cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Cisco Secure Email Support Community

Product Support Talos Support Cisco Support Reference + Current Release
Gateway Reputation Lookup Open a support case Secure Email Guided Setup
Gateway: 14.0.1-033
Cloud Gateway Email Status Portal Support & Downloads docs.ces.cisco.com
Email and Web Manager: 14.0.0-418
Email and Web Manager Web & Email Reputation Worldwide Contacts Product Naming Quick Reference
Reporting Plug-in: 1.1.0.136
Encryption Bug Search
Encryption Plug-in: 1.2.1.167
Cloud Mailbox Notification Service
Outlook Add-in(s): More info

16366
Views
0
Helpful
7
Replies
jokkmeister
Beginner

The updater has been unable to communicate with the update server for at least 1h.

I have been getting these warnings for both my C-370's every hour since 16.37 EST April 1st. Before that it has happened now and then but always kicked in again.

Network department claims they haven't done anything. Anyone know if Cisco has problems or what else might be causing this? Everyhitng else works but for the anti-spam and sophos updates it seems.

1 ACCEPTED SOLUTION

Accepted Solutions
David Owens
Beginner

We had the same problem - please check and update your firewall settings to the following information from Cisco:

 

Cisco is releasing new improvements to our Security Intelligence Operations infrastructure that will enable greater scalability and efficacy to all of your Cisco security products.  As part of this effort, there is a scheduled change to the IPv4 addresses for two hosts used in retrieving reputation updates from Cisco.com for Cisco Web, Email, and IPS appliances, as well as for the CX and Botnet Traffic Filter capabilities of the ASA. 

By default, Cisco security technologies use DNS to locate the appropriate update servers.  However, some environments may have configured static IP addresses in their access control.  If you have configured IP-based access control to permit outbound connections for updates from Cisco, you will need to modify your rules to support the new IP addresses.

Changes will be implemented between February 21, 2013 and March 30, 2013.

If the following IP addresses have been added to your access control policy:

update-manifests.ironport.com: 204.15.82.17 on port 443

updates-static.ironport.com: 204.15.82.16 on port 80

Please add the following IP addresses to your access control policy by February 21, 2013:

update-manifests.ironport.com 208.90.58.5 on port 443

updates-static.ironport.com 208.90.58.25 on port 80

Another note confirm this setting also:

downloads-statis.ironport.com: 204.15.82.8

The original IPs addresses will be deprecated by April 30, 2013.  If you do not modify necessary access controls, your Cisco security technologies will not be able to receive reputation updates.

Should you have any questions, please contact your local Cisco Support Team.

View solution in original post

7 REPLIES 7
David Owens
Beginner

We had the same problem - please check and update your firewall settings to the following information from Cisco:

 

Cisco is releasing new improvements to our Security Intelligence Operations infrastructure that will enable greater scalability and efficacy to all of your Cisco security products.  As part of this effort, there is a scheduled change to the IPv4 addresses for two hosts used in retrieving reputation updates from Cisco.com for Cisco Web, Email, and IPS appliances, as well as for the CX and Botnet Traffic Filter capabilities of the ASA. 

By default, Cisco security technologies use DNS to locate the appropriate update servers.  However, some environments may have configured static IP addresses in their access control.  If you have configured IP-based access control to permit outbound connections for updates from Cisco, you will need to modify your rules to support the new IP addresses.

Changes will be implemented between February 21, 2013 and March 30, 2013.

If the following IP addresses have been added to your access control policy:

update-manifests.ironport.com: 204.15.82.17 on port 443

updates-static.ironport.com: 204.15.82.16 on port 80

Please add the following IP addresses to your access control policy by February 21, 2013:

update-manifests.ironport.com 208.90.58.5 on port 443

updates-static.ironport.com 208.90.58.25 on port 80

Another note confirm this setting also:

downloads-statis.ironport.com: 204.15.82.8

The original IPs addresses will be deprecated by April 30, 2013.  If you do not modify necessary access controls, your Cisco security technologies will not be able to receive reputation updates.

Should you have any questions, please contact your local Cisco Support Team.

View solution in original post

I've been receiving emails with the exact same error several times a week.  When I check my firewall syslogs I'm seeing SYN Timeout" errors when attempting to make a connection to the new IP (208.90.58.5).  Anyone else seeing these issues?

Note: I'm using the Ironport Update Servers setting in WSA.

Joe

Joe,

Just this morning I started getting the same emails. I have never seen them before so I'm thinking you're on to something here.


Greg

I checked the update log files on the WSA and also getting the errors below indicating that the WSA can't connect to the update server. 

Fri Apr  5 07:29:39 2013 Info: Starting scheduled update

Fri Apr  5 07:30:39 2013 Info: Failed to acquire the server manifest

Fri Apr  5 07:32:39 2013 Info: Failed to acquire the server manifest

Fri Apr  5 07:34:39 2013 Info: Failed to acquire the server manifest

Fri Apr  5 07:34:39 2013 Info: Scheduled next update to occur at Fri Apr  5 08:34:39 2013

Just wanted to add that there is a slight typo in the URL mentioned above.

downloads-statis.ironport.com must be  downloads-static.ironport.com

Apart from that, thanks for the great information!

Regards,

Prab :)

GILLES GAUTHIER
Beginner

We have the same alerts, starting today.  Our firewall do not block per static IPs.  BTW, we still receive antispam updates, featurekey updates, so I think the problem is intermittent.  Could Cisco have problem with their new update servers?

From: andmuell [mailto:supportforums-donotreply@supportforums.cisco.com]
Sent: Friday, April 05, 2013 6:44 AM
Subject: [Email Security] Announcement: DNS resolution issue for the ironport.com domain (Updates, Upgrades, CRES)

Announcement: DNS resolution issue for the ironport.com domain (Updates, Upgrades, CRES)

created by Andreas Mueller in Email Security - View the announcement

We're currently facing an issue with the DNS resolution of the ironport.com domain, which is impacting service updates (Antispam, Antivirus, VOF) as well as AsyncOS upgrades and CRES. Our IT team is actively investigating this at the moment.

Announcement expires on 7. April 2013