This document describes how to troubleshoot and resolve an issue on the Email Security Appliance (ESA) and Cloud Email Security (CES) in which security features display as "Not Available" on the Incoming and Outgoing Mail Policies even though the feature keys are present on the device.
Contributed by Alan Macorra and Mathew Huynh Cisco CX Engineers.
Any ESA/CES on any version of AsyncOS.
Device licensed with available feature keys for security services.
Understanding of the different levels of cluster configuration and overrides.
The ESA/CES device is failing to execute any security scanning from services such as:
Advanced Malware Protection
DLP (Outbound only)
Feature keys are available and able to be verified on the GUI or CLI.
GUI: System Administration > Feature Keys
On the Incoming and Outgoing Mail Policies, all of the security features display as "Not Available", yet when you check the security service itself, it is configured as Enabled.
Feature keys are present on the device; however, the services are "Not Available" and do not execute scans.
Clicking the "Not Available" link on the mail policies redirects you to the global settings for that specific security service, which show the service as enabled. Modifying these global settings does not change the "Not Available" status on the mail policies.
Sample output provided:
This issue typically occurs when the feature keys on the device expire before they are renewed and the license is re-installed. When this happens, the End User License Agreement (EULA) must be accepted again. Because the services were enabled on the devices before expiry, the EULA is not presented again when the key is re-installed or renewed, since the service configuration is set at Cluster level.
To resolve this, override the settings on the ESA/CES at Machine level so that the EULA is presented for acceptance. Once the EULA is accepted, the device registers the key renewal and re-activates the features.
Note: The configuration mode you are currently logged in with is displayed in the upper left as Mode -- Cluster/Group/Machine. Depending on the mode, what is displayed may differ from the sample output provided, which is already in Machine mode.
Warning: When creating overrides for this solution, ensure you DO NOT select Move Configuration, as this forces the cluster-level configuration into an unconfigured state for that specific service. If it was selected, the feature falls back into an unconfigured (not enabled) state when the overrides are removed.
On each security service which shows "Not Available":
Click the "Not Available" link from the Incoming or Outgoing Mail Policies Page.
This redirects to the global settings for that engine. Select Change Mode... and, from the drop-down menu, select the machine you are currently logged on to.
Click on Override Settings
Select Copy from: Cluster. (This copies your current enabled settings from the cluster level down to the machine level.)
The configuration now shows as Enabled; proceed to click Edit Global Settings...
The EULA is displayed; read through and accept the EULA.
Commit Changes to save this setting.
Repeat these steps for each other feature that needs to be re-enabled.
Sample output provided:
Using the drop-down on the right, change the mode to the machine you are logged into.
Copying the settings from cluster to machine override.
Override setting output:
After clicking on Edit Global Settings... the EULA is displayed.
Accept the EULA and commit changes.
The settings for Sophos will now be reflected on the mail policy and no longer show "Not Available".
Removing machine override to fall back to Cluster level
To remove the machine override settings:
Go to Machine mode from the drop-down as previously done.
Click to expand Centralized Management Options
Click on Delete Settings
Click the Delete button and the settings will fall back to the higher level (Group or Cluster, whichever is configured).
Verify the settings are properly configured on the higher level chosen.