This document describes error messages received during download or update of feature keys on the Cisco Email Security Appliance (ESA).
When users click "Check for New Keys" on the ESA to download new Feature Keys, they receive the following error message:
Error performing feature key fetch: I/O error opening URL '<update URL>'
This error message is non-critical and is triggered when the ESA is unable to connect to the feature key updates server via HTTP. This is typically a result of one or more of the following problems:
Ping the update URL server (downloads.ironport.com):
> ping downloads.ironport.com
Press Ctrl-C to stop.
PING downloads.ironport.com (188.8.131.52): 56 data bytes
64 bytes from 184.108.40.206: icmp_seq=0 ttl=50 time=28.158 ms
64 bytes from 220.127.116.11: icmp_seq=1 ttl=50 time=27.981 ms
64 bytes from 18.104.22.168: icmp_seq=2 ttl=50 time=28.055 ms
64 bytes from 22.214.171.124: icmp_seq=3 ttl=50 time=28.013 ms
^X^C
--- downloads.ironport.com ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 27.981/28.052/28.158/0.067 ms
Attempt to Telnet to the update URL server (downloads.ironport.com) on port 80 to verify that the firewall is not blocking outbound port 80 connections from the appliance:
myesa.local> telnet downloads.ironport.com 80
Trying 126.96.36.199...
Connected to a96-16-7-82.deploy.akamaitechnologies.com.
Escape character is '^]'.
(press CTRL + ] to exit)
telnet> quit
Connection closed.
If the appliance is not able to connect, you will see the following:
myesa.local> telnet downloads.ironport.com 80
Trying 188.8.131.52...
telnet: connect to address downloads.ironport.com: Connection refused
telnet: Unable to connect to remote host
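The same port 80 check can be scripted from another host that sits behind the same firewall. This is an added example, not Cisco's code and not something run on the appliance itself; the probe_tcp function and the use of a separate management host are assumptions. It separates a refused connection (the telnet failure shown above) from a silent timeout, which is what a firewall that drops packets produces instead of a refusal.

```python
import errno
import socket

UPDATE_HOST = "downloads.ironport.com"  # update server named on this page
UPDATE_PORT = 80                        # HTTP port the page tests with telnet


def probe_tcp(host, port, timeout=5.0):
    """Classify one outbound TCP connection attempt (hypothetical helper).

    Returns (status, detail) where status is one of:
      "dns_failure" - the name did not resolve
      "open"        - handshake completed, as in the successful telnet output
      "refused"     - reset received, matching "Connection refused"
      "timeout"     - no reply at all, typical of a firewall dropping packets
      "unreachable" - any other socket error (no route, network unreachable)
    """
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "dns_failure", str(exc)

    status, detail = "unreachable", "no addresses tried"
    # Try every resolved address; report success on the first that connects,
    # otherwise report the outcome of the last attempt.
    for family, socktype, proto, _canon, addr in infos:
        with socket.socket(family, socktype, proto) as sock:
            sock.settimeout(timeout)
            try:
                sock.connect(addr)
                return "open", addr[0]
            except socket.timeout:
                status, detail = "timeout", addr[0]
            except ConnectionRefusedError:
                status, detail = "refused", addr[0]
            except OSError as exc:
                name = errno.errorcode.get(exc.errno, str(exc.errno))
                status, detail = "unreachable", f"{addr[0]}: {name}"
    return status, detail


if __name__ == "__main__":
    print(UPDATE_HOST, UPDATE_PORT, *probe_tcp(UPDATE_HOST, UPDATE_PORT))
```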
For appliances that sit behind strict firewall rules, you may need to use the static URL for downloads. Please see the Upgrades or Updates with a Static Server knowledge base article.
Content Security Appliance Upgrades or Updates with a Static Server