This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SG 105 - High RAM Utilitzation

I received a call a few days ago from a customer that claimed their Internet was sluggish and not working at times. When I logged into their Sophos SG 105, I noticed that the RAM utilization was consistently above 80%. After rebooting, the unit was still above 75%. It's my understanding that if the RAM utilization is above 75% for long periods of time that memory swapping can occur and cause throughput to suffer.

My question is: What can I do to free up some of this memory so it isn't consistently above 75%? Will restoring the unit from a backup resolve this issue?

Here is general information about how it is configured:

The WAN port is facing the internet through their ISP's modem / gateway and then connected to a gigabit switch on the LAN side.

Additionally, there is a single Sophos AP 115 connected with one SSID configured for office use only (not public).

The SG 105 is running the most current firmware (at the time of this writing); version 9.315-2. The unit has a FullGuard license.

At most, between the LAN and WLAN, there are a maximum of 20 clients connected simultaneously. It has worked fine for nearly a year without any issues. Only recently has the RAM utilization become an issue.

Up2Date is configured to check for updates every hour.

The system is configured as follows:

[Status: Enabled] 	Firewall is active with 15 rules
[Status: Enabled] 	Intrusion Prevention is active with 2082 of 24569 patterns
[Status: Enabled] 	Web Filtering is active, 4787 requests served today
[Status: Disabled] 	Network Visibility is inactive
[Status: Disabled] 	SMTP Proxy is inactive
[Status: Disabled] 	POP3 Proxy is inactive
[Status: Disabled] 	RED is inactive
[Status: Enabled] 	Wireless Protection is active, 1 APs connected
[Status: Enabled] 	Endpoint Protection is active, Sophos LiveConnect is enabled, 0 endpoints, 0 threat alerts, 0 out-of-date alerts
[Status: Enabled] 	Site-to-Site VPN is active with 0 of 1 tunnels
[Status: Enabled] 	Remote Access is active with 0 online users
[Status: Disabled] 	Web Application Firewall is inactive
[Status: Disabled] 	Sophos UTM Manager is not configured
[Status: Disabled] 	Sophos Mobile Control is inactive
[Status: Disabled] 	HA/Cluster is inactive
[Status: Enabled] 	Antivirus is active for protocols HTTP/S
[Status: Disabled] 	Antispam is inactive
[Status: Enabled] 	Antispyware is active

Here is the process list (from Support>Advanced>Process List)- notice that "/usr/sbin/named -4" and "/var/chroot-http/usr/bin/httpproxy -f -c /var/chroot-http -u httppr" account for 38.4% for RAM utilization combined:

USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND

root         2  0.0  0.0      0     0 ?        S    Sep04   0:00 [kthreadd]
root         3  0.0  0.0      0     0 ?        S    Sep04   0:24  \_ [ksoftirqd/0]
root         5  0.0  0.0      0     0 ?        S
root     32738  8.2  0.0      0     0 ?        Z    14:22   0:00      \_ [confd.plx] 
root     32740  8.5  1.3  68584 27060 ?        S    14:22   0:00      \_ confd [worker[:P]rpc:system]
root      3325  0.0  0.0   1908    48 ?        Ss   Sep04   0:00 /usr/local/bin/confd-queuer
root      3337  0.0  0.1   8076  2716 ?        Ss   Sep04   0:36 confd-qrunner.pl
root      3354  0.0  0.1   7816  2580 ?        S    Sep04   3:47 /usr/local/bin/sysmond
root      3440  0.0  0.2  16972  4364 ?        S    Sep04   0:00 /var/aua/aua.bin
root      3442  0.0  0.0   1908     0 ?        S    Sep04   0:00  \_ logger -p daemon.debug -t aua[3440]
root     28291  0.0  0.0      0     0 ?        Z    14:04   0:00  \_ [aua.bin] 
rrdcache  3624  0.0  0.0 117096   628 ?        Ssl  Sep04   1:58 /usr/bin/rrdcached -l unix:/var/run/rrdcached/socket -m 777 -b /var
at        3655  0.0  0.0   2356    16 ?        Ss   Sep04   0:00 /usr/sbin/atd
root      3676  0.0  0.1  14028  2960 ?        S    Sep04   0:01 /usr/local/bin/notifier.plx -d
postgres  3731  0.0  0.1 573660  2032 ?        S    Sep04   0:27 /usr/pgsql92/bin/postgres -D /var/storage/pgsql92/data
postgres  3735  0.0  0.5 574028 10628 ?        Ss   Sep04   0:16  \_ postgres: checkpointer process                        
postgres  3736  0.0  0.0 573920   444 ?        Ss   Sep04   0:03  \_ postgres: writer process                              
postgres  3737  0.0  0.7 573920 15200 ?        Ss   Sep04   1:24  \_ postgres: wal writer process                          
postgres  3738  0.0  0.0 574660  1300 ?        Ss   Sep04   0:45  \_ postgres: autovacuum launcher process                 
postgres  3739  0.0  0.0   7964   340 ?        Ss   Sep04   0:02  \_ postgres: archiver process   last was 0000000100000011000000B2
postgres  3740  0.0  0.0   8248   656 ?        Ss   Sep04   1:47  \_ postgres: stats collector process                     
postgres  4503  0.0  0.1 576416  3220 ?        Ss   Sep04   0:39  \_ postgres: hotspot hotspot 127.0.0.1(41145) idle       
postgres  4929  0.0  0.0 576368  1512 ?        Ss   Sep04   0:00  \_ postgres: smtp smtp 127.0.0.1(41170) idle             
postgres  5347  0.2  0.1 576440  3660 ?        Ss   00:15   2:08  \_ postgres: smtp smtp 127.0.0.1(47052) idle             
postgres 20203  0.0  0.1 576456  3172 ?        Ss   05:41   0:00  \_ postgres: epp epp 127.0.0.1(48790) idle               
postgres 22437  0.0  0.5 577844 11200 ?        Ss   13:23   0:00  \_ postgres: reporting reporting [local] idle            
postgres 22438  0.0  0.1 576328  3428 ?        Ss   13:23   0:00  \_ postgres: reporting reporting [local] idle            
postgres 22491  0.1  0.5 576860 10884 ?        Ss   13:23   0:04  \_ postgres: reporting reporting [local] idle            
postgres 22508  0.0  0.2 576352  4248 ?        Ss   13:23   0:00  \_ postgres: hotspot hotspot [local] idle                
postgres 22563  0.0  0.2 576352  4248 ?        Ss   13:23   0:00  \_ postgres: hotspot hotspot [local] idle                
root      3810  1.0 11.3 260152 220976 ?       S    Sep04  93:35 /var/mdw/mdw.plx
root      3838  0.0  0.0   1908   204 ?        S    Sep04   0:00  \_ logger -p daemon.debug -t middleware[3810]
root      3832  0.0  0.0   1932    20 ?        Ss   Sep04   0:04 runsvdir -P /etc/service log: .....................................
root      3839  0.0  0.0   1788   104 ?        Ss   Sep04   0:00  \_ runsv snort-00
snort     7114  0.1  6.1 385032 120836 ?       S

Any help resolving this issue would be greatly appreciated.
Thanks.

Sam

This thread was automatically locked due to age.

Parents

0 Dlabun over 9 years ago

I'm seeing similar high memory usage on my SG 105w, also on 9.315-2. The only difference for me is that I am not running Web Filtering and my memory usage is still 70% or higher. Up until last week I was 50% or lower.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Dlabun over 9 years ago

I'm seeing similar high memory usage on my SG 105w, also on 9.315-2. The only difference for me is that I am not running Web Filtering and my memory usage is still 70% or higher. Up until last week I was 50% or lower.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 William Warren over 9 years ago in reply to Dlabun

I'm seeing similar high memory usage on my SG 105w, also on 9.315-2. The only difference for me is that I am not running Web Filtering and my memory usage is still 70% or higher. Up until last week I was 50% or lower.

are you running snort(aka ips or anti-port scanning$ you also have to disable ATP for http proxy and ips to be fully disabled. you also have to disable application control to further make sure web filtering id "dead"...then if it is still high it's your reporting settings. But honestly? new hardware with no less than 4 gigs of ram.

Owner: Emmanuel Technology Consulting

http://etc-md.com

Former Sophos SG(Astaro) advocate/researcher/Silver Partner

PfSense w/Suricata, ntopng,

Other addons to follow
Cancel
Vote Up 0 Vote Down

Cancel