cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6448
Views
1
Helpful
14
Replies

Connection to Url retrospective service failed

sv7
Level 3
Level 3

Hi Team,

I have done an upgradation from 14.2.1-020 to 15.0.0 build 104 and after that facing an Error "Connection to Url retrospective service failure due to invalid certificate". Please find attached snap and let me know how can i resolve this.

 

sv7_0-1699900007095.png

 

 

 

14 Replies 14

Udupi Krishna.
Cisco Employee
Cisco Employee

If you are not using a proxy, ensure ESA can resolve and connect to these URL(s) on port 443.

  • prod-register-api.uce.cmd.cisco.com

  • prodap-retro-api.uce.cmd.cisco.com

  • prodeu-retro-api.uce.cmd.cisco.com

  • produs-retro-api.uce.cmd.cisco.com

We are using proxy. How should we test connectivity to above url in that case ?

That connection to the URL rerro.service is HTTPs. Is your proxy decrypting?

If so, you either need to exempt the ESA from being decrypted, or add the root that the proxy uses for generating its certs to the ESA, just like you had to do for workstations (and that still might not work)

W used to use WSA, and we put the ESA in bypass.

I have checked and able to connect all 4 Url's, but still getting the Error of invalid certificate as per prevoius attachment. What could be the next i can do to resolve this ?

Could you please confirm. How to verify with this at Cisco ESA end? Tq

miani
Level 1
Level 1

Just had a chat with TAC about this. A fix for this is scheduled for release 15.0.2 and 15.5.1. The Defect CSCwi59220 will soon be updated and the fixed releases will be out at the end of April.

saliyev
Cisco Employee
Cisco Employee

@sv7 does issue still persist and do you need assistance or it has been resolved?

I'm still facing tje issue. I check and version 15.0.2 or 15.5.1 are not available yet. Latest version I can see is:

1. AsyncOS 15.0.1 build 030 upgrade For Email, 2023-11-22, This release is a
Maintenance Deployment

Aljosa Pocic,
Did you upgrade yet?
15.5.1-055 ESA was released Tuesday 2 May.
We’re curious if your alerts stopped.

Unfortunatelly problem is still present after upgrade. 

saliyev
Cisco Employee
Cisco Employee

@sv7 , as mentioned by @Ken Stieers , probably session hits SSL Decryption policy in your proxy server.
you can do a packet capture on ESA (navigate to 'help and support' -> 'Packet Capture' page, set relevant filters [f.e. server IP address]), take capture, analyze it by wireshark and here try to find out relevant session, find and check certificate details provided by server during TLS handshake process to figure out by whom provided certificate. you can also share pcap file or some screenshots here.

Hi,
I've been having this problem to, but not as often as now when I upgraded to 15.5.1-055. We took a look at our Proxy and saw in the logs that we were dropping traffic against prodeu-register-api.uce.cmd.cisco.com which is not mentioned in the documentation, at least I can't find it.

In the documentation I can find prod-register-api.uce.cmd.cisco.com but not prodeu-register-api.uce.cmd.cisco.com.

//Micke

One AP endpoint , the one mentioned is for US
The 2nd one is the EMEA endpoint to be GDPR compliant

Hi,

Thanx. This seem absolutely resonable and I guessed it because of the eu ending. It would be helpful if it was in any documentation though, it's a bit tricky to traverse the proxy logs to find it

Michael