Field Notice: FN72230 - Virtual Email Security Appliance/Security Management Appliance Upgrade Fails Due to Small Nextroot Partition Size - Workaround Provided

Available Languages

Updated:November 6, 2023

Document ID:FN72230

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Notice

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Products Affected

Affected Software Product	Affected Release	Affected Release Number	Comments
AsyncOS for Content Security Management Appliance (SMA)	14	14.0.0	and later
AsyncOS for ESA	14	14.0.0	and later

Defect Information

Defect ID	Headline
CSCvy69068	Upgrade of virtual ESA fails due to small partition size
CSCvy69076	Upgrade of virtual SMA fails due to small partition size

Problem Description

An attempt to upgrade a Virtual Email Security Appliance (vESA) or Virtual Security Management Appliance (vSMA) with a nextroot partition size less than 500MB fails.

Background

Initially, vESA and vSMA images were built with a nextroot partition size of less than 500MB. Over the years, and with later AsyncOS releases that include additional features, upgrades have had to use more and more of this partition throughout the upgrade process. This results in upgrades that fail because of this partition size.

This issue is known to affect upgrades to AsyncOS Version 14.x, 15.5, and later for both ESA and SMA appliances.

Problem Symptom

An older vESA or vSMA image with a nextroot partition size of less than 500MB might fail to upgrade with these errors:


...
...
...
Finding partitions... done.                                                    
Setting next boot partition to current partition as a precaution... done.      
Erasing new boot partition... done.                                            
Extracting eapp done.                                                          
Extracting scanerroot done.                                                    
Extracting splunkroot done.                                                    
Extracting savroot done.                                                       
Extracting ipasroot done.                                                      
Extracting ecroot done.                                                        
Removing unwanted files in nextroot done.                                      
Extracting distroot                                                            
/nextroot: write failed, filesystem is full
./usr/share/misc/termcap: Write failed
./usr/share/misc/pci_vendors: Write to restore size failed
./usr/libexec/getty: Write to restore size failed
./usr/libexec/ld-elf.so.1: Write to restore size failed
./usr/lib/libBlocksRuntime.so: Write to restore size failed
./usr/lib/libBlocksRuntime.so.0: Write to restore size failed
./usr/lib/libalias.so: Write to restore size failed
./usr/lib/libarchive.so: Write to restore size failed

For Cisco AsyncOS releases 15.5 and later, if the next partition is less than 4GB, the upgrade will be aborted, and the following message will be printed in the console:

Your system upgrade to AsyncOS 15.5 version is blocked because the machine has a next root partition of less than 4GB disk space. You must deploy a new virtual appliance with a next root partition of 4 GB disk space. For more information on how to deploy a new virtual appliance with a next root partition of 4 GB disk space, see the Field Notice (FN) at https://www.cisco.com/c/en/us/support/docs/field-notices/722/fn72230.html.

Workaround/Solution

To ensure that the vESA/vSMAcan be upgraded, first check if the nextroot partition size is 4GB using the ipcheck CLI command, as shown in the following example:

(lab.cisco.com) > ipcheck
<----- Snippet of relevant section from the output ----->

  Root                  4GB 7%
  Nextroot              4GB 1%
  Var                   400MB 3%
  Log                   172GB 3%  
  DB                    2GB 0%  
  Swap                  6GB  
  Mail Queue            10GB

<----- End of snippet ----->

Important: If the nextroot partition is less than 4GB, it is highly recommended that you prevent nextroot partition size issues on future upgrades by following the steps in How to Apply the Workaround for Cisco vESA/vSMA Failing Upgrade Due to Small Partition Size to migrate your current VM template to a later updated image.

Revision History

Version	Description	Section	Date
2.0	Added information to better reflect the impact on future AsyncOS releases.	Problem Symptom and Workaround/Solution	2023-NOV-06
1.1	Updated the Background and Problem Symptom Sections	—	2023-APR-05
1.0	Initial Release	—	2021-SEP-14

For More Information

For further assistance or for more information about this field notice, contact the Cisco Technical Assistance Center (TAC) using one of the following methods:

Receive Email Notification About New Field Notices

To receive email updates about Field Notices (reliability and safety issues), Security Advisories (network security issues), and end-of-life announcements for specific Cisco products, set up a profile in My Notifications

Was this Document Helpful?

Feedback

Contact Cisco

Open a Support Case
(Requires a Cisco Service Contract)