FMC Automatic LSP Updates "Failed to download new inventory"

Available Languages

Download Options

  • PDF     (47.6 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (104.0 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (99.3 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:April 15, 2026
Document ID:225728

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Issue

Automatic Lightweight Security Package (LSP) updates are failing on Cisco FMC. LSP updates no longer install automatically, while manual LSP installation continues to work properly. VDB updates and Snort rule updates are still functioning normally through automatic processes.

Example Alert

Example Alertinline_image_0.png

Environment

  • Cisco Secure Firewall Firepower Management Center 7.6.x On-Prem (applicable to all FMC models and versions 7.6+)

Resolution

To resolve the automatic LSP update failure, verify that the required network connectivity is properly configured on any upstream firewalls or network devices that could be blocking the update process.

1: Verify Current LSP Version Status

Check the current LSP version installed on the Firepower Threat Defense device:

show version

Example output showing the current LSP version:

--------------[ device ]--------------

Model : Cisco Secure Firewall 3140 Threat Defense (80) Version 7.6.2.1 (Build 3)

UUID : 5fb22700-68c8-11ee-b5a0-d2e6638aec56

LSP version : lsp-rel-20260121-2008

VDB version : 421

----------------------------------------------------

2: Verify Network Connectivity Requirements

Ensure that outbound access over port 80 is allowed on any upstream firewall or network security device for these destinations:

  • updates-dyn-talos.sco.cisco.com - Required for LSP updates

  • updates.ironport.com - Required for security content updates

These destinations are essential for the automatic update process to function properly. Any blocking of these connections prevent automatic LSP updates while still allowing manual updates to work.

Example Connection Test from FMC with Error

root@fmc:/Volume/home/user# curl -v -k http://updates.ironport.com

<h1>Web Page Blocked</h1>

 <p>The web page you are trying to visit has been blocked in accordance with company policy. Please contact your system administrator if you believe this is an error.</p>

Example Error Logs from /var/log/sf/talos_agent.log

sf/talos_agent.log:TalosAgent:ERROR: updater.go:talosagent.cisco.com/pkg/updater.UpdateService:475 2026/02/13 04:11:05 Failed to download new inventory file: failed to download file: 204cf9af41f70cb30cfd3a7d41ab2f7366219cbfa805b4ec7443bb957f373b87630d8e4027491747102d060ed5e238ab rpc error: code = Internal desc = http error 503 Service Unavailable while downloading file 204cf9af41f70cb30cfd3a7d41ab2f7366219cbfa805b4ec7443bb957f373b87630d8e4027491747102d060ed5e238ab

sf/talos_agent.log:TalosAgent:ERROR: updater.go:talosagent.cisco.com/pkg/updater.UpdateService:475 2026/02/24 19:18:08 Failed to download new inventory file: failed to download file: 3b1e29d5b30bd9dc79f15fad7726e616d73e93ec473e383bb08086b41d3bb571b7e08d3f0fb3fc5e839415d6c3edde0b rpc error: code = Internal desc = Download of http://updates.ironport.com:80/lsp/1/lsp/default/20260223001 failed: connection error: Connection reset by peer (os error 104)

3: Verify Update Configuration

Confirm that automatic updates are properly configured in the Firewall Management Center for LSP updates. The fact that VDB and Snort rule updates continue to work automatically suggests the basic update mechanism is functional, but LSP-specific connectivity can be blocked.

4: Test Connectivity

After confirming that the required destinations are accessible through any upstream security devices, monitor the automatic update process to verify that LSP updates resume normal operation.

Example of Working Output

root@echo-ngfw-fmcv3:/Volume/home/admin# curl -v -k http://updates.ironport.com

*   Trying 208.90.58.25:80...

* Connected to updates.ironport.com (208.90.58.25) port 80 (#0)

> GET / HTTP/1.1

> Host: updates.ironport.com

> User-Agent: curl/7.79.1

> Accept: */*

>

* Mark bundle as not supporting multiuse

< HTTP/1.1 200 OK

< Server: nginx/1.20.1

< Date: Mon, 16 Mar 2026 20:22:35 GMT

< Content-Type: text/html

< Content-Length: 689

< Last-Modified: Wed, 06 Sep 2006 17:26:12 GMT

< Connection: keep-alive

< ETag: "44ff04b4-2b1"

< Expires: Tue, 17 Mar 2026 20:22:35 GMT

< Cache-Control: max-age=86400

< Accept-Ranges: bytes

<

<HTML>

  <!-- $Header: /usr/local/cvsroot/godspeed/upgrade_server/http/html/root.html,v 1.1 2004/06/25 22:43:59 brie Exp $ -->

  <HEAD>

  </HEAD>

  <BODY>

    <IMG SRC="http://ironport.com/media/logo.gif">

    <P>

      This is the IronPort Update Server.  If you are trying to download new

traffic monitor, merlin, or WBRS packages, you have reached this page in error.

  Please refer to the Update Manager Release Notes for instructions to download

the new software.

    </P>

    <P>

      If you have any questions, please feel free to contact IronPort Customer Care

      at (877)641-4766 or <A HREF="mailto:support@ironport.com">support@ironport.com</A>.

    </P>

  </BODY>

</HTML>

* Connection #0 to host updates.ironport.com left intact

Ensure that the device adheres to the necessary requirements for port and domain connectivity for other various update and download types as stated in Cisco public documentation:

Cause

The automatic LSP update failure is caused by blocked network connectivity to the required update servers. Specifically, outbound access over port 80 to updates-dyn-talos.sco.cisco.com and updates.ironport.com is being restricted by upstream firewall rules or network security policies. This prevents the FMC from automatically downloading and installing LSP updates, while manual updates can still be performed because they can use different download methods or cached content.

However, the issue can also be impacted by the ability of the FMC to download large files from the Cisco cloud site. Throttling of the FMC bandwidth, coupled with other multiple software updates (ie: SRU and VDB) within the same timeframe can setup competition for bandwidth leading to download failures. In such cases, separate the software download times to allow them enough bandwidth for downloads or resolve any upstream bandwidth issues.

Related Content

Revision History

Revision Publish Date Comments
1.0
15-Apr-2026
Initial Release
TAC Authored

Contributed by Cisco Engineers

  • Echo Quiroz-Garcia
    Technical Consulting Engineer

Was this Document Helpful?

FeedbackFeedback

Contact Cisco