05-07-2021 03:16 AM - edited 05-07-2021 03:19 AM
The last two days I get this warning every 2 hrs.
How can I solve this?
Nothing has changed in my environment and I can ping/telnet the update server.
Under "System upgrade" it says that I'm using server https://update-manifests.sco.cisco.com/
I get a certificate error when visiting this site in Chrome. Does that have anything to do with this?
I'm using a C195
Thanks
05-10-2021 03:51 AM
C195 should be reaching out to this website. I can assume at this point that you have a mixed cluster of virtual ESAs and physical C195.
If that's correct, you should create machine-level settings under CLI>updateconfig for your hardware appliance(s) only. Issue the subcommand dynamichost and correct the manifest server back to its default value (update-manifests.ironport.com).
Also, you can test the connectivity by telnetting to it on port 443, and also ensure that there are no proxies (which are not configured on the ESA) or firewall inspections which might be messing with the connection.
05-10-2021 01:54 PM
I only have this one physical unit (C195).
I can telnet to update-manifests.sco.cisco.com:443 from the unit. No proxies.
We have SSL inspection but we have whitelisted these servers.
When I visit the website in Chrome (I've tried different networks), I get an SSL error: NET::ERR_CERT_SYMANTEC_LEGACY
This is probably unrelated to my problem, though.
05-10-2021 04:29 PM
That's great! I'm wondering then how this wrong URL got into your physical ESA in the first place.
Just revert your dynamic host to update-manifests.ironport.com:443 then, and it should be good.
Your ESA should be okay to connect properly when the correct server is used.
05-11-2021 05:35 AM
Sorry, I didn't realize you posted a new URL. My apologies.
I don't have the subcommand "dynamichosts".
I have:
- SETUP - Edit update configuration.
- VALIDATE_CERTIFICATES - Validate update server certificates
- TRUSTED_CERTIFICATES - Manage trusted certificates for updates
When I select "SETUP" I can either use Cisco's update servers or manually enter one.
Should I enter the URL you posted under
"Cisco IronPort AsyncOS upgrades
Cisco IronPort Servers" ?
05-11-2021 05:56 AM
"dynamichost" is a hidden command:
Choose the operation you want to perform:
- SETUP - Edit update configuration.
- VALIDATE_CERTIFICATES - Validate update server certificates
- TRUSTED_CERTIFICATES - Manage trusted certificates for updates
[]> dynamichost
Enter new manifest hostname:port
[update-manifests.ironport.com:443]>
05-11-2021 05:58 AM
"I don't have the subcommand "dynamichosts"."
Just try it, it is there. It's just dynamichost, not dynamichosts.
05-11-2021 06:28 AM
Thank you. The command wasn't listed, so that confused me.
I've updated the server now. Will post the result in a few hours.
05-11-2021 06:30 AM
You can force an update to your security engines with CLI>updatenow force and check the updater_logs for any errors with CLI>tail updater_logs. If everything is cool in there, then such alerts shouldn't be generated anymore.
05-11-2021 10:34 PM
I changed the URL and committed the changes but I still get the error message.
I tried your suggestion to force updates and tail_logs but I can't see any error messages.
After the graymail update it stops at:
Info: case cleaning up base dir [bindir]
Info: case verifying applied files
Info: case updating the client manifest
Info: case update completed
Info: case waiting for new updates
I will try a system upgrade in a week when we have maintenance.
I have disabled email notifications until this has been resolved.
05-12-2021 03:03 AM
Don't know if this is related but under "top alerts" I found this:
"Unable to connect to Cisco Web Security Service. URL Filtering will not work correctly. Please verify all network, proxy and firewall settings. Connection to "v2.sds.cisco.com" failed. The last error seen on this connection: "Request failed with code: 28 (Operation timed out after 0 milliseconds with 0 out of 0 bytes received)"
05-12-2021 05:27 AM
That last alert is related to the connection to the URL filtering server, where it is fetching web scores (WBRS) for URLs found in the messages. You can perform a pcap to that server v2.sds.cisco.com to check what's going on, but most likely you'll have to loosen the timeouts to that service under CLI>websecurityadvancedconfig.
From the output you've provided from updater_logs, I cannot see any issues there.
What is CLI>antispamstatus showing for example? "Structural Rules" should contain today's date in its version if everything's alright.
If nothing works, you can open a TAC case for further investigation - for both alerts.