https://community.cisco.com/t5/web-security/upgrade-failure/m-p/2235354#M3440 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>The status Dormant means that the feature is currently not being used by the Device e.g as the HTTPS Proxy status shows Dormant this generally means that the device is currently not using this feature.</P><P></P><P>Regarding the Upgrade issue, I would request you to make sure the following ports are not being blocked by the firewall:</P><P></P><PRE>Firewall Ports: Port&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Protocol&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; In/Out&nbsp; Hostname use&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Description =============================================== 20/21&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; TCP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; In or out&nbsp;&nbsp; AsyncOS IPs&nbsp;&nbsp;&nbsp;&nbsp; FTP server FTP for aggregation of log files. 22&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; TCP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; In&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; AsyncOS IPs&nbsp;&nbsp;&nbsp;&nbsp; SSH access to the CLI, aggregation of log files. 22&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; TCP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Out&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SCP server&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SCP push to log server. 23&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Telnet&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; In&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; AsyncOS IPs&nbsp;&nbsp;&nbsp;&nbsp; Telnet access to the CLI. 23&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Telnet&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Out&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Telnet server&nbsp;&nbsp;&nbsp; Telnet upgrades. 25&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; TCP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Out&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Any SMTP to send email. 25&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; TCP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; In&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; AsyncOS IPs&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SMTP to receive bounced email or if injecting email from outside firewall. 80&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; TCP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; In or out&nbsp; AsyncOS IPs,downloads.ironport.com&nbsp;&nbsp; HTTP access to the GUI for system monitoring. AsyncOS and Sophos upgrades are retrieved via HTTP from port 80. 82&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; HTTP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; In&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; AsyncOS IPs&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Used for viewing the IronPort Spam Quarantine. 83&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; HTTPS&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; In&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; AsyncOS IPs&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Used for viewing the IronPort Spam Quarantine. 53&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; UDP/TCP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Out&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; DNS servers&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; DNS if configured to use Internet root servers or other DNS servers outside the firewall. Also for SenderBase 110&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; TCP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Out&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; POP server&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; POP authentication for end users for IronPort Spam Quarantine. 123&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; UDP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Out&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; NTP server&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; NTP if time servers are outside firewall. 143&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; TCP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Out&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; IMAP server&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; IMAP authentication for end users for IronPort Spam Quarantine. 161&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; UDP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; In&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; AsyncOS IPs&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SNMP queries. 162&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; UDP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Out&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Management station&nbsp; SNMP traps. 389 or 3268&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LDAP&nbsp;&nbsp; Out&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LDAP servers&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LDAP if LDAP directory servers are outside firewall. LDAP authentication for IronPort Spam Quarantine. 636 or 3269&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LDAPS&nbsp; Out&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LDAPS&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LDAPS ActiveDirectory's global catalog server. 443&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; TCP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; In&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; AsyncOS IPs&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Secure HTTP (https) access to the GUI for system monitoring. 443&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; TCP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Out&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; update manifests, ironport.com&nbsp; -Verify the latest files for the update server. 443&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; TCP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Out&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; phonehome.senderbase.org - Receive/send Virus Outbreak Filters. 514&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; UDP/TCP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Out&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Syslog server&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Syslog logging. 2222&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; CCS&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; In/Out&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; AsyncOS IPs&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Cluster Communication Service (for centralized management). 