2 x Ironport C170s(In cluster) - rejecting connections on port 25

Hi,
Earlier this morning, both our C170's stopped accepting incoming connections on 25...Incoming mail has a public listener (port 25), interface is correct (data 2 / External)...any suggestions/ideas what could have caused both to stop accepting connections at the same time?
Thanks

Hi - Thanks for the reply....this is now resolved...the above steps were performed yesterday, and nothing was running on port 25 on both....listenerconfig revealed why: no listeners configured?
Cause - "Someone" had changed the cluster-level config...cluster was configured with listeners, but someone had changed both C170's to manually override the cluster with machine level config....checking the logs (gui_log and cli_log), I can see "someone" (We only have 3 staff who login to these devices, but all with "admin" and all from the same NAT IP), had edited the listeners 3 days ago, a commit was applied 2 days ago, and another commit was done yesterday morning...so it really doesn't add up..If the listeners were changed 3 days ago, and commit done 2 days ago, why didn't both boxes stop listening on port 25, 2 days ago....Is the logging on these devices not reliable, or doesn't log "everything".....It's now resolved (forced both 170's to use the cluster settings for listeners)...but I'm still very interested in how to accurately audit when it was changed, and by who....as it's not something that is "easily/accidentally" done...

Similar Messages

  • How to install renewed feature key to cluster Ironport C170

    Our email gateway uses a cluster of two Ironport C170s; recently the feature key expired on both C170s and we are in the process of getting this feature key renewed.
    I am new to this Cisco Ironport, and I would like to know, once we get this renewed feature key, how we can install it on both Ironport C170s. The feature currently expired is: "Centralized Management, IronPort Anti-Spam, Sophos Anti-Virus, Outbreak Filters".
    After the feature key expired, several changes have been made to the Ironport incoming content filters; because the "centralized management" feature expired, these changes are made to both C170 Ironports. Does this have any impact on installing the renewed feature key?
    Thanks.

    Hi Rugang,
    You can manually install the keys via Web UI or CLI.
    In the Web UI, please log in as admin and go to :
    System Administration -> Feature Keys -> Section named: Feature Activation
    Paste the key string you received in the field named: Feature Key: then hit the button Submit key. You may need to accept the User Agreement. After that the system will validate the key and if everything goes well, you will have the feature ready to use.
    In the CLI, please log in as admin and run:
    > featurekey
    then run:
    activate
    then paste the string for the key you want to install
    There is no need to commit changes. You can finish the featurekey command by pressing the ENTER key in your keyboard.
    It would be advisable not to make changes with the boxes not running Centralized Management due to key expiration, but it seems you already did that. The devices will try to synchronize the settings and it is possible that you will find inconsistencies. You can use the command:
    > clustercheck
    to view/fix the inconsistencies. This command/action can only be executed via CLI.
    I would recommend that you save the configuration from both devices; apply the keys and save the configuration again. Run a diff (linux/unix) or windiff on the files (before and after installing the keys) to see if you find anything which requires your intervention.
    As always, please contact our customer support in case you have any questions or have any issues with the whole process.
    I hope this helps.
    Regards,
    -Valter

  • Ironport C170 Central Management Feature...

    We have a SINGLE Ironport C170 that was set up by an IT Services group here over 6 years ago- before I was hired. We have been getting the following message e-mailed to us recently:
    The Warning message is:
    Your "Centralized Management" key will expire in under 5 day(s).  Please contact your authorized Cisco sales representative.
    Our concern here is this:
    We do not use "Centralized Management"- we only have one office, one E-mail Security appliance. Should we worry about this feature expiring? Is this a Feature Key that we will need to purchase a renewal for? I appreciate any insight into this issue.
    Q.M. Quiney
    Network Admin
    Precision Payroll of America

    The Centralized Management key was a separate (non-free) feature key for connecting multiple appliances in a cluster. Now this license key is included in the base license in all newer SW versions.
    If you're not using multiple appliances you don't need this feature and you can ignore this warning.
    Just to be sure you're not using a single appliance in a cluster, check the cluster status with CLI->clusterconfig.

