Cisco Firepower Security Intelligence Error: URL memcap exceeded – Solution found 1/23/18

After upgrading my pods and half my customers to Cisco Firepower/FTD 6.2.2 code, a health alert started appearing on “some” of my FMCs and for “some” of my customers, but not all of them. Very odd.

Since I didn’t really see a problem, meaning the SI was still dropping bad guys, I kinda ignored it, especially because when I took the boxes to FTD the problem didn’t appear again. Also, I tested the SI objects and the packets were dropped.

So here is what I found out.

  • This issue has been happening for some time now, but due to 6.2.2 and the implementation of the SI health module alert, we are now seeing it
  • In the past three weeks, TALOS has exponentially increased the number of items in the SI feed database, thus causing this partial load of SI objects

So which is it? Has it always been happening, or did it only just start, so that we are now getting <= 50% of the overall SI feed? That is the question, isn’t it?

Need a way to inform user when SI URL/DNS memcap is exceeded on onbox
CSCvd96543

Symptom:
URLs or DNS entries to be blocked by security intelligence are not blocked and vice versa

Conditions:
Relatively large number of entries in feeds used for security intelligence DNS or URL

Workaround:
None

So, this is a VERY hot issue internally at Cisco, and the devs and leadership are feverishly looking for a solution.

I’ll mention again that I can’t seem to find a problem, but how can you tell if something is missing from SI? You can’t…

UPDATE 1/23/2018: Cisco has a hotfix out for this. Received it from TAC and I installed it today and all issues with the errors are resolved.
If you call Cisco, chances are they won’t find this or know about this fix…
—Tell them the hot fix is:
Sourcefire_3D_Defense_Center_S3_Hotfix_H-6.2.2.2-1.sh.REL.tar