Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2277
Views
10
Helpful
7
Replies

Temporary Data Partition is at 91% Capacity on WSA S390

fabc1
Level 1
Level 1

‎06-12-2022 09:06 PM - edited ‎06-12-2022 09:12 PM

Dear all,

 

Need your advice on how to tackle this issue. We suddenly received error on WSA that the temporary data partition is at 91%. 

Current version: AsyncOS 12.5.2-007

I run command #ipcheck and the outcome as attached. i also attached the status of the appliance.

I tried to find similar issue at community here but only managed to find this topic

https://community.cisco.com/t5/web-security/how-to-solve-the-temporary-data-partition-is-at-109-capacity/td-p/2444149

 

Based on above discussion, so i checked on Log Subscription there's 3 type of accesslog listed. AccessLogExternal, TAC_accesslog, accesslog. All those accesslog have the deanonymization button under the column (refer attachment).

Based on the discussion link, should i proceed to enable Log Compression on accesslog to resolve the issue?

Appreciate any idea and advice. thanks!

1 person had this problem
Labels:
Preview file
178 KB
Preview file
81 KB
Preview file
305 KB
0 Helpful
7 Replies 7

amojarra
Cisco Employee
Cisco Employee

‎06-14-2022 01:24 PM

Hi @fabc1 

From the ipcheck Output I can see the root partition and /var partition are higher than 90% which are both expected. these values will change during time, some files will be overwritten and some files will get compressed automatically. 

even sometimes it is normal to see root partition more than 100%.

your log partition has 36% free  so you can check how long it was taken for this amount of disk to get full. 

 

for the 3 types of the accesslogs, I believe the TAC_accesslogs gives you more details in compare of accesslogs itself. 

you can check them, and remove one of them as you don't need duplicate accesslogs in your device, 

on the other hand you have a syslog server which you are sending your assesslog to it as well 

 

 

+ All those accesslog have the deanonymization button under the column

I am not sure if there is any question regarding this line?

 

+++++++++++++++++++++++++++++++++++++++++++++++++++

++++   If you find this answer helpful, please rate it as such  ++++

+++++++++++++++++++++++++++++++++++++++++++++++++++

fabc1
Level 1
Level 1
In response to amojarra

‎06-15-2022 12:52 AM

Dear amojarra,

 

Thank you so much for the reply! May i know how do i check on how long the log partition was taken for this amount of disk to get full? 

 

since you are mentioning that TAC_accesslog will be more details and similar to accesslog, then i think i can proceed to delete the accesslog instead of TAC_accesslog.

 

One more thing, is it normal to received the email from cisco regarding the "Temporary Data Partition is at 91% Capacity" alert? on our current setup of accesslog (under Log Subscription), we have set 10gb for "Rollover by File Size". is it normal to receive alert if appliance will be automatically rollover the log once hit 10gb?

 

**Additional note**

Current setup for the Rollover by File Size setting:-

accesslog: 10G

TAC_accesslog: 2G

AccessLogExternal: 100M

 

Thanks!

0 Helpful

amojarra
Cisco Employee
Cisco Employee
In response to fabc1

‎06-15-2022 05:08 AM

Hi @fabc1 

 

Thanks for the reply 

[1] May i know how do i check on how long the log partition was taken for this amount of disk to get full? 

you can connect via FTP to your WSA, and check the date of first Accesslog and compare to current date 

 

[2] TAC_accesslog will be more details and similar to accesslog, then i think i can proceed to delete the accesslog instead of TAC_accesslog.

you can grep the accesslogs and TAC_accesslogs from CLI > grep > selecting the desired number and compare one line of each accesslogs 

alternately you can navigate to SYSTEM Administration > LOG SUBSCRIPTION from GUI . select the accesslogs and check Custom Fields (optional)

to see what fields were added in them 

 

[3]  accesslog: 10G -  TAC_accesslog: 2G

this will be the maximum file size it is better not to use 10GB since the file will be too large and opening or moving the file will be hard / time consuming

in the Retrieval Method , you can see Maximum Number of Files this is when the old accesslogs will be overwritten, lets say daily you have 2.5 GB of accesslogs and configured it for maximum 100 files , then the access logs totaly will consume 100x2.5=250GB 

 

 

[4] One more thing, is it normal to received the email from cisco regarding the "Temporary Data Partition is at 91% Capacity" alert? 

please check from GUI > System Administration > Alerts to check the configured alerts level 

I am not sure, but I believe it is normal to see this 

 

 

[5] is it normal to receive alert if appliance will be automatically rollover the log once hit 10gb?

I might be able to check this, please let me know the alerts level as mentioned in Item 4. 

 

 

please feel free to let me know if there is any question 

 

 

+++++++++++++++++++++++++++++++++++++++++++++++++++

++++   If you find this answer helpful, please rate it as such  ++++

+++++++++++++++++++++++++++++++++++++++++++++++++++

 

fabc1
Level 1
Level 1
In response to amojarra

‎06-16-2022 12:37 AM

Dear @amojarra ,

 

Thank you again for the explanation for #1, #2 and #3!!

 

and for #4, I have checked the configured alert level and it has been set Critical for Hardware. i have attached the screenshot image of the email alert from appliance, the current setup on Alert. Thanks!

Preview file
20 KB
Preview file
166 KB
Preview file
116 KB
0 Helpful

amojarra
Cisco Employee
Cisco Employee
In response to fabc1

‎06-17-2022 02:40 AM

Thanks @fabc1 

 

 

yes since this warning is Critical and your Alert configuration is set to Send Alert for Critical it is norma.

 

If you can, please try to reboot your Device : CLI > reboot 

this will delete some temp files. maybe it will help you to get less warning. if you still getting these alerts please Open a TAC case, we will check from BackEnd to see if there is anything we can do to free-up Space for you.

 

Yours,

+++++++++++++++++++++++++++++++++++++++++++++++++++

++++   If you find this answer helpful, please rate it as such  ++++

+++++++++++++++++++++++++++++++++++++++++++++++++++

 

0 Helpful

fabc1
Level 1
Level 1
In response to amojarra

‎06-20-2022 01:02 AM

Dear @amojarra ,

 

thank you for the reply! 

Unfortunately, we unable to proceed with the device reboot suggestion as we need to justify the action to mgmt, may i know if we would like to proceed to lower the size for "Rollover by File Size" setting, what is the recommended size you could advise? like we have mentioned on previous post, currently it has been set to 10gb. and, do we need to request maintenance window to do this changes? Thanks!

0 Helpful

amojarra
Cisco Employee
Cisco Employee
In response to fabc1

‎06-20-2022 02:14 AM

Hi @fabc1 

 

[1] may i know if we would like to proceed to lower the size for "Rollover by File Size" setting, what is the recommended size you could advise?

There is no official recommendation for Rollover size, But my personal experience is searching in the logs with size less than 2GB, or moving the log files, is much faster. but there is no limitation nor performance issue.

 

 

[2] Do we need to request maintenance window to do this changes?

This will restart the proxy service for a few seconds (5~20 seconds) and all the current connections will be dropped.

 

+++++++++++++++++++++++++++++++++++++++++++++++++++

++++   If you find this answer helpful, please rate it as such  ++++

+++++++++++++++++++++++++++++++++++++++++++++++++++

0 Helpful
Customers Also Viewed These Support Documents