08-08-2022 12:36 AM
On "mx" in destination controls I have the default "preferred TLS", but our RAT domain has "required TLS" there:
Since yesterday I have messages in the ESA active queue which cannot be delivered to the SMA:
Down | 7,001 | 0 | 238.8k | 0 | 0 |
mx: Info: New SMTP DCID 19262028 interface 1.2.3.4 address 1.2.3.5 port 7025
mx: Info: DCID 19262028 TLS deferring: verify error: certificate has expired
mx: Info: DCID 19262028 TLS was required but could not be successfully negotiated
sma: Info: New CPQ ICID 893770 interface Management (1.2.3.5) address 1.2.3.4 reverse dns host mx verified yes
sma: Info: ICID 893770 RELAY SG RELAYLIST match 1.2.3.4 SBRS not enabled
sma: Info: ICID 893770 TLS failed: (336151573, 'error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired')
sma: Info: ICID 893770 lost
mx> tlsverify
Enter the TLS domain to verify against:
[]> the.cpq.host
Enter the destination host to connect to. Append the port (example.com:26) if you are not connecting on port 25:
[the.cpq.host]> 1.2.3.5:7025
Connecting to 1.2.3.5 on port 7025.
Connected to 1.2.3.5 from interface 1.2.3.4.
Checking TLS connection.
Certificate verification failed: certificate has expired.
TLS connection to 1.2.3.5 failed: verify error.
TLS was required but could not be successfully negotiated.
Failed to connect to [1.2.3.5].
TLS verification completed.
Temporarily lowering "required" to "preferred" TLS in destination controls on the ESA did not help; adding the.cpq.host or [1.2.3.5] to destination controls did not help either.
Uploading the certificate pair on the SMA using > certconfig []> certificate did not help.
Which certificate has expired, and how do I replace it?
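The appliance log above reports the failure only at delivery time ("TLS deferring: verify error: certificate has expired"). The following is an added example, not code from the thread or from Cisco's AsyncOS tooling, showing how a defender can reproduce that verdict offline and check a certificate's remaining validity ahead of time so an expiring CPQ host certificate is caught before the queue backs up. The self-signed certificate is constructed inside the program so it runs without network access; the host name the.cpq.host is the placeholder used in the original post, and PeerExpiry assumes an implicit-TLS listener (if the listener negotiates STARTTLS, an SMTP handshake would be needed first).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ExpiryReport summarises the validity window of one leaf certificate.
type ExpiryReport struct {
	Subject   string
	NotAfter  time.Time
	DaysLeft  int  // negative once the certificate has expired
	Expired   bool // outside [NotBefore, NotAfter] at the checked instant
	ExpiresIn bool // still valid but inside the warning window
}

// CheckExpiry evaluates cert at "now" and flags it if it expires within warnDays.
func CheckExpiry(cert *x509.Certificate, now time.Time, warnDays int) ExpiryReport {
	remaining := cert.NotAfter.Sub(now)
	return ExpiryReport{
		Subject:   cert.Subject.CommonName,
		NotAfter:  cert.NotAfter,
		DaysLeft:  int(remaining.Hours() / 24),
		Expired:   now.After(cert.NotAfter) || now.Before(cert.NotBefore),
		ExpiresIn: remaining > 0 && remaining <= time.Duration(warnDays)*24*time.Hour,
	}
}

// VerifyAt runs chain verification at a chosen instant and maps the outcome to
// the same wording the appliance log uses ("certificate has expired").
func VerifyAt(cert *x509.Certificate, roots *x509.CertPool, now time.Time) (string, error) {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now})
	var invalid x509.CertificateInvalidError
	if errors.As(err, &invalid) && invalid.Reason == x509.Expired {
		return "certificate has expired", err
	}
	if err != nil {
		return "verify error", err
	}
	return "ok", nil
}

// PeerExpiry connects to addr (for example "1.2.3.5:7025"), reads the presented
// leaf certificate without trusting it, and reports its validity window.
// Assumption: the listener speaks TLS directly rather than STARTTLS.
func PeerExpiry(addr string, warnDays int) (ExpiryReport, error) {
	// InsecureSkipVerify is used only to read the certificate for reporting;
	// mail delivery itself must keep full verification enabled.
	conn, err := tls.Dial("tcp", addr, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return ExpiryReport{}, err
	}
	defer conn.Close()
	certs := conn.ConnectionState().PeerCertificates
	if len(certs) == 0 {
		return ExpiryReport{}, errors.New("no peer certificate presented")
	}
	return CheckExpiry(certs[0], time.Now(), warnDays), nil
}

// selfSignedCert builds a constructed self-signed certificate with the given
// validity window; it stands in for the CPQ host certificate so the example
// runs offline.
func selfSignedCert(cn string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	now := time.Now()
	// A certificate that expired yesterday reproduces the log's verdict.
	cert, err := selfSignedCert("the.cpq.host", now.Add(-48*time.Hour), now.Add(-24*time.Hour))
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	verdict, _ := VerifyAt(cert, roots, now)
	r := CheckExpiry(cert, now, 30)
	fmt.Printf("TLS verify against %s: %s (notAfter=%s, daysLeft=%d)\n",
		r.Subject, verdict, r.NotAfter.Format(time.RFC3339), r.DaysLeft)
}
```

Running CheckExpiry on a schedule with a warning window of a few weeks turns the surprise in this thread into a routine renewal ticket; VerifyAt is the offline equivalent of the tlsverify session shown above.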
08-08-2022 02:38 AM
There is an ongoing issue with SMA(s) -
https://community.cisco.com/t5/security-urgent-notices/urgent-esa-issue-2022-08-08-1/ta-p/4665516
Work with TAC for available options
08-08-2022 02:37 AM
I am having precisely the same problem; can't be a coincidence.
08-08-2022 04:06 AM
I tried forwarding from the SMA and that didn't work either. The updatepvocert CLI command appears to only resolve half of the issue?
08-08-2022 03:40 AM
We are experiencing the same issue, when will this be resolved? Is there a workaround?
08-11-2022 04:05 AM
Hi,
Is this public access?
Can't access.
Thanks
Thank you for your interest in this Cisco Community.
You are not authorized to access this page.
Many pages on the community are accessible only to Cisco customers, partners or logged in entitled guests.
If you believe you should have access, please contact us
08-08-2022 03:17 AM
The original post is about ESA->SMA email delivery, which was solved for me by the updatepvocert CLI command.
BUT I can see that emails released from quarantines (SMA -> ESA) have a similar issue. On the ESA there is no updatepvocert CLI command.
08-08-2022 03:42 AM
This is correct. updatepvocert only fixes the connectivity issues from ESA to SMA.
However, there are still problems releasing them from the SMA, and this is being reviewed for possible options (workaround, fix etc.).
08-08-2022 03:25 PM
After CLI updatepvocert on the SMA >> communication in both directions resumes normal work in our configuration.
08-08-2022 08:51 PM - edited 08-08-2022 08:52 PM
A quick update
= For CES customers, fix is added to both ESA and SMA by our internal teams.
= For on-prem ESA(s), fix was added via the updater service last night. This fixes connectivity problems from SMA to ESA(to release emails)
= For on-prem SMA(s) - please run updatepvocert to fix connectivity problems from ESA to SMA
08-09-2022 12:36 AM
I can confirm that it is working again. I myself already did the updatepvocert yesterday and disabled the centralised quarantine on the ESAs (which I enabled again just now). A safe way to test, before releasing messages, is to open a flagged email in the PVO quarantine and send a copy to yourself (that also didn't work yesterday).
08-09-2022 01:22 AM
We have the same issue, but our SMA is on version 12.5.0-683 and the updatepvocert command does not work.
Is there another possibility to solve this problem?
08-09-2022 11:00 PM
Work with TAC to get necessary assistance for versions older than 13.X.
08-12-2022 02:04 AM
Is there already news from TAC on support for this issue for versions older than 13.x?
Thank you