Troubleshoot vESA Unable to Download and Apply Antispam or Antivirus Updates

Available Languages

Download Options

  • PDF     (29.1 KB)
    View with Adobe Reader on a variety of devices
Updated:February 21, 2026
Document ID:118065

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes why vESA fails to update antispam or antivirus engines, despite having valid licensing.

    Prerequisites and Warnings

    Requirements

    Ensure familiarity with these products and concepts:

    • Email Security Appliance (ESA)
    • vESA, virtual Web Security Appliance (vWSA), virtual Security Management Appliance (vSMA)
    • AsyncOS

    Components Used

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Important Notes

    • Hardware appliances (C190, C195, C390, C395, C690, and C695) must use the dynamic host URL update-manifests.ironport.com:443 only.
    • Only use staging update server URLs if Cisco has provisioned access for Beta usage. Without a valid Beta license, updates will not be received from staging servers.
    • In cluster configurations with both ESA and vESA, configure updateconfig at the machine level and confirm the dynamichost is set accordingly.

    Symptoms

    vESA does not successfully download or apply updates for antispam or antivirus engines, even when properly licensed. Running update commands such as:

    > antispamupdate ironport
> antispamupdate ironport force
> antivirusupdate force
> updatenow force

    does not resolve the issue. Reviewing logs with tail updater_logs displays errors similar to:

    Mon Oct 21 17:48:43 2025 Info: Dynamic manifest fetch failure: Received invalid update manifest response

    This indicates the appliance cannot reach the correct updater manifest at the dynamic host URL configured via the updateconfig command. The dynamichost subcommand, available within updateconfig, defines which update server the appliance will use.

    Set the Correct Dynamic Host URL

    Configure the dynamic host URL according to your appliance type and support status:

    1. update-manifests.sco.cisco.com:443
      • Use for vESA, vWSA, and vSMA appliances.
    2. stage-stg-updates.ironport.com:443
      • Use for friendlies, Beta virtual, and hardware appliances with explicit Cisco Beta authorization only.

    To set the dynamic host URL, use the updateconfig command, access the hidden dynamichost subcommand, enter the desired host and port, then commit the changes.

    esa.example.com> updateconfig
[]> dynamichost

Enter new manifest hostname : port
[update-manifests.sco.cisco.com:443]> stage-stg-updates.ironport.com:443
[]> <<<HIT RETURN TO GO BACK TO THE MAIN CLI PROMPT>>>

esa.example.com> commit

    Verify Appliance Update Functionality

    Use these steps to confirm the appliance is updating from the correct dynamic host URL:

    1. Increase the updater_logs log level to debug to capture detailed update activity:

    esa.example.com> logconfig
[...]
28. updater_logs Updater Logs Manual Download None
[...]
[]> edit
Enter the number of the log you wish to edit.
[]> 28
Please enter the name for the log:
[updater_logs]>
Log level:
1. Critical
2. Warning
3. Information
4. Debug
5. Trace
[3]> 4
[...]
esa.example.com> commit
    note-icon

    Note: The log number can differ on each appliance.

    2. Run a forced update to test connectivity and update functionality:

    esa.example.com> updatenow force

Success - Force update for all components requested

    3. Review updater_logs to confirm a successful connection to the correct dynamic host:

    Mon Oct 21 18:19:12 2025 Debug: Acquiring dynamic manifest from stage-stg-updates.ironport.com:443

    Troubleshooting Steps

    1. Confirm that the default updateconfig is being used. If vESA or its host is behind a firewall, ensure updates are configured to use a static server as described in the Content Security Appliance Upgrades or Updates with a Static Server document.
    2. Test connectivity to the dynamic host URL using Telnet to verify network reachability: 
      esa.example.com> telnet
Please select which interface you want to telnet from.
1. Auto
2. Management (172.16.6.165/24: esa-mgmt.example.com)
3. Data (192.168.1.10/24: esa-data.example.com)
[1]>
Enter the remote hostname or IP address.
[]> stage-stg-updates.ironport.com
Enter the remote port.
[25]> 443
Trying 208.90.58.24...
Connected to stage-stg-updates.ironport.com.
Escape character is '^]'.
^] ["CTRL + ]"]
telnet> quit
Connection closed.

    Related Information

    Revision History

    Revision Publish Date Comments
    2.0
    21-Feb-2026
    Re-written using updated steps and syntax.
    1.0
    24-Jul-2014
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Dennis McCabe Jr
      Cisco Technical Leader
    • Robert Sherwin
      Cisco Technical Leader

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products