You pretty much can't use Secure Client (AnyConnect) on Firepower 1010

dranik555
Level 1

Hello,

In case someone runs into the same issue: you may not be able to use Secure Client (AnyConnect) with the Firepower 1010 platform.

I was trying to use Secure Client on Firepower 1010, uploading packages for Windows, Linux and Mac. Upon deployment I was getting the errors below. Opened a case with Cisco TAC and pretty much they told me that Firepower 1010 may not work and it's kind of expected. Firewall load is only about 20Mbps on average, number of ACEs is about 30, 1 VPN tunnel only, no SSL decrypt or any advanced features. So this is very strange and frustrating... Seems like the hardware is terribly designed and isn't worth spending money on. At this point TAC kind of dismisses the issue as not a big deal.

"I was able to confirm the cause for your deployment behavior to be the number of AC packages deployed and your particular hardware. This is contributing to a subsequent amount of FTD (Lina) memory usage. You will find this documented here, https://bst.cisco.com/bugsearch/bug/CSCwc82675.

We advise to consider upgrading the hardware based on network requirements to better handle the memory demands. The impact of this behavior is more prevalent on lower end devices, hence FPR1010 is seeing 90% memory usage. Ref : https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/vpn-remote-access.html#reference_xby_dml_wy  Unsupported Features of AnyConnect: Using multiple AnyConnect packages on threat defense devices can increase memory usage and affect the device’s performance. "

 

FMC >> anyconnect image disk0:/csm/cisco-secure-client-win-5.1.5.65-webdeploy-k9.pkg 1 regex "Windows"
FMC >> anyconnect image disk0:/csm/cisco-secure-client-macos-5.1.5.65-webdeploy-k9.pkg 2 regex "Mac OS"
FMC >> anyconnect image disk0:/csm/cisco-secure-client-linux64-5.1.5.65-webdeploy-k9.pkg 3 regex "Linux"
1 >> error : the disk is (or was) full during extraction.
WARNING: Unable to install image
WARNING: Unable to remove image
Config Error -- anyconnect image disk0:/csm/cisco-secure-client-linux64-5.1.5.65-webdeploy-k9.p
Other logs
Lina config ROLLBACK failure log Lina configuration application failure. Error in lina apply phase due to Config Error response from LINA Rollback skipped as Lina and SNORT are in sync
Write mem executed as Lina and SNORT are in sync
Lina write mem operation successful
3 Replies

Thanks a lot for sharing this info

MHM

IFS
Level 1

We have a couple of 1010s and at one point the AnyConnect packages became larger than what FMC could deploy. I believe we used the workaround in this bug report: CSCwi86503

We are now on 7.2.8 FTD and FMC code and our 1010 devices seem to behave as if they have a memory leak. A reboot brings them back down to somewhere around 85% usage, but after a couple of weeks we are back to high 90s or even 99% before weird things start to happen. Removing one of the AnyConnect images certainly helped reduce how much memory was being used on startup.

I'm on 7.2.7 and didn't have an issue with the file size. I was able to do only 2 SC images (not 3), which is not ideal since I had to tell some people to not use Linux systems and do VPN from a Windows VM. Memory usage is at 92%, which is very scary. Still believe that Firepower 1010 is a badly designed platform if it can't handle normal operations like Secure Client VPN, and the advice from TAC to just buy new hardware is a bit disappointing.

I guess if you need remote access VPN, don't buy a 1010 and ignore all datasheet metrics; this device is bad (but cheap).
