Follow these steps to check connectivity:
1. Log in to the CLI of the WSA.
2. Enter the logconfig command.
3. Enter the hostkeyconfig command.
4. Enter the scan command.
5. Enter the CTA server hostname: etr.cloudsec.sco.cisco.com
6. Choose All when asked for the SSH protocol type.
7. Enter Y when asked whether the CTA host key should be added.
Note: If you receive the below log, it means the DNS server is unable to resolve etr.cloudsec.sco.cisco.com. This has nothing to do with the CTA configuration. You must resolve the DNS issue from the DNS server, or you can add a new local IP to host mapping from the CLI > dnsconfig > local hosts > new
Log Error: Push error for subscription CTAlog: Failed to connect to etr.cloudsec.sco.cisco.com: DNS Soft Error looking up etr.cloudsec.sco.cisco.com (A)
also, lets try these to make sure the DNS resolution is working correctly
telnet etr.cloudsec.sco.cisco.com 22
ping etr.cloudsec.sco.cisco.com
nslookup etr.cloudsec.sco.cisco.com
from my PC, I am resolving multiple deferent IP from My network, check from a another system in your Network to see if the Name resolution is working correctly