
High unmanaged disk usage on /ngfw/var on 7.0.4 FTD

Herald Sison
Level 3

Has anyone experienced this weird error? I don't find any reason for the disk to be full since it is still running at 45%.


I tried clearing some log files in these directories, but the error is still present:

  • /var/sf/detection_engines/<some GUID>/backup/
  • /var/sf/detection_engines/<some GUID>/instance-1/backup/
  • /var/sf/detection_engines/<some GUID>/instance-2/backup/
  • /var/sf/detection_engines/<some GUID>/instance-3/backup/

I also tried the suggestions from this forum:

https://www.lammle.com/post/fn-70466-ftd-high-unmanaged-disk-utilization-on-firepower-appliances-due-to-untracked-files/?unapproved=223398&moderation-hash=5b9456c268d5ce0ddbf2b6f63d3e882e#comment-223398

Despite all of those actions, the error is still present.


derek.small
Level 5

What about if you are getting this error in FMC, but the firewalls don't show any signs of what I would consider excessive disk use, nor do I find any deleted files when I run the command everyone refers to "lsof | grep deleted".  I don't see anything that would merit an alert about disk space or disk usage in the output below.

 admin@firepower:/$ df
Filesystem 1K-blocks Used Available Use% Mounted on
rootfs 7862912 589412 7273500 8% /
devtmpfs 7966776 649188 7317588 9% /dev
tmpfs 8056044 496 8055548 1% /run
tmpfs 8056044 4548 8051496 1% /var/volatile
/dev/sda1 945144 272712 623588 31% /opt/cisco/config
/dev/sda2 944120 49568 845760 6% /opt/cisco/platform/logs
/dev/sda3 11403544 28764 10788848 1% /var/data/cores
/dev/sda4 83948496 26830936 57117560 32% /opt/cisco/csp
/dev/sdb1 7676252 2199012 5477240 29% /mnt/boot
cgroup_root 8056044 0 8056044 0% /dev/cgroups
tmpfs 8056044 0 8056044 0% /sys/fs/cgroup
tmpfs 8056044 0 8056044 0% /sys/fs/cgroup/pm
none 363520 12 363508 1% /dev/shm/snort
tmpfs 1024 0 1024 0% /var/data/cores/sysdebug/tftpd_logs
admin@firepower:/$ 

 

Hi Sir,

Try checking the log files from these directories below and if you find something that is defined below then you can delete it then run the "lsof | grep deleted" command again.

 

  • /var/sf/detection_engines/<uuid>/instance-*/fileperfstats.log.*
  • /var/sf/detection_engines/<uuid>/instance-*/ssl-certs-unified.log.*
  • /var/sf/detection_engines/<uuid>/instance-*/ssl-nse-debug.log.*
  • /var/sf/detection_engines/<uuid>/instance-*/ssl-stats-unified.log.*
  • /var/sf/detection_engines/<some GUID>/backup/
  • /var/sf/detection_engines/<some GUID>/instance-1/backup/
  • /var/sf/detection_engines/<some GUID>/instance-2/backup/

After deleting, you need to restart diskmanager with "pmtool restartbyid diskmanager".

Then run the "lsof | grep deleted" command.

@derek.small it's the /ngfw folder that the alert is triggering on. So check it with "df -k /ngfw".

Having the same issue, but I don't have output for lsof | grep deleted


bpnfw04:~$ df -k /ngfw
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/sda6 41943040 41660476 282564 100% /ngfw
bpnfw04:~$ lsof | grep deleted
bpnfw04:~$

Hi Sir, it seems that you have not entered "sudo su -" after entering expert mode.

You need to enter "sudo su -" and it will ask for your password; after that you can run lsof | grep deleted.

admin@firepower:/$ df -k /ngfw
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/sda4 52491216 17354612 35136604 34% /ngfw

Still not seeing a problem... FMC seems to think 34% used is a problem, but that seems pretty ridiculous.

@derek.small please check your diskmanager.conf file.

root@firepower:~# cat /etc/sf/diskmanager.conf
diskmanager
{
    version 1;
    warnings
    {
        percent_exceeded 19;
    }
<snip>

Some use cases result in the "percent exceeded" value being incorrect, resulting in false positive errors.

What is the correct value? 19% seems a bit low.

Chess Norris
Level 4

Does anyone know if there are any new "high unmanaged disk" bugs related to version 7.0.5?

This particular bug was supposed to be fixed in 7.0.5, but I just heard from another customer reporting the same error with 7.0.5.

I haven't had any time to investigate the device yet, so I just wanted to check if someone is still having this error with 7.0.5?

Thanks

/Chess

The only version I have actually seen with this fixed so far is 7.2.x

--
Please remember to select a correct answer and rate helpful posts

So far, after upgrading my FTD to 7.0.5 and now 7.0.6, I haven't encountered the same problem anymore, fingers crossed! However, I have this other bug related to CPU which is still ongoing. What happened to Cisco? Their system is so buggy lately! Made me think of switching to other brands. So frustrating. One bug got fixed by a new release but another new bug comes up! What in the world!
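
The thread keeps returning to "lsof | grep deleted" and "df -k /ngfw". As an added example (not from any poster and not Cisco tooling), this script totals the space still held by deleted-but-open files under a path and lists the processes holding them. It assumes lsof's default column order with no TID column; the lsof lines, process names and file paths are constructed, while the df line is the one posted in the thread.

```shell
#!/bin/sh
# Added example; not from the thread. Assumes default lsof columns with no TID column:
# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME

# Constructed sample of `lsof | grep deleted` output (process names, PIDs, paths are made up).
SAMPLE_LSOF='snort 2101 root 12w REG 8,6 1073741824 393301 /ngfw/var/log/example-a.log (deleted)
snort 2102 root 12w REG 8,6 1073741824 393301 /ngfw/var/log/example-a.log (deleted)
exampled 3050 root 7w REG 8,6 524288000 393377 /ngfw/var/log/example-b.log (deleted)
exampled 3050 root 3r REG 8,4 4096 1201 /tmp/example.tmp (deleted)'

# df -k output for /ngfw as posted in the thread.
SAMPLE_DF='Filesystem 1K-blocks Used Available Use% Mounted on
/dev/sda6 41943040 41660476 282564 100% /ngfw'

# KB still held by deleted-but-open regular files under the path prefix in $1.
# Each device+inode pair is counted once, even if several processes hold it open.
deleted_kb_total() {
    awk -v prefix="$1" '
        $NF == "(deleted)" && $5 == "REG" && $7 ~ /^[0-9]+$/ && index($9, prefix) == 1 {
            if (!seen[$6 SUBSEP $8]++) kb += $7 / 1024
        }
        END { printf "%d\n", kb }'
}

# Processes (command[pid]) holding such files; the space is released only
# when they close the file or are restarted.
deleted_holders() {
    awk -v prefix="$1" '
        $NF == "(deleted)" && $5 == "REG" && index($9, prefix) == 1 {
            print $1 "[" $2 "]"
        }' | sort -u
}

# "Used" column (KB) from df -k output for the mount point in $1.
df_used_kb() {
    awk -v mnt="$1" '$NF == mnt { print $3 }'
}

held=$(printf '%s\n' "$SAMPLE_LSOF" | deleted_kb_total /ngfw/)
used=$(printf '%s\n' "$SAMPLE_DF" | df_used_kb /ngfw)
echo "deleted-but-open: ${held} KB of ${used} KB used on /ngfw"
printf '%s\n' "$SAMPLE_LSOF" | deleted_holders /ngfw/
```

On a live system the functions would read from "lsof | grep deleted" and "df -k /ngfw" run as root; without root, lsof cannot see other users' open files, so an empty result does not prove nothing is held.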
