Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2062
Views
5
Helpful
1
Replies

What is a CPQ ICID

Tony Kilbarger
Level 1
Level 1

‎11-20-2020 01:55 PM

We are in CES and recently upgraded to:

 

C100V
13.5.2-036
25 Sep 2020 00:00 (GMT -04:00)
14 Oct 2020 15:49 (GMT -04:00)

 

We are seeing entries such as these in our mail log indicating rejected connections:

 

Fri Nov 20 14:11:47 2020 Info: New CPQ ICID 668023 interface Data 1 (216.71.147.11) address 192.168.247.27 reverse dns host unknown verified no
Fri Nov 20 14:11:47 2020 Info: ICID 668023 REJECT SG None match ALL SBRS not enabled country not enabled
Fri Nov 20 14:11:47 2020 Info: ICID 668023 close

 

Fri Nov 20 14:13:22 2020 Info: New CPQ ICID 1078445 interface Data 1 (68.232.140.232) address 10.8.235.36 reverse dns host unknown verified no
Fri Nov 20 14:13:22 2020 Info: ICID 1078445 REJECT SG None match ALL SBRS not enabled country not enabled
Fri Nov 20 14:13:22 2020 Info: ICID 1078445 close

 

I have never heard of a CPQ ICID.  It is always these 2 IP's.  They are in a range included in the HAT entry CiscoMonitoring, but not seeming to match successfully:

192.168.247.0/27 None

10.8.235.32/27 None

 

I see other NEW SMTP ICID messages from addresses close to these.

 

Anyone else seeing this?  Can't say it causes issue, I was looking for some rejected IP's and these popped up.

 

Labels:
1 Reply 1

Libin Varghese
Cisco Employee
Cisco Employee

‎11-22-2020 06:15 PM

CPQ stands for Centralized Policy Quarantine and the ICID's represent emails being released from the Policy quarantine on SMA trying to be delivered to the ESA.

 

This issue is commonly seen if centralized services on the ESA were initially enabled to point to SMA with IP X and later the IP on the SMA was changed to Y.

 

To handle released emails from SMA, ESA has an internal listener named "cpq_listener" which can be seen in the downloaded xml configuration file of the ESA. Since ESA was setup to use SMA with IP X it would allow those emails while rejecting emails from the new IP Y.

 

A quick fix would be to download the ESA xml configuration file, locate cpq_listener and add IP Y (here 192.168.247.27 and 10.8.235.36) to the Relaylist right below it if these are legitimate emails and upload it back to the ESA.

 

A single SMA can be used for PVO features so seeing two different IP's would suggest more than one SMA in use trying to release emails to the ESA.

 

Regards,

Libin

0 Helpful
Customers Also Viewed These Support Documents