11-11-2017 10:17 AM - edited 02-21-2020 06:43 AM
Hello all,
After upgrading to version 6.2.2 we face the following error:
security intelligence URL: memcap exceeded
The same error also exists in 6.2.2.1.
I saw a similar bug, but on FTD; we are not using FTD.
We are using one virtual Firepower Management Center to manage two ASAs with Firepower modules.
11-11-2017 12:09 PM - edited 11-11-2017 12:14 PM
Hi,
It's the same problem, I had a TAC case on a Firepower module and had the same recommendation for workaround.
Try tuning your URL, SI and DNS policies.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg34306
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvf25058/?referring_site=bugquickviewredir
br, Mickel
11-22-2017 08:02 AM
Why does this bug now say it's "fixed" when there are no new releases addressing this? That's a bullsh!t answer from Cisco.
11-22-2017 06:48 PM
I discuss this at www.lammle.com/about/blog
I have found that if you remove most of the URL and DNS objects (the layer 7 SI inspection), then the problem goes away. You can create block rules in your ACP instead.
This problem is based on the lower RAM in ASAs such as the 5506 and 5508, but I haven't seen this problem in 6.2.2 on higher-end ASAs or the 2100/4100/9300.
There cannot be a fix for this issue because it is a RAM issue, meaning that there are more SI objects now than some ASAs can handle.
11-28-2017 02:19 PM
It would be great if Cisco published the maximum number of objects related to IPs, URLs and domains that is supported for each hardware appliance.
Vaibhav
11-28-2017 03:31 PM
I think they'd rather have you buy a 4100! :)
03-18-2018 08:48 AM
@toddlammle wrote:
I discuss this at www.lammle.com/about/blog
I have found that if you remove most of the URL and DNS objects (the layer 7 SI inspection), then the problem goes away. You can create block rules in your ACP instead.
This problem is based on the lower RAM in ASAs such as the 5506 and 5508, but I haven't seen this problem in 6.2.2 on higher-end ASAs or the 2100/4100/9300.
There cannot be a fix for this issue because it is a RAM issue, meaning that there are more SI objects now than some ASAs can handle.
I have this issue on a 2120.
03-18-2018 09:08 AM
03-31-2018 04:27 AM
I would like to play devil's advocate here and ask....
How can we tell if FP is truly loading all the objects defined in the SI policy or if maybe they are just suppressing the FMC error?
03-31-2018 04:44 AM
03-31-2018 08:19 AM
Wow, that is disturbing. It seems like we are getting scammed then, no? I certainly don't have all the details but it seems to me that a true and honest fix for this should be possible.
For example, I have a 5512 with 4GB of RAM. On this unit the ASA is assigned 1.8GB of which it is only using 750MB and shows as having about 1GB or 58% free. The FP module is also assigned 1.8GB and it is using 1.3GB so it has about 25% free.
Shouldn't it be possible to reassign a few hundred MB from ASA to FP?
Diego
03-31-2018 08:44 AM
Hi
I would try to answer that. Even if the FP module has enough free memory, the issue would still be there because there is a fixed memcap (memory limit) for the SI data. So even if the FP module has 750 MB free, let's assume the fixed memcap is x MB. Once that cap is reached and there is more data to come because more categories of SI URLs have been selected, you would see the error.
With the fix (be it hotfix or new release containing fix) the limit might change or become dynamic based on available free memory.
Rate if it helps,
Yogesh
03-31-2018 09:11 AM
Hello Yogdhanu,
Yes, I realize that no matter how much memory you assign to FP there is always the reality that increasing SI data will eventually reach the limit. But in the meantime why can't we "borrow" a few hundred MB from the ASA so we can get more SI data loaded? It is not very efficient to have 1GB of RAM sitting around unused on the ASA side when it can be put to good use increasing SI data capacity on the FP side of the house.
And please keep in mind that under no circumstances is it OK to fool the user into thinking that all the data he/she has selected for protection is being used by the security system when in reality it is not.
Rgds,
Diego
04-01-2018 05:49 AM
Hi Diego,
I understand that something could have been done but that's at the discretion of dev team on how they want to take it.
I would assume that the system needs to have some memory free for other services including processing traffic as well. The fixed version (6.2.3) should take care of the issue.
Thanks,
yogesh
04-01-2018 10:04 AM
What about adding SI URL lists to an ACP rule? I would imagine that there might be some drawback to that, since SI URLs are designed to be used in the SI policy, but maybe it's something we can live with.