The updater has been unable to communicate with the update server for at least 1h

smid · ‎05-07-2021

The last two days I get this warning every 2 hrs.

How can I solve this?

Nothing has changed in my environment and I can ping/telnet the update server.

Under "System upgrade" it says that I'm using server https://update-manifests.sco.cisco.com/

I get a certificate error when visiting this site in chrome. Does that have anything to do with this?

I'm using a C195

Thanks

svgeorgi · ‎05-10-2021

C195 should be reaching out to this website. I can assume at this point that you have a mixed cluster of virtual ESAs and physical C195.

If that's correct, you should create a machine level settings under CLI>updateconfig for your hardware appliance/s only. Issue the subcommand dynamichost and correct the manifest server back to its default value (update-manifests.ironport.com).

Also you can test the connectivity by telnetting it on port 443, and also ensure that there are no proxies (which are not configured on the ESA) or firewall inspections which might be messing up with the connection.

smid · ‎05-10-2021

I only have this one physical unit (C195).
I can telnet to update-manifests.sco.cisco.com:443 from the unit. No proxies.
We have SSL inspection but we have whitelisted these servers.

When I visit the website in chrome (i've tried different networks), I get an SSL error NET::ERR_CERT_SYMANTEC_LEGACY
This is probably unrelated to my problem though

svgeorgi · ‎05-10-2021

That's great! I'm wondering then where this wrong URL came from into your physical ESA in first place.

Just revert your dynamic host to update-manifests.ironport.com:443 then, and it should be good.

Your ESA should be okay to connect properly when the correct server is used.

smid · ‎05-11-2021

Sorry, I didn't realize you posted a new URL. My apologies.

I don't have the subcommand "dynamichosts".

I have:

- SETUP - Edit update configuration.
- VALIDATE_CERTIFICATES - Validate update server certificates
- TRUSTED_CERTIFICATES - Manage trusted certificates for updates

When I select "SETUP" I can either use ciscos update servers or manually enter one.
Should I enter the URL you posted under

"Cisco IronPort AsyncOS upgrades
Cisco IronPort Servers" ?

SriramV · ‎05-11-2021

"dynamichost" its a hidden command

Choose the operation you want to perform:
- SETUP - Edit update configuration.
- VALIDATE_CERTIFICATES - Validate update server certificates
- TRUSTED_CERTIFICATES - Manage trusted certificates for updates
[]> dynamichost

Enter new manifest hostname:port
[update-manifests.ironport.com:443]>

svgeorgi · ‎05-11-2021

"I don't have the subcommand "dynamichosts"."

Just try it, it is there. It's just dynamichost, not dynamichosts.

smid · ‎05-11-2021

Thank you. The command wasn't listed, so that confused me

I've update the server now. Will post result in a few hours.

svgeorgi · ‎05-11-2021

You can force an update to your security engines with CLI>updatenow force and check the updater_logs for any errors with CLI>tail updater_logs. If everything is cool in there, then such alerts shouldn't be generated anymore.

smid · ‎05-11-2021

I changed the URL and commited the changes but I still get the error message.

I tried your suggestion to force updates and tail_logs but I can't see any error messages.

After the graymail update it stops at:

Info: case cleaning up base dir [bindir]
Info: case verifying applied files
Info: case updating the client manifest
Info: case update completed
Info: case waiting for new updates

I will try a system upgrade in a week when we have maintenance.

I have disabled email notifications until this has been resolved.

smid · ‎05-12-2021

Don't know if this is related but under "top alerts" I found this:

"Unable to connect to Cisco Web Security Service. URL Filtering will not work correctly. Please verify all network, proxy and firewall settings. Connection to "v2.sds.cisco.com" failed. The last error seen on this connection: "Request failed with code: 28 (Operation timed out after 0 milliseconds with 0 out of 0 bytes received)"

svgeorgi · ‎05-12-2021

That last alert is related to the connection to the URL filtering server where it is fetching web scores (WBRS) for URLs found in the messages. You can perform a pcap to that server v2.sds.cisco.com to check what's going on, but most likely you'll have to have the timeouts to that service loose under CLI>websecurityadvancedconfig.

From the output you've provided from updater_logs cannot see any issues there.

What is CLI>antispamstatus showing for example? "Structural Rules" should contain today's date in its version if everything's alright.

If nothing works, you can open a TAC case for further investigation - for both alerts.