cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1199
Views
0
Helpful
6
Replies

Issue with remediating Messages in Mailboxes with SMA Message Tracking

CSCO11645642
Level 1
Level 1

Hello All,

I have configured Mailbox Auto Remediation on Cisco Secure Email (Microsoft 365) helping Cisco guides below:
https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/211404-How-to-configure-Azure-AD-and-Office-365.html
https://www.cisco.com/c/en/us/td/docs/security/esa/esa13-0/user_guide/b_ESA_Admin_Guide_13-0/b_ESA_Admin_Guide_12_1_chapter_010101.html#con_1096601

This works very fine (auto remediation with AMP retropsective alert) but I have an issue with Remediate Messages in the Mailboxes from SMA with error seen SMA Remediation Logs:
Thu Sep 29 17:36:32 2022 Warning: Remediation failed for MID(s): 6901105 initiated as part of batch test remediation 1. Reason: Unknown Token Error 400 (Host 192.168.X.X)
Thu Sep 29 17:36:48 2022 Warning: Remediation failed for MID(s): 6901105 initiated as part of batch test remediation 1. Reason: Unknown Token Error 400 (Host 192.168.X.X)
Thu Sep 29 17:36:48 2022 Warning: Remediation failed for MID(s): 6901105 initiated as part of batch test remediation 1. Reason: Unknown Token Error 400 (Host 192.168.X.X)

api logs (SMA):
Thu Sep 29 17:36:26 2022 Info: Remediation request accepted for 'test remediation 1'
Thu Sep 29 17:36:26 2022 Info: localhost.example.com - - 29/Sep/2022 17:36:26 +0200 POST /sma/api/v2.0/remediation HTTP/1.0 200 -
Thu Sep 29 17:36:26 2022 Info: Checking access for user MyDomain\adm_xxx role Role Not Available
Thu Sep 29 17:36:26 2022 Info: localhost.example.com - - 29/Sep/2022 17:36:26 +0200 GET /sma/api/v2.0/message-tracking/remediation-details?batchID=creos%5Cad_1664465786&endDate=2022-09-29T15:36:00.000Z&searchOption=batch_details&startDate=2022-09-27T22:00:00.000Z HTTP/1.0 200 -
Thu Sep 29 17:36:42 2022 Info: Checking access for user MyDomain\adm_xxx role Role Not Available
Thu Sep 29 17:36:42 2022 Info: Remediation request accepted for 'test remediation 1'
Thu Sep 29 17:36:42 2022 Info: localhost.example.com - - 29/Sep/2022 17:36:42 +0200 POST /sma/api/v2.0/remediation HTTP/1.0 200 -
Thu Sep 29 17:36:42 2022 Info: Checking access for user MyDomain\adm_xxx role Role Not Available
Thu Sep 29 17:36:42 2022 Info: localhost.example.com - - 29/Sep/2022 17:36:42 +0200 GET /sma/api/v2.0/message-tracking/remediation-details?batchID=creos%5Cad_1664465802&endDate=2022-09-29T15:36:00.000Z&searchOption=batch_details&startDate=2022-09-27T22:00:00.000Z HTTP/1.0 200 -

I have enabled the trailblazer port and AsyncOS API HTTP port on ESA and SMA.
https://www.cisco.com/c/en/us/td/docs/security/ces/user_guide/esa_user_guide_13-5-1/b_ESA_Admin_Guide_ces_13-5-1/b_ESA_Admin_Guide_12_1_chapter_010101.html#con_1098741

I checked Firewall logs, I have no drop.

SMA : Content Security Management Virtual Appliance AsyncOS 13.8.1
2 x ESA : Email Security Appliance C395 13.5.2

Could you please let me know if you have a idea about this issue ?
Thank you for your help.

Best regards,
Julien

6 Replies 6

I had a similar issue.
Make sure that the SMA can resolve itself via DNS, ditto with the ESAs, and of course they should be able to resolve each other.
IIRC it was the ESAs not being able to find themselves as one process calls the API via a DNS lookup which is failing.
I had switched my ESAs to point at a public dns to resolve one issue, but it created this one...


Thank you Ken for your reply.
About DNS, I made a test to resolve with NSlookup command on ESA and SMA (using internal DNS server) and DNS resolution works but I have the same issue.

What does it mean this error: Reason: Unknown Token Error 400 on SMA? I couldn't find an explanation.

I will keep looking and if needed, I will open a case to the support

Hi @CSCO11645642 , any luck with this?  I have the same issue.

Here are the list of steps that you can take to fix the Token error

1. Ensure SMA is able to resolve the interface hostname of the ESA it connects to.

2. ESA has API and trailblazer enabled and reachable from SMA. This also means that the ESA should be able to resolve its own interface hostnames as pointed in earlier comments to enable trailblazer.

3. ESA needs to trust the certificate authority assigned to the ESA interface (which it is connecting to) . You can additionally try by disabling cert validation on validation. Below is the snippet from user guide,

If the managed Cisco Email Security appliance is using a certificate whose Certificate Authority does not exist in the Cisco Content Security Management appliance trust store, the server certificate validation on the Content Security Management appliance fails. To allow communication, add the Certificate Authority of the signed certificate used by the Cisco Email Security appliance to the Cisco Content Security Management appliance. To add the Certificate Authority, use certconfig > CERTAUTHORITY sub command in the CLI."

The ESA is using the demo certificate which is self signed. We cannot add this into the SMA CA trust store becuase its not exactly CA certificate type

They are 2 options,

1. get a certificate signed by 3rd party (involved cost) or internal CA, assign it to the interface of ESA, then add the CA to the SMA trust store

2. Disable certificate verification on the SMA so that it connect without validating the ESA cert (not recommended), even user guide says so consider security

CAUTION: If you want to disable the server certificate validation on the Content Security Management appliance, use the esaapiconfig command in the CLI. Cisco does not recommend you to disable the certificate validation for security reasons

Robert Sherwin
Cisco Employee
Cisco Employee

TomML
Level 1
Level 1

Thanks @UdupiKrishna @Robert Sherwin.  Looks like we had some certificate issues in our environment.  It's working as intended now. 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: