Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
5272
Views
35
Helpful
9
Replies

CPQ certificate is expired

Go to solution
Dustin Anderson
VIP
VIP

ā€Ž08-11-2022 10:35 AM

So, we started getting this error yesterday:

If your email gateway is experiencing issues when delivering messages to Centralized Policy Quarantine (CPQ) and you received an alert that indicates that the CPQ certificate is expired, make sure you execute the updatepvocert CLI command on the Security Management Appliance to fix this issue. You can ignore this notification if you have not enabled CPQ or have already corrected it.

 

I followed and did the command to regenerate, but I am still getting the error and getting emails from the email firewalls. Am I missing something?

> updatepvocert

This command recreates a Policy, Virus, and Outbreak Quarantines certificate
and key of strength 2048 bits.
The new certificate is also signed by a CA of strength 2048 bits.
One of the internal services restarts after the certificate update. There is no
commit required.
Do you want to proceed with the certificate update? [Y]> y

The certificate update is successful.
. An internal service restart is needed for the changes to be effective.
Enter the number of seconds to wait before abruptly closing connections.
[30]>

Waiting for listeners to exit...
Receiving suspended for euq_listener, cpq_listener.
Waiting for outgoing deliveries to finish...
Mail delivery suspended.
Receiving resumed for euq_listener, cpq_listener.
Mail delivery resumed.

The internal service will be up in a moment.

>

 

7 people had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Dustin Anderson
VIP
VIP

ā€Ž08-11-2022 11:51 AM

response from TAC to check your system. Trying to verify if the alert will clear itself or a bug.

 

From your problem description, I understood:

You applied the command updatepvocert and you still getting the alert.

 

 

Please let me know if anything stated above is incorrect.

 

Action Plan to take for the next step on this case:

                Are you getting some issues to send or release emails from the PVO???? Or getting port 7025 issues on your ESAs or SMA.

 

                If all is working fine, you can ignore the alert. This is an advice for the customer triggering and issue with expired certificate since last Sunday.

                If you still getting issues on the PVO, please review the next information.

 

        -------

This issue has been resolved for now after pushing the update package.

 

Since you are using on-prem or virtual appliance, you have to run "updatepvocert" command on SMA.

The command on SMA is to restore the Email flow from ESA>SMA.

 

Connectivity from the SMA to the ESA has been successfully addressed through a cloud update received at the ESA.

Ref:  https://community.cisco.com/t5/security-urgent-notices/urgent-esa-issue-2022-08-08-1/ta-p/4665516

 

Plan of Action:

After updating the PVO certificate, please run the below command on ESA CLI:

  • To check the High Active Recipients count for ā€œthe.cpq.hostā€
    (Machine esa) (SERVICE)> tophosts

 

Sort results by:

 

  1. Active Recipients
  2. Connections Out
  3. Delivered Recipients
  4. Hard Bounced Recipients
  5. Soft Bounced Events

[1]>

 

Status as of:                   Tue Aug 09 14:30:56 2022 +08

Hosts marked with '*' were down as of the last delivery attempt.

 

                                              Active  Conn.     Deliv.       Soft       Hard

#   Recipient Host               Recip.    Out     Recip.    Bounced    Bounced

 

  • If you find High Active Recipients for ā€œthe.cpq.hostā€, please run ā€œdelivernow host the.cpq.hostā€ command to force deliver the mails.

 

  • To verify the Status Up/Down of PVO

    (Machine esa) (SERVICE)> hoststatus

 

Recipient host:

[]> the.cpq.host

 

Host mail status for: 'the.cpq.host'

Status as of:         Tue Aug 09 14:27:12 2022 +08

Host up/down:         down

 

Counters:

  Queue

    Soft Bounced Events                        0

  Completion

    Completed Recipients                 XXXX

      Hard Bounced Recipients                  0

        DNS Hard Bounces                       0

        5XX Hard Bounces                       0

        Filter Hard Bounces                    0

        Expired Hard Bounces                   0

        Other Hard Bounces                     0

      Delivered Recipients               XXXX

      Deleted Recipients                       0

 

After following the above, you can verify from the ESA GUI for the mails. Give around 10 minutes and review that the.cpq.host is draining.

View solution in original post

9 Replies 9

Go to solution
tonychaffe
Level 1
Level 1

ā€Ž08-11-2022 10:48 AM - edited ā€Ž08-11-2022 10:49 AM

I have this same message and followed the same steps, even went so far as to reboot the SMA, although I don't think that would have helped. I haven't found a way of supressing this message either or established why it has suddenly started to appear.

SMA Version: 14.2.0-203

0 Helpful

Go to solution
Dustin Anderson
VIP
VIP
In response to tonychaffe

ā€Ž08-11-2022 10:56 AM

ok, so may be a bug. As much as I hate opening TACs, I may to find out a correction.