6025&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; TCP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; In/Out&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; AsyncOS IPs&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Send IronPort Spam Quarantine data to the Security Management appliance if the external IronPort Spam Quarantine is enabled. </PRE><P></P><P></P><P>If it still fails, please try to use the recommended P1 interface and then try to do the upgrade.</P><P></P><P>Regards,</P><P></P><P>Kush</P></BODY></HTML> Thu, 16 May 2013 06:59:08 GMT kussriva 2013-05-16T06:59:08Z https://community.cisco.com/t5/web-security/upgrade-failure/m-p/2235349#M3435 <P>Hi experts,</P><P></P><P>I am deploying a new WSA, but seem unable to upgrade AsyncOS - when I check for available upgrades, I receive the following error:</P><P></P><TABLE border="0" cellpadding="0" cellspacing="0" width="700"><TBODY><TR valign="top"><TD nowrap="nowrap">Error</TD><TD style="padding-left: 3px; padding-right: 6px;">—</TD><TD id="action-results-message">Failure downloading upgrade list.</TD></TR></TBODY></TABLE><P></P><P>Everything else seems to be OK - I have time via the default NTP servers, checks for new feature keys return a success, policy trace returns what I would expect.</P><P></P><P>I have noticed that the feature keys the client purchased are listed as Active with 30 days remaining and an expiration date of Dormant.</P><P></P><P>Does the appliance license need to be activated? I can't seem to locate a Claim Certificate to find the PAK...</P><P></P><P>Thanks.</P> Wed, 15 May 2013 06:48:20 GMT https://community.cisco.com/t5/web-security/upgrade-failure/m-p/2235349#M3435 r.harris 2013-05-15T06:48:20Z https://community.cisco.com/t5/web-security/upgrade-failure/m-p/2235350#M3436 <HTML><HEAD></HEAD><BODY><P>They don't do PAKs on the Ironport boxes. The keys are typically downloaded, but you'll often get them via email too.</P><P></P><P>Start banging on the reseller and local Cisco rep.</P></BODY></HTML> Wed, 15 May 2013 13:53:29 GMT https://community.cisco.com/t5/web-security/upgrade-failure/m-p/2235350#M3436 Ken Stieers 2013-05-15T13:53:29Z https://community.cisco.com/t5/web-security/upgrade-failure/m-p/2235351#M3437 <HTML><HEAD></HEAD><BODY><P>Have been hounding the distributor, but they just keep regurgitating the Smartnet contract details.</P><P></P><P>A check for new feature keys results in no new keys available.</P><P></P><P>According to the license activation document at:</P><P></P><P><A href="http://www.cisco.com/en/US/services/ps10436/ps11169/ironport-sw-license-activation-key-process.pdf">http://www.cisco.com/en/US/services/ps10436/ps11169/ironport-sw-license-activation-key-process.pdf</A></P><P></P><P>"<SPAN style="font-size: 8pt;">Perpetual licenses purchased with the initial appliance purchase are shipped preactivated </SPAN>"</P><P></P><P>The client has purchased 12 months license in this instance, so I assume the above does not apply (as it is not perpetual)?</P><P></P><P>We (the reseller) have not received any email from the distributor with an activation key nor PAK.</P><P></P><P>Can someone confirm whether this device is properly licensed? "Dormant" in expiration date field suggests not...</P><P></P><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/9/2/3/139329-Feature%20Keys1.png" class="jive-image" /></P></BODY></HTML> Wed, 15 May 2013 23:24:37 GMT https://community.cisco.com/t5/web-security/upgrade-failure/m-p/2235351#M3437 r.harris 2013-05-15T23:24:37Z https://community.cisco.com/t5/web-security/upgrade-failure/m-p/2235352#M3438 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Please refer to </P><P><A class="jive-link-external-small" href="https://ironport.custhelp.com/app/answers/detail/a_id/1138">https://ironport.custhelp.com/app/answers/detail/a_id/1138</A><SPAN> and make sure the issue is not related to the issues in the doc.</SPAN></P><P></P><P><SPAN>For further assistance on pre-production issues, you can open a case at </SPAN><A class="jive-link-external-small" href="http://www.cisco.com/web/partners/tools/pdihd.html">http://www.cisco.com/web/partners/tools/pdihd.html</A></P><P></P><P>Regards,</P><P></P><P>Kush</P><P>Cisco PDI Help Desk</P><P><A class="jive-link-external-small" href="http://www.cisco.com/go/pdihelpdesk">http://www.cisco.com/go/pdihelpdesk</A></P></BODY></HTML> Thu, 16 May 2013 04:29:11 GMT https://community.cisco.com/t5/web-security/upgrade-failure/m-p/2235352#M3438 kussriva 2013-05-16T04:29:11Z https://community.cisco.com/t5/web-security/upgrade-failure/m-p/2235353#M3439 <HTML><HEAD></HEAD><BODY><P>Thanks Kush.</P><P></P><P>It does not appear to be DNS related. Authentication failure with manifest server:</P><P>-------------------------------------------------------------------------------------------------------</P><P>proxy.local&gt; nslookup downloads.ironport.com</P><P></P><P>A=61.9.193.214 TTL=30m<BR />A=61.9.193.134 TTL=30m<BR />proxy.local&gt; upgrade</P><P></P><P>Important: After upgrading, you cannot revert to a previous<BR />version of the Web Security appliance. Cisco IronPort strongly<BR />recommends you review the release notes to identify changes to<BR />the Web Security appliance in the latest version. Do you want<BR />to continue with the upgrade? [Y]&gt;</P><P></P><P>Failure downloading upgrade list: Failed to authenticate with manifest server</P><P>-------------------------------------------------------------------------------------------------------</P><P></P><P>I have a single-leg deployment (intending to use WCCP on ASA) and have only the M1 interface connected. I note the not-particularly-helpful statement in the KB article "the P1 interface <EM>may </EM>be the correct interface to use for upgrades" and will switch over to P1 next time I am onsite.</P><P></P><P>I would be appreciative if you could answer the above question relating to the licensing status of the appliance - "Dormant" cannot be right.</P><P></P><P>Thanks again.</P></BODY></HTML> Thu, 16 May 2013 05:29:33 GMT https://community.cisco.com/t5/web-security/upgrade-failure/m-p/2235353#M3439 r.harris 2013-05-16T05:29:33Z https://community.cisco.com/t5/web-security/upgrade-failure/m-p/2235354#M3440 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>The status Dormant means that the feature is currently not being used by the Device e.g as the HTTPS Proxy status shows Dormant this generally means that the device is currently not using this feature.</P><P></P><P>Regarding the Upgrade issue, I would request you to make sure the following ports are not being blocked by the firewall:</P><P></P><PRE>Firewall Ports: Port&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Protocol&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; In/Out&nbsp; Hostname use&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Description =============================================== 20/21&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; TCP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; In or out&nbsp;&nbsp; AsyncOS IPs&nbsp;&nbsp;&nbsp;&nbsp; FTP server FTP for aggregation of log files. 22&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; TCP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; In&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; AsyncOS IPs&nbsp;&nbsp;&nbsp;&nbsp; SSH access to the CLI, aggregation of log files. 22&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; TCP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Out&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SCP server&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SCP push to log server. 23&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Telnet&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; In&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; AsyncOS IPs&nbsp;&nbsp;&nbsp;&nbsp; Telnet access to the CLI. 23&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Telnet&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Out&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Telnet server&nbsp;&nbsp;&nbsp; Telnet upgrades. 25&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; TCP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Out&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Any SMTP to send email. 25&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; TCP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; In&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; AsyncOS IPs&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SMTP to receive bounced email or if injecting email from outside firewall. 80&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; TCP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; In or out&nbsp; AsyncOS IPs,downloads.ironport.com&nbsp;&nbsp; HTTP access to the GUI for system monitoring. AsyncOS and Sophos upgrades are retrieved via HTTP from port 80. 82&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; HTTP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; In&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; AsyncOS IPs&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Used for viewing the IronPort Spam Quarantine. 83&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; HTTPS&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; In&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; AsyncOS IPs&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Used for viewing the IronPort Spam Quarantine. 53&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; UDP/TCP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Out&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; DNS servers&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; DNS if configured to use Internet root servers or other DNS servers outside the firewall. Also for SenderBase 110&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; TCP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Out&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; POP server&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; POP authentication for end users for IronPort Spam Quarantine. 123&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; UDP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Out&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; NTP server&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; NTP if time servers are outside firewall. 143&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; TCP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Out&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; IMAP server&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; IMAP authentication for end users for IronPort Spam Quarantine. 161&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; UDP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; In&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; AsyncOS IPs&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SNMP queries. 162&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; UDP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Out&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Management station&nbsp; SNMP traps. 389 or 3268&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LDAP&nbsp;&nbsp; Out&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LDAP servers&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LDAP if LDAP directory servers are outside firewall. LDAP authentication for IronPort Spam Quarantine. 636 or 3269&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LDAPS&nbsp; Out&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LDAPS&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LDAPS ActiveDirectory's global catalog server. 443&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; TCP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; In&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; AsyncOS IPs&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Secure HTTP (https) access to the GUI for system monitoring. 443&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; TCP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Out&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; update manifests, ironport.com&nbsp; -Verify the latest files for the update server. 443&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; TCP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Out&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; phonehome.senderbase.org - Receive/send Virus Outbreak Filters. 514&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; UDP/TCP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Out&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Syslog server&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Syslog logging. 2222&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; CCS&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; In/Out&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; AsyncOS IPs&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Cluster Communication Service (for centralized management). 6025&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; TCP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; In/Out&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; AsyncOS IPs&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Send IronPort Spam Quarantine data to the Security Management appliance if the external IronPort Spam Quarantine is enabled. </PRE><P></P><P></P><P>If it still fails, please try to use the recommended P1 interface and then try to do the upgrade.</P><P></P><P>Regards,</P><P></P><P>Kush</P></BODY></HTML> Thu, 16 May 2013 06:59:08 GMT https://community.cisco.com/t5/web-security/upgrade-failure/m-p/2235354#M3440 kussriva 2013-05-16T06:59:08Z https://community.cisco.com/t5/web-security/upgrade-failure/m-p/2235355#M3441 <HTML><HEAD></HEAD><BODY><P> Ah - OK, thanks.</P><P></P><P>Yeah I saw the firewall requirements - right now I have a static NAT and a PERMIT IP ANY ANY for this host.</P><P></P><P>I'll try the P1 port.</P></BODY></HTML> Thu, 16 May 2013 11:44:26 GMT https://community.cisco.com/t5/web-security/upgrade-failure/m-p/2235355#M3441 r.harris 2013-05-16T11:44:26Z