
Ironport warning "not able to connect v2.sds.cisco.com"

SupportAC
Level 1

Hi,

We are receiving many warnings indicating that the IronPort has not been able to connect to the server of "v2.sds.cisco.com". Since several weeks ago the number of emails received for this reason has increased considerably. Warnings say: "Server busy or service unavailable".

We run "telnet v2.sds.cisco.com 443", and we can reach it.

Why are we receiving these warnings? How could we solve it?

Ironport Version is: 9.7.1-066

7 Replies

Mathew Huynh
Cisco Employee
Hello SupportAC,

Is the issue still recurring at this current moment?
I do believe last week there was a minor niggle on the servers as some capacity concerns were met so the responses were a bit slower to respond.

If it's still occurring, I would recommend checking the websecuritydiagnostics information and seeing the response times - if there is some delay in response times it would generally occur during high volume traffic.

If so, consider (per machine) changing some settings on the websecurityadvancedconfig.

I generally recommend this to most of the users I work with:
Enter URL lookup timeout (includes any DNS lookup time) in seconds:
[15]>

Enter the URL cache size (no. of URLs):
[810000]>

Do you want to disable DNS lookups? [N]>

Enter the maximum number of URLs that should be scanned:
[50]>

Enter the Web security service hostname:
[v2.sds.cisco.com]>

Enter the threshold value for outstanding requests:
[5]>

Do you want to verify server certificate? [N]>

Enter the default time-to-live value (seconds):
[30]>

(Depending on how many emails are coming through and impact, I may suggest either disabling DNS lookup, or increasing the timeout to 180 seconds).

Regards,
Matthew

Updata_GW
Level 1
Level 1

We currently have this too. Checking from CLI we usually find either no value returned for nslookup of v2.sds.cisco.com, or a value which differs from that which we get when checking it directly. dnsflush, after which nslookup gives the correct value, usually seems to fix it for a while. But as it is only a 60 second TTL it's something we're having to sort several times a day.
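Added example, not part of the thread and not Cisco code: a Python check for the two symptoms described above (no answer, or an answer that differs from a direct lookup), meant to run on a host that uses the same resolver path as the appliance. The function names, the constructed sample data and the rule that any subset of the reference addresses counts as correct are assumptions.

```python
import socket
from collections import Counter

HOST = "v2.sds.cisco.com"  # service hostname from the thread

def system_lookup(host):
    """Resolve via the local system resolver; an empty set means no answer."""
    try:
        infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def classify(answer, reference):
    """Label one lookup against the addresses a direct lookup returned."""
    if not answer:
        return "EMPTY"      # "no value returned"
    if answer <= reference:
        return "OK"         # assumption: a subset is fine, answers may rotate
    return "MISMATCH"       # at least one address the reference never gave

def summarize(samples, reference):
    """samples: list of (timestamp, address_set). Returns (counts, bad_runs)."""
    counts, runs, current = Counter(), [], None
    for ts, answer in samples:
        label = classify(answer, reference)
        counts[label] += 1
        if label == "OK":
            current = None
        elif current and current["label"] == label:
            current["end"], current["n"] = ts, current["n"] + 1
        else:
            current = {"label": label, "start": ts, "end": ts, "n": 1}
            runs.append(current)
    return counts, runs

# Constructed samples (documentation addresses), one per 60-second TTL window.
REFERENCE = {"192.0.2.10", "192.0.2.11"}
SAMPLES = [
    ("10:00", {"192.0.2.10"}),
    ("10:01", set()),
    ("10:02", set()),
    ("10:03", {"198.51.100.7"}),
    ("10:04", {"192.0.2.11"}),
]

if __name__ == "__main__":
    counts, runs = summarize(SAMPLES, REFERENCE)
    print(dict(counts))
    for r in runs:
        print(r["label"], r["start"], "to", r["end"], f"({r['n']} samples)")
```

For live use, collect `(timestamp, system_lookup(HOST))` once per TTL window and pass the list to `summarize`; the run boundaries can then be lined up against the timestamps of the appliance warnings.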

Hey there,
Happening here too, since about 2 weeks (March 15th, 2018) the problem has become worse again.

Hey Marc,

What does websecuritydiagnostics show on your side?
Also may I ask if you were able to review the configuration of websecurityadvancedconfig and try the above shared configuration should it be different.

Regards,
Matthew

Hey Updata_gw

The IP resolution should not be changing or see no results; that would be indicative of some DNS troubles which are causing the ESA to fail to connect to the v2.sds.cisco.com client.

Are you using local internal DNS or root DNS or Google DNS?

Regards,
Matthew

Using internet root servers. But the issue hasn't been seen again since March 29th, so whatever was returning the wrong values appears now to have updated.

Hey Updata_GW,

I'm very glad to hear that.
Do not hesitate to reach out to me on this thread if there are any ongoing issues, or open a new thread and I'll do my best to help :).

Thanks,
Matthew