0 Helpful

Go to solution
Dustin Anderson
VIP
VIP

ā€Ž08-11-2022 11:51 AM

response from TAC to check your system. Trying to verify if the alert will clear itself or a bug.

 

From your problem description, I understood:

You applied the command updatepvocert and you still getting the alert.

 

 

Please let me know if anything stated above is incorrect.

 

Action Plan to take for the next step on this case:

                Are you getting some issues to send or release emails from the PVO???? Or getting port 7025 issues on your ESAs or SMA.

 

                If all is working fine, you can ignore the alert. This is an advice for the customer triggering and issue with expired certificate since last Sunday.

                If you still getting issues on the PVO, please review the next information.

 

        -------

This issue has been resolved for now after pushing the update package.

 

Since you are using on-prem or virtual appliance, you have to run "updatepvocert" command on SMA.

The command on SMA is to restore the Email flow from ESA>SMA.

 

Connectivity from the SMA to the ESA has been successfully addressed through a cloud update received at the ESA.

Ref:  https://community.cisco.com/t5/security-urgent-notices/urgent-esa-issue-2022-08-08-1/ta-p/4665516

 

Plan of Action:

After updating the PVO certificate, please run the below command on ESA CLI:

  • To check the High Active Recipients count for ā€œthe.cpq.hostā€
    (Machine esa) (SERVICE)> tophosts

 

Sort results by:

 

  1. Active Recipients
  2. Connections Out
  3. Delivered Recipients
  4. Hard Bounced Recipients
  5. Soft Bounced Events

[1]>

 

Status as of:                   Tue Aug 09 14:30:56 2022 +08

Hosts marked with '*' were down as of the last delivery attempt.

 

                                              Active  Conn.     Deliv.       Soft       Hard

#   Recipient Host               Recip.    Out     Recip.    Bounced    Bounced

 

  • If you find High Active Recipients for ā€œthe.cpq.hostā€, please run ā€œdelivernow host the.cpq.hostā€ command to force deliver the mails.

 

  • To verify the Status Up/Down of PVO

    (Machine esa) (SERVICE)> hoststatus

 

Recipient host:

[]> the.cpq.host

 

Host mail status for: 'the.cpq.host'

Status as of:         Tue Aug 09 14:27:12 2022 +08

Host up/down:         down

 

Counters:

  Queue

    Soft Bounced Events                        0

  Completion

    Completed Recipients                 XXXX

      Hard Bounced Recipients                  0

        DNS Hard Bounces                       0

        5XX Hard Bounces                       0

        Filter Hard Bounces                    0

        Expired Hard Bounces                   0

        Other Hard Bounces                     0

      Delivered Recipients               XXXX

      Deleted Recipients                       0

 

After following the above, you can verify from the ESA GUI for the mails. Give around 10 minutes and review that the.cpq.host is draining.

Go to solution
afre.j
Level 1
Level 1
In response to Dustin Anderson

ā€Ž08-12-2022 02:03 AM

Hi Dustin,

I got same issue.

Does CPQ / centralized ESA enable or disable in your SMA.

 

Thanks,

afr

 

0 Helpful

Go to solution
jnourbakhsh
Level 1
Level 1
In response to Dustin Anderson

ā€Ž08-13-2022 02:45 AM

Hi Mr. Anderson

I am using C600V 14.2.0-620 with Centralized Policy Quarantine (CPQ) Warning but this command updatepvocert is not run in CLI mode, also i can't close following message box that appeared on Top. I will appreciated for your cooperation.

Attached files are the Screenshots of A.M matter about Warning Message.

 

Best Regards, Jalal

Preview file
89 KB

Go to solution
jnourbakhsh
Level 1
Level 1
In response to Dustin Anderson

ā€Ž08-13-2022 02:54 AM

Hi Mr. Anderson

By the way, i forgot to say, your link in the response is not working for us because of of existing low privilege in this forum.

Thanks Again 

0 Helpful

Go to solution
Dustin Anderson
VIP
VIP

ā€Ž08-11-2022 11:55 AM

2nd update from TAC, should clear in a week or 2?

 

Just a temp advice as per the general issue. It will be disabled in a week or 2.

Go to solution
AndreRS
Level 1
Level 1
In response to Dustin Anderson

ā€Ž08-14-2022 08:56 PM

Hi Dustin.

so the notification will clear automatically?

because i can't clear it on the device

 

thank you

0 Helpful

Go to solution
UdupiKrishna
Cisco Employee
Cisco Employee
In response to AndreRS

ā€Ž08-16-2022 03:13 AM - edited ā€Ž08-16-2022 03:14 AM

Yes the notification will be cleared automatically. The ETA is a week or two but there is no exact date/timeline

Customers Also Viewed These Support Documents