Cisco Support Community
Community Member

async os 6.5.1

Just after the new year started, I upgraded my first of three x1050s to 6.5.0. A few days later after no issues were encountered by this first upgrade, I processed upgrades to my remaining two X's and my M. Unfortunately, on one of these X's I upgraded straight to 6.5.1. Fast forward a few days and another admin went to recreate the cluster, to process some rules, and encountered the out of sync AsyncOSs. A panic ensues and upgrades are applied to the remaining three, all to 6.5.1.

I ran this past through a support ticket and found the actual problem with another MTA's TLS config. Here we check for TLS and require if available. Outside MTA's is available but broken. Prior to upgrades, unsecure email processed through to my internal users without issue. After the upgrades, all messages failed. Support reports that they attempted email with this domain using earlier Async OS versions and all comm still failed.

Allegedly no change on outside MTA. They have broken TLS, know it, have experienced it with other MTAs as well. They are not fixing their corrupt TLS deployment. However, unsecure still worked. Outside MTA domain is sigc.us.

Are my tracking logs gone after an AsyncOS upgrade? Can I recover?

Was TLS enhanced to fail with broken outside TLS config, from 6.4.x to 6.5.1?

6.5.1 is a maintenance release? Should I be running it?

Can I get the bound version of the Ironport AsyncOS 6.5 users guide and advanced users guide? Can I download? I have 5.1 literature. I'd really like to get my ironports dialed in to 6.5.x.

Thanks,

-bear

4 REPLIES
Community Member

Re: async os 6.5.1

Just after the new year started, I upgraded my first of three x1050s to 6.5.0.  A few days later after no issues were encountered by this first upgrade, I processed upgrades to my remaining two X's and my M.  Unfortunately, on one of these X's I upgraded straight to 6.5.1.  Fast forward a few days and another admin went to recreate the cluster, to process some rules, and encountered the out of sync AsyncOSs.  A panic ensues and upgrades are applied to the remaining three, all to 6.5.1.

So I take it from this that all systems in the cluster are now running 6.5.1-004, and the cluster is intact?

I ran this past through a support ticket and found the actual problem with another MTA's TLS config. Here we check for TLS and require if available. Outside MTA's is available but broken. Prior to upgrades, unsecure email processed through to my internal users without issue. After the upgrades, all messages failed.

Support reports that they attempted email with this domain using earlier Async OS versions and all comm still failed.

Allegedly no change on outside MTA. They have broken TLS, know it, have experienced it with other MTAs as well. They are not fixing their corrupt TLS deployment. However, unsecure still worked. Outside MTA domain is sigc.us.

By require if available, do you mean TLS preferred-verify? And by all messages, you mean all messages to one domain? It sounds like you should get back in touch with support. They will have access to your configuration.

Are my tracking logs gone after an AsyncOS upgrade? Can I recover?

Your tracking logs should survive an upgrade. Whether you still have data from prior to the upgrade will depend on your mail volume. The tracking database will purge the oldest records when it gets full.

Was TLS enhanced to fail with broken outside TLS config, from 6.4.x to 6.5.1?

There were no enhancements or bug fixes that would cause the appliance to be more picky about who to send encrypted mail to. If the remote MTA advertises STARTTLS, we will attempt to negotiate a TLS connection. There are a number of reasons this can fail. If you are using TLS Required, the mail will be bounced. If it is TLS Preferred, then it will be delivered plain text.


6.5.1 is a maintenance release? Should I be running it?

Absolutely. If you saw it in early January, you must have been on the early availability list. Just this week we released it to all customers.

Can I get the bound version of the Ironport AsyncOS 6.5 users guide and advanced users guide? Can I download? I have 5.1 literature. I'd really like to get my ironports dialed in to 6.5.x.


You can see all of the Documentation in the online help on your appliance. You can also download PDFs from the Support Portal. If you prefer the printed copies, I'll check and see how you can order that.

Karl Young
ESA Product Support Engineer


Thanks,

-bear

Community Member

Re: async os 6.5.1

So I take it from this that all systems in the cluster are now running 6.5.1-004, and the cluster is intact?


Absolutely. No problems really before or after the upgrade, and once the cluster was recreated after the final 6.5.1-004 push, everything has been characteristically stable.

By require if available, do you mean TLS preferred-verify?  And by all messages, you mean all messages to one domain?  It sounds like you should get back in touch with support.  They will have access to your configuration.


Actually just prefer. No verify. By all messages, I mean all messages from sigc.us to us (all messages from anyone to us [we listen for a few domains] we prefer TLS). I think support did what they could, and did a great job at that. I'm just stuck in this "it worked/didn't work quandary," with the only definite change being me upgrading. Without the worked/didn't work data slice, everything support provided is spot on. Sigc.us' TLS is broken... that's not in dispute. It's the behaviour now of my ironports, to their error, that appears to have changed. I have added a destination control specifically for this domain, to not use TLS but these one-off fixes trouble me.

Your tracking logs should survive an upgrade.  Whether you still have data from prior to the upgrade will depend on your mail volume.  The tracking database will purge the oldest records when it gets full.


OK. I only seem to be going back to my upgrade date. Actually rechecking my tracking history has shrunk. Now only goes back a little more than a week. That's another obstacle, as I haven't been able to confirm the sigc.us report of success prior to the upgrade.



There were no enhancements or bug fixes that would cause the appliance to be more picky about who to send encrypted mail to.  If the remote MTA advertises STARTTLS, we will attempt to negotiate a TLS connection.  There are a number of reasons this can fail.  If you are using TLS Required, the mail will be bounced.  If it is TLS Preferred, then it will be delivered plain text.

There's my problem. It doesn't revert to plain text, it just fails. Like this:

Message 109885282 to email.address@domain.ext.ext received remote SMTP response '2.6.0 <49F384F3EE03C14886B2F0F78A53B5432FB803> Queued mail for delivery'.

I don't even think a hard or soft bounce occurs? Just no one receives it.

Absolutely.  If you saw it in early January, you must have been on the early availability list.  Just this week we released it to all customers.

Whew...

How did this work? We definitely didn't request anything. What's the early availability list inclusion criteria?

You can see all of the Documentation in the online help on your appliance.  You can also download PDFs from the Support Portal.  If you prefer the printed copies, I'll check and see how you can order that.

I'd love the printed versions if available for a reasonable price. Downloads are adequate, but there's nothing quite like a well creased and dog-eared bound reference on my bookshelf.

Thanks Karl.

-bear

Community Member

Re: async os 6.5.1

Bear

Sorry, but this has gotten pretty stale. I've replied to your questions below.



By require if available, do you mean TLS preferred-verify?  And by all messages, you mean all messages to one domain?  It sounds like you should get back in touch with support.  They will have access to your configuration.


Actually just prefer. No verify. By all messages, I mean all messages from sigc.us to us (all messages from anyone to us [we listen for a few domains] we prefer TLS). I think support did what they could, and did a great job at that. I'm just stuck in this "it worked/didn't work quandary," with the only definite change being me upgrading. Without the worked/didn't work data slice, everything support provided is spot on. Sigc.us' TLS is broken... that's not in dispute. It's the behaviour now of my ironports, to their error, that appears to have changed. I have added a destination control specifically for this domain, to not use TLS but these one-off fixes trouble me.


I reviewed your ticket, and it looks like everything was covered, except for whether the upgrade caused the problem. I was fairly confident that there were no changes in TLS delivery behavior, but to be sure, I set up a test appliance running 6.4.0-273, and sent some test messages to postmaster@sigc.us. I am seeing the same failure mode as in your ticket when sigc.us is configured for TLS preferred, so something clearly changed on their side.


Absolutely.  If you saw it in early January, you must have been on the early availability list.  Just this week we released it to all customers.

Whew...

How did this work? We definitely didn't request anything. What's the early availability list inclusion criteria?


To be clear, Early Availability is ~not~ like a beta. This is a release that is fully qualified for use in production systems. The Early Availability (or Preview) status is just a stage in our rollout process. If we announce a new release to our entire customer base, we find we get flooded with calls about it, so we provision and notify a small set of customers first. After a couple of weeks, we provision everybody, then notify them over the next couple of weeks.

There is a certain element of randomness to the EA list. For a maintenance release we will always add the customers who have encountered bugs we are fixing. The announcement will always say it is Early Availability, and the Portal flags it as preview.


You can see all of the Documentation in the online help on your appliance.  You can also download PDFs from the Support Portal.  If you prefer the printed copies, I'll check and see how you can order that.

I'd love the printed versions if available for a reasonable price. Downloads are adequate, but there's nothing quite like a well creased and dog-eared bound reference on my bookshelf.

Thanks Karl.
-bear


I'm told that your sales rep can order the hard bound versions of the User's Guides for you.

I hope this information falls into better late than never category.

Regards

Karl
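
A way to check from the sending side whether a remote MTA's STARTTLS offer is absent, working, or advertised but broken, which is the case this thread turns on. This is an added example, not code from any poster or from Cisco; it uses Python's standard `smtplib`, the function name `probe_starttls` is made up here, and the host in the usage comment is a placeholder.

```python
import smtplib
import ssl
import sys


def probe_starttls(host, port=25, timeout=10.0, helo_name=None, verify=False):
    """Return (state, detail) for the STARTTLS offer of the MTA at host:port.

    state is 'unreachable', 'not-advertised', 'advertised-but-broken' or 'ok'.
    """
    ctx = ssl.create_default_context()
    if not verify:
        # Matches a "preferred, no verify" policy: encrypt, but do not
        # validate the peer certificate.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        smtp = smtplib.SMTP(host, port, local_hostname=helo_name, timeout=timeout)
    except (OSError, smtplib.SMTPException) as exc:
        return "unreachable", f"{type(exc).__name__}: {exc}"
    try:
        try:
            smtp.ehlo()
            offered = smtp.has_extn("starttls")
        except (OSError, smtplib.SMTPException) as exc:
            return "unreachable", f"{type(exc).__name__}: {exc}"
        if not offered:
            return "not-advertised", "EHLO reply lists no STARTTLS keyword"
        try:
            # The remote side offers TLS, so a sender with TLS enabled tries it.
            smtp.starttls(context=ctx)
            smtp.ehlo()  # RFC 3207: EHLO again inside the encrypted session
        except (OSError, smtplib.SMTPException) as exc:
            # Offer refused, handshake failed, or session dropped (ssl.SSLError
            # is a subclass of OSError).
            return "advertised-but-broken", f"{type(exc).__name__}: {exc}"
        return "ok", f"{smtp.sock.version()} {smtp.sock.cipher()[0]}"
    finally:
        smtp.close()


if __name__ == "__main__":
    # Usage: python probe_starttls.py mx.example.org [port]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    print(probe_starttls(sys.argv[1], target_port))
```

A result of `advertised-but-broken` is the condition where a TLS Required policy bounces and a TLS Preferred policy is expected to fall back to plain text, so it is the one worth recording before and after an upgrade.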

Community Member

Re: async os 6.5.1



Are my tracking logs gone after an AsyncOS upgrade? Can I recover?



Well, I did lose my tracking logs once and even support didn't help. So I just deleted the database.

And now I seem to have a database but I can't search anything, as every result is empty. This case is still open.

So be warned.
