[9.060][CLOSED] High RAM/SWAP Usage

Hi there,

I see very high RAM/swap usage on my UTM after 6 days of uptime.
Does anyone have any idea what could be the problem?

My UTM is running on VMware with 6GB of RAM / 1GB swap (which is full now).

Have a look at RSIZE:



ATOP - firewall                                                      2013/01/25  16:08:49                                                      ---------                                                       10s elapsed
PRC | sys    0.36s | user   0.85s |               |              | #proc    226 | #trun      1 | #tslpi   468 |               | #tslpu     0 | #zombie    2 | clones    59 |               |              | no  procacct |
CPU | sys       3% | user      7% |               | irq       0% |              | idle    388% | wait      1% |               |              | steal     0% | guest     0% |               | curf 2.27GHz | curscal   ?% |
CPL | avg1    0.17 |              |  avg5    5.98 |              | avg15   9.08 |              |              |  csw    47636 |              | intr   26798 |              |               |              | numcpu     4 |
MEM | tot     5.8G | free  353.3M |  cache 330.3M |              | dirty   0.3M | buff    9.4M | slab  114.9M |  slrec  28.7M |              | shmem  75.0M |              | shrss  69.7M  | shswp  34.9M |              |
SWP | tot     1.0G | free    0.1M |               |              |              |              |              |               |              |              |              |               | vmcom   7.1G | vmlim   3.9G |
PAG | scan       0 | steal      0 |               | stall      0 |              |              |              |               |              |              |              |               | swin       8 | swout      0 |
DSK |          sda | busy      3% |               | read       1 | write     77 |              | KiB/r     32 |  KiB/w     12 |              | MBr/s   0.00 | MBw/s   0.09 |               | avq     2.30 | avio 3.38 ms |
NET | transport    | tcpi     400 |  tcpo     414 |              | udpi     142 | udpo     310 | tcpao      1 |  tcppo      6 | tcprs      0 | tcpie      0 |              | tcpor      1  | udpnp      0 | udpip      0 |
NET | network      | ipi      986 |               | ipo     1148 | ipfrw    425 |              | deliv    546 |               |              |              |              |               | icmpi      4 | icmpo      4 |
NET | eth3      0% | pcki     142 |               | pcko     358 | si   12 Kbps | so   51 Kbps | coll       0 |               | mlti       0 | erri       0 | erro       0 |               | drpi       0 | drpo       0 |
NET | eth1      0% | pcki     349 |               | pcko     313 | si   39 Kbps | so   39 Kbps | coll       0 |               | mlti       0 | erri       0 | erro       0 |               | drpi       0 | drpo       0 |
NET | eth0      0% | pcki      74 |               | pcko      87 | si    9 Kbps | so   30 Kbps | coll       0 |               | mlti       0 | erri       0 | erro       0 |               | drpi       0 | drpo       0 |

  PID        TID       MINFLT       MAJFLT       VSTEXT      VSLIBS        VDATA       VSTACK        VSIZE       RSIZE        VGROW        RGROW       SWAPSZ      RUID           EUID            MEM       CMD        1/2
31008          -            2            1        1376K       3544K         1.3G         308K         1.3G      814.6M           0K           0K       312.3M      snort          snort           14%       snort_inline
30880          -            1            0        1376K       3544K         1.1G         136K         1.1G      599.4M           0K           0K       275.3M      snort          snort           10%       snort_inline
30444          -            0            0        1376K       3544K       847.7M         136K       861.0M      574.4M           0K           0K       44776K      snort          snort           10%       snort_inline
 8355          -            0            0          32K      19588K       376.7M         136K       396.8M      316.9M           0K           0K         356K      root           root             5%       cssd
14735          -            1            0         384K      15432K         1.2G         136K         1.2G      211.8M           0K           0K           0K      httpprox       httpprox         4%       httpproxy
 9648          -            0            0        1996K       2500K       75940K         136K       132.2M      65964K           0K           0K       11512K      httpprox       httpprox         1%       urid
 6347          -            0            0          72K       4452K       48624K         136K       58636K      50280K           0K           0K           0K      wwwrun         wwwrun           1%       webadmin.plx
30405          -            0            0        5172K       1940K        2024K         136K         1.1G      37820K           0K           0K         480K      postgres       postgres         1%       postgres
 4839          -            0            0        5172K       2084K        2524K         136K         1.1G      34320K           0K           0K         540K      postgres       postgres         1%       postgres
  • Hi Robert, how many cores are you using and how many instances of snort are running? I don't have memory problems at the moment, but I am not using IDS in my testing since no changes were mentioned, but maybe I need to turn it on.

    It's still strange that 6GB of RAM is consumed and your swap is maxing out. Good find.

    Regards
    Bill


    Not since the leaks haven't been addressed yet... the next beta version is set to address memory leaks, IIRC.

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow

  • @William, I know that the search method went from lowmem to ac-bnfa a while back. I am sure Astaro has done benchmark testing, but I am wondering if the recommended search method ac-split would help instead of running multiple instances of snort. I know that ac-split uses more RAM, but I am not sure if the performance gain is significant on a multicore CPU like Robert's, where you could run two instances instead of three using ac-split as detection method.

    Regards
    Bill

    The problem with snort is that it is a single-threaded process... once snort decides to go to a multi-threaded model, at least CPU usage problems will be mitigated. The memory leaks are another issue though... I'm not seeing a widespread issue with snort leaking RAM everywhere; it seems to plague UTM... not to mention their ongoing issues with the HTTP proxy that have been present since the switch a bit back. :)

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow

  • If you had a 4 or 6 core system, how much RAM would it take to not have to deal with these low-or-out-of-RAM issues (IPS, swap, etc.)?  For some business environments, RAM isn't all that expensive compared to the potential cost of a problem.  Could you have enough RAM that you could avoid the issue altogether, or at least for a significant amount of time?  12Gb, 16Gb, 32Gb, etc. - obviously a software load.  Or would it use it up quickly no matter what?