at default.

    I'm sorry, but I think you too are not reading or seeing the whole picture:

    everyone already wrote that simply enabling the IPS service (just as a service, not as configuration on a firewall rule) is causing latency spikes, and those latency spikes cause real-time traffic degradation.

    p.s. why, when someone talks about VoIP, does every support engineer get horny and ask about QoS? :)

  • Alek,

    My reply was to make sure that the proper settings were in place and that the problem was with the "IPS service".

    Can you take a look at this thread and come back here with a proper solution/answer?

    The IPS service is creating performance issues on some installations (even on HW appliances). We expect to see a fix asap, otherwise customers will move away from XG.

  • CaseID 6697114 (if you need one of course)

  • Hi AleksandrIvanov,

    We have checked the issue and would suggest you upgrade the SFOS to the latest HW-SFOS_16.01.2.SF300-222.

  • Ok, will do tomorrow and report back here and in ticket.

  • Nope, still high latency, but now snort is not using 99% of CPU but only 10-20%, and the latency spikes happen every 10-15 minutes instead of every 2-5 minutes.

  • Hi,

    I am running a CR50iNG (SFOS 16.05.1 MR-1) and I am not facing any issues with snort or high CPU currently. We also have VoIP and video calls.

    I had an issue a month or two ago with snort and high CPU, but it was coming from WEB policies. I noticed the issue after our cron ran apt-get upgrade: on the Linux box, apt-get would loop trying to download its updates, because one of the WEB policies (I think it was heavy bandwidth browsing) applied to the host was stopping it from downloading the update file (at the end of the download). That caused a download loop on the Linux server and high load on the XG device, with snort hitting 100%. After fixing the web policies, this problem was gone.

    I can also confirm those ping latency spikes from time to time (every 5-10 min), coming from behind the XG, but with DSCP there aren't any noticeable issues with VoIP. And I don't have IPS on the RTP traffic, only for SIP.

  • Hi,

    Could you please let us know how many concurrent devices and how much bandwidth is passing through?

    Thanks,

    R.

  • Hi,

    I am using 3 different ISP providers. 40 VoIP stations, 40 Windows boxes, 20 Linux. Bandwidth shown for the VoIP interface on the XG: min 0.2 Mbps, avg 0.5 Mbps, max 1 Mbps (but it is 1 Mbps because I still have some servers going out through this port). I have shaping on everything, on apt-get itself for example.

    And I don't see any CPU spikes. Sorry, but my bandwidth graphs on the XG are not currently showing.

  • Thanks.

    In my case, 3K+ devices and > 1.2 Gbps. The XG-430 works fine with < 250 Mbps, used exclusively for IPS in bridge mode; after that it just starts dropping packets (yes, that is what I see in the logs). We bought the XG-430s (yes, more than one) and the very expensive 10 Gbps OEM SFPs and were told that they could push around 9 Gbps (not that I believed that, but seriously, less than 250 Mbps...!, with the IPS rules disabled).

    R.