
Warning <Anti-Virus and AMP> esa.local: The File Reputation service is not reachable.

Robert Sherwin
Cisco Employee

Of late, customers have been reporting an uptick in the following alert:

The Warning message is:

 

The File Reputation service is not reachable.

 

Version: 9.6.0-042

Serial Number: 000084FA6CC1CCF1111-000069E31111

Timestamp: 31 Aug 2015 17:31:45 +0000

 

This is being tracked with the following defect:

https://tools.cisco.com/bugsearch/bug/CSCuv90803

 

Symptom:
If the Cloud Server IP gets changed, AMP in ESA does not try to resolve the cloud server once it fails to connect.

System generates alerts:
The File Reputation service is not reachable.

Conditions:
ESA with AMP File reputation feature enabled

Workaround:
Disable and re-enable AMP File Reputation and Analysis feature under Security Services.

 

Please let us know if you continue to see issues post-workaround, if you have received this alert.

-Robert
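
Added example, not part of the original post and not Cisco's code: a minimal simulation of the failure mode described in the Symptom above, where a client keeps a resolved address and never looks the hostname up again after the server's IP changes, shown next to a variant that re-resolves on a failed connect. The class names, the hostname `cloud.example` and the addresses are constructed for illustration.

```python
# Illustration only: all names here are hypothetical, not Cisco code.
UNREACHABLE = "The File Reputation service is not reachable."


class PinnedClient:
    """Resolves the hostname once and keeps using that address (the symptom)."""

    def __init__(self, host, resolve, connect):
        self.host, self.resolve, self.connect = host, resolve, connect
        self.addr = resolve(host)

    def query(self):
        try:
            return self.connect(self.addr)
        except ConnectionError:
            return UNREACHABLE  # stale address is kept, so every retry fails


class ReResolvingClient(PinnedClient):
    """On a failed connect, drops the cached address and resolves again."""

    def query(self):
        try:
            return self.connect(self.addr)
        except ConnectionError:
            self.addr = self.resolve(self.host)  # refresh the stale address
            try:
                return self.connect(self.addr)
            except ConnectionError:
                return UNREACHABLE


def simulate(client_cls):
    """Constructed scenario: the cloud server moves to a new IP address."""
    dns = {"cloud.example": "192.0.2.10"}  # constructed DNS record
    live = {"192.0.2.10"}                  # addresses that currently answer

    def resolve(host):
        return dns[host]

    def connect(addr):
        if addr not in live:
            raise ConnectionError(addr)
        return "ok via " + addr

    client = client_cls("cloud.example", resolve, connect)
    before = client.query()
    dns["cloud.example"] = "198.51.100.20"  # the server IP changes
    live.clear()
    live.add("198.51.100.20")
    return before, client.query()
```

In this model, disabling and re-enabling the feature corresponds to constructing a new client, which resolves the hostname afresh.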


iscinteianu
Level 1

Hello Robert!

In the past few days our clustered ESA C390 keeps sending warning messages:

one is about reachability with Cisco Web Security Services:

"Unable to connect to Cisco Web Security Service.

URL Filtering will not work correctly.

Please verify all network, proxy and firewall settings.

Connection to "v2.sds.cisco.com" failed.

The last error seen on this connection: "Request failed with code: 28 (Operation timed out after 5000 milliseconds with 0 bytes received)"

 Version: 9.1.2-036

Timestamp: 26 Oct 2016 16:03:13 +0300

and the other concerning Anti-virus and AMP:

The Warning message is:

 MID 267349 antivirus timeout error using engine Sophos.  This message was treated as unscannable because scanning the message exceeded the configured timeout period (120).

 Version: 9.1.2-036

Timestamp: 26 Oct 2016 16:15:23 +0300

I've checked the connectivity with "v2.sds.cisco.com" and it doesn't seem to drop a single frame, so everything should be fine from a connectivity perspective. And still, once a day or once every few days, they still send warnings.

Could you please share any ideas?

Ionut

Hi,

officially this should do the trick:

http://www.cisco.com/c/en/us/support/docs/field-notices/641/fn64111.html

Regards,

Philippe

Thank you Philippe for the quick reply,

I've checked that solution but hesitated to apply it as I couldn't understand the "Enter the threshold value for outstanding requests", default being 50. What does "outstanding request" mean? It is a significant drop from 50 to 5.

Also, being in a cluster, any modification must be done on both the appliances for the cluster not to check any inconsistencies and return other problems.

L.E. I've done the modifications, will keep you informed if it did the trick or not in my case. :) Still, the Anti-Virus and AMP warning shouldn't be related to this issue. I'm thinking increasing the timeout there might be a workaround. 

Hello,

I would agree with the above in regards to changing the 'Outstanding Requests' value from 50 down to 5. Keep in mind this is a machine-level setting and you need to perform this on each appliance separately.

Regarding your other question, I do not see anything involving AMP in the alert you posted, only a Sophos timeout warning. Sophos timeouts can be safely ignored if not occurring on a constant basis. All this means is that you received a large and/or complex message and Sophos was not able to complete scanning within the allotted timeframe (120 seconds).

I would definitely not suggest increasing the timeout as that could lead to workqueue backups on the ESA when processing excessive amounts of large emails.

Thanks!

-Dennis M.

Thank you Dennis for the support. Indeed, I left the timers as is; that Sophos timeout was one singular alert, but the first problem still exists.

From last evening :), warning from the second appliance:

The Warning message is:

 

Unable to connect to Cisco Web Security Service.

URL Filtering will not work correctly.

Please verify all network, proxy and firewall settings.

Connection to "v2.sds.cisco.com" failed.

The last error seen on this connection: "Request failed with code: 28 (Operation timed out after 5000 milliseconds with 0 out of -1 bytes received)"

 

Version: 9.1.2-036

Timestamp: 27 Oct 2016 17:57:23 +0300

Hi

For the URL filtering error I would recommend increasing the timeout from 5 to 15 secs as per the below defect.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCus08194/?reffering_site=dumpcr

Also please note that, as per a recent field notice, the threshold for outstanding requests should be changed from 50 to 5.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCux63499/?reffering_site=dumpcr

Both are configured at the machine level from the CLI using the command "websecurityadvancedconfig".

Thanks

Libin 

What would be a side effect of altering the timeout? Isn't it the same story as the Sophos timing? I mean, my primary focus is on fast and correct function of the appliance. After all, I won't mind receiving a warning from time to time as long as it works.

I mean this value, as Libin suggested:

Enter URL lookup timeout (includes any DNS lookup time) in seconds

Wouldn't the 15 sec make it slower in processing URL filtering requests overall?

I found it in the release notes as well: http://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa9-7/ESA_9-7-1_Release_Notes.pdf , regarding the modifications to the server pool used by the URL Reputation feature.

Thanks

Ionut

Ionut,

The configuration of websecurityadvancedconfig is as per suggestions from the development teams in order to increase efficiency of the device communication with the URL filtering servers; this would not slow down the processing capability of the appliance itself.

These changes are recommended in order to correct any underlying defects which adversely affect the workqueue processing.

Thanks

Libin

Ok Libin, will keep you updated. Committed the changes.

L.E. Two weeks have passed and so far so good, the appliances are working sweet, got rid of the error.

Thank you guys for the kind support!