Unable to connect to Cisco Web Security Service, URL Filtering will not work correctly.

spisipati
Level 1

Hello All,

 

We received an email from Cisco IronPort with the warning below.

-----------------

The Warning message is:

 

Unable to connect to Cisco Web Security Service.

URL Filtering will not work correctly.

Please verify all network, proxy and firewall settings.

Connection to "v2.sds.cisco.com" failed.

The last error seen on this connection: "Request failed with code: 28 (Resolving timed out after 21000 milliseconds)"

 

Version: 9.1.0-032

Serial Number: xxxxxxxxxxxx-xxxxxx

Timestamp: 18 Feb 2019 13:08:12 +0000

-----------------

 

The Warning message is:

 

Unable to connect to Cisco Web Security Service.

URL Filtering will not work correctly.

Please verify all network, proxy and firewall settings.

Connection to "v2.sds.cisco.com" failed.

The last error seen on this connection: "Request failed with code: 35 (SSL: SSL_set_session failed: error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert already in hash table)"

 

Version: 9.1.0-032

Serial Number: xxxxxxxxxxxx-xxxxxx

Timestamp: 15 Feb 2019 16:15:25 +0000

-----------------

 

Could anyone please help us address / fix these issues from the Cisco IronPort end?

Many Thanks in advance.

 

Regards,

Srinivas P


balaji.bandi
Hall of Fame

1. Try from the command level using the Admin account.

 

> telnet v2.sds.cisco.com 443

 

Trying 184.94.240.102...

Connected to 184.94.240.102.

Escape character is '^]'.

^]  

telnet> quit

 

Is that working?

2. Worth looking at the Field Notice.

 

https://www.cisco.com/c/en/us/support/docs/field-notices/641/fn64111.html

 

3. Also check whether any of the feature keys have expired.

 

BB


I have checked our connectivity and also made sure that the service update was done and still receive the message. This only started after I upgraded to 12.5.0-066. None of my licenses are expired...  Not sure what to do now...  This is the message I get:

The Warning message is:

 

Unable to connect to Cisco Web Security Service.

URL Filtering will not work correctly.

Please verify all network, proxy and firewall settings.

Connection to "v2.sds.cisco.com" failed.

The last error seen on this connection: "Request failed with code: 28 (Operation timed out after -1 milliseconds with 0 out of 0 bytes received)"

 

Hello,

 

Can you share the output of websecurityadvancedconfig from the CLI?

 

Thanks!

-Dennis M.

Enter URL lookup timeout (includes any DNS lookup time) in seconds:
[20]>
Enter the URL cache size (no. of URLs):
[810000]>
Do you want to disable DNS lookups? [N]>
Enter the maximum number of URLs that can be scanned in a message body:
[100]>
Enter the maximum number of URLs that can be scanned in the attachments in a
message:
[25]>
Enter the Web security service hostname:
[v2.sds.cisco.com]>
Enter the threshold value for outstanding requests:
[50]>
Do you want to verify server certificate? [Y]>
Do you want to enable URL filtering for shortened URLs? [Y]>
For shortened URL support to work, please ensure that ESA is able to connect to
following domains:
bit.ly, tinyurl.com, ow.ly, tumblr.com, ff.im, youtu.be, tl.gd, plurk.com,
url4.eu, j.mp, goo.gl, fb.me, alturl.com, wp.me, chatter.com, tiny.cc, ur.ly
Enter the default time-to-live value (seconds):
[30]>
Do you want to rewrite both the URL text and the href in the message? Y
indicates that the full rewritten URL will appear in the email body. N
indicates that the rewritten URL will only be visible in the href for HTML
messages. [Y]>
Do you want to include additional headers? [N]>
Enter the default debug log level for RPC server:
[Info]>

Enter the default debug log level for URL cache:
[Info]>

Enter the default debug log level for HTTP client:
[Info]>

Hello,

 

The first thing you'll want to do is lower the outstanding request threshold down from 50 to 5. If you have multiple ESAs then it needs to be performed on each machine individually. More information on that can be found here: https://www.cisco.com/c/en/us/support/docs/field-notices/641/fn64111.html

 

That should take care of the bulk of the alerts and would be a good starting point.  

 

Thanks!

-Dennis M.

 

dmccabej
Cisco Employee

Hello,

 

You'll want to test connectivity as previously mentioned; however, you should note that 9.1.0-032 is an unsupported build and you're no longer receiving any critical engine/definition updates. You'll want to upgrade to AsyncOS 10.x or above ASAP to resolve this. As far as the error itself, assuming you can connect successfully, seeing it fairly intermittently is normal and can be ignored.

 

Thanks!

-Dennis M.

ppreenja
Cisco Employee
Hi Spisipati,

As I can see from the information you provided, you are already on an end-of-support version.
Also, once an Async OS version becomes end of support, it stops receiving several important updates, and hence that might be the reason for your issue.

Please refer to the article below for the same:
https://www.cisco.com/c/en/us/products/collateral/security/email-security-appliance/eos-eol-notice-c51-738362.html

To resolve the issue, I would request you to upgrade to Async OS version 10.0 and above and let us know if the issue still persists.
If you still receive the error, kindly check on the telnet connectivity and websecurityadvancedconfig value as per the field notice, as suggested by others on this post.
https://www.cisco.com/c/en/us/support/docs/field-notices/641/fn64111.html

I hope this helps and provides some understanding.

BR,
Pratham
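
Added example (not part of the original thread, and not Cisco tooling): a small Python triage helper that parses the alert text quoted in this thread and labels which stage of the connection failed, so DNS, TLS and plain timeout warnings can be counted separately. It assumes the numeric codes are libcurl error numbers, which the message texts match; `parse_alerts`, `classify` and the stage names are hypothetical.

```python
import re

# Constructed sample: the three alert bodies quoted in this thread, trimmed to
# the lines the parser reads.
SAMPLE_ALERTS = '''\
Connection to "v2.sds.cisco.com" failed.
The last error seen on this connection: "Request failed with code: 28 (Resolving timed out after 21000 milliseconds)"
Timestamp: 18 Feb 2019 13:08:12 +0000
Connection to "v2.sds.cisco.com" failed.
The last error seen on this connection: "Request failed with code: 35 (SSL: SSL_set_session failed: error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert already in hash table)"
Timestamp: 15 Feb 2019 16:15:25 +0000
Connection to "v2.sds.cisco.com" failed.
The last error seen on this connection: "Request failed with code: 28 (Operation timed out after -1 milliseconds with 0 out of 0 bytes received)"
'''

HOST_RE = re.compile(r'Connection to "([^"]+)" failed')
ERR_RE = re.compile(r'Request failed with code: (\d+) \((.*)\)"?\s*$')
TS_RE = re.compile(r'^Timestamp:\s*(.+)$')

def classify(code, detail):
    # Assumption: codes are libcurl error numbers (28 = operation timed out,
    # 35 = TLS/SSL connect error); the stage names are this example's own.
    text = detail.lower()
    if code == 28 and text.startswith("resolving"):
        return "dns"        # name lookup did not finish in time
    if code == 28:
        return "timeout"    # the request as a whole hit its time limit
    if code == 35 or text.startswith("ssl"):
        return "tls"        # TLS handshake/session setup failed
    return "other"

def parse_alerts(text):
    """Return one dict per alert: host, code, detail, stage, timestamp."""
    alerts, host = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := HOST_RE.search(line):
            host = m.group(1)
        elif m := ERR_RE.search(line):
            code, detail = int(m.group(1)), m.group(2)
            alerts.append({"host": host, "code": code, "detail": detail,
                           "stage": classify(code, detail), "timestamp": None})
        elif (m := TS_RE.match(line)) and alerts and not alerts[-1]["timestamp"]:
            alerts[-1]["timestamp"] = m.group(1)  # footer follows the error
    return alerts

if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_ALERTS):
        print(a["timestamp"], a["host"], a["code"], a["stage"])
```

On the alerts quoted in this thread it yields dns, tls and timeout respectively, so the three warnings are not one and the same failure.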