security intelligence URL: memcap exceeded Alert in FMC related to one firepower module

engahmedsaied (Level 1)

Hello all,

After upgrading to version 6.2.2 we face the following error:

security intelligence URL: memcap exceeded

The same error also exists in 6.2.2.1.

I saw a similar bug, but on FTD; we are not using FTD.

We are using one virtual Firepower Management Center to manage two ASAs with the Firepower module.

33 Replies

mikael.lahtela (Level 4)

Hi,

It's the same problem. I had a TAC case on a Firepower module and got the same recommendation for a workaround.

Try tuning your URL, SI and DNS policy.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg34306

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvf25058/?referring_site=bugquickviewredir

br, Mickel

Why does this bug now say it's "fixed" when there are no new releases addressing this? That's a bullsh!t answer from Cisco.

toddlammle (Level 1)

I discuss this at www.lammle.com/about/blog

I have found that if you remove most of the URL and DNS objects (the layer 7 SI inspection), then the problem goes away. You can create block rules in your ACP instead.

This problem is based on the lower RAM in ASAs such as the 5506 and 5508, but I haven't seen this problem in 6.2.2 on higher-end ASAs or the 2100/4100/9300.

There cannot be a fix for this issue because it is a RAM issue, meaning that there are more SI objects now than some ASAs can handle.

It would be great if Cisco published the maximum number of objects related to IP, URL and domains that is supported, based on the hardware appliance.

Vaibhav

I think they'd rather have you buy a 4100! :)

@toddlammle wrote:

I discuss this at www.lammle.com/about/blog

I have found that if you remove most of the URL and DNS objects (the layer 7 SI inspection), then the problem goes away. You can create block rules in your ACP instead.

This problem is based on the lower RAM in ASAs such as the 5506 and 5508, but I haven't seen this problem in 6.2.2 on higher-end ASAs or the 2100/4100/9300.

There cannot be a fix for this issue because it is a RAM issue, meaning that there are more SI objects now than some ASAs can handle.

I have this issue on a 2120.

Yes, in my blog I mention the fix because the problem spread to other boxes well above the 5506, so I posted the fix.

Also, 6.2.2.2 has the fix in it as well.


I would like to play devil's advocate here and ask...

How can we tell if FP is truly loading all the objects defined in the SI policy, or if maybe they are just suppressing the FMC error?

It is certainly not loading all the objects; you can tell by the memory size loaded.

Also, the hotfix is no longer needed, as 6.2.2.2 had it included, and now 6.2.3 as well.


Wow, that is disturbing. It seems like we are getting scammed then, no? I certainly don't have all the details, but it seems to me that a true and honest fix for this should be possible.

For example, I have a 5512 with 4GB of RAM. On this unit the ASA is assigned 1.8GB, of which it is only using 750MB, and it shows as having about 1GB or 58% free. The FP module is also assigned 1.8GB and it is using 1.3GB, so it has about 25% free.

Shouldn't it be possible to reassign a few hundred MB from the ASA to FP?

Diego

Hi,

I will try to answer that. Even if the FP module has enough free memory, the issue would still be there because there is a fixed memcap (memory limit) for the SI data. So even if the FP module has 750 MB free, let's assume the fixed memcap is x MB. Once that cap is reached and there is more data to come, because more categories of SI URL have been selected, you would see the error.

With the fix (be it a hotfix or a new release containing the fix) the limit might change or become dynamic based on available free memory.

Rate if it helps,

Yogesh

Hello Yogdhanu,

Yes, I realize that no matter how much memory you assign to FP, there is always the reality that increasing SI data will eventually reach the limit. But in the meantime, why can't we "borrow" a few hundred MB from the ASA so we can get more SI data loaded? It is not very efficient to have 1GB of RAM sitting around unused on the ASA side when it could be put to good use increasing SI data capacity on the FP side of the house.

And please keep in mind that under no circumstances is it OK to fool the user into thinking that all the data he/she has selected for protection is being used by the security system when in reality it is not.

Rgds,

Diego

Hi Diego,

I understand that something could have been done, but that's at the discretion of the dev team and how they want to take it.

I would assume that the system needs to have some memory free for other services, including processing traffic as well. The fixed version (6.2.3) should take care of the issue.

Thanks,
Yogesh

What about adding SI URL lists to an ACP rule? I would imagine that there might be some drawback to that, since SI URLs are designed to be used in the SI policy, but maybe it's something we can live with.
