Solved: WSA IRONPORT AsyncOS upgrade not working

FrejusMA · ‎06-13-2023

Hello team

I am trying to upgrade my WSA to a new AsyncOS version (currently using version 14-5-0-537), unfortunately when we tried to upgrade from the GUI we have the error message "couldn't connect to the manifest server" even though the WSA can successfully telnet to the manifest servers (update-manifests.ironport.com & updates-static.ironport.com) on both port 80 and 443. I tried to download the package from the url http://updates.ironport.com/fetch_manifest.html and put it on a local web server. But I'am having tremendous difficulties to access the URL. Am I the only one? Is there any other way to download the package!?

Please help !!!!!!!!!!

Ken Stieers · ‎06-15-2023

at this point, I'd open a TAC case... I'm having issues getting it too...

View solution in original post

FrejusMA · ‎06-20-2023

Hi everyone

I have reached out to the TAC and it turns out that I didn't have a VLN, Virtual License Number which is mendatory to perfrom update and upgrade activities. They generated a VLN and I load it via CLI with the command loadlicense, After that I was able to perform my upgrade.

Thanks for all your reply

View solution in original post

fw_mon · ‎06-13-2023

Hello @FrejusMA

do you have a split routing (separate management and data routing)? If yes, check which is used for update/upgrade, try to switch and try again.

If still not working, try to create a packet capture on each interfaces with a filter "host update-manifests.ironport.com or host updates-static.ironport.com" and also with "port 53 or icmp"

FrejusMA · ‎06-14-2023

Hello @fw_mon

Thanks for for your feedback

Yes I have done that, currently on the management. But is there anyway to get this image anywhere on the internet!?

Ken Stieers · ‎06-14-2023

You can do a local download load server via instructions here:
https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117804-technote-wsa-00.html

FrejusMA · ‎06-15-2023

Hello @Ken Stieers

Thanks for your interest to my issue.

This is actually the same exact guide/instructions I've followed but I cannot download the file.

When I enter my virtual appliance info, it gives me my upgrade path, I launch the download but it just stopped with network error. I thought this was an office network issue but it's not as I tried on a different network (my home Wi-Fi for instance) and I'm having the same issue, download start and stop right after.

Thanks for your help !!!

Ken Stieers · ‎06-15-2023

at this point, I'd open a TAC case... I'm having issues getting it too...

amojarra · ‎06-17-2023

Hello @FrejusMA

you can check Upgrade logs to have more insight of what is the Error.

if you you see the Error right after to start download please verify:

[1] from Upgradelogs you can see what is the exact URL which WSA is trying to connect, also the protocol (HTTP/HTTPS)

to do this from CLI type grep and choose the number associated with : "upgrade_logs" Type: "Upgrade Logs" Retrieval: FTP Poll

[2] from CLI type telnet

Choose your interface (not the Auto please) and add the URL and type port 443 to make sure you have access

[3] check TLS version in your WSA, make sure TLSv1.2 is enabled for updater

to do this from CLI > sslconfig > version > see if for Updater TLSv1.2 is enabled.

[4] also it is good to check free disk space for NextRoot partition from CLI > type ipcheck

please note that ipcheck is a hidden command.

since you mentioned the Error in GUI is "couldn't connect to the manifest server", most probably item number 4 is not the issue, Im just posting this here for further use maybe.

Regards,

Amirhossein Mojarrad

+++++++++++++++++++++++++++++++++++++++++++++++++++

++++ If you find this answer helpful, please rate it as such ++++

+++++++++++++++++++++++++++++++++++++++++++++++++++

Regards,
Amirhossein Mojarrad
+++++++++++++++++++++++++++++++++++++++++++++++++++
++++ If you find this answer helpful, please rate it as such ++++
+++++++++++++++++++++++++++++++++++++++++++++++++++

FrejusMA · ‎06-20-2023

Hi everyone

I have reached out to the TAC and it turns out that I didn't have a VLN, Virtual License Number which is mendatory to perfrom update and upgrade activities. They generated a VLN and I load it via CLI with the command loadlicense, After that I was able to perform my upgrade.

Thanks for all your reply