Upgrade Gateway c100v - issues

mvs23
Level 1

Hi!

I'm trying to upgrade ESA from 15.0.0-104 to 19.0.4-016, which I have understood shouldn't be an issue. However, when I try to upgrade from the GUI using "System Upgrade", I get the error "Error - Failure downloading upgrade list.", and if I try through the CLI I get the error "Failure downloading upgrade list: Received invalid update manifest response".

Under "Current upgrade settings", server is set to "https://update-manifests.sco.cisco.com", Interface "Auto Select", and proxy is set to our company's proxy. When I check traffic on the FW or proxy, I can't see any related blocks.

Is there a way to upgrade using a file on the ESA? I have moved the upgrade file to the ESA using FTP, but I'm struggling to find a way to use it. Or does anyone know what's stopping me from upgrading?

Thanks in advance for any help!


balaji.bandi
Hall of Fame

Make sure the device is reachable to receive updates from the Cisco site, check nslookup from command level.

If the outgoing FW and proxy are not blocking, use curl and check if you can reach those files?

https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117854-technote-esa-00.html

Check locally (but I prefer the online method; using the GUI is best)

https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117804-technote-wsa-00.html

BB

=====️ Preenayamo Vasudevam ️=====


I ran the following commands:

ESA> nslookup update-manifests.sco.cisco.com

A=208.90.58.6 TTL=30m
ESA> telnet update-manifests.sco.cisco.com 443

Trying 208.90.58.6...
telnet: connect to address 208.90.58.6: Connection refused
telnet: Unable to connect to remote host

And I'm now seeing a block on the FW from ESA to 208.90.58.6. Still got approved on the proxy, but this probably needs to be opened then?

EDIT: I don't think this should need to be opened, as telnet doesn't use the proxy, which the ESA is specified to do, and we do have a FW opening from ESA to the proxy.

Yes, that needs to be opened.

As Balaji posted, you can set up a local update server, but if your ESA can't get all of the content updates, it's hobbled... so make sure it's allowed to get to all of the IPs listed in the docs.

If that IP resolved, you need to open that in FW or up proxy for all to work as expected.

BB

=====️ Preenayamo Vasudevam ️=====


@mvs23 

Seems to be missing a permitting rule on your firewall. Keep in mind that DNS resolution is necessary, but you need to be able to establish a connection on port 443 of "https://update-manifests.sco.cisco.com".

I thought that the way this should work is that the ESA tries to reach "https://update-manifests.sco.cisco.com", but since we on the FW have an opening from the ESA to our proxy, it shouldn't need to be open on the FW, as the traffic should be routed to the proxy, where I can see "Allow" from the ESA to https://update-manifests.sco.cisco.com, using port 443. I've only seen blocked traffic on the FW after doing the telnet command, but that makes sense since I don't specify that it should use the proxy.

Proxies have problems when the site does cert pinning.

Also, assuming you're doing decryption, the proxy issues a cert from its own root and the ESA has to trust it.

I'd have to look at logs and/or packet capture to be sure of what you're running into.

I'm thinking my issue might be because of "Cisco Trusted Root Certificate Bundle". I see that it's running version 2.5, and "New update" is saying "Connecting to update server", and that last update is "Tue Sep 10 14:46:57 2024". We have an ESA in another environment that is not as restricted, was last updated August 2025, and running version 2.6, and status "Not available".
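
Added example, not part of any post in this thread: a Python check for the two points raised above, that a direct telnet test bypasses the proxy and that a decrypting proxy re-issues the server certificate. It sends CONNECT through the proxy and reports who issued the certificate seen through the tunnel. Assumptions: it runs on an admin host that shares the ESA's firewall path to the proxy (not on the ESA itself), and the proxy address passed to `probe` and all function names are hypothetical.

```python
import socket
import ssl

TARGET = ("update-manifests.sco.cisco.com", 443)  # update server named in the thread

def parse_connect_status(raw: bytes) -> int:
    """Return the HTTP status code from a proxy's reply to CONNECT."""
    line = raw.split(b"\r\n", 1)[0].decode("latin-1")
    parts = line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {line!r}")
    return int(parts[1])

def format_issuer(issuer) -> str:
    """Flatten the issuer field of ssl.SSLSocket.getpeercert() into one string."""
    return ", ".join(f"{key}={value}" for rdn in issuer for key, value in rdn)

def classify(status: int, tls_error=None) -> str:
    """Map the proxy status and TLS verification result to a finding."""
    if status == 407:
        return "proxy-auth-required"
    if status != 200:
        return "proxy-refused-tunnel"
    return "tunnel-ok-cert-untrusted" if tls_error else "tunnel-ok-cert-trusted"

def probe(proxy_host: str, proxy_port: int, timeout: float = 10.0):
    """CONNECT through the proxy, then verify the certificate seen through the tunnel.

    Returns (finding, detail); detail is the certificate issuer or the verify error.
    proxy_host and proxy_port are site-specific values supplied by the caller.
    """
    host, port = TARGET
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
        sock.sendall(f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode())
        reply = b""
        while b"\r\n\r\n" not in reply:
            chunk = sock.recv(4096)
            if not chunk:
                break
            reply += chunk
        status = parse_connect_status(reply)
        if status != 200:
            return classify(status), reply.split(b"\r\n", 1)[0].decode("latin-1")
        context = ssl.create_default_context()  # trust store of this host, not the ESA's
        try:
            with context.wrap_socket(sock, server_hostname=host) as tls:
                return classify(status), format_issuer(tls.getpeercert()["issuer"])
        except ssl.SSLCertVerificationError as exc:
            return classify(status, exc.verify_message), exc.verify_message
```

An issuer that names the proxy's own CA rather than a public CA means the proxy is decrypting the session. The trust decision reflects the test host's certificate store, so the ESA may still reject a chain this host accepts.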