C160 IN NETWORK Encryption question

Answered Question

I am new to the Ironport products, so please bear with me.

I have been able to set up several email encryption profiles, one for Cisco Registered Envelope Service, and one for the In Network (IronPort Encryption Appliance).

The outbound content filtering rules triggering the Cisco Registered Envelope Service work just fine, but messages getting flagged for the content filtering rules meeting the criteria for the In network/Ironport Encryption Appliance, get stuck in the encryption queue.  When looking at the encryption logs, they show:

Tue Feb  9 12:20:26 2010 Critical: PXE encryption - Thread-2, http.HttpConnectionApache, Unable to send HTTP request: Retry 1 of 1 in 2000 milliseconds
Tue Feb  9 12:20:29 2010 Critical: PXE encryption - Thread-2, local.LocalResponse, HTTP Connection Error (4): Unable to send HTTP request
Tue Feb  9 12:35:33 2010 Critical: PXE encryption - Thread-2, http.HttpConnectionApache, Unable to send HTTP request: Retry 1 of 1 in 2000 milliseconds
Tue Feb  9 12:35:36 2010 Critical: PXE encryption - Thread-2, local.LocalResponse, HTTP Connection Error (4): Unable to send HTTP request


Emails eventually time out and sender gets:

[#< #5.0.0 smtp; 5.x.3 - Temporary PXE Encryption failure. Please try resending the message. If the problem persists, please contact your administrator. (Encryption operation expired due to key server communication problems or resource constraints.) ]


I am using both NICs on the C160. One (management interface) has a few specific IP routes specified for our internal LAN, and the 2nd NIC is in a DMZ style VLAN, with the Default Gateway/route going out it.


Emails not triggering encryption or triggering the Cisco Registered Envelope Service, are processed and sent just fine.


I'm probably missing something real basic here.

Please point me in the right directions...


Thanks.

Correct Answer
sumbansa Tue, 02/09/2010 - 21:15

I'd suggest first going to CLI and checking PING connectivity to the encryption server.


If ping is working, we can rule out network connectivity and gateway/route issues.


The other thing you can probably try (if ping works) is to see if you need a proxy between the encryption appliance and the C-series. Maybe the HTTP/HTTPS packets are being dropped somewhere in between.


--Sumit

sumbansa Tue, 02/09/2010 - 21:17

Also try to ping with the IP/Hostname. In case the DNS is not able to resolve the encryption server name, the IP PING should work.

kyerramr Wed, 02/10/2010 - 23:04

Kirk,


  Check to see if there are any errors/exceptions logged on the IronPort Encryption Appliance.


Log to check: /usr/local/postx/server/log/server_postx.log. Inasmuch as we have the NICs configured, run a connectivity test to the IEA from the ESA on ports 80 and 443.


I would also suggest reviewing this KB: http://tinyurl.com/2doepp



Best,

Kishore

sergin1rn Tue, 08/03/2010 - 11:37

Hello Kirk Jacko,


Try opening the communication ports for the HTTP, HTTPS, NTP, SMTP and DNS protocols for your appliances in the firewall rules.


I think it will work.

Regards
