Symptom
Deployment to an FTD system with low memory may fail and, as a side effect, the rollback operation may remove the "nameif" interface parameters.
During the failed deployment, the following error is seen on the CLI of the FTD:
"Firepower-module1# ERROR: Insufficient memory to install the rules"
"show memory detail" displays low memory levels, as below:
firepower# show mem det
Heap Memory:
Free Memory:
Heapcache Pool: 329524688 bytes ( 1% )
Global Shared Pool: 1005071520 bytes ( 3% )
Message Layer Pool: 49602896 bytes ( 0% )
System: 20889600 bytes ( 0% ) <<<<<<
The most common cause of this lack of memory is the presence of a huge number of ACEs (access-list elements), on the order of millions, as seen below:
Firepower-module1# show access-list | inc elements
access-list CSM_FW_ACL_; 1872942 elements; name hash: 0x4a69e3f3
Once the deployment fails, the FMC performs a rollback of the FTD config in order to restore the last known good config on the device, but the lack of available memory prevents the nameif command from being parsed correctly.
Conditions
FTD running in a low memory condition
Workaround
Optimize the ACP applied to the FTD sensor:
If possible, duplicate the ACP currently applied to the device and optimize it as much as possible in order to reduce memory consumption.
Remove unnecessary rules and, in particular, revisit the network object configuration and how the objects are used in ACEs.
Quite frequently, network object groups with a significant number of objects lead to this symptom.
Consider the following example:
Source object group with 400 objects
Destination object group with 40 objects
Destination port group object with 20 objects
One ACL line combining the above objects would result in 400 x 40 x 20 = 320,000 ACEs.
In most cases there is a lot of room for optimization in such a scenario.
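The following is an added example (not part of the Cisco notice and not Cisco code) that estimates the ACE expansion of access control rules before deployment and shows one of the object optimizations the workaround refers to. It assumes, as the notice describes, that each source x destination x port combination in a rule expands to one access-list element, and it assumes that a network object group whose hosts are contiguous can be replaced by the equivalent CIDR blocks without changing what the rule matches. The rule names, object values and the 100,000-ACE threshold are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    """Constructed representation of one access control rule (hypothetical, not an FMC API)."""
    name: str
    sources: list         # network object entries, e.g. "10.10.0.5" or "10.10.0.0/24"
    destinations: list
    ports: list           # service entries, e.g. "tcp/443"


def expanded_aces(rule):
    """Estimated access-list elements a rule expands to.

    Assumption (matching the notice's 400 x 40 x 20 example): every
    source/destination/port combination becomes one ACE. An empty list
    means "any", which still counts as a single element.
    """
    return (max(len(rule.sources), 1)
            * max(len(rule.destinations), 1)
            * max(len(rule.ports), 1))


def collapse_networks(entries):
    """Summarise host/network entries into the smallest set of CIDR blocks
    covering exactly the same addresses. Adjacent hosts merge into supernets,
    so the address set matched by the rule does not change."""
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def optimize_rule(rule):
    """Return a copy of the rule with network groups summarised and duplicate ports removed."""
    return Rule(rule.name,
                collapse_networks(rule.sources),
                collapse_networks(rule.destinations),
                list(dict.fromkeys(rule.ports)))


def report(rules, threshold=100000):
    """List (rule name, estimated ACEs, over_threshold) sorted by expansion, largest first,
    so the rules that dominate memory consumption are reviewed first."""
    rows = [(r.name, expanded_aces(r), expanded_aces(r) > threshold) for r in rules]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample matching the sizes in the notice: 400 source hosts,
# 40 destination hosts and 20 destination ports, all entered as individual objects.
SAMPLE_RULE = Rule(
    name="Allow-App-Tier",
    sources=[str(ipaddress.ip_address("10.10.0.0") + i) for i in range(400)],
    destinations=[str(ipaddress.ip_address("192.0.2.0") + i) for i in range(40)],
    ports=[f"tcp/{8000 + i}" for i in range(20)],
)

SMALL_RULE = Rule("Allow-DNS", ["10.20.0.0/16"], ["192.0.2.53"], ["udp/53", "tcp/53"])


if __name__ == "__main__":
    for name, aces, flagged in report([SAMPLE_RULE, SMALL_RULE]):
        print(f"{name:20} {aces:>10} ACEs {'<-- review' if flagged else ''}")
    optimized = optimize_rule(SAMPLE_RULE)
    print("sources after summarisation:", optimized.sources)
    print("estimated ACEs after summarisation:", expanded_aces(optimized))
```

On the constructed data the 400 contiguous hosts summarise to three CIDR blocks and the 40 destinations to two, so the estimate for the rule drops from 320,000 to 120 ACEs. Real object groups rarely collapse that well, so the report is most useful for ranking which rules to revisit first; the per-rule estimate can be compared against the element count reported by "show access-list" on the device after deployment.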