Symptom
Firepower Management Center reporting Security Intelligence DNS: memcap exceeded
Conditions
After upgrading Firepower Threat Defense to Version 6.2.2.
Workaround
1. Reduce the number of SI categories in use.
2. Remove regular (Brightcloud-based) URL category filtering.
This frees up shared memory for SI to load more entries.
Having even a single URL category can impact how many SI entries are loaded.
Further Problem Description
The catalyst here was a tripling of the entries in the Cisco Intelligence Feed; it is not software related. The additional intelligence was added just before the 6.2.2 CCO post and after the IFT cycle, hence this is not a software issue. The system is functioning as designed and alerting the customer correctly in the 6.2.2 release. It is expected that systems with less memory, and hence smaller memcaps, will not be able to load this many entries into memory for use with the Security Intelligence feature. Reaching this memcap does not impact any processes or cause an out-of-memory situation; it just means that not all of the entries can be loaded into memory.
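The following is an added illustration, not Cisco code and not a description of FTD internals: a small Python model of a fixed shared-memory cap that SI entries and URL category data both draw from, plus a counter for "memcap exceeded" health events. The per-entry byte costs, the 64 MiB pool size, the entry counts and the log lines are all assumptions constructed for the demonstration. It shows the two behaviours the description above states: the loader stops at the cap instead of allocating past it (no out-of-memory condition, only skipped entries), and removing URL categories from the shared pool lets more SI entries load.

```python
"""
Illustrative model (added example, not Cisco code) of how a fixed shared-memory
cap ("memcap") bounds how many Security Intelligence (SI) entries can be loaded
when URL category filtering shares the same pool. Sizes, entry counts and the
per-entry costs are assumptions chosen for the demonstration, not FTD internals.
"""
from dataclasses import dataclass

# Assumed per-entry memory cost in bytes (constructed values, not real figures).
SI_ENTRY_BYTES = 64
URL_CATEGORY_BYTES = 8 * 1024 * 1024   # assumed cost of one enabled URL category


@dataclass(frozen=True)
class LoadResult:
    loaded: int            # SI entries that fit under the cap
    skipped: int           # SI entries that could not be loaded
    memcap_exceeded: bool  # whether a "memcap exceeded" alert would be raised


def plan_si_load(si_entries: int, url_categories: int, memcap_bytes: int) -> LoadResult:
    """Simulate loading SI entries into a shared pool already holding URL data.

    Mirrors the behaviour the advisory describes: once the cap is reached the
    loader stops and raises a health alert; it never allocates past the cap,
    so nothing crashes and no other process is affected.
    """
    if si_entries < 0 or url_categories < 0 or memcap_bytes <= 0:
        raise ValueError("counts must be non-negative and memcap positive")
    available = memcap_bytes - url_categories * URL_CATEGORY_BYTES
    if available <= 0:
        # URL category data alone fills the pool: no SI entries fit at all.
        return LoadResult(0, si_entries, si_entries > 0)
    capacity = available // SI_ENTRY_BYTES
    loaded = min(si_entries, capacity)
    return LoadResult(loaded, si_entries - loaded, si_entries > capacity)


def entries_freed_by_dropping_url_categories(url_categories: int) -> int:
    """How many additional SI entries fit once the given URL categories are removed."""
    return (url_categories * URL_CATEGORY_BYTES) // SI_ENTRY_BYTES


# Constructed health-event lines in the style of the alert quoted in the advisory
# (not a real FMC log format; device names and timestamps are made up).
SAMPLE_HEALTH_LOG = [
    "2017-09-20T10:01:02 ftd01 health: Security Intelligence DNS: memcap exceeded",
    "2017-09-20T10:01:02 ftd01 health: Security Intelligence URL: memcap exceeded",
    "2017-09-20T10:05:00 ftd01 health: CPU usage normal",
    "2017-09-20T10:30:12 ftd02 health: Security Intelligence DNS: memcap exceeded",
]


def memcap_alerts(lines):
    """Return {(device, SI list type): count} for 'memcap exceeded' health events."""
    counts = {}
    marker = "Security Intelligence "
    for line in lines:
        if "memcap exceeded" not in line or marker not in line:
            continue
        device = line.split()[1]
        start = line.index(marker) + len(marker)
        list_type = line[start:line.index(":", start)]
        key = (device, list_type)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    memcap = 64 * 1024 * 1024   # assumed 64 MiB shared pool
    before = plan_si_load(si_entries=1_000_000, url_categories=4, memcap_bytes=memcap)
    after = plan_si_load(si_entries=1_000_000, url_categories=0, memcap_bytes=memcap)
    print("with 4 URL categories:", before)
    print("with no URL categories:", after)
    print("alerts by device and list:", memcap_alerts(SAMPLE_HEALTH_LOG))
```

Running the block with the assumed sizes shows the same feed (1,000,000 entries) only partly loading while four URL categories occupy half the pool, and loading completely once they are removed; the alert counter is the kind of check a SOC would run over health logs to see which devices and which SI lists (DNS, URL, network) hit the cap after the feed grew.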