Warning messages from new vESA

Doug Maxfield
Level 1

Good morning,

We just built up a new vESA for our internal MTA to work with our Cloud ESA. Since building up the vESA, we have been receiving the following message:

The Warning message is: Unable to connect to the Cisco Aggregator Server. Details: Invalid response received.

We have opened up the firewall to allow the server to communicate with aggregator.cisco.com on 443 but still continue to receive the messages. Any ideas what needs to be done to resolve this error message?

Thanks in advance,

Doug

Accepted Solutions

Libin Varghese
Cisco Employee

Hi Doug,

This is due to a known issue that we are facing with the aggregator server.

What will cause this issue is an ESA will be unable to connect to the aggregator due to any number of reasons (for example, the firewall blocking the connection). As soon as this connection is restored, the ESA will request all the data that it missed while it was unable to connect. This can be months of data.

When this ESA queries for the data, this can overflow the aggregator server for a period of time. In this period, if another ESA queries the aggregator server, the aggregator server may not respond in time, causing the alert you are seeing.

Thankfully, this issue doesn't affect mail flow of the ESA. The following is a link to a defect that was opened to require the ESAs to only query for 30 minutes of data at a time:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg39701/

Regards,

Libin Varghese

Libin,

Thanks for the quick response. So basically, as long as I have the site opened up through the firewall, the service will eventually "catch-up" and I will stop seeing this message.

Doug

That is correct. We are taking steps to improve this on the aggregator server and should have a resolution soon.

- Libin V

Are there any updates as to when we might see resolution? I am receiving emails to my devices a few times an hour saying Invalid response received.

Thanks!

+1

No ETA on a fix as of now. Investigation continues.

March 8, 2018. These messages continue to flow in.

1. Is there an ETA now?
2. Is the investigation concluded?

The defect that was discussed on this post shows fixed on Async OS 11.1 for ESA.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg39701/

What Async OS version is the device on?

Could you share the complete error seen?

Have you verified connectivity to the aggregator server using telnet over 443?

Hi @Libin Varghese

Version: 11.0.1-027
Update path: 11.0.2b037 2018-04-20 (MD) is the latest (and only) available release.
Device is C170.

Warning <System> <hostname>: Unable to connect to the Cisco
Aggregator Server.; Details: ...
The Warning message is:
Unable to connect to the Cisco Aggregator Server.
Details: Invalid response received.
Version: 11.0.1-027
Serial Number: <>
Timestamp: 08 May 2018 11:56:39 +0200
To learn more about alerts, please visit our Knowledge Base [...]

From ESA I can telnet just fine to v2.sds.cisco.com and aggregator.cisco.com

<host>> telnet v2.sds.cisco.com 443
Trying 172.110.204.44...
Connected to scasds.vrt.sourcefire.com.
Escape character is '^]'.
^**
HTTP/1.1 403 Forbidden
Server: nginx
Date: Tue, 08 May 2018 11:53:20 GMT
Content-Type: text/plain
Content-Length: 36
Connection: close
ETag: "576d7302-24"
1017: Could not authenticate client
Connection closed by foreign host.

<host>> telnet aggregator.cisco.com 443

Trying 208.90.58.190...
Connected to 208.90.58.190.
Escape character is '^]'.
^*
HTTP/1.1 400 Bad Request
Server: nginx
Date: Tue, 08 May 2018 11:55:01 GMT
Content-Type: text/html
Content-Length: 166
Connection: close

<html>
<head><title>400 Bad Request</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<hr><center>nginx</center>
</body>
</html>
Connection closed by foreign host.



--K
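
A triage sketch for the alert discussed in this thread, added here as an example and not part of any post or of Cisco's tooling: it parses alert bodies in the layout quoted above and separates those matching the thread's description of CSCvg39701 (aggregator alert, "Invalid response received", AsyncOS before 11.1) from those that still call for a connectivity check. The sample alerts, the `11.1.0-000` version string and all function names are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

FIXED_IN = (11, 1)  # AsyncOS release the thread reports as carrying the CSCvg39701 fix
# Constructed sample alerts in the layout quoted above; 11.1.0-000 is a made-up version.
SAMPLE = """\
The Warning message is:
Unable to connect to the Cisco Aggregator Server.
Details: Invalid response received.
Version: 11.0.1-027
Timestamp: 08 May 2018 11:56:39 +0200

The Warning message is:
Unable to connect to the Cisco Aggregator Server.
Details: Invalid response received.
Version: 11.0.1-027
Timestamp: 08 May 2018 12:21:05 +0200

The Warning message is:
Unable to connect to the Cisco Aggregator Server.
Details: Invalid response received.
Version: 11.1.0-000
Timestamp: 08 May 2018 12:40:00 +0200
"""
ALERT_RE = re.compile(
    r"The Warning message is:\s*\n(?P<msg>.+)\nDetails: (?P<details>.+)\n"
    r"Version: (?P<version>\S+)\n(?:Serial Number: .*\n)?Timestamp: (?P<ts>.+)")

def parse_alerts(text):
    """Return one dict per alert body found in text."""
    alerts = []
    for m in ALERT_RE.finditer(text):
        a = m.groupdict()
        a["when"] = datetime.strptime(a["ts"].strip(), "%d %b %Y %H:%M:%S %z")
        # Compare on major.minor only: "11.0.1-027" -> (11, 0)
        a["release"] = tuple(int(p) for p in re.findall(r"\d+", a["version"])[:2])
        alerts.append(a)
    return alerts

def triage(alert):
    """Label an alert using only what the thread states about the defect."""
    if "Cisco Aggregator Server" not in alert["msg"]:
        return "other"
    if alert["details"].startswith("Invalid response") and alert["release"] < FIXED_IN:
        return "known-defect"   # matches the thread: no mail-flow impact, upgrade
    return "investigate"        # fixed release or different detail: check the path

def summary(text):
    """Count alerts per triage label."""
    return Counter(triage(a) for a in parse_alerts(text))
```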