Re: Cisco SFR /var disk space 100%

chmbown · ‎06-26-2021

I have an ASA running sourcefire. Recently I noticed that the sourcefire module is showing as unresponsive and not functioning properly. After logging into the system I noticed that /var is 100% full. However if I run the following command "sudo du -shc /var/*" I am shown only 38G in use. I performed a reload of the ASA but am still showing the same discrepancy of disk usage. Anyone know where I can locate the other 22G of files so I can cleanup the system and get SFR running again?

> show disk
Filesystem Size Used Avail Use% Mounted on
/dev/root 3.7G 971M 2.5G 28% /
devtmpfs 1.7G 80K 1.7G 1% /dev
/dev/sda1 88M 21M 62M 26% /boot
/dev/vda7 65G 62G 0 100% /var
none 1.8G 5.7M 1.7G 1% /dev/shm
tmpfs 1.8G 0 1.8G 0% /dev/cgroups

sudo du -shc /var/*
0 /var/adm
1.3G /var/cisco
2.3G /var/common
4.0K /var/data
32K /var/db
4.0K /var/empty
0 /var/home
105M /var/jre
3.6G /var/lib
4.0M /var/locatedb
8.0K /var/lock
1.7G /var/log
0 /var/mail
4.0K /var/net-snmp
7.2M /var/opt
129M /var/perl5
76K /var/run
28G /var/sf
12K /var/spool
450M /var/tmp
38G total

balaji.bandi · ‎06-26-2021

28G /var/sf

here is most space used follow below thread :

https://community.cisco.com/t5/network-security/problem-with-disk-free-space/td-p/2925596

Troubleshoot :

https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118719-technote-firesight-00.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

chmbown · ‎06-28-2021

I wasn't able to find any files that I could remove in the directories linked above. However the folder /var/sf/SRU/ shows up as being 21G and contains files like: Cisco_Firepower_SRU-2018-09-20-002-vrt.sh.REL.tar. These files range from 09/2018 to 06/2021 and are roughly 100M to 150M each.

Can I remove all of these files except for the latest one or are they all needed?

Marius Gunnerud · ‎06-28-2021

the SRU are Sourcefire Rule Updates. I would assume that these files are safe to remove as they are .tar and .sh which are typically used to install the updates. But I would recommend checking with Cisco / TAC before removing them to be sure that they aren't in use.

--
Please remember to select a correct answer and rate helpful posts

chmbown · ‎06-28-2021

After clearing the files (20G worth) our sourcefire module is now showing as up, however isn't fully working. After logging back in I am getting this message: The cisco 6.6.4 upgrade has halted, status: [22%] Fatal error: error running script 300_os/070_setup_Partition.sh. For more details see /var/log/sf/Cisco_Network_Sensor_Upgrade-6.6.4/300_os/070_Setup_partition.sh.log on the device being upgraded. If log files indicate upgrade failure and failure condition has been fixed, upgrade can be resume by running 'upgrade_resume.sh'.

I don't seem to be able to locate the upgrade_resume.sh script. Can anyone point me where this would exist?

chmbown · ‎06-29-2021

Not sure what happened but logged into the CLI this morning and it automatically kicked off the upgrade again. Everything is back up and running now.

Thanks for the help.