Hi,

I had some customers with this issue lately, but there is a workarround and it's described here https://bst.cisco.com/bugsearch/bug/CSCwb34240 

/Chess

There are at least five "high unmanaged disk space" bugs.

I've been collecting a list:

https://bst.cisco.com/bugsearch/bug/CSCvt77813
https://bst.cisco.com/bugsearch/bug/CSCvo74833
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb34240
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwc30487
https://bst.cisco.com/bugsearch/bug/CSCvy26511

Marvin,

I am having the same issue with my FTD 1140 running 7.0.4. When I run pidof syslog-ng I get three PIDS

8058 8057 and 6464. Which would be the correct PID to kill?

@ethutchinson generally speaking the last listed one does the trick. So in your case at hand, "kill 6464".

Marvin,

Thanks for the assist. Killing the syslog-ng pid (third one in list) worked.

Run the LSOF command again but also grep for syslog-ng.

lsof | grep deleted | grep syslog-ng

Then kill any PIDs that are also in the list from "pidof".

kill -n 1 <PID>

@ethutchinson Please open a new post for this so we can help you better and easier for other to find should the solution be different than that of this post.

This fix seems to solve the problem permanently. I used it with a customer on 28 Dec. 22 and so far I haven't seen any errors related to "High unmanaged disk usage". Thank you Chess Norris.

I am sick of manually clearing these files just to lower the unmanaged disk usage. i do this every 10 days.

every 10days i always get this error. before, even if my disk usage is only at 60% the error keeps popping out and i followed what TAC told me that to change some values in diskmanager.conf file, i thought that the error will be gone but when the disk usage reaches 80% the same error pops up again. So i am back again at clearing the freaking log files. As per TAC this bug has been fixed in FMC 7.3.0 and FTD 7.0.5 but i am already running 7.3.0 but still this errors pops up and some new bugs came out. Are we expecting a chain of BUGS here? 

i will try to upgrade my FTD to 7.0.5 once i can ask for maintenance window maybe during Sundays and hoped that this freaking bug will be gone forever. and by the way my device ASA5508X will have its last FTD version which is 7.0.5 (and it is already gold star) so i am really expecting that this version would really be it, fingers crossed.

/etc/sf/diskmanager.conf file

- Change:

          percent_exceeded 60;

     TO:

           percent_exceeded 25;

- Restart diskmanager process using pmtool. "pmtool restartbyid diskmanager"

This is the disk usage after clearing up the log files in:

/ngfw/var/sf/detection_engines/<uuid>/instance-*/fileperfstats.log.*
/ngfw/var/sf/detection_engines/<uuid>/instance-*/ssl-certs-unified.log.*
/ngfw/var/sf/detection_engines/<uuid>/instance-*/ssl-nse-debug.log.*
/ngfw/var/sf/detection_engines/<uuid>/instance-*/ssl-stats-unified.log.*

This is the disk usage after performing:

lsof | grep deleted
pidof syslog-ng
kill <pid returned from previous command>

pmtool restartbyid diskmanager

As far as my issue, this was my solution.

Cisco Firepower Extensible Operating System (FX-OS) v2.10.1 (build 208)
Cisco Firepower 2140 Threat Defense v7.0.4 (build 55)

Hi Sir,

Try checking the log files from these directories below and if you find something that is defined below then you can delete it then run the "lsof | grep deleted" command again.

• /var/sf/detection_engines/<uuid>/instance-*/fileperfstats.log.*
• /var/sf/detection_engines/<uuid>/instance-*/ssl-certs-unified.log.*
• /var/sf/detection_engines/<uuid>/instance-*/ssl-nse-debug.log.*
• /var/sf/detection_engines/<uuid>/instance-*/ssl-stats-unified.log.*
• /var/sf/detection_engines/<some GUID>/backup/
• /var/sf/detection_engines/<some GUID>/instance-1/backup/
• /var/sf/detection_engines/<some GUID>/instance-2/backup/

after deleting you need to run the restart diskmanager "pmtool restartbyid diskmanager"

then run the "lsof | grep deleted" command

@derek.small it's the /ngfw folder that the alert is triggering on. So check it with "df -k /ngfw".