Re: Security Intelligence URL: memcap exceeded - Page 3

kicmar · ‎12-28-2022

Hi

Does anybody else noticed this warning started this weekend on their devices ?

XXX : Security Intelligence URL: memcap exceeded (loaded 2167178 of 2939377)

This started showing up since this saturday, with no change to any policy/configuration, and only for low memory/older devices (aka ASA 5516 running FTD/Firepower 1010). This is not afecting Firepower 1120 or above models.

One interesting observation is that it seems like feed is constantly growing by each day:

Time: Sat Dec 24 04:54:44 2022 UTC - Security Intelligence URL: memcap exceeded (loaded XXX of 2317133)

Time: Sat Dec 24 20:39:59 2022 UTC - Security Intelligence URL: memcap exceeded (loaded XXX of 2354548)

Time: Sun Dec 25 04:33:19 2022 UTC - Security Intelligence URL: memcap exceeded (loaded XXX of 2365381)

Time: Sun Dec 25 20:19:23 2022 UTC - Security Intelligence URL: memcap exceeded (loaded XXX of 2413343)

Time: Mon Dec 26 04:14:15 2022 UTC - Security Intelligence URL: memcap exceeded (loaded XXX of 2444498)

Time: Mon Dec 26 19:59:33 2022 UTC - Security Intelligence URL: memcap exceeded (loaded XXX of 2612033)

Time: Tue Dec 27 03:49:22 2022 UTC - Security Intelligence URL: memcap exceeded (loaded XXX of 2667956)

Time: Tue Dec 27 19:37:55 2022 UTC - Security Intelligence URL: memcap exceeded (loaded XXX of 2891657)

Time: Wed Dec 28 03:32:46 2022 UTC - Security Intelligence URL: memcap exceeded (loaded XXX of 2939377)

mcw1217 · ‎01-18-2023

ours nope, is there any changes done by Cisco?

dharmeshsolanki · ‎01-19-2023

What appliance or firewalls are you using? We had reported issues on the Cisco 5508-x firewalls.

kicmar · ‎01-16-2023

Issue seems to be fixed now. After feeds went over 4 million, it started decreasing significantly and now this error is not seen anymore.

Based on latest TAC update - this was not a planned activity (lol :D), and there is a announcemtn from Talos expected to describe the issue.

dharmeshsolanki · ‎01-16-2023

Thanks for the update. Checked with the TAC engineer I raised a case with, but he was not aware of any fix released. Hopefully, the SI feed with remain in these parameters so that the error does not re-surface again.

razelle · ‎01-16-2023

The Alert for memcap exceeded has stopped on my system as well. I haven't heard anything back from my TAC engineer at this point however I'm still seeing the continuous "core-compressor exited (5) times alert which started occurring when the memcap started.

razelle · ‎01-16-2023

My TAC engineer just confirmed the Talos work to resolve the memcap issue. "Yes, TALOS have been working with the Engineering Team for the last week or so to revolve the Security Intelligence URL: memcap issue.

dharmeshsolanki · ‎01-17-2023

Yes, received similar feedback from the TAC engineer this morning about TALOS carrying out remediation work.

TCSPB · ‎01-18-2023

This is fixed for us now and no longer showing the errors. Would like to see Talos explain what exactly happened here.

Pkpumpkin · ‎04-06-2023

As of this time we are still incurring this issue.
We have a Firepower 1010 running 7.0.5, managed via FDM. We upgraded to 7.0.5 to resolve the CA Cert issue, however, post the upgrade we discovered the Intelligence Feed Mem Cap issue.

We do have a TAC ticket open which is still pending an update from Development.
Has anyone received a one off / special patch for their 7.0.5 / 1010 and did it resolve your Mem Cap issue?

Thanks in advance for your reply

G