
The case application tried and failed 3 times to successfully complete an update

a12288
Level 3

Hi, All.

We started to get those alerts a few times a day since our C670 was upgraded to v9.6.0-042. I believe the update interval is 5 minutes by default, and according to the update_log, most of the updates were successful.

!CLI tail the log

Tue Aug 25 10:49:32 2015 Info: case cleaning up base dir [bindir]
Tue Aug 25 10:49:32 2015 Info: case verifying applied files
Tue Aug 25 10:49:32 2015 Info: case updating the client manifest
Tue Aug 25 10:49:33 2015 Info: case update completed
Tue Aug 25 10:49:33 2015 Info: case waiting for new updates

 

My questions:

1) Is there any CLI or GUI way to explicitly confirm that the update is indeed successful?

2) How can I resolve this? A few alerts a day are annoying, but more importantly, they might let us miss some really important alerts.

 

Thanks.

Leo

 

2 Replies

mtomanek
Cisco Employee

Hello Leo,

 

The best thing I could advise you is to open a TAC case to get it investigated properly. If this cannot be done, you can get the full updater_logs from the appliance (if they are not being pushed, you can get them by enabling FTP on any interface and accessing ftp://IP_OF_INTERFACE); maybe you can spot some further error messages there or find a pattern in regard to the time of occurrence. You could also issue the commands below to get more information about the update in the CLI:

updatenow force

tail updater_logs

and wait for a minute or two.

 

You should try telnetting to the addresses below on both 80 and 443:

update-manifests.ironport.com

downloads.ironport.com

updates.ironport.com

 

As a part of general troubleshooting I would also check the RAID status with the 'version' CLI command, and if you are using the IronPort demo certificate, make sure to change it to the new system default demo certificate as explained in:

 

https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/200025-9-5-and-newer-AsyncOS-for-Email-Security.html

 

You could also set up a packet capture on ports 80 and 443 to see if you can see any errors there. This can be done on the ESA under Help and Support (upper right corner of the GUI) -> Packet Capture. Best would be to run it simultaneously on the firewall or proxy as well.

 

If a proxy or firewall is involved, you might also try setting up static update servers as explained at:

http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117854-technote-esa-00.html

 

Hope this is informative; if none of the above helps, you could attach the full updater_logs and possibly the pcaps so we can take a look.

 

Mathew Huynh
Cisco Employee

Hey Leo,


From my perspective, before having a TAC case open, the general rule of thumb I use to verify if updates were indeed successful is:

 

Via CLI (or GUI)
CLI > antispamstatus

CLI > antivirusstatus

 

If it's updated, it should be reflected in the last updated time.


Via the updater_logs, I generally look for the large block of text that appears after case applies files, generally looking like...

 

Thu Aug 27 12:03:58 2015 Info: case sending version details to hermes {'case': {'ALL_RULES_VERSIONS': {'case_rules': '3.5.0-20150826_083100', 'dfa_updates': '20150827_020301', 'uridb': '20150825_101405', 'bayes': '20150826_111454-20150826_121043', 'toc_rules': '20150827_012052', 'uridb_updates': '20150825_101405-20150827_014204', 'dfa': '20150827_020250'},

..

...

..

...

EAK_0017626_01', 'description': 'We are seeing unusual volume for file extension(s) zip(exe), zip:e(exe). We are raising the Threat Level to 3. We will continue to monitor the situation.'}, {'outbreak': 17627, 'threat_level': 3.0, 'revision': 1, 'name': 'OUTBREAK_0017627_01', 'description': 'We are seeing unusual volume for file extension(s) zip(vbe), zip:e(vbe). We are raising the Threat Level to 3. We will continue to monitor the situation.'}, {'outbreak': 2969, 'threat_level': 3.0, 'revision': 5, 'name': 'OUTBREAK_0002969_05', 'description': 'We are seeing suspicious url(s) propagating through multiple sources. We are raising the Threat Level to 3. We will continue to monitor the situation.'}], 'SCANNER_ENGINE_VERSION': '3.5.0-008', 'SCANNER_RULES_VERSION': '3.5.0-20150826_083100', 'SCANNER_VOF_RULES_VERSION': '20150827_050252'}}
Thu Aug 27 15:20:14 2015 Info: case cleaning up base dir [bindir]
Thu Aug 27 15:20:14 2015 Info: case verifying applied files

 

If the above is seen, generally the update was fine.

EDIT: and as mtomanek has also provided, in the event the error comes at intervals, if you can review the entire updater_log and check to see whether you're seeing connection failures or update failures of any sort, it will generally show the connection time-out errors or other failures.

Let us know what you find.


Thanks, Matthew
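A small Python helper, added here and not from the thread or from Cisco, that applies the check Mathew Huynh describes mechanically: it parses updater_logs lines in the format quoted above, pulls the rule versions out of the "sending version details to hermes" line, and flags any stretch between two "case update completed" entries long enough to hide three missed 5-minute attempts (the interval and threshold from Leo's alert). The sample log lines, the regex and the gap heuristic are assumptions of this example, not anything the appliance documents.

```python
import ast
import re
from datetime import datetime, timedelta

# Constructed sample in the updater_logs format quoted above; the 20-minute
# hole after 10:54:33 stands in for three missed 5-minute attempts.
SAMPLE_LOG = """\
Tue Aug 25 10:49:33 2015 Info: case update completed
Tue Aug 25 10:54:33 2015 Info: case update completed
Tue Aug 25 11:14:40 2015 Info: case sending version details to hermes {'case': {'ALL_RULES_VERSIONS': {'case_rules': '3.5.0-20150826_083100', 'dfa': '20150827_020250'}, 'SCANNER_ENGINE_VERSION': '3.5.0-008'}}
Tue Aug 25 11:14:41 2015 Info: case update completed
"""

# Assumed line layout: "<day> <mon> <dd> <hh:mm:ss> <yyyy> <Level>: <app> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<level>\w+): (?P<app>\w+) (?P<msg>.*)$")
TS_FMT = "%a %b %d %H:%M:%S %Y"
VERSION_MARKER = "sending version details to hermes "


def parse_line(line):
    """Split one updater_logs line into timestamp, level, app and message."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def analyze(log_text, interval=timedelta(minutes=5), max_failures=3):
    """Flag success gaps wide enough to hide max_failures failed attempts
    and collect the latest rule versions each application reported."""
    last_ok, gaps, versions = {}, [], {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        app, msg, ts = rec["app"], rec["msg"], rec["ts"]
        if msg == "update completed":
            if app in last_ok:
                # Attempts that could have run between the two successes
                missed = (ts - last_ok[app]) // interval - 1
                if missed >= max_failures:
                    gaps.append({"app": app, "from": last_ok[app],
                                 "to": ts, "missed_attempts": missed})
            last_ok[app] = ts
        elif msg.startswith(VERSION_MARKER):
            # The payload is a Python literal, so literal_eval parses it safely
            versions.update(ast.literal_eval(msg[len(VERSION_MARKER):]))
    return {"gaps": gaps, "versions": versions}
```

Feed it the full updater_logs pulled from the appliance and compare the flagged gaps against the times the alerts fired.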