Automatic Lightweight Security Package (LSP) updates are failing on Cisco FMC. LSP updates no longer install automatically, while manual LSP installation continues to work properly. VDB updates and Snort rule updates are still functioning normally through automatic processes.
inline_image_0.png
To resolve the automatic LSP update failure, verify that the required network connectivity is properly configured on any upstream firewalls or network devices that could be blocking the update process.
Check the current LSP version installed on the Firepower Threat Defense device:
show version
Example output showing the current LSP version:
--------------[ device ]--------------
Model : Cisco Secure Firewall 3140 Threat Defense (80) Version 7.6.2.1 (Build 3)
UUID : 5fb22700-68c8-11ee-b5a0-d2e6638aec56
LSP version : lsp-rel-20260121-2008
VDB version : 421
----------------------------------------------------
Ensure that outbound access over port 80 is allowed on any upstream firewall or network security device for these destinations:
updates-dyn-talos.sco.cisco.com - Required for LSP updates
updates.ironport.com - Required for security content updates
These destinations are essential for the automatic update process to function properly. Any blocking of these connections prevent automatic LSP updates while still allowing manual updates to work.
root@fmc:/Volume/home/user# curl -v -k http://updates.ironport.com
<h1>Web Page Blocked</h1>
<p>The web page you are trying to visit has been blocked in accordance with company policy. Please contact your system administrator if you believe this is an error.</p>
sf/talos_agent.log:TalosAgent:ERROR: updater.go:talosagent.cisco.com/pkg/updater.UpdateService:475 2026/02/13 04:11:05 Failed to download new inventory file: failed to download file: 204cf9af41f70cb30cfd3a7d41ab2f7366219cbfa805b4ec7443bb957f373b87630d8e4027491747102d060ed5e238ab rpc error: code = Internal desc = http error 503 Service Unavailable while downloading file 204cf9af41f70cb30cfd3a7d41ab2f7366219cbfa805b4ec7443bb957f373b87630d8e4027491747102d060ed5e238ab
sf/talos_agent.log:TalosAgent:ERROR: updater.go:talosagent.cisco.com/pkg/updater.UpdateService:475 2026/02/24 19:18:08 Failed to download new inventory file: failed to download file: 3b1e29d5b30bd9dc79f15fad7726e616d73e93ec473e383bb08086b41d3bb571b7e08d3f0fb3fc5e839415d6c3edde0b rpc error: code = Internal desc = Download of http://updates.ironport.com:80/lsp/1/lsp/default/20260223001 failed: connection error: Connection reset by peer (os error 104)
Confirm that automatic updates are properly configured in the Firewall Management Center for LSP updates. The fact that VDB and Snort rule updates continue to work automatically suggests the basic update mechanism is functional, but LSP-specific connectivity can be blocked.
After confirming that the required destinations are accessible through any upstream security devices, monitor the automatic update process to verify that LSP updates resume normal operation.
root@echo-ngfw-fmcv3:/Volume/home/admin# curl -v -k http://updates.ironport.com
* Trying 208.90.58.25:80...
* Connected to updates.ironport.com (208.90.58.25) port 80 (#0)
> GET / HTTP/1.1
> Host: updates.ironport.com
> User-Agent: curl/7.79.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx/1.20.1
< Date: Mon, 16 Mar 2026 20:22:35 GMT
< Content-Type: text/html
< Content-Length: 689
< Last-Modified: Wed, 06 Sep 2006 17:26:12 GMT
< Connection: keep-alive
< ETag: "44ff04b4-2b1"
< Expires: Tue, 17 Mar 2026 20:22:35 GMT
< Cache-Control: max-age=86400
< Accept-Ranges: bytes
<
<HTML>
<!-- $Header: /usr/local/cvsroot/godspeed/upgrade_server/http/html/root.html,v 1.1 2004/06/25 22:43:59 brie Exp $ -->
<HEAD>
</HEAD>
<BODY>
<IMG SRC="http://ironport.com/media/logo.gif">
<P>
This is the IronPort Update Server. If you are trying to download new
traffic monitor, merlin, or WBRS packages, you have reached this page in error.
Please refer to the Update Manager Release Notes for instructions to download
the new software.
</P>
<P>
If you have any questions, please feel free to contact IronPort Customer Care
at (877)641-4766 or <A HREF="mailto:support@ironport.com">support@ironport.com</A>.
</P>
</BODY>
</HTML>
* Connection #0 to host updates.ironport.com left intact
Ensure that the device adheres to the necessary requirements for port and domain connectivity for other various update and download types as stated in Cisco public documentation:
The automatic LSP update failure is caused by blocked network connectivity to the required update servers. Specifically, outbound access over port 80 to updates-dyn-talos.sco.cisco.com and updates.ironport.com is being restricted by upstream firewall rules or network security policies. This prevents the FMC from automatically downloading and installing LSP updates, while manual updates can still be performed because they can use different download methods or cached content.
However, the issue can also be impacted by the ability of the FMC to download large files from the Cisco cloud site. Throttling of the FMC bandwidth, coupled with other multiple software updates (ie: SRU and VDB) within the same timeframe can setup competition for bandwidth leading to download failures. In such cases, separate the software download times to allow them enough bandwidth for downloads or resolve any upstream bandwidth issues.
| Revision | Publish Date | Comments |
|---|---|---|
1.0 |
15-Apr-2026
|
Initial Release |