Introduction
This document describes a corner case encountered for the "Unable to retrieve SBRS" error on the Email Security Appliance (ESA).
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- Cisco Secure Email Appliance
Components Used
The information in this document is based on these software and hardware versions:
- Cisco Secure Email Appliance
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Background Information
The ESA fails to retrieve the SBRS score for all sender IP addresses. Connections to Cisco Cloud servers on port 443 (HTTPS) fail with TLS errors.
Sender Base Reputation Scores (SBRS) are scores assigned to IP addresses based on a combination of factors, including email volume and reputation.
Problem
The ESA appliance is unable to retrieve the SBRS score, causing email delays. Despite successful connectivity to the SBRS and SDR servers, the appliance fails to update components, and the command sdrdiagnostics displays a connection status of "Not Connected" to the Cisco Sender Domain Reputation Service.
Solution
SBRS server connectivity fails because of an expired internal certificate. The ESA is designed to automatically renew this certificate. However, in rare instances, connectivity issues with update/download servers prevent the ESA from renewing it automatically, resulting in TLS errors. The appliance must connect to the update servers in order to allow the internal certificate to update:
- update-manifests.ironport.com on port 443
- updates.ironport.com on port 80
- downloads.ironport.com on port 80
Note: Run sdrdiagnostics from the command line. A connected state confirms the connectivity.
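The following script is an added example, not Cisco tooling or part of the original document. It probes the three update endpoints listed above and classifies each failure, so a firewall drop can be told apart from a DNS or routing problem. It assumes it is run from a host that shares the appliance's egress path (same firewall and routing rules); the function and status names are this example's own. A "reachable" result only shows the network path is open, and sdrdiagnostics on the appliance remains the confirmation of service connectivity.

```python
import socket

# Hosts and ports exactly as listed in the Solution section above.
UPDATE_ENDPOINTS = [
    ("update-manifests.ironport.com", 443),
    ("updates.ironport.com", 80),
    ("downloads.ironport.com", 80),
]

def probe(host, port, timeout=5.0):
    """TCP-connect to host:port and classify the outcome.

    Status values (names chosen for this example):
      reachable - three-way handshake completed
      dns       - name did not resolve (check the resolver path)
      refused   - RST received (host up, port closed or actively rejected)
      timeout   - no answer (typical of a silent firewall drop)
      error     - any other socket error, e.g. no route to host
    """
    result = {"host": host, "port": port, "status": "error", "detail": ""}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result["status"] = "reachable"
            result["detail"] = "connected to %s" % sock.getpeername()[0]
    except socket.gaierror as exc:
        result["status"], result["detail"] = "dns", str(exc)
    except ConnectionRefusedError as exc:
        result["status"], result["detail"] = "refused", str(exc)
    except socket.timeout as exc:
        result["status"], result["detail"] = "timeout", str(exc)
    except OSError as exc:
        result["detail"] = str(exc)
    return result

def blocked(results):
    """Return the endpoints that did not complete a TCP connection."""
    return [(r["host"], r["port"]) for r in results if r["status"] != "reachable"]

if __name__ == "__main__":
    results = [probe(h, p) for h, p in UPDATE_ENDPOINTS]
    for r in results:
        print("%-32s %-4d %-9s %s" % (r["host"], r["port"], r["status"], r["detail"]))
    # Non-zero exit when any endpoint is unreachable, for use in monitoring jobs.
    if blocked(results):
        raise SystemExit(1)
```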