C160 IN NETWORK Encryption question

kjacko
Level 1

I am new to the IronPort products, so please bear with me.

I have been able to set up several email encryption profiles, one for Cisco Registered Envelope Service, and one for the In Network (IronPort Encryption Appliance).

The outbound content filtering rules triggering the Cisco Registered Envelope Service work just fine, but messages getting flagged for the content filtering rules meeting the criteria for the In Network/IronPort Encryption Appliance get stuck in the encryption queue. When looking at the encryption logs, they show:

Tue Feb  9 12:20:26 2010 Critical: PXE encryption - Thread-2, http.HttpConnectionApache, Unable to send HTTP request: Retry 1 of 1 in 2000 milliseconds
Tue Feb  9 12:20:29 2010 Critical: PXE encryption - Thread-2, local.LocalResponse, HTTP Connection Error (4): Unable to send HTTP request
Tue Feb  9 12:35:33 2010 Critical: PXE encryption - Thread-2, http.HttpConnectionApache, Unable to send HTTP request: Retry 1 of 1 in 2000 milliseconds
Tue Feb  9 12:35:36 2010 Critical: PXE encryption - Thread-2, local.LocalResponse, HTTP Connection Error (4): Unable to send HTTP request

Emails eventually time out and sender gets:

[#< #5.0.0 smtp; 5.x.3 - Temporary PXE Encryption failure. Please try resending the message. If the problem persists, please contact your administrator. (Encryption operation expired due to key server communication problems or resource constraints.) ]

I am using both NICs on the C160. One (management interface) has a few specific IP routes specified for our internal LAN, and the 2nd NIC is in a DMZ style VLAN, with the Default Gateway/route going out it.

Emails not triggering encryption, or triggering the Cisco Registered Envelope Service, are processed and sent just fine.

I'm probably missing something real basic here.

Please point me in the right directions...

Thanks.

1 Accepted Solution

Accepted Solutions

sumbansa
Level 1

I'd suggest first going to CLI and checking PING connectivity to the encryption server.

If ping is working, we can rule out network connectivity and gateway/route issues.

The other thing you can probably try ( if ping works ), is to see if you need a proxy between the encryption appliance and the C-series. Maybe the HTTP/HTTPS packets are being dropped somewhere in between.

--Sumit

Also try to ping with the IP/Hostname. In case the DNS is not able to resolve the encryption server name, the IP PING should work.

Sorry, was a newbie to the IronPort appliance.

I don't have an encryption appliance, so the CRES service is the only option.

Thanks,

Kirk...

kyerramr
Level 1

Kirk,

Check to see if there are any errors/exceptions logged on the IronPort Encryption Appliance.

Log to check: /usr/local/postx/server/log/server_postx.log. As much as we have the NICs configured, run a connectivity test to the IEA from the ESA on ports 80 and 443.

I would also suggest reviewing this KB: http://tinyurl.com/2doepp

Best,

Kishore
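
Added example (not part of any reply in this thread, and not Cisco code): a TCP reachability check for the port 80/443 connectivity test suggested above, which also separates a DNS failure from a blocked or closed port, as raised in the accepted solution. It assumes it is run from a host on the same network segment as the ESA interface that routes to the IEA; `iea.example.internal` is a placeholder hostname.

```python
import socket
import sys

def resolve(host):
    """Return the addresses host resolves to, or [] when name resolution fails."""
    try:
        infos = socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def probe(addr, port, timeout=3.0):
    """Attempt a TCP connection to addr:port and classify the outcome."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return "open"       # handshake completed: a service is listening
    except socket.timeout:
        return "timeout"        # no answer at all: packets dropped (firewall/ACL) or no return route
    except ConnectionRefusedError:
        return "refused"        # reset received: host reachable, nothing accepting on this port
    except OSError as exc:
        return "error: " + (exc.strerror or str(exc))  # e.g. network or host unreachable

def check(host, ports=(80, 443), timeout=3.0):
    """Resolve host, then probe every resolved address on every port."""
    addrs = resolve(host)
    if not addrs:
        return {"dns": "failed", "results": {}}
    return {"dns": "ok",
            "results": {(a, p): probe(a, p, timeout) for a in addrs for p in ports}}

if __name__ == "__main__":
    # Placeholder hostname (assumption); pass the real IEA name or IP as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "iea.example.internal"
    report = check(target)
    print(f"{target}: DNS {report['dns']}")
    for (addr, port), state in report["results"].items():
        print(f"  {addr}:{port} -> {state}")
```

A `timeout` on 80 or 443 while ping succeeds points at filtering between the two appliances; `DNS failed` for the hostname with `open` for the IP points at name resolution.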

sergin1rn
Level 1

Hello Kirk Jacko,

Try opening the communication ports for the protocols HTTP, HTTPS, NTP, SMTP and DNS for your appliances in the firewall rules.

I think it will work..

Regards