02-09-2010 11:21 AM
I am new to the IronPort products, so please bear with me.
I have been able to set up several email encryption profiles, one for Cisco Registered Envelope Service, and one for the In Network (IronPort Encryption Appliance).
The outbound content filtering rules triggering the Cisco Registered Envelope Service work just fine, but messages getting flagged for the content filtering rules meeting the criteria for the In network/Ironport Encryption Appliance, get stuck in the encryption queue. When looking at the encryption logs, they show:
Tue Feb 9 12:20:26 2010 Critical: PXE encryption - Thread-2, http.HttpConnectionApache, Unable to send HTTP request: Retry 1 of 1 in 2000 milliseconds
Tue Feb 9 12:20:29 2010 Critical: PXE encryption - Thread-2, local.LocalResponse, HTTP Connection Error (4): Unable to send HTTP request
Tue Feb 9 12:35:33 2010 Critical: PXE encryption - Thread-2, http.HttpConnectionApache, Unable to send HTTP request: Retry 1 of 1 in 2000 milliseconds
Tue Feb 9 12:35:36 2010 Critical: PXE encryption - Thread-2, local.LocalResponse, HTTP Connection Error (4): Unable to send HTTP request
Emails eventually time out and sender gets:
[#< #5.0.0 smtp; 5.x.3 - Temporary PXE Encryption failure. Please try resending the message. If the problem persists, please contact your administrator. (Encryption operation expired due to key server communication problems or resource constraints.) ]
I am using both NICs on the C160. One (management interface) has a few specific IP routes specified for our internal LAN, and the 2nd NIC is in a DMZ style VLAN, with the Default Gateway/route going out it.
Emails not triggering encryption or triggering the Cisco Registered Envelope Service, are processed and sent just fine.
I'm probably missing something real basic here.
Please point me in the right directions...
Thanks.
02-09-2010 09:15 PM
I'd suggest first going to CLI and checking PING connectivity to the encryption server.
If ping is working, we can rule out network connectivity and gateway/route issues.
The other thing you can probably try (if ping works) is to see if you need a proxy between the encryption appliance and the C-series. Maybe the HTTP/HTTPS packets are being dropped somewhere in between.
--Sumit
02-09-2010 09:17 PM
Also try to ping with the IP/Hostname. In case the DNS is not able to resolve the encryption server name, the IP PING should work.
02-25-2010 09:39 AM
Sorry, was a newbie to the IronPort appliance.
I don't have an encryption appliance, so the CRES service is the only option.
Thanks,
Kirk...
02-10-2010 11:04 PM
Kirk,
Check to see if there are any errors/exceptions logged on the IronPort Encryption Appliance.
Log to check: /usr/local/postx/server/log/server_postx.log. As much as we have the NICs configured, run a connectivity test to the IEA from the ESA on ports 80 and 443.
I would also suggest reviewing this KB: http://tinyurl.com/2doepp
Best,
Kishore
08-03-2010 11:37 AM
Hello Kirk Jacko,
Try opening the communication ports for the protocols HTTP, HTTPS, NTP, SMTP and DNS for your appliances in the firewall rules.
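An added example, not part of any post in this thread: a small Python triage script for the ESA encryption-log lines quoted in the question, which pairs each final "HTTP Connection Error" with the retry logged before it and measures the time between failed attempts. The function names are hypothetical, and the line layout is assumed from the four quoted lines only.

```python
import re
from datetime import datetime

# The four ESA encryption-log lines quoted in the question (not constructed).
SAMPLE_LOG = """\
Tue Feb 9 12:20:26 2010 Critical: PXE encryption - Thread-2, http.HttpConnectionApache, Unable to send HTTP request: Retry 1 of 1 in 2000 milliseconds
Tue Feb 9 12:20:29 2010 Critical: PXE encryption - Thread-2, local.LocalResponse, HTTP Connection Error (4): Unable to send HTTP request
Tue Feb 9 12:35:33 2010 Critical: PXE encryption - Thread-2, http.HttpConnectionApache, Unable to send HTTP request: Retry 1 of 1 in 2000 milliseconds
Tue Feb 9 12:35:36 2010 Critical: PXE encryption - Thread-2, local.LocalResponse, HTTP Connection Error (4): Unable to send HTTP request
"""

# Assumed layout: "<timestamp> <level>: PXE encryption - <thread>, <component>, <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} [\d:]{8} \d{4}) (?P<level>\w+): "
    r"PXE encryption - (?P<thread>[^,]+), (?P<component>[^,]+), (?P<msg>.*)$")
ERROR_RE = re.compile(r"HTTP Connection Error \((?P<code>\d+)\): (?P<reason>.*)")

def parse(text):
    """Return one dict per PXE encryption log line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(" ".join(ev["ts"].split()), "%a %b %d %H:%M:%S %Y")
            events.append(ev)
    return events

def failed_attempts(events):
    """Pair each final 'HTTP Connection Error' with the retries logged before it on the same thread."""
    attempts, pending = [], {}
    for ev in events:
        err = ERROR_RE.search(ev["msg"])
        if err:
            retries = pending.pop(ev["thread"], [])
            attempts.append({"thread": ev["thread"], "code": int(err["code"]),
                             "reason": err["reason"], "retries": len(retries),
                             "started": retries[0]["ts"] if retries else ev["ts"],
                             "failed_at": ev["ts"]})
        elif "Retry" in ev["msg"]:
            pending.setdefault(ev["thread"], []).append(ev)
    return attempts

def gaps_between_attempts(attempts):
    """Seconds from one failure to the start of the next attempt (all threads, in log order)."""
    return [(b["started"] - a["failed_at"]).total_seconds()
            for a, b in zip(attempts, attempts[1:])]

if __name__ == "__main__":
    for a in failed_attempts(parse(SAMPLE_LOG)):
        print(a["failed_at"], a["thread"], "code", a["code"], a["reason"], "retries:", a["retries"])
```

Run against a longer export of the same log, a steady stream of identical failures with no successful requests in between is consistent with the key server never being reachable, as opposed to an intermittent fault.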