Upgrade failure

r.harris
Level 1

Hi experts,

I am deploying a new WSA, but seem unable to upgrade AsyncOS - when I check for available upgrades, I receive the following error:

Error: Failure downloading upgrade list.

Everything else seems to be OK - I have time via the default NTP servers, checks for new feature keys return a success, policy trace returns what I would expect.

I have noticed that the feature keys the client purchased are listed as Active with 30 days remaining and an expiration date of Dormant.

Does the appliance license need to be activated? I can't seem to locate a Claim Certificate to find the PAK...

Thanks.

6 Replies

They don't do PAKs on the Ironport boxes. The keys are typically downloaded, but you'll often get them via email too.

Start banging on the reseller and local Cisco rep.

Have been hounding the distributor, but they just keep regurgitating the Smartnet contract details.

A check for new feature keys results in no new keys available.

According to the license activation document at:

http://www.cisco.com/en/US/services/ps10436/ps11169/ironport-sw-license-activation-key-process.pdf

"Perpetual licenses purchased with the initial appliance purchase are shipped preactivated "

The client has purchased a 12-month license in this instance, so I assume the above does not apply (as it is not perpetual)?

We (the reseller) have not received any email from the distributor with an activation key nor PAK.

Can someone confirm whether this device is properly licensed? "Dormant" in expiration date field suggests not...

kussriva
Level 1

Hi,

Please refer to

https://ironport.custhelp.com/app/answers/detail/a_id/1138 and make sure the issue is not related to the issues in the doc.

For further assistance on pre-production issues, you can open a case at http://www.cisco.com/web/partners/tools/pdihd.html

Regards,

Kush

Cisco PDI Help Desk

http://www.cisco.com/go/pdihelpdesk

Thanks Kush.

It does not appear to be DNS related. Authentication failure with manifest server:

-------------------------------------------------------------------------------------------------------

proxy.local> nslookup downloads.ironport.com

A=61.9.193.214 TTL=30m
A=61.9.193.134 TTL=30m
proxy.local> upgrade

Important: After upgrading, you cannot revert to a previous
version of the Web Security appliance. Cisco IronPort strongly
recommends you review the release notes to identify changes to
the Web Security appliance in the latest version. Do you want
to continue with the upgrade? [Y]>

Failure downloading upgrade list: Failed to authenticate with manifest server

-------------------------------------------------------------------------------------------------------

I have a single-leg deployment (intending to use WCCP on ASA) and have only the M1 interface connected. I note the not-particularly-helpful statement in the KB article "the P1 interface may be the correct interface to use for upgrades" and will switch over to P1 next time I am onsite.

I would be appreciative if you could answer the above question relating to the licensing status of the appliance - "Dormant" cannot be right.

Thanks again.

Hi,

The status Dormant means that the feature is currently not being used by the device, e.g. as the HTTPS Proxy status shows Dormant, this generally means that the device is currently not using this feature.

Regarding the Upgrade issue, I would request you to make sure the following ports are not being blocked by the firewall:

Firewall Ports:

Port          Protocol  In/Out     Hostname use                         Description
====================================================================================
20/21         TCP       In or out  AsyncOS IPs, FTP server              FTP for aggregation of log files.
22            TCP       In         AsyncOS IPs                          SSH access to the CLI, aggregation of log files.
22            TCP       Out        SCP server                           SCP push to log server.
23            Telnet    In         AsyncOS IPs                          Telnet access to the CLI.
23            Telnet    Out        Telnet server                        Telnet upgrades.
25            TCP       Out        Any                                  SMTP to send email.
25            TCP       In         AsyncOS IPs                          SMTP to receive bounced email or if injecting email from outside firewall.
80            TCP       In or out  AsyncOS IPs, downloads.ironport.com  HTTP access to the GUI for system monitoring. AsyncOS and Sophos upgrades are retrieved via HTTP from port 80.
82            HTTP      In         AsyncOS IPs                          Used for viewing the IronPort Spam Quarantine.
83            HTTPS     In         AsyncOS IPs                          Used for viewing the IronPort Spam Quarantine.
53            UDP/TCP   Out        DNS servers                          DNS if configured to use Internet root servers or other DNS servers outside the firewall. Also for SenderBase
110           TCP       Out        POP server                           POP authentication for end users for IronPort Spam Quarantine.
123           UDP       Out        NTP server                           NTP if time servers are outside firewall.
143           TCP       Out        IMAP server                          IMAP authentication for end users for IronPort Spam Quarantine.
161           UDP       In         AsyncOS IPs                          SNMP queries.
162           UDP       Out        Management station                   SNMP traps.
389 or 3268   LDAP      Out        LDAP servers                         LDAP if LDAP directory servers are outside firewall. LDAP authentication for IronPort Spam Quarantine.
636 or 3269   LDAPS     Out        LDAPS                                LDAPS ActiveDirectory's global catalog server.
443           TCP       In         AsyncOS IPs                          Secure HTTP (https) access to the GUI for system monitoring.
443           TCP       Out        update manifests, ironport.com       Verify the latest files for the update server.
443           TCP       Out        phonehome.senderbase.org             Receive/send Virus Outbreak Filters.
514           UDP/TCP   Out        Syslog server                        Syslog logging.
2222          CCS       In/Out     AsyncOS IPs                          Cluster Communication Service (for centralized management).
6025          TCP       In/Out     AsyncOS IPs                          Send IronPort Spam Quarantine data to the Security Management appliance if the external IronPort Spam Quarantine is enabled.

If it still fails, please try to use the recommended P1 interface and then try to do the upgrade.

Regards,

Kush
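
Added example, not part of the thread or of any Cisco tooling: a small Python check, run from a host behind the same firewall policy as the appliance, that separates DNS failure, a filtered port and a refused connection for the outbound flows in the table above. The function names and the `UPGRADE_FLOWS` list are assumptions; only hostnames printed in the table are included, and the update manifest server (TCP 443) has to be added by hand.

```python
import socket

# Outbound flows copied from the port table above. Add the update manifest
# server (TCP 443) with the hostname from your appliance documentation.
UPGRADE_FLOWS = [
    ("downloads.ironport.com", 80),
    ("phonehome.senderbase.org", 443),
]


def check_flow(host, port, resolve=socket.gethostbyname,
               connect=socket.create_connection, timeout=5.0):
    """Return (status, detail) for one outbound TCP flow."""
    try:
        addr = resolve(host)
    except OSError as exc:            # socket.gaierror is an OSError
        return "dns_failure", str(exc)
    try:
        conn = connect((addr, port), timeout)
    except ConnectionRefusedError:    # RST received: host reachable, port closed
        return "refused", addr
    except socket.timeout:            # no answer: usually a firewall drop
        return "filtered", addr
    except OSError as exc:            # no route, network unreachable, ...
        return "unreachable", f"{addr}: {exc}"
    conn.close()
    return "open", addr


def diagnose(flows=UPGRADE_FLOWS, **kwargs):
    """Check every flow; network_ok is True only if all of them connect."""
    results = {f"{h}:{p}": check_flow(h, p, **kwargs) for h, p in flows}
    network_ok = all(status == "open" for status, _ in results.values())
    return results, network_ok


if __name__ == "__main__":
    results, network_ok = diagnose()
    for flow, (status, detail) in results.items():
        print(f"{flow:35} {status:12} {detail}")
    # All flows open while the appliance still reports an authentication
    # failure points away from the firewall and toward the appliance side.
    print("transport path OK" if network_ok else "fix network path first")
```

The result reflects the path from the test host only; an appliance that sends upgrade traffic out of a different interface (M1 versus P1) can still take a different route.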

Ah - OK, thanks.

Yeah I saw the firewall requirements - right now I have a static NAT and a PERMIT IP ANY ANY for this host.

I'll try the P1 port.