IRONPORT e-mail security, encrypted e-mails problem

murat_selim_ozturk · ‎11-23-2014

Hi there,

we have recently purchased CISCO Ironport E-mail and web security devices.

I have configured e-mail security, and I want to encrypt an outgoing e-mail. When I send that e-mail I receive a reply:

#< #5.0.0 smtp; 5.x.3 - PXE Encryption failure. (Message could not be encrypted due to a system configuration issue. Please contact your administrator.) (delivery attempts: 0)> #SMTP#

I checked internet but couldn't find anything useful. Can someone point me in a good direction please? I don't know where to look now.

Regards,

Robert Sherwin · ‎11-23-2014

Do you have a valid CRES account created for your company/domain, and the appliance SN tied to that CRES account?

If not -

In order to provision encryption profile(s), please initiate an email request to stg-cres-provisioning@cisco.com with the following information:

1. Name of account: [Please specify the exact company name, as you require this to be listed.]
*If this is for a Hosted customer account, please notate the account name to end as ["<Account Name> HOSTED"]
2. Email address(es) to be used for the Account Admin: [Please specify the corresponding admin email address]
3. The complete serial number of ESA appliance(s): [ANY/ALL SERIAL NUMBER(s)]
4. Any/all domains for the customer account that should be mapped to the CRES account for administration purposes.

*If there is an already provisioned CRES account, please provide the company name or CRES account number previously used. This will assure that any new appliance serial numbers are added to the correct account, and avoid any duplication of company information and provisioning.

Appliance serial numbers can be located from the GUI 'System Administration -> Feature Keys', or appliance CLI by running the command 'version'.

Requests sent to stg-cres-provisioning@cisco.com will be handled within normal business hours. A confirmation email will be sent once the serial numbers are registered or new CRES account provisioning is completed.

Once completed - from the GUI, revisit 'Security Services -> Cisco IronPort Email Encryption -> Email Encryption Profiles', and re-click "Re-provision". This will then complete as "Provisioned".

Also - have you stepped through the following?

http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117863-configure-esa-00.html

-Robert

Cheers,
Robert Sherwin

murat_selim_ozturk · ‎11-23-2014

Hi there Robert,

Thank you very much for your time for the answer.

Yes I have done the mail step and I can verify that I can re-provision on my console and the final status is Provisioned.

I had followed the exact steps in the link which you have provided at the end of your message. When I had done that I have received the above error.

PXE encryption failure, what could be the reason? Is there any detailed log file which I can analyze to find out?

Btw I don't know how it happened but I didn't give your post 5 stars also I didn't select it as the answer to my question, because it didn't solve my problem. I'm new in this community so I am not sure if I've done anything wrong..

Robert Sherwin · ‎11-25-2014

So - with regard to the PXE encryption - is this occurring on all messages? Or was it just the one time? If you had successfully provisioned your encryption profile - then you should have clean communication to res.cisco.com on port 443.

What version of AsyncOS is running on the ESA?

Feature Keys - is the Ironport Email Encryption key active and still valid?

Message itself - what was the email? Any attachments? From valid sender? To valid recipient?

Can the sender re-send through succesfully?

Cheers,
Robert Sherwin