I am new to the IronPort products, so please bear with me.
I have been able to set up several email encryption profiles, one for Cisco Registered Envelope Service, and one for the In Network (IronPort Encryption Appliance).
The outbound content filtering rules triggering the Cisco Registered Envelope Service work just fine, but messages getting flagged for the content filtering rules meeting the criteria for the In Network/IronPort Encryption Appliance get stuck in the encryption queue. When looking at the encryption logs, they show:
Tue Feb 9 12:20:26 2010 Critical: PXE encryption - Thread-2, http.HttpConnectionApache, Unable to send HTTP request: Retry 1 of 1 in 2000 milliseconds
Tue Feb 9 12:20:29 2010 Critical: PXE encryption - Thread-2, local.LocalResponse, HTTP Connection Error (4): Unable to send HTTP request
Tue Feb 9 12:35:33 2010 Critical: PXE encryption - Thread-2, http.HttpConnectionApache, Unable to send HTTP request: Retry 1 of 1 in 2000 milliseconds
Tue Feb 9 12:35:36 2010 Critical: PXE encryption - Thread-2, local.LocalResponse, HTTP Connection Error (4): Unable to send HTTP request
Emails eventually time out and the sender gets:
[#< #5.0.0 smtp; 5.x.3 - Temporary PXE Encryption failure. Please try resending the message. If the problem persists, please contact your administrator. (Encryption operation expired due to key server communication problems or resource constraints.) ]
I am using both NICs on the C160. One (management interface) has a few specific IP routes specified for our internal LAN, and the 2nd NIC is in a DMZ style VLAN, with the Default Gateway/route going out it.
Emails not triggering encryption or triggering the Cisco Registered Envelope Service are processed and sent just fine.
I'm probably missing something real basic here.
Please point me in the right directions...
I'd suggest first going to CLI and checking PING connectivity to the encryption server.
If ping is working, we can rule out network connectivity and gateway/route issues.
The other thing you can probably try (if ping works) is to see if you need a proxy between the encryption appliance and the C-series. Maybe the HTTP/HTTPS packets are being dropped somewhere in between.
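
Added example, not part of the original thread and not Cisco tooling: a small Python triage script for an exported copy of the encryption log. It pairs each retry line with the connection error that ends it, so you can see how many key-server attempts failed, with which error code, and how far apart they were. The sample input is the four log lines quoted in the question; the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample input: the four encryption log lines quoted in the question.
SAMPLE_LOG = """\
Tue Feb 9 12:20:26 2010 Critical: PXE encryption - Thread-2, http.HttpConnectionApache, Unable to send HTTP request: Retry 1 of 1 in 2000 milliseconds
Tue Feb 9 12:20:29 2010 Critical: PXE encryption - Thread-2, local.LocalResponse, HTTP Connection Error (4): Unable to send HTTP request
Tue Feb 9 12:35:33 2010 Critical: PXE encryption - Thread-2, http.HttpConnectionApache, Unable to send HTTP request: Retry 1 of 1 in 2000 milliseconds
Tue Feb 9 12:35:36 2010 Critical: PXE encryption - Thread-2, local.LocalResponse, HTTP Connection Error (4): Unable to send HTTP request
"""
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) (?P<level>\w+): "
    r"PXE encryption - (?P<thread>[\w-]+), (?P<component>[\w.]+), (?P<msg>.*)$")
ERROR_RE = re.compile(r"HTTP Connection Error \((?P<code>\d+)\): (?P<reason>.*)")

def parse_line(line):
    """Split one PXE encryption log line into fields; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(" ".join(rec["ts"].split()), "%a %b %d %H:%M:%S %Y")
    return rec

def failed_episodes(log_text):
    """Group retry lines with the connection error that closes them, per thread."""
    pending, episodes = {}, []  # pending: thread -> retries since last final error
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unrelated or malformed line
        err = ERROR_RE.match(rec["msg"])
        if err:
            retries = pending.pop(rec["thread"], [])
            start = retries[0]["ts"] if retries else rec["ts"]
            episodes.append({"thread": rec["thread"], "start": start, "end": rec["ts"],
                             "retries": len(retries), "code": int(err["code"]),
                             "reason": err["reason"]})
        elif "Retry" in rec["msg"]:
            pending.setdefault(rec["thread"], []).append(rec)
    return episodes

def summarize(log_text):
    """Count failed episodes, list distinct error codes and the gaps between attempts."""
    eps = failed_episodes(log_text)
    gaps = [(b["start"] - a["end"]).total_seconds() for a, b in zip(eps, eps[1:])]
    return {"episodes": len(eps), "codes": sorted({e["code"] for e in eps}), "gaps_s": gaps}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```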