08-08-2022 12:36 AM
On "mx" in destination controls I have the default "preferred TLS", but our RAT domain has "required TLS" there:
Since yesterday I have messages in the ESA active queue which cannot be delivered to the SMA:
Down | 7,001 | 0 | 238.8k | 0 | 0 |
mx: Info: New SMTP DCID 19262028 interface 1.2.3.4 address 1.2.3.5 port 7025
mx: Info: DCID 19262028 TLS deferring: verify error: certificate has expired
mx: Info: DCID 19262028 TLS was required but could not be successfully negotiated
sma: Info: New CPQ ICID 893770 interface Management (1.2.3.5) address 1.2.3.4 reverse dns host mx verified yes
sma: Info: ICID 893770 RELAY SG RELAYLIST match 1.2.3.4 SBRS not enabled
sma: Info: ICID 893770 TLS failed: (336151573, 'error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired')
sma: Info: ICID 893770 lost
mx> tlsverify
Enter the TLS domain to verify against:
[]> the.cpq.host
Enter the destination host to connect to. Append the port (example.com:26) if you are not connecting on port 25:
[the.cpq.host]> 1.2.3.5:7025
Connecting to 1.2.3.5 on port 7025.
Connected to 1.2.3.5 from interface 1.2.3.4.
Checking TLS connection.
Certificate verification failed: certificate has expired.
TLS connection to 1.2.3.5 failed: verify error.
TLS was required but could not be successfully negotiated.
Failed to connect to [1.2.3.5].
TLS verification completed.
Temporarily lowering "required" to "preferred" TLS in destination controls on the ESA did not help; adding the.cpq.host or [1.2.3.5] to destination controls did not help either.
Uploading a certificate pair on the SMA using > certconfig []> certificate did not help.
Which certificate has expired, and how do I replace it?
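As an added example (not part of the thread and not Cisco code), the following Python script shows how the failure above can be picked out of mail_logs automatically: it groups lines by connection ID (DCID on the sending ESA side, ICID on the receiving SMA side) and reports every connection whose TLS handshake failed on an expired certificate, together with the peer, port and whether TLS was required for that connection. It assumes the "host: Level: message" line shape seen in the quoted lines; the sample lines are constructed copies of those lines plus one healthy connection for contrast.

```python
"""Detect expired-certificate TLS failures on the ESA <-> SMA quarantine link.

Added example, not from the thread or from Cisco.  Assumes mail_logs lines of
the form "host: Level: message", as quoted in the post.  Sample lines below
are constructed, modelled on the quoted DCID/ICID lines.
"""
import re

# Constructed sample: the quoted failure plus one healthy outbound connection.
SAMPLE_LOGS = """\
mx: Info: New SMTP DCID 19262028 interface 1.2.3.4 address 1.2.3.5 port 7025
mx: Info: DCID 19262028 TLS deferring: verify error: certificate has expired
mx: Info: DCID 19262028 TLS was required but could not be successfully negotiated
sma: Info: New CPQ ICID 893770 interface Management (1.2.3.5) address 1.2.3.4 reverse dns host mx verified yes
sma: Info: ICID 893770 RELAY SG RELAYLIST match 1.2.3.4 SBRS not enabled
sma: Info: ICID 893770 TLS failed: (336151573, 'error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired')
sma: Info: ICID 893770 lost
mx: Info: New SMTP DCID 19262031 interface 1.2.3.4 address 203.0.113.7 port 25
mx: Info: DCID 19262031 TLS success protocol TLSv1.2 cipher ECDHE-RSA-AES256-GCM-SHA384
"""

LINE_RE = re.compile(r"^(?P<host>\w+): (?P<level>\w+): (?P<msg>.*)$")
# "New SMTP DCID 123 interface A address B port P" / "New CPQ ICID 456 ... address B ..."
NEW_CONN_RE = re.compile(
    r"^New (?P<kind>\w+) (?P<idtype>DCID|ICID) (?P<cid>\d+) .*?address (?P<peer>\S+)"
    r"(?: port (?P<port>\d+))?"
)
EVENT_RE = re.compile(r"^(?P<idtype>DCID|ICID) (?P<cid>\d+) (?P<event>.*)$")

# Tags derived from the event text of a connection.
TAG_PATTERNS = {
    "cert_expired": re.compile(r"certificate (has )?expired"),
    "tls_required_failed": re.compile(r"TLS was required but could not be successfully negotiated"),
    "tls_failed": re.compile(r"^TLS (failed|deferring)"),
}


def _new_conn(kind=None, idtype=None, peer=None, port=None):
    return {"kind": kind, "idtype": idtype, "peer": peer, "port": port,
            "events": [], "tags": set()}


def parse_connections(text):
    """Group log lines by (host, connection id); record peer, port and TLS-related tags."""
    conns = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        host, msg = m.group("host"), m.group("msg")
        n = NEW_CONN_RE.match(msg)
        if n:
            conns[(host, n.group("cid"))] = _new_conn(
                n.group("kind"), n.group("idtype"), n.group("peer"), n.group("port"))
            continue
        e = EVENT_RE.match(msg)
        if not e:
            continue
        conn = conns.setdefault((host, e.group("cid")), _new_conn(idtype=e.group("idtype")))
        event = e.group("event")
        conn["events"].append(event)
        for tag, pat in TAG_PATTERNS.items():
            if pat.search(event):
                conn["tags"].add(tag)
        if event == "lost":
            conn["tags"].add("lost")
    return conns


def find_expired_cert_failures(text):
    """Return one record per connection whose TLS handshake failed on an expired certificate."""
    findings = []
    for (host, cid), conn in parse_connections(text).items():
        if "cert_expired" not in conn["tags"]:
            continue
        findings.append({
            "host": host, "idtype": conn["idtype"], "cid": cid,
            "peer": conn["peer"], "port": conn["port"],
            "required_tls": "tls_required_failed" in conn["tags"],
            "lost": "lost" in conn["tags"],
        })
    return findings


if __name__ == "__main__":
    for f in find_expired_cert_failures(SAMPLE_LOGS):
        side = "outbound" if f["idtype"] == "DCID" else "inbound"
        print(f"{f['host']}: {side} {f['idtype']} {f['cid']} to/from {f['peer']}"
              f" port {f['port']}: expired certificate"
              f" (TLS required: {f['required_tls']}, connection lost: {f['lost']})")
```

Run against a real mail_logs export, the script flags both halves of the same failed connection: the ESA side (DCID, "TLS was required") and the SMA side (ICID, "TLS failed ... certificate expired", then "lost"), which is the pairing that tells you the expired certificate is on the listening SMA end of the port 7025 link rather than on the ESA.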
08-15-2022 12:12 AM
Hello UdupiKrishna,
We still have the problem and we cannot update to a new version at the moment for technical reasons.
Is there already a solution approach from the TAC?
Can the CPQ certificate be made available to us so that we can import it?
Or can TLS be temporarily disabled for communication with the.cpq.host domain for port 7025 or changed from "required" to "preferred"?
etc.?
Thanks a lot for your assistance
08-16-2022 03:02 AM
Hello Christian,
If there are challenges to upgrade the device, please work with TAC for available options/workarounds, but they would primarily insist on getting them upgraded too. Please quote/justify your reasons for not upgrading the appliance and I am sure TAC can come to an arrangement. We can't disable TLS or have other options to avoid them for PVO connectivity.
08-09-2022 07:54 AM
In our environment it doesn't work. First we upgraded the ESA and SMA to version 14.2.0-203, and after reading this article we used the updatepvocert command, and the TLS connection from ESA to SMA works.
But we can't release any mail from the SMA to the ESA. I get this alert when I release a mail:
"Quarantine: Could not connect to PVO release port on ESA x.x.x.x This could be because the ESA is unreachable or PVO is not enabled on ESA."
In the end the mail is no longer in the quarantine and did not arrive in the recipient's mailbox.
We tested the connectivity between the quarantine ports via telnet; it works fine. The IP is configured, the status is online.
Is there any idea?
08-09-2022 08:11 AM
@sw-magdeburg Could it be that your version still has to receive the fix through the updater service for your new version? (New to ESA/SMA, so take my suggestion as coming from a newbie.)
08-09-2022 10:46 PM
Hi, the updater is configured to run automatically every 5 minutes from the Cisco Update Server. The system upgrade has no upgrade options. Where will I see that my SMA has received the fix?
08-09-2022 10:59 PM
The fix via the auto updater service is applicable only to ESA(s). You still need to run "updatepvocert" manually on the SMA to fix the problem.
08-11-2022 03:12 AM
Just a hint: You can see how many messages are queued for delivery to the Policy Quarantine. Go to Monitor -> Delivery Status on the ESA. There is a pseudo domain named "the.cpq.host". One of our customers had around 10k mails queued.
08-11-2022 04:34 AM
Hello to all, yesterday afternoon a Cisco engineer forced the fix to be received on our ESAs. And finally it works again. Thanks.