Cisco Email Security Appliance

Content Security Techsupport Tunnel FAQ

Document ID: 117873

Updated: Dec 08, 2015

Contributed by Chris Haag, Cisco TAC Engineer.



This document provides answers to frequently asked questions about the use of Techsupport Tunnels on Cisco Content Security appliances.



Cisco recommends that you have knowledge of these topics:

  • Cisco Email Security Appliance (ESA)
  • Cisco Web Security Appliance (WSA)
  • Cisco Security Management Appliance (SMA)
  • AsyncOS

Components Used

The information in this document is based on the Cisco Content Security appliances that run any version of AsyncOS.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

What are Techsupport Tunnels?

Techsupport tunnels are Secure Shell (SSH) connections that are created from a Cisco Content Security appliance to a bastion host at Cisco Content Security headquarters. Tunnels allow Cisco Customer Support and Applications Engineers to analyze a system and make repairs.

How do Techsupport Tunnels work?

The Techsupport Tunnel works through most firewalls without modification. When the tunnel connection initiates, the appliance makes an SSH connection from a random high-source port to the specified port of one of these Cisco secured servers:

  • - for older AsyncOS builds
  • - for older AsyncOS builds
  • - for C-Series appliances/ESA
  • - for X-Series appliances/ESA
  • - for M-Series appliances/SMA
  • - for S-Series appliances/WSA 

The ports that are available on the Cisco secured-tunnel servers are 22, 25, 53, 80, 443, and 4766. Since the connection is made to the hostname rather than a hard-coded IP address, an active Domain Name Server (DNS) is required in order to establish the tunnel.

Some protocol-aware devices block the connection due to the protocol/port mismatch and some Simple Mail Transport Protocol (SMTP)-aware devices interrupt the connection. In cases where there are protocol-aware devices or outbound connections that are blocked, the use of a port other than the default (25) might be required. Access to the remote end of the tunnel is restricted to only the Cisco Customer Support and Applications Engineers.

Note: When a Cisco Support or Applications Engineer is connected to the tunnel, the system prompt on the appliance includes (SERVICE).

Tip: The tunnels automatically attempt to reestablish themselves, such as when a network outage occurs or when the appliance is rebooted.

How do I establish a Techsupport Tunnel?

In order to establish a Techsupport Tunnel connection via the appliance CLI as an admin user, complete these steps:

  1. Enter the techsupport command.

  2. Choose Tunnel.

  3. Complete the prompts.

Note: When you enable a tunnel, you must enter a temporary password and provide it to the Cisco Customer Support Engineer. This password is not used directly, but is used in order to generate a machine-specific password.

In order to establish a tunnel from the appliance admin GUI, complete these steps:

  1. Navigate to System Administration > Remote Access.

  2. Ensure that you check both the Allow remote access to this appliance and Initiate connection via secure tunnel check boxes.

  3. Submit the form.

It is important to note that any firewall must be configured in order to allow outbound connections to If your firewall has SMTP protocol inspection enabled, the tunnel does not establish. In these situations, you must specify an alternative port. Choose the most suitable port from this list:

  • 22
  • 53
  • 80
  • 443
  • 4766

Note: Port 25 is used as the default destination port.

Tip: In order to disable the tunnel when it is no longer required, enter the techsupport command and choose Disable.

How can I test the Techsupport Tunnel for connectivity?

Use this example in order to perform an initial test for connectivity through your firewall:

> telnet 25

Connected to
Escape character is '^]'.
SSH-2.0-OpenSSH_6.2 CiscoTunnels1
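The telnet check above verifies one port by hand. The script below is an added example for this FAQ, not a Cisco tool: it walks the default port (25) and the alternative ports the FAQ lists, reads the first line each one returns, and distinguishes a real SSH banner from an SMTP greeting injected by an SMTP-aware inspection device, an empty reply, or no connection at all. TUNNEL_HOST is a placeholder; substitute the Cisco tunnel server hostname your appliance uses. The loopback helper at the end is a constructed fixture so the probe can be exercised offline.

```python
"""Probe the candidate Techsupport Tunnel ports and report which one
delivers an SSH banner through the firewall.

Added example for this FAQ, not Cisco's own tooling. TUNNEL_HOST is a
placeholder: substitute the Cisco tunnel server hostname the appliance
uses (see the list above).
"""
import socket
import threading

# The FAQ's default port (25) first, then the alternatives it lists.
CANDIDATE_PORTS = (25, 22, 53, 80, 443, 4766)
TUNNEL_HOST = "tunnel.example.invalid"  # placeholder, not a real Cisco hostname


def classify_banner(data: bytes) -> str:
    """Classify the first bytes the remote end sent.

    'ssh'     - an SSH identification string; the tunnel can establish.
    'smtp'    - an SMTP greeting/reply; an SMTP-aware device (proxy or
                inspection engine) answered instead of the tunnel server.
    'empty'   - the connection opened but nothing arrived (silent
                inspection or an idle intercept); the tunnel is unlikely
                to establish on this port.
    'unknown' - something else answered on this port.
    """
    text = data.decode("ascii", errors="replace").strip()
    if not text:
        return "empty"
    first_line = text.splitlines()[0]
    if first_line.startswith("SSH-"):
        return "ssh"
    # SMTP replies start with a three-digit code: "220 mx ESMTP", "554-...".
    if len(first_line) >= 3 and first_line[:3].isdigit() and first_line[3:4] in ("", " ", "-"):
        return "smtp"
    return "unknown"


def probe_port(host: str, port: int, timeout: float = 5.0) -> dict:
    """Open a TCP connection, read the server's first bytes, classify them."""
    result = {"port": port, "status": None, "banner": ""}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                data = sock.recv(256)
            except socket.timeout:
                data = b""  # connected, but the peer stayed silent
    except OSError as exc:  # DNS failure, refused, filtered, timeout
        result["status"] = "no-connection"
        result["banner"] = str(exc)
        return result
    result["banner"] = data.decode("ascii", errors="replace").strip()
    result["status"] = classify_banner(data)
    return result


def find_usable_port(host: str, ports=CANDIDATE_PORTS, timeout: float = 5.0):
    """Return the first port that yields an SSH banner, plus every probe result."""
    results = [probe_port(host, p, timeout) for p in ports]
    usable = next((r["port"] for r in results if r["status"] == "ssh"), None)
    return usable, results


def serve_banner_once(banner: bytes) -> int:
    """Constructed test fixture: a loopback listener that sends `banner`
    to a single client and then closes. Returns the port it listens on."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)

    def handler():
        conn, _ = listener.accept()
        with conn:
            conn.sendall(banner)
        listener.close()

    threading.Thread(target=handler, daemon=True).start()
    return listener.getsockname()[1]


if __name__ == "__main__":
    port, results = find_usable_port(TUNNEL_HOST)
    for r in results:
        print(f"port {r['port']:>4}: {r['status']:<13} {r['banner'][:60]}")
    print("usable port:", port if port else "none (check firewall rules / SMTP inspection)")
```

Run it from a host on the same network segment as the appliance so it sees the same firewall path. A port that reports `smtp` is the SMTP-inspection case the FAQ describes: choose one of the alternative ports that reports `ssh` when you configure the tunnel.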

Why does the Techsupport Tunnel not work on the Security Management Appliance (SMA)?

The tunnel does not work when the SMA is placed in the local network without direct Internet access on the ports listed above; in that case the Techsupport Tunnel cannot establish. Instead, enable the Techsupport Tunnel on an ESA and enable SSH access on the SMA. Cisco Support then connects through the Techsupport Tunnel to the ESA and from the ESA via SSH to the SMA, which requires connectivity between the ESA and the SMA on port 22.

Establish SSH Access via the SMA CLI as an Admin User

  1. Enter the techsupport command.

  2. Choose SSHACCESS.

  3. Complete the prompts.

Note: Once enabled, provide Cisco Support the serial number of the ESA and SMA as well as the service password. 
