Troubleshoot a Corner Case of the Error "Unable to Retrieve SBRS"

Available Languages

Download Options

  • PDF     (32.8 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (83.9 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (69.4 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:March 18, 2025
Document ID:222840

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes a corner case encountered for the "Unable to retrieve SBRS" error on the Email Security Appliance (ESA).

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • Cisco Secure Email Appliance

    Components Used

    The information in this document is based on these software and hardware versions:

    • Cisco Secure Email Appliance

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Background Information

    ESA fails to retrieve SBRS score for all the sender IP addresses. Connection to Cisco Cloud servers on port 443 (HTTPS) fails with TLS errors.

    Sender Base Reputation Scores(SBRS) are scores that are assigned to IP addresses based on a combination of factors, including email volume and reputation.

    Problem

    The ESA appliance is unable to retrieve the SBRS score, causing email delays. Despite successful connectivity to the SBRS and SDR servers, the appliance fails to update components, and the command sdrdiagnostics displays a connection status of "Not Connected" to the Cisco Sender Domain Reputation Service.

    Solution

    SBRS server connectivity fails because of an expired internal certificate. The ESA is designed to automatically renew this certificate. However, in rare instances, connectivity issues with update/download servers prevent the ESA from renewing it automatically, resulting in TLS errors. The appliance must connect to the update servers in order to allow the internal certificate to update:

    • update-manifests.ironport.com on port 443
    • updates.ironport.com on port 80
    • downloads.ironport.com on port 80
    note-icon

    Note: Run sdrdiagnostics from the command line. A connected state confirms the connectivity.

    Related Information

    Revision History

    Revision Publish Date Comments
    1.0
    18-Mar-2025
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Abhishek Kumar
      Technical Consulting Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products