09-01-2015 11:28 AM
Of late, customers have been reporting an uptick in the following alert:
The Warning message is:
The File Reputation service is not reachable.
Version: 9.6.0-042
Serial Number: 000084FA6CC1CCF1111-000069E31111
Timestamp: 31 Aug 2015 17:31:45 +0000
This is being tracked with the following defect:
https://tools.cisco.com/bugsearch/bug/CSCuv90803
Symptom:
If the Cloud Server IP gets changed, AMP in ESA does not try to resolve the cloud server once it fails to connect.
System generates alerts:
The File Reputation service is not reachable.
Conditions:
ESA with AMP File reputation feature enabled
Workaround:
Disable and re-enable AMP File Reputation and Analysis feature under Security Services.
Please let us know if you continue to see issues post-workaround, if you have received this alert.
-Robert
10-26-2016 06:35 AM
Hello Robert!
In the past days, our clustered ESA C390 keeps sending warning messages:
one is about reachability with Cisco Web Security Services:
"Unable to connect to Cisco Web Security Service.
URL Filtering will not work correctly.
Please verify all network, proxy and firewall settings.
Connection to "v2.sds.cisco.com" failed.
The last error seen on this connection: "Request failed with code: 28 (Operation timed out after 5000 milliseconds with 0 bytes received)"
Version: 9.1.2-036
Timestamp: 26 Oct 2016 16:03:13 +0300
and the other concerning Anti-virus and AMP:
The Warning message is:
MID 267349 antivirus timeout error using engine Sophos. This message was treated as unscannable because scanning the message exceeded the configured timeout period (120).
Version: 9.1.2-036
Timestamp: 26 Oct 2016 16:15:23 +0300
I've checked the connectivity with "v2.sds.cisco.com" and it doesn't seem to drop a single frame, so everything should be fine from a connectivity perspective. And still, once a day or once every few days, they still send warnings.
Could you please share any ideas?
Ionut
10-26-2016 07:00 AM
Hi,
officially this should do the trick:
http://www.cisco.com/c/en/us/support/docs/field-notices/641/fn64111.html
Regards,
Philippe
10-26-2016 07:25 AM
Thank you Philippe for the quick reply,
I've checked that solution but hesitated to apply it as I couldn't understand the "Enter the threshold value for outstanding requests", default being 50. What does "outstanding request" mean? It is a significant drop from 50 to 5.
Also, being in a cluster, any modification must be done on both the appliances for the cluster not to check any inconsistencies and return other problems.
L.E. I've done the modifications, will keep you informed if it did the trick or not in my case. :) Still, the Anti-Virus and AMP warning shouldn't be related to this issue. I'm thinking increasing the timeout there might be a workaround.
10-26-2016 11:09 AM
Hello,
I would agree with the above in regards to changing the 'Outstanding Requests' value from 50 down to 5. Keep in mind this is a machine-level setting and you need to perform this on each appliance separately.
Regarding your other question, I do not see anything involving AMP in the alert you posted, only a Sophos timeout warning. Sophos timeouts can be safely ignored if not occurring on a constant basis. All this means is that you received a large and/or complex message and Sophos was not able to complete scanning within the allotted timeframe (120 seconds).
I would definitely not suggest increasing the timeout as that could lead to workqueue backups on the ESA when processing excessive amounts of large emails.
Thanks!
-Dennis M.
10-28-2016 02:10 AM
Thank you Dennis for the support. Indeed, I left the timers as is; that Sophos timeout was one singular alert, but the first problem still exists.
From last evening :), warning from the second appliance:
The Warning message is:
Unable to connect to Cisco Web Security Service.
URL Filtering will not work correctly.
Please verify all network, proxy and firewall settings.
Connection to "v2.sds.cisco.com" failed.
The last error seen on this connection: "Request failed with code: 28 (Operation timed out after 5000 milliseconds with 0 out of -1 bytes received)"
Version: 9.1.2-036
Timestamp: 27 Oct 2016 17:57:23 +0300
10-28-2016 07:12 AM
Hi
For the URL filtering error I would recommend increasing the timeout from 5 to 15 secs as per the below defect.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCus08194/?reffering_site=dumpcr
Also please note that, as per a recent field notice, the threshold for outstanding requests should be changed from 50 to 5.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCux63499/?reffering_site=dumpcr
Both are configured at the machine level from the CLI using command "websecurityadvancedconfig"
Thanks
Libin
10-31-2016 05:02 AM
What would be a side effect of altering the timeout? Isn't it the same story as the Sophos timing? I mean, my primary focus is on fast and correct function of the appliance. After all, I won't mind receiving a warning from time to time as long as it works.
I mean this value, as Libin suggested:
Enter URL lookup timeout (includes any DNS lookup time) in seconds
Wouldn't the 15 sec make it slower in processing URL filtering requests overall?
I found it in the release notes as well: http://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa9-7/ESA_9-7-1_Release_Notes.pdf , regarding the modifications to the server pool used by the URL Reputation feature.
Thanks
Ionut
10-31-2016 05:23 AM
Ionut,
The configuration of websecurityadvancedconfig is as per suggestions from the development teams in order to increase efficiency of the device communication with the URL filtering servers; this would not slow down the processing capability of the appliance itself.
These changes are recommended in order to correct any underlying defects which adversely affect the workqueue processing.
Thanks
Libin
11-15-2016 01:52 AM
Ok Libin, will keep you updated. Committed the changes.
L.E. Two weeks have passed and so far so good, the appliances are working sweet, got rid of the error.
Thank you guys for the kind support!
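
An added example, not part of the thread and not Cisco code: a small Python triage over the alert bodies quoted in the posts above, mapping each alert to the defect IDs the replies cite and flagging categories that recur, which is the "constant basis" question raised for the Sophos timeout. The category names, function names and the `min_count` threshold are assumptions of this example.

```python
import re
from collections import Counter
from datetime import datetime

# Signatures from the alert texts quoted in the thread; category names are this example's own.
SIGNATURES = [
    ("file_reputation_unreachable",
     re.compile(r"File Reputation service is not reachable"), ["CSCuv90803"]),
    ("url_filtering_timeout", re.compile(r'Connection to "(?P<host>[^"]+)" failed'),
     ["CSCus08194", "CSCux63499"]),
    ("sophos_scan_timeout",
     re.compile(r"MID (?P<mid>\d+) antivirus timeout error using engine Sophos"), []),
]
STAMP = re.compile(r"Timestamp:\s*(\d{1,2} \w{3} \d{4} \d{2}:\d{2}:\d{2} [+-]\d{4})")
VERSION = re.compile(r"Version:\s*(\S+)")

def parse_alert(text):
    """Classify one alert body and pull out version, timestamp and details."""
    category, refs, details = "unknown", [], {}
    for name, pattern, defect_ids in SIGNATURES:
        m = pattern.search(text)
        if m:
            category, refs, details = name, defect_ids, m.groupdict()
            break
    ts, ver = STAMP.search(text), VERSION.search(text)
    when = datetime.strptime(ts.group(1), "%d %b %Y %H:%M:%S %z") if ts else None
    return {"category": category, "references": refs, "details": details,
            "version": ver.group(1) if ver else None, "time": when}

def recurring(alerts, min_count=2):
    """Categories seen at least min_count times (threshold is an assumption)."""
    counts = Counter(a["category"] for a in alerts)
    return {c: n for c, n in counts.items() if n >= min_count}

# Alert bodies abridged from the posts above.
SAMPLES = [
    "The File Reputation service is not reachable.\nVersion: 9.6.0-042\n"
    "Timestamp: 31 Aug 2015 17:31:45 +0000",
    'Connection to "v2.sds.cisco.com" failed.\nVersion: 9.1.2-036\n'
    "Timestamp: 26 Oct 2016 16:03:13 +0300",
    "MID 267349 antivirus timeout error using engine Sophos.\nVersion: 9.1.2-036\n"
    "Timestamp: 26 Oct 2016 16:15:23 +0300",
    'Connection to "v2.sds.cisco.com" failed.\nVersion: 9.1.2-036\n'
    "Timestamp: 27 Oct 2016 17:57:23 +0300",
]

if __name__ == "__main__":
    parsed = [parse_alert(s) for s in SAMPLES]
    print([(p["category"], p["references"]) for p in parsed], recurring(parsed))
```

On these samples only the URL filtering timeout recurs; the Sophos timeout appears once, matching the thread's reading of it as a one-off.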