
Cisco Email Security Appliance

Virtual ESA is not able to download and apply updates for anti-spam or anti-virus

Document ID: 118065

Updated: Jul 24, 2014

Contributed by Robert Sherwin, Cisco TAC Engineer.


Introduction

This document describes a problem in which a Virtual Email Security Appliance (VESA) does not download and apply updates for the Cisco anti-spam engine (CASE) or Sophos and/or McAfee anti-virus, even though the virtual appliance is licensed correctly.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

  • ESA
  • VESA
  • AsyncOS

Components Used

The information in this document is based on these software and hardware versions:

  • VESA, running AsyncOS 8.0.0 and newer

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Virtual ESA is not able to download and apply updates for anti-spam or anti-virus

When anti-spam or anti-virus updates run, the update processes are not able to reach out and update the service engine or rulesets, even when a forced update command is used.

One of the following commands may have been issued directly from the CLI on the VESA:

> antispamupdate ironport
> antispamupdate ironport force
> antivirusupdate force

When you run tail updater_logs, the errors are similar to the following:

Mon Oct 21 17:48:43 2013 Info: Dynamic manifest fetch failure: Received invalid update manifest response

This indicates that the dynamic host associated with the update configuration is not able to reach the proper updater manifest. The dynamic host is set within the updateconfig command. The dynamichost subcommand is a hidden command within updateconfig, as shown below:

myesa.local> updateconfig
Service (images): Update URL:
------------------------------------------------------------------------------
Feature Key updates http://downloads.ironport.com/asyncos
McAfee Anti-Virus definitions Cisco IronPort Servers
RSA DLP Engine Updates Cisco IronPort Servers
PXE Engine Updates Cisco IronPort Servers
Sophos Anti-Virus definitions Cisco IronPort Servers
IronPort Anti-Spam rules Cisco IronPort Servers
Intelligent Multi-Scan rules Cisco IronPort Servers
Outbreak Filters rules Cisco IronPort Servers
Timezone rules Cisco IronPort Servers
Cisco IronPort AsyncOS upgrades Cisco IronPort Servers
IMS Secondary Service rules Cisco IronPort Servers
Service (list): Update URL:
------------------------------------------------------------------------------
McAfee Anti-Virus definitions Cisco IronPort Servers
RSA DLP Engine Updates Cisco IronPort Servers
PXE Engine Updates Cisco IronPort Servers
Sophos Anti-Virus definitions Cisco IronPort Servers
IronPort Anti-Spam rules Cisco IronPort Servers
Intelligent Multi-Scan rules Cisco IronPort Servers
Outbreak Filters rules Cisco IronPort Servers
Timezone rules Cisco IronPort Servers
Service (list): Update URL:
------------------------------------------------------------------------------
Cisco IronPort AsyncOS upgrades Cisco IronPort Servers
Update interval: 5m
Proxy server: not enabled
HTTPS Proxy server: not enabled
Choose the operation you want to perform:
- SETUP - Edit update configuration.
[]> dynamichost

Enter new manifest hostname : port
[update-manifests.sco.cisco.com:443]>

Verify that the appliance is using the correct URL. There are two different dynamic host URLs that are used for customers based on how they are associated through Cisco:

  • update-manifests.sco.cisco.com:443
      - Customer Virtual appliances: ESA, WSA
      - Customer Physical appliances: ESA, WSA, SMA
  • stage-stg-updates.ironport.com:443
      - Friendlies, Beta Virtual appliances
      - Friendlies, Beta Physical appliances

Note: Customers should use only the update-manifests.sco.cisco.com URL, unless they have gained pre-provisioning access through Cisco for beta usage.

Continuing from updateconfig and the dynamichost subcommand, enter the dynamic host URL as needed, return to the main CLI prompt, and commit the changes:

Enter new manifest hostname : port
[update-manifests.sco.cisco.com:443]> stage-stg-updates.ironport.com:443
[]> [HIT RETURN TO GO BACK TO THE MAIN CLI PROMPT]

myesa.local> commit


Verification

In order to verify that the appliance now reaches the proper dynamic host and that updates are successful, follow these three steps:

  • Increase the updater_logs log level to Debug.
> logconfig

Currently configured logs:

Log Name Log Type Retrieval Interval
---------------------------------------------------------------------------------
1. antispam Anti-Spam Logs Manual Download None
[SNIP FOR BREVITY]
28. updater_logs Updater Logs Manual Download None
29. upgrade_logs Upgrade Logs Manual Download None
Choose the operation you want to perform:
- NEW - Create a new log.
- EDIT - Modify a log subscription.
- DELETE - Remove a log subscription.
- SETUP - General settings.
- LOGHEADERS - Configure headers to log.
- HOSTKEYCONFIG - Configure SSH host keys.
[]> edit
Enter the number of the log you wish to edit.
[]> 28 [NOTE, log # will be different on a per/appliance basis]
Please enter the name for the log:
[updater_logs]>
Log level:
1. Critical
2. Warning
3. Information
4. Debug
5. Trace
[3]> 4
[SNIP FOR BREVITY]

myesa_2.local> commit 
  • Run a force update on either anti-spam (antispamupdate force) or anti-virus (antivirusupdate force).
myesa.local> antivirusupdate force

Sophos Anti-Virus updates:
Requesting forced update of Sophos Anti-Virus.
  • Finally, tail updater_logs and ensure that the appliance is able to reach the dynamichost as indicated:
Mon Oct 21 18:19:12 2013 Debug: Acquiring dynamic manifest from stage-stg-updates.ironport.com:443
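
The following Python example is added here and is not Cisco code: it scans exported updater_logs lines for the manifest failure and the Debug-level acquire message quoted above, and flags any dynamic host other than the expected one. The function name, the report keys and the third sample line are assumptions made for illustration.

```python
import re
from datetime import datetime

PRODUCTION_HOST = "update-manifests.sco.cisco.com:443"  # customer host named on this page

# Layout of the two updater_logs lines quoted on this page: timestamp, level, message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (?P<level>\w+): (?P<msg>.*)$"
)
ACQUIRE_RE = re.compile(r"^Acquiring dynamic manifest from (?P<host>\S+)$")
FAILURE_PREFIX = "Dynamic manifest fetch failure"

# First two lines are quoted from this page; the third is constructed for the example.
SAMPLE_LINES = [
    "Mon Oct 21 17:48:43 2013 Info: Dynamic manifest fetch failure: "
    "Received invalid update manifest response",
    "Mon Oct 21 18:19:12 2013 Debug: Acquiring dynamic manifest from "
    "stage-stg-updates.ironport.com:443",
    "Mon Oct 21 18:24:12 2013 Debug: Acquiring dynamic manifest from "
    "update-manifests.sco.cisco.com:443",
]


def audit_updater_log(lines, expected_host=PRODUCTION_HOST):
    """Collect manifest failures and dynamic hosts seen (hypothetical helper)."""
    report = {"failures": [], "hosts_seen": [], "unexpected_hosts": [], "last_event": None}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or unrecognised line
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        msg = m["msg"]
        if msg.startswith(FAILURE_PREFIX):
            report["failures"].append((ts, msg))
            report["last_event"] = "failure"
        elif (acq := ACQUIRE_RE.match(msg)):
            host = acq["host"].lower()
            if host not in report["hosts_seen"]:
                report["hosts_seen"].append(host)
            if host != expected_host and host not in report["unexpected_hosts"]:
                report["unexpected_hosts"].append(host)
            report["last_event"] = "acquire"
    return report


if __name__ == "__main__":
    result = audit_updater_log(SAMPLE_LINES)
    print("failures:", len(result["failures"]))
    print("unexpected dynamic hosts:", result["unexpected_hosts"])
```

The acquire message is logged at Debug level, so it is present only after updater_logs has been raised to Debug as in the first verification step.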

Troubleshooting

  1. Ensure that the default updateconfig is being used. If the VESA or host is behind a firewall, ensure that updates with a static server are in use.
  2. Ensure that you can telnet to the dynamic host URL as chosen:
> telnet
Please select which interface you want to telnet from.
1. Auto
2. Management (172.16.6.165/24: myesa_2.local)
3. new_data (192.168.1.10/24: myesa.local_data1)
[1]>
Enter the remote hostname or IP address.
[]> stage-stg-updates.ironport.com
Enter the remote port.
[25]> 443
Trying 208.90.58.24...
Connected to stage-stg-updates.ironport.com.
Escape character is '^]'.
^] ["CTRL + ]"]
telnet> quit
Connection closed.

 
