Solved: Error on ESA C170: FIle Reputation Service is unreachable

vschuckmann · ‎12-01-2014

Dear community,

I´ve a problem on an ESA C170:

Warning <System> *******.local: amp The File Reputation service in the cloud is unreachable....

The Warning message is:

amp The File Reputation service in the cloud is unreachable.

Last message occurred 61 times between Mon Dec 1 12:43:36 2014 and Mon Dec 1 13:43:26 2014.

Version: 8.5.6-074

Serial Number: D48*******************

Timestamp: 01 Dec 2014 13:44:13 +0100

I´ve already edited the heratbeat interval to 900 seconds (15'), but the error still occures. The telnet command cloud-sa.amp.sourcefire.com 443 is also working fine.

Do you have any ideas?

Thanks a lot!

Robert Sherwin · ‎12-02-2014

What is the query timeout set to? From the CLI use ampconfig and advanced, or in the GUI, Security Services > File Reputation and Analysis > Edit Global Settings... > Advanced (drop down arrow)

[]> advanced

Enter cloud query timeout?

[15]>

Assure that this is set to 15 seconds (or higher)... up to 30 max.

-Robert

Cheers,
Robert Sherwin

View solution in original post

Robert Sherwin · ‎12-02-2014

What is the query timeout set to? From the CLI use ampconfig and advanced, or in the GUI, Security Services > File Reputation and Analysis > Edit Global Settings... > Advanced (drop down arrow)

[]> advanced

Enter cloud query timeout?

[15]>

Assure that this is set to 15 seconds (or higher)... up to 30 max.

-Robert

Cheers,
Robert Sherwin

Dominic Kallas · ‎12-16-2014

I tried the above steps and it says 1-5 seconds is the only interval available. This is through cli or gui that it makes this statment.

tfellinger · ‎12-21-2014

Hello,

probably you have to open TCP Port 32137 or activate communication over SSL and open SSL Port 443 for the Ironport Appliance. This information is also supplied in Appendix D in the User Guide.

BR,

Thomas

tim_berry · ‎08-31-2015

Hi,

Attempting to set up AMP but cam to find out that the IP range for the cloud portion is dynamic. Our firewalls only work with IP addresses at this time so I cannot enter the 'cloud-sa.amp.sourcefire.com.' entry. Was told by Cisco support to set up a firewall rule that would allow the ironports to go to any destination via 443, bidirectional. This is not best practice from what I researched. Any opinions or other solutions are appreciated.

Tim

Robert Sherwin · ‎08-31-2015

We have an ENH request to get static IP/hostnames for this set:

https://tools.cisco.com/bugsearch/bug/CSCut69420

But - this has remained pretty consistent w/ the current IP/hostnames:

$ dig cloud-sa.amp.sourcefire.com +short

cloud-sa-589592150.us-east-1.elb.amazonaws.com.

184.73.197.18

23.21.99.40

54.225.89.105

23.21.199.158

With the cloud-sa resolving:

$ dig cloud-sa-589592150.us-east-1.elb.amazonaws.com +short

23.21.199.158

23.21.99.40

184.73.197.18

54.225.89.105

-Robert

Cheers,
Robert Sherwin

Mathew Huynh · ‎08-31-2015

Just to further clarify on this as well.

On version 8.5 releases, AMP cloud timeout allows a maximum of 5 seconds.
On version 9.6 release, AMP cloud timeout for reputation allows up to 30 seconds for timeout.

Regards,

Matthew

vschuckmann · ‎01-06-2015

Hi Robert,

thanks for your reply.

We´ve solved the issue: The FeatureKey S/N was built for the wrong ESA S/N.

Sorry for the silly mistake :/