Sharefile Downloads Service Unavailable Try Again Later

This document describes the alert attributed to the Cisco Email Security Appliance (ESA) with Advanced Malware Protection (AMP) enabled, where the service is unable to communicate over port 32137 or 443 for File Reputation.

AMP was released for use on the ESA in AsyncOS Version 8.5.5 for Email Security. With AMP licensed and enabled on the ESA, administrators receive this message:

The Alert message is:

The File Reputation service is not reachable.

Last message occurred 2 times between Tue Jul 26 10:17:15 2015 and Tue Jul 26 10:18:16 2016.

Version: 12.5.0-066
Serial Number: 123A82F6780XXX9E1E10-XXX5DBEFCXXX
Timestamp: 07 Oct 2019 14:25:13 -0400

The AMP service might be enabled, but probably does not communicate on the network via port 32137 for File Reputation.

If that is the case, the ESA administrator can choose to have File Reputation communicate over port 443.

In order to do so, run ampconfig > advanced from the CLI and be sure that Y is selected for Do you want to enable SSL communication (port 443) for file reputation? [N]>:

(Cluster example.com)> ampconfig

Choose the operation you want to perform:
- SETUP - Configure Advanced-Malware protection service.
- ADVANCED - Set values for AMP parameters (Advanced configuration).
- SETGROUP - Add this appliance to the group of appliances that can share File Analysis reporting details.
- CACHESETTINGS - Configure the cache settings for AMP.
- CLUSTERSET - Set how advanced malware protection is configured in a cluster.
- CLUSTERSHOW - Display how advanced malware protection is configured in a cluster.
[]> advanced

Enter cloud query timeout?
[15]>

Choose a file reputation server:
1. AMERICAS (cloud-sa.amp.cisco.com)
2. AMERICAS(Legacy) (cloud-sa.amp.sourcefire.com)
3. EUROPE (cloud-sa.eu.amp.cisco.com)
4. APJC (cloud-sa.apjc.amp.cisco.com)
5. Private reputation cloud
[1]>

Do you want use the recommended analysis threshold from cloud service? [Y]>

Enter heartbeat interval?
[15]>

Do you want to enable SSL communication (port 443) for file reputation? [N]> Y

Proxy server detail:
Server :
Port :
User :

Do you want to change proxy detail [N]>

Do you want to suppress the verdict update alerts for all messages that are not delivered to the recipient? [N]>

Choose a file analysis server:
1. AMERICAS (https://panacea.threatgrid.com)
2. EUROPE (https://panacea.threatgrid.eu)
3. Private analysis cloud
[1]>

If you use the GUI, choose Security Services > File Reputation and Analysis > Edit Global Settings > Advanced (drop-down) and ensure the Use SSL checkbox is checked.

Commit any and all changes to the configuration.

Finally, review the current AMP log in order to see the service and connectivity success or failure. You can accomplish this from the CLI with tail amp.

Prior to changes made to ampconfig > advanced, you would have seen this in the AMP logs:

Mon Jan 26 10:11:16 2015 Warning: amp The File Reputation service in the cloud
is unreachable.
Mon Jan 26 10:12:15 2015 Warning: amp The File Reputation service in the cloud
is unreachable.
Mon Jan 26 10:13:15 2015 Warning: amp The File Reputation service in the cloud
is unreachable.

After the change is made to ampconfig > advanced, you see this in the AMP logs:

Mon Jan 26 10:19:19 2015 Info: amp stunnel process started pid [3725]
Mon Jan 26 10:19:22 2015 Info: amp The File Reputation service in the cloud
is reachable.
Mon Jan 26 10:19:22 2015 Info: amp File reputation service initialized
successfully
Mon Jan 26 10:19:22 2015 Info: amp File Analysis service initialized
successfully
Mon Jan 26 10:19:23 2015 Info: amp The File Analysis server is reachable
Mon Jan 26 10:20:24 2015 Info: amp File reputation query initiating. File Name =
'amp_watchdog.txt', MID = 0, File Size = 12 bytes, File Type = text/plain
Mon Jan 26 10:20:24 2015 Info: amp Response received for file reputation query
from Cloud. File Name = 'amp_watchdog.txt', MID = 0, Disposition = file unknown,
Malware = None, Reputation Score = 0, sha256 = a5f28f1fed7c2fe88bcdf403710098977
fa12c32d13bfbd78bbe27e95b245f82, upload_action = 1

The amp_watchdog.txt file as shown in the previous example runs every 10 minutes and is tracked in the AMP log. This file is part of the keep-alive for AMP.

A normal query in the AMP log against a message with the configured file type(s) for File Reputation and File Analysis would be similar to this:

Wed Jan 14 15:33:01 2015 Info: File reputation query initiating. File Name =
'securedoc_20150112T114401.html', MID = 703, File Size = 108769 bytes, File
Type = text/html
Wed Jan 14 15:33:02 2015 Info: Response received for file reputation query from
Cloud. File Name = 'securedoc_20150112T114401.html', MID = 703, Disposition = file
unknown, Malware = None, Reputation Score = 0, sha256 = c1afd8efe4eeb4e04551a8a0f5
533d80d4bec0205553465e997f9c672983346f, upload_action = 1

With this log information, the administrator should be able to correlate the Message ID (MID) in the mail logs.
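The following is an added example, not part of the original technote and not Cisco code: a small parser for the AMP log format shown above that re-joins wrapped entries, reports when File Reputation changed between unreachable and reachable, and collects per-message verdicts keyed by MID for correlation with the mail logs. The log lines in SAMPLE are constructed, and the names entries and analyze are hypothetical.

```python
import re
from datetime import datetime
# Constructed sample in the page's log format; long entries wrap as displayed.
SAMPLE = """\
Mon Jan 26 10:11:16 2015 Warning: amp The File Reputation service in the cloud
is unreachable.
Mon Jan 26 10:12:15 2015 Warning: amp The File Reputation service in the cloud
is unreachable.
Mon Jan 26 10:19:22 2015 Info: amp The File Reputation service in the cloud
is reachable.
Mon Jan 26 10:20:24 2015 Info: amp Response received for file reputation query
from Cloud. File Name = 'amp_watchdog.txt', MID = 0, Disposition = file unknown,
Malware = None, Reputation Score = 0, sha256 = 00000000000000000000000000000000
00000000000000000000000000000000, upload_action = 1
Mon Jan 26 10:21:02 2015 Info: Response received for file reputation query from
Cloud. File Name = 'invoice.html', MID = 703, Disposition = file unknown, Malware
= None, Reputation Score = 0, sha256 = 0123456789abcdef0123456789abcdef01234567
89abcdef0123456789abcdef, upload_action = 1
"""
STAMP = re.compile(r"^(\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) (\w+): (?:amp )?(.*)$")
FIELD = re.compile(r"(File Name|MID|Disposition|Malware|Reputation Score|sha256|upload_action) = ('[^']*'|[^,]*)")

def entries(text):
    """Yield (timestamp, level, message), re-joining wrapped continuation lines."""
    cur = None
    for line in text.splitlines():
        m = STAMP.match(line.strip())
        if m:
            if cur:
                yield tuple(cur)
            cur = [datetime.strptime(m[1], "%a %b %d %H:%M:%S %Y"), m[2], m[3]]
        elif cur and line.strip():
            cur[2] += " " + line.strip()
    if cur:
        yield tuple(cur)

def analyze(text):
    """Return (reachability state changes, file reputation verdicts keyed by MID)."""
    transitions, verdicts = [], {}
    for ts, _level, msg in entries(text):
        m = re.search(r"File Reputation service in the cloud is (un)?reachable", msg)
        if m:
            state = "unreachable" if m[1] else "reachable"
            if not transitions or transitions[-1][1] != state:
                transitions.append((ts, state))  # record state changes only
        elif msg.startswith("Response received for file reputation query"):
            f = {k: v.strip().strip("'") for k, v in FIELD.findall(msg)}
            f["sha256"] = f.get("sha256", "").replace(" ", "")  # hash wraps mid-value
            if f.get("MID", "0") != "0":  # MID 0 is the amp_watchdog.txt keep-alive
                verdicts[int(f["MID"])] = f
    return transitions, verdicts
```

Calling analyze on saved output of tail amp gives the outage window from the first unreachable entry to the next reachable one, and the MID keys are the values to search for in the mail logs.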

Review firewall and network settings in order to ensure that SSL communication is opened for these:

Port | Protocol | In/Out | Hostname | Description
443 | TCP | Out | As configured in Security Services > File Reputation and Analysis, Advanced section. | Access to cloud services for file analysis.
32137 | TCP | Out | As configured in Security Services > File Reputation and Analysis, Advanced section, Advanced section, Cloud Server Pool parameter. | Access to cloud services in order to obtain file reputation.

You can test basic connectivity from your ESA to the cloud service over 443 via Telnet in order to ensure that your appliance can successfully reach the AMP services, File Reputation, and File Analysis.

Note: The addresses for File Reputation and File Analysis are configured on the CLI with ampconfig > advanced or from the GUI with Security Services > File Reputation and Analysis > Edit Global Settings > Advanced (drop-down).

Note: If utilizing a tunnel proxy between the ESA and File Reputation server(s), you may be required to enable the option to Relax Certificate Validation for Tunnel Proxy. This option is provided to skip standard certificate validation if the tunnel proxy server's certificate is not signed by a root authority trusted by the ESA. For instance, select this option if using a self-signed certificate on a trusted internal tunnel proxy server.

File Reputation example:

10.0.0-125.local> telnet cloud-sa.amp.sourcefire.com 443

Trying 23.21.199.158...
Connected to ec2-23-21-199-158.compute-1.amazonaws.com.
Escape character is '^]'.
^]
telnet> quit
Connection closed.

File Analysis example:

10.0.0-125.local> telnet panacea.threatgrid.com 443

Trying 69.55.5.244...
Connected to 69.55.5.244.
Escape character is '^]'.
^]
telnet> quit
Connection closed.

If the ESA is able to telnet to the file reputation server, and there is not an upstream proxy decrypting the connection, then the appliance may need to be re-registered with Threat Grid. On the ESA CLI there is a hidden command:

10.0.0-125.local> diagnostic

Choose the operation you want to perform:
- RAID - Disk Verify Utility.
- DISK_USAGE - Check Disk Usage.
- NETWORK - Network Utilities.
- REPORTING - Reporting Utilities.
- TRACKING - Tracking Utilities.
- RELOAD - Reset configuration to the initial manufacturer values.
- SERVICES - Service Utilities.
[]> ampregister

AMP registration initiated.

  • ESA Advanced Malware Protection (AMP) Test
  • ESA User Guides
  • ESA FAQ: What is a Message ID (MID), Injection Connection ID (ICID), or Delivery Connection ID (DCID)?
  • How do I search and view the mail logs on the ESA?
  • Technical Support & Documentation - Cisco Systems

sturmforrie.blogspot.com

Source: https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118785-technote-esa-00.html
