FN – 70466 – FTD High Unmanaged Disk Utilization on Firepower Appliances Due to Untracked Files

If you are running FTD code 6.1, then you already are in a bad spot. However, this notice goes from 6.1.0 through 6.4.0.7

That said, most of you probably are all running one of these codes, hopefully 6.3 at a bare minimum, however, if you’re my customer I already have you at 6.5.x.

So, if you see this

Then there is a workaround for you!

Workaround/Solution

Cisco recommends that you upgrade the Firepower software to Version 6.4.0.8 or later. Easy peasy, right? Not for a lot of you that are way down on your updates….

  1. Expert Mode in order to manually delete the affected log files and free up disk space on your Firepower appliance(s) with these commands.
  2. For Firepower Threat Defense (FTD) devices, use these commands:
    • rm -rf /ngfw/var/sf/detection_engines/<uuid>/instance-*/fileperfstats.log.*
    • rm -rf /ngfw/var/sf/detection_engines/<uuid>/instance-*/ssl-certs-unified.log.*
    • rm -rf /ngfw/var/sf/detection_engines/<uuid>/instance-*/ssl-nse-debug.log.*
    • rm -rf /ngfw/var/sf/detection_engines/<uuid>/instance-*/ssl-stats-unified.log.*

Please consider update your FMC/FTD to the latest codes so these will be easier for you in the future! :)

Cheers!

11 Comments

  1. I still get this alert in 6.5.0.4 /ngfw has 127GB Free is 61GB and used is 67GB.

    Seem like plenty free so why the constant alert? Have you seen this happen in 6.5?

  2. No, I have not seen that in 6.5
    make sure your FMC and FTD devices are all updated to the latest release, and if you still have the problem, open a ticket with TAC

    1. Hi Bob, do you have a contract for TAC? Maybe this isn’t an error and you are having disk issues because this bug was for sure fixed. I haven’t heard about this one in a while now

  3. Hi, I also have the issue with 7.0.4

    > show disk
    Filesystem Size Used Avail Use% Mounted on
    rootfs 7.5G 576M 7.0G 8% /
    devtmpfs 7.6G 1.1G 6.6G 14% /dev
    tmpfs 7.7G 500K 7.7G 1% /run
    tmpfs 7.7G 6.1M 7.7G 1% /var/volatile
    /dev/sda1 923M 247M 630M 29% /opt/cisco/config
    /dev/sda2 922M 80M 795M 10% /opt/cisco/platform/logs
    /dev/sda3 11G 202M 11G 2% /var/data/cores
    /dev/sda4 81G 23G 58G 29% /opt/cisco/csp
    /dev/sdb1 6.9G 3.4G 3.6G 49% /mnt/boot
    cgroup_root 7.7G 0 7.7G 0% /dev/cgroups
    tmpfs 7.7G 0 7.7G 0% /sys/fs/cgroup
    tmpfs 7.7G 0 7.7G 0% /sys/fs/cgroup/pm
    none 348M 17M 332M 5% /dev/shm/snort
    tmpfs 1.0M 0 1.0M 0% /var/data/cores/sysdebug/tftpd_logs

    > show version
    ——————-[ fpr1 ]——————-
    Model : Cisco Firepower 2120 Threat Defense (77) Version 7.0.4 (Build 55)
    UUID : 72e87408-b910-11e9-9d1f-f032748873b9
    Rules update version : 2022-11-22-001-vrt
    VDB version : 358
    —————————————————-

  4. 7.0.4 seeing it here too!
    Luckily there are some features I want in 7.1.x if that is the fix. But TAC it is in the first instance just to be safe :D

  5. I just have that same error on my 7.04. i have checked everything and it seems there is no enough reason for the alters to come out. All disk status is with in controllable state 50%.

  6. Also on 7.0.4 with the same issue vFTD.

    I wish cisco would release well-tested code so the end-user/customer experience was the best it can be. Because the reputation of cisco is dwindling as the product quality is poor and the experience is unfavourable. Things could be so much better.
    There is a saying often said by engineers: “friends dont let friends buy cisco firewalls”.

    Cisco is becoming the jimmy saville of network/firewall products – once well loved and respected, now hated.

    1. Had they come out with the 7.x code instead of the 6.x code in 2015 then we’d all be better off and none of this would have happened, but they set themselves back with the 6.x code. Although 7.x is superior, its hard for people to trust cisco again. I like the 7.x code and know how to make it work and work well

Comments are closed.