Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
955
Views
0
Helpful
2
Replies

CISCO IRONPORT C-170 FIRMWARE UPDATE TO Version: 9.7.0-125

fninos001
Level 1
Level 1

‎11-25-2015 01:07 AM

I recently update to latest firmware and i got the following message:


The Warning message is:


Unable to connect to Cisco Web Security Service.

URL Filtering will not work correctly.

Please verify all network, proxy and firewall settings.

Connection to "v2.sds.cisco.com" failed.

The last error seen on this connection: "Authentication failure. Please check

client certificate"



Version: 9.7.0-125

"

Anyone knows how to solve it ?

Labels:
0 Helpful
2 Replies 2

Mathew Huynh
Cisco Employee
Cisco Employee

‎11-25-2015 09:17 PM

Hello,

Your ESA will need to be able to communicate with v2.sds.cisco.com on port 443 for an SSL encrypted connection.

However, This is usually due to a change in configuration or when the service first establishes, it
holds on to stale certificate.

Please let us know if it's still frequently happening.

Regards,

Matthew

0 Helpful

Robert Sherwin
Cisco Employee
Cisco Employee

‎11-26-2015 08:54 AM

Can you check your ecstatus output?  As Matthew said, if this was post-upgrade boot-up, this would have reached out to get and establish cert, and possible to be a race condition in that completing and the service being used.

Enrollment Client is set along w/ update configuration via updateconfig.

Enrollment Client Updates (used to fetch certificates for URL Filtering)

To check the service -->

> ecstatus

Component Version Last Updated
Enrollment Client 1.0.2-054 26 Nov 2015 16:51 (GMT +00:00)

You can run ecupdate force to have the appliance reach out and get the EC updates & cert cleanly.  Watch the updater_logs for actions --->

> grep enrollment updater_logs

Thu Nov 26 11:50:42 2015 Info: enrollment_client updater shutdown complete
Thu Nov 26 11:50:42 2015 Info: enrollment_client waiting for new updates
Thu Nov 26 11:51:13 2015 Info: Server manifest specified an update for enrollment_client
Thu Nov 26 11:51:13 2015 Info: enrollment_client was signalled to start a new update
Thu Nov 26 11:51:13 2015 Info: enrollment_client processing files from the server manifest
Thu Nov 26 11:51:13 2015 Info: enrollment_client started downloading files
Thu Nov 26 11:51:13 2015 Info: enrollment_client waiting on download lock
Thu Nov 26 11:51:13 2015 Info: enrollment_client acquired download lock
Thu Nov 26 11:51:13 2015 Info: enrollment_client beginning download of remote file "http://updates.ironport.com/enrollment_client/1.0/enrollment_client/default/102054"
Thu Nov 26 11:51:13 2015 Info: enrollment_client released download lock
Thu Nov 26 11:51:13 2015 Info: enrollment_client successfully downloaded file "enrollment_client/1.0/enrollment_client/default/102054"
Thu Nov 26 11:51:13 2015 Info: enrollment_client started applying files
Thu Nov 26 11:51:13 2015 Info: enrollment_client applying file "enrollment_client"
Thu Nov 26 11:51:13 2015 Info: enrollment_client installing new libexec
Thu Nov 26 11:51:13 2015 Info: enrollment_client restarting
Thu Nov 26 11:51:16 2015 Info: enrollment_client verifying applied files
Thu Nov 26 11:51:16 2015 Info: enrollment_client updating the client manifest
Thu Nov 26 11:51:16 2015 Info: enrollment_client update completed
Thu Nov 26 11:51:16 2015 Info: enrollment_client waiting for new updates

If this is error is happening on a repeated basis, then open a support case, and we'll need to get remote access opened to investigate further.

-Robert

Cheers,
Robert Sherwin
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents