smid
Beginner

The updater has been unable to communicate with the update server for at least 1h

The last two days I get this warning every 2 hrs.

How can I solve this?

Nothing has changed in my environment and I can ping/telnet the update server.

Under "System upgrade" it says that I'm using server https://update-manifests.sco.cisco.com/

I get a certificate error when visiting this site in Chrome. Does that have anything to do with this?

I'm using a C195

Thanks

svgeorgi
Cisco Employee

C195 should be reaching out to this website. I can assume at this point that you have a mixed cluster of virtual ESAs and physical C195.

If that's correct, you should create machine-level settings under CLI>updateconfig for your hardware appliance/s only. Issue the subcommand dynamichost and correct the manifest server back to its default value (update-manifests.ironport.com).

Also you can test the connectivity by telnetting to it on port 443, and also ensure that there are no proxies (which are not configured on the ESA) or firewall inspections which might be messing with the connection.

smid
Beginner

I only have this one physical unit (C195).
I can telnet to update-manifests.sco.cisco.com:443 from the unit. No proxies.
We have SSL inspection but we have whitelisted these servers.

When I visit the website in Chrome (I've tried different networks), I get an SSL error NET::ERR_CERT_SYMANTEC_LEGACY.
This is probably unrelated to my problem though.

svgeorgi
Cisco Employee

That's great! I'm wondering then where this wrong URL came from into your physical ESA in the first place.

Just revert your dynamic host to update-manifests.ironport.com:443 then, and it should be good.

Your ESA should be okay to connect properly when the correct server is used.

smid
Beginner

Sorry, I didn't realize you posted a new URL. My apologies.

I don't have the subcommand "dynamichosts".

I have:

- SETUP - Edit update configuration.
- VALIDATE_CERTIFICATES - Validate update server certificates
- TRUSTED_CERTIFICATES - Manage trusted certificates for updates

When I select "SETUP" I can either use Cisco's update servers or manually enter one.
Should I enter the URL you posted under

"Cisco IronPort AsyncOS upgrades
Cisco IronPort Servers" ?

SriramV
Cisco Employee

"dynamichost" is a hidden command.

Choose the operation you want to perform:
- SETUP - Edit update configuration.
- VALIDATE_CERTIFICATES - Validate update server certificates
- TRUSTED_CERTIFICATES - Manage trusted certificates for updates
[]> dynamichost

Enter new manifest hostname:port
[update-manifests.ironport.com:443]>

svgeorgi
Cisco Employee

"I don't have the subcommand "dynamichosts"."

Just try it, it is there. It's just dynamichost, not dynamichosts.

smid
Beginner

Thank you. The command wasn't listed, so that confused me.

I've updated the server now. Will post result in a few hours.

svgeorgi
Cisco Employee

You can force an update to your security engines with CLI>updatenow force and check the updater_logs for any errors with CLI>tail updater_logs. If everything is cool in there, then such alerts shouldn't be generated anymore.

smid
Beginner

I changed the URL and committed the changes but I still get the error message.

I tried your suggestion to force updates and tail_logs but I can't see any error messages.

After the graymail update it stops at:

 Info: case cleaning up base dir [bindir]
 Info: case verifying applied files
 Info: case updating the client manifest
 Info: case update completed
 Info: case waiting for new updates

I will try a system upgrade in a week when we have maintenance.

I have disabled email notifications until this has been resolved.

Don't know if this is related but under "top alerts" I found this:

"Unable to connect to Cisco Web Security Service. URL Filtering will not work correctly. Please verify all network, proxy and firewall settings. Connection to "v2.sds.cisco.com" failed. The last error seen on this connection: "Request failed with code: 28 (Operation timed out after 0 milliseconds with 0 out of 0 bytes received)"

svgeorgi
Cisco Employee

That last alert is related to the connection to the URL filtering server where it is fetching web scores (WBRS) for URLs found in the messages. You can perform a pcap to that server v2.sds.cisco.com to check what's going on, but most likely you'll have to have the timeouts to that service loosened under CLI>websecurityadvancedconfig.

From the output you've provided from updater_logs, I cannot see any issues there.

What is CLI>antispamstatus showing for example? "Structural Rules" should contain today's date in its version if everything's alright.

If nothing works, you can open a TAC case for further investigation - for both alerts.
