Field Notice: FN - 70466 - Firepower Software - High Unmanaged Disk Utilization on Firepower Appliances Due to Untracked Files - Software Upgrade Recommended

Available Languages

Updated:March 3, 2020
Document ID:FN70466

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Notice

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Revision History

Revision Publish Date Comments
1.0
12-Dec-19
Initial Release
1.1
03-Mar-20
Updated the Products Affected and Workaround/Solution Sections

Products Affected

Affected OS Type Affected Software Product Affected Release Affected Release Number Comments
NON-IOS
Firepower Threat Defense (FTD) Software
6.1
6.1.0, 6.1.0.1, 6.1.0.2, 6.1.0.3, 6.1.0.4, 6.1.0.5, 6.1.0.6, 6.1.0.7
NON-IOS
Firepower Threat Defense (FTD) Software
6.2
6.2.0, 6.2.0.1, 6.2.0.2, 6.2.0.3, 6.2.0.4, 6.2.0.5, 6.2.0.6, 6.2.1, 6.2.2, 6.2.2.1, 6.2.2.2, 6.2.2.3, 6.2.2.4, 6.2.2.5, 6.2.3, 6.2.3.1, 6.2.3.10, 6.2.3.11, 6.2.3.12, 6.2.3.13, 6.2.3.14, 6.2.3.15, 6.2.3.2, 6.2.3.3, 6.2.3.4, 6.2.3.5, 6.2.3.6, 6.2.3.7, 6.2.3.8, 6.2.3.9
NON-IOS
Firepower Threat Defense (FTD) Software
6.3
6.3.0, 6.3.0.1, 6.3.0.2, 6.3.0.3, 6.3.0.4, 6.3.0.5
NON-IOS
Firepower Threat Defense (FTD) Software
6.4
6.4.0, 6.4.0.1, 6.4.0.2, 6.4.0.3, 6.4.0.4, 6.4.0.5, 6.4.0.6, 6.4.0.7
NON-IOS
FirePOWER Services Software for ASA
6.1
6.1.0, 6.1.0.1, 6.1.0.2, 6.1.0.3, 6.1.0.4, 6.1.0.5, 6.1.0.6, 6.1.0.7
NON-IOS
FirePOWER Services Software for ASA
6.2
6.2.0, 6.2.0.1, 6.2.0.2, 6.2.0.3, 6.2.0.4, 6.2.0.5, 6.2.0.6, 6.2.2, 6.2.2.1, 6.2.2.2, 6.2.2.3, 6.2.2.4, 6.2.2.5, 6.2.3, 6.2.3.1, 6.2.3.10, 6.2.3.11, 6.2.3.12, 6.2.3.13, 6.2.3.14, 6.2.3.15, 6.2.3.2, 6.2.3.3, 6.2.3.4, 6.2.3.5, 6.2.3.6, 6.2.3.7, 6.2.3.8, 6.2.3.9
NON-IOS
FirePOWER Services Software for ASA
6.3
6.3.0, 6.3.0.1, 6.3.0.2, 6.3.0.3, 6.3.0.4, 6.3.0.5
NON-IOS
FirePOWER Services Software for ASA
6.4
6.4.0, 6.4.0.1, 6.4.0.2, 6.4.0.3, 6.4.0.4, 6.4.0.5, 6.4.0.6, 6.4.0.7

Defect Information

Defect ID Headline
CSCvo74833 High unmanaged disk space on Firepower devices due to untracked files

Problem Description

Some versions of Cisco Firepower software might experience high unmanaged disk utilization on Firepower appliances due to untracked files.

Background

The Firepower system logs provide information to monitor and troubleshoot the Firepower appliance. These logs are useful both in routine troubleshooting and in incident handling.

Some versions of Firepower software might cause the diskmanager to not properly manage certain log files and might result in excessive disk space consumption on the Firepower appliance. This issue affects log files in the (/ngfw/)/var/sf/detection_engines/<uuid>/instance-*/ directories.

These files are commonly attributed to the issue:

  • fileperfstats.log.*
  • ssl-certs-unified.log.*
  • ssl-nse-debug.log.*
  • ssl-stats-unified.log.*

It is possible to configure email alerts for high disk space usage with the Firepower Management Center (FMC) health monitoring feature. Refer to the FMC Configuration Guide for additional information.

Problem Symptom

FMC will display a high unmanaged disk space health alert for the Firepower appliance(s) that experiencies this issue. An example of the FMC health alert for high disk space usage is shown here.

Workaround/Solution

Cisco recommends that you upgrade the Firepower software to Version 6.4.0.8 or later.

Alternatively, enter Expert Mode in order to manually delete the affected log files and free up disk space on your Firepower appliance(s) with these commands. Customers that require a certified release should consider this solution until a release subsequent to Firepower Version 6.4.0.8 completes certification.

For Firepower Threat Defense (FTD) devices, use these commands:

  • rm -rf /ngfw/var/sf/detection_engines/<uuid>/instance-*/fileperfstats.log.*
  • rm -rf /ngfw/var/sf/detection_engines/<uuid>/instance-*/ssl-certs-unified.log.*
  • rm -rf /ngfw/var/sf/detection_engines/<uuid>/instance-*/ssl-nse-debug.log.*
  • rm -rf /ngfw/var/sf/detection_engines/<uuid>/instance-*/ssl-stats-unified.log.*

For non-FTD devices, use these commands:

  • rm -rf /var/sf/detection_engines/<uuid>/instance-*/fileperfstats.log.*
  • rm -rf /var/sf/detection_engines/<uuid>/instance-*/ssl-certs-unified.log.*
  • rm -rf /var/sf/detection_engines/<uuid>/instance-*/ssl-nse-debug.log.*
  • rm -rf /var/sf/detection_engines/<uuid>/instance-*/ssl-stats-unified.log.*

Note: Replace the <uuid> placeholder with the Universally Unique Identifier (UUID) that is assigned on your particular appliance.

Refer to the Cisco Firepower Threat Defense Command Reference for additional information on how to use Expert Mode and how to determine the UUID.

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

My Notifications—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco