This document describes when a Virtual Email Security Appliance (VESA) is not downloading and applying updates for the Cisco anti-spam engine (CASE) or Sophos and/or McAfee anti-virus, even though the virtual appliance is licensed correctly.
Contributed by Robert Sherwin, Cisco TAC Engineer.
Cisco recommends that you have knowledge of these topics:
The information in this document is based on these software and hardware versions:
VESA, running AsyncOS 8.0.0 and newer
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Virtual ESA is not able to download and apply updates for anti-spam or anti-virus
When updating anti-spam or anti-virus, the processes are not able to reach out and update the service engine or rulesets, even if using an update force command.
One of the following command may have been issued directly from the CLI on the VESA:
> antispamupdate ironport > antispamupdate ironport force > antivirusupdate force
When running tail updater_logs, the errors seen would be similar to the following:
Mon Oct 21 17:48:43 2013 Info: Dynamic manifest fetch failure: Received invalid update manifest response
This is indicating that the dynamic host associated to the update configuration is not able to reach the proper updater manifest correctly. The dynamic host is set within the updateconfig command. The subcommand, dynamichost, is a hidden command with-in updateconfig, as highlighted below:
Enter new manifest hostname : port [update-manifests.sco.cisco.com:443]>
Verify that the appliance is using the correct URL. There are two different dynamic host URLs that are used for customers based on how they are associated through Cisco:
Customer Virtual appliances: ESA, WSA
Customer Physical appliances: ESA, WSA, SMA
Friendlies, Beta Virtual appliances
Friendlies, Beta Physical appliances
Note: Customers should be only using the update-manifests.sco.cisco.com URL, unless they have gained pre-provisioning access through Cisco for beta usage.
Continuing from updateconfig and the dynamichost subcommand, enter in the dynamic host URL as needed, return to the main CLI prompt, and commit changes:
Enter new manifest hostname : port [update-manifests.sco.cisco.com:443]> stage-stg-updates.ironport.com:443 > [HIT RETURN TO GO BACK TO THE MAIN CLI PROMPT]
In order to verify that the appliance is now reaching out to the proper dynamic host, and updates are successful, follow these three steps:
Increase the updater_logs to debug.
Currently configured logs:> logconfig
Log Name Log Type Retrieval Interval --------------------------------------------------------------------------------- 1. antispam Anti-Spam Logs Manual Download None [SNIP FOR BREVITY] 28. updater_logs Updater Logs Manual Download None 29. upgrade_logs Upgrade Logs Manual Download None Choose the operation you want to perform: - NEW - Create a new log. - EDIT - Modify a log subscription. - DELETE - Remove a log subscription. - SETUP - General settings. - LOGHEADERS - Configure headers to log. - HOSTKEYCONFIG - Configure SSH host keys. > edit Enter the number of the log you wish to edit. > 28 [NOTE, log # will be different on a per/appliance basis] Please enter the name for the log: [updater_logs]> Log level: 1. Critical 2. Warning 3. Information 4. Debug 5. Trace > 4 [SNIP FOR BREVITY]
Run a force update on either anti-spam (antispamupdate force) or anti-virus (antivirusupdate force).
myesa.local> antivirusupdate force
Sophos Anti-Virus updates: Requesting forced update of Sophos Anti-Virus.
Finally, tail updater_logs and assure that the appliance is able to reach the dynamichost as indicated:
Mon Oct 21 18:19:12 2013 Debug: Acquiring dynamic manifest from stage-stg-updates.ironport.com:443
Assure that default updateconfig is being used. If the VESA or host is behind a firewall, assure that updates with a static server are in use.
Assure that you can telnet to the dynamic host URL as chosen:
> telnet Please select which interface you want to telnet from. 1. Auto 2. Management (172.16.6.165/24: myesa_2.local) 3. new_data (192.168.1.10/24: myesa.local_data1) > Enter the remote hostname or IP address. > stage-stg-updates.ironport.com Enter the remote port. > 443 Trying 22.214.171.124... Connected to stage-stg-updates.ironport.com. Escape character is '^]'. ^] ["CTRL + ]"] telnet> quit Connection closed.