04-03-2025 06:39 AM - edited 04-03-2025 08:00 AM
This is a relatively new remote site and it has been up for 25 days. I was successfully able to install and configure AnyConnect VPN. It is currently running 7.2.8-25 out-of-the-box from Cisco. I have it staged for 7.4.2.2-28, Cisco's gold star. "show disk:" is showing me over 100 Gig of free space. I was trying to configure FirePower. I had already configured all the auto updates for rules, geo and VDB. I was going to do this in stages in case it killed my VPN for whatever reason.
First thing I did was switch on Security Intelligence and set all of the categories to DROP under Network. I then deployed the policy. It took several minutes as expected, but all of a sudden I was kicked out of the VPN. Hoping that this was normal, I waited, and in a few minutes AnyConnect reconnected. When I went into the Deployment Log, I saw this error:
Why was it trying to delete my Windows AnyConnect client file? I don't want to lose connection as I want to finish deploying the rest of my intrusion policy, but I don't want to have my AnyConnect VPN blocked either, as this is a remote site and it would interrupt service.
04-03-2025 11:11 PM
Rebooting the firewall fixed this error. I rebooted and redeployed the changes locally and not through Anyconnect.
04-04-2025 06:01 AM
After the reboot I was successfully able to apply the policy and upgrade it to 7.4.2-127. Can anyone tell me if you can manage Firepower via AnyConnect when applying policies? Or was this a bug with the 7.2.8-25 software?
04-04-2025 06:48 AM - edited 04-04-2025 06:55 AM
I have noticed this error happening much more often on lower-end firewalls such as the FPR1010, but have seen the error on larger, busier units too. The firewall fails to unpack/process the AnyConnect images during deployment because it runs out of memory (and the web GUI logs are very misleading/inaccurate). While a firewall reload is an alternative workaround to free memory on the device, it is unsustainable and not the right approach: one should not have to plan on downtime every time you need to make mundane changes such as updating VPN images.
Unless you run a dedicated firewall for remote VPN and another for IPS, you will likely experience this issue on combined VPN/IPS units until Cisco manages to take action, or revisits its hardware, as you cannot upgrade certain elements such as memory in some models.
04-04-2025 07:25 AM
Do you see this when managed by the FMC too? I have a big firewall upgrade where I have an HA pair of 1150s for IPS and AnyConnect, with 3105s running ASA for multiple contexts. The 1150s will be managed by FMC. How about the automatic updates and re-deployment of policy for rules, geo and VDB? Do those start failing to deploy? So far on my 1010 they have updated and redeployed smoothly.
04-04-2025 08:33 AM - edited 04-04-2025 08:36 AM
All of my FPR devices are FMC managed, so yes. I had one series of deployment failures a while ago on devices that started their life as 6.2; I think this was around the 7.2 days. We had to reimage them as 7.2, and while some were back with a configuration restore, others had to be reconfigured from scratch. Otherwise rules/geo/VDB/LSP pushes wouldn't go through. PITA. Recently there was a certificate issue that expired in late March, but there is a workaround to recover it; it is supposedly to be fixed with VDB 4.0.6, but that isn't out yet, so I will need to run the manual workaround again.
Our rule of thumb lately has been to never combine deployments: if you are changing policies, no changes to anything but policies. If changing settings, nothing but settings. Updates to AnyConnect images without any other changes. Then, after the successful deployment, we move to another area. So we can at least keep the platform somewhat stable.
Scheduled auto-updates of VDB/Geo/LSP seem to be going through on their own.
We push (maybe too far) our 1010 lab device and its dedicated FMC, and that poor box has had more troubles than it should, but we saved our time ironing out bugs on it instead of on production. Well worth it, if you can spare extra resources. Currently running (and having this exact trouble with "out of disk space") on FMC 7.7.0-91 and FPR 7.7.0-89, but I do recall seeing it randomly on 7.4, 7.6 and 7.6.1 as well.
04-04-2025 09:48 AM - edited 04-04-2025 10:02 AM
Read your response wrong. Sorry. The FPR-1010 is managed internally by the web GUI. I was hoping this didn't happen with FMC. My new big deployment of 5525-Xs with Firepower is managed by FMC. I will manage my replacement 1150s via FMC so I have IPS, and then, since FTD cannot do contexts, I will use the 3105 for contexts. The 3105 can have up to 5 virtual firewalls in it, but you cannot mix and match ASA and FTD. If I could do that, I would just use an HA 3105 and run one FTD for IPS and one for ASA. I was told that FTD will never do contexts.