  • Proper TLS Config for IronPort C170

    I inherited an infrastructure a little bit ago that uses an IronPort C170 cluster for email security. I have been tasked with configuring TLS connections with our new medical benefits provider and have some issues doing so. We have 3 MX records, let's call them mail1, mail2 and mail3. Mail1 and mail2 are configured normally on our firewall to pass SMTP traffic on port 25 to the MailListener port on the IronPort which is 25. Mail3, however, is configured on the firewall to translate SMTP traffic on port 25 to port 3600 which is sent to the TLS Listener port 3600 on the IronPort. The IronPort MailInterfaces are configured as such (25,3600) Reverse configuration on the firewall takes any port 3600 traffic from the IronPort and translates it to port 25 traffic for the rest of the world.
    I configured the IronPort with a new Sender Group named TLS_ACCEPT,  added all the medical provider domain names/IPs to it and assigned it to  the ACCEPTED Mail Flow Policy where TLS is set to Required. Likewise,  for outgoing, I specified the same domain names/IPs within the  Destination Controls to require TLS for sending purposes.
    I replaced the guy who originally configured this so I am not too sure how it is setup on the other end for TLS connections already established. We do have a few in place that are active. I am assuming that the other end is configured to send email only to the mail3 MX record. This configuration, however, is not possible with our medical provider so I need an alternative. They have verified that they cannot contact us on mail1 or mail2 via TLS but can with mail3.
    The obvious problem is if a sender from these new domains tries to send TLS_required emails to us over the mail1 and mail2 MX IPs, they will receive an NDR. If I configure the firewall to translate mail1 and mail2 incoming connections from port 25 to 3600, any email sent with TLS not preferred/required will get an NDR. This was actually tested and domains like Yahoo and Hotmail could not send to us.
    Are there any options for me on the IronPort to allow these connections to be sent from all our MX IPs without having to translate the ports? If not, what would happen if I changed the TLS Listener port on the IronPort to 25 instead of 3600 and disabled all the NAT rules on the firewall for mail3? I am only to assume this translation was another security step added by the previous admin here but am not too sure what would happen if I eliminated it.
    Any advice, help, questions, assistance or fun-poking would be greatly appreciated!! Thank you in advance!

    Kevin,
    OMG there's so much unneeded complication here...You can totally ditch the port translation
    Here's what I did:
    Under Network/IP interfaces, I have 3 interfaces: management, Public, Private.
         Public is exposed to the net, only port 25 allowed in/out, with 1 A record for a Domain1 which I have a certificate for.
    Under Network/Listener I have 2 Listeners:
         Outbound on the Private interface, not really relevant for the rest of this discussion
         Inbound on the Public interface
              listening on port 25
              using an Accept query pointed at my Active Directory (all the various email domains in 1 AD)
              using a cert that matches the hostname on the Public interface
              Mail flow policies in HAT all set to TLS preferred with an address list configured for the "required" ones
    Mail Policies/Destination Controls to force sending as TLS
    In my external DNS
         Domain1
              A  mail.domain1.com  x.x.x.
              mx domain1.com  mail.domain1.com pref 10 weight 10 TTL 86400
         Domain2-10
              mx domain2.com mail.domain1.com
              mx domain3.com mail.domain1.com
         etc....
    Hope that helps...
    Ken    

  • My Ironport C170 delay to send the email to some domain

    I found a problem with my IronPort C170: it can never send email to some domains and shows message detail code 4.4.0 or 4.4.2, then puts the message in the queue. But when I set it to relay through another SMTP server, it can send mail very smoothly. Do you have any idea what I have misconfigured?
    Thank you

    Hi Billy, if you move the mouse cursor over the number of spam messages on the page Monitor>Spam quarantine, what URL address do you see?
    Something like https://www.domain.com:83/Search?auth=13900f1d2a029b017464c596a88bb7a8?
    Can you resolve "www.domain.com" to the correct IP address of your ESA server?
    Are Spam Quarantine>Spam Quarantine HTTP & Spam Quarantine HTTPS enabled at Network>IP Interfaces>Interface page? Do interface's IP address & spam quarantine ports match to URL address (does www.domain.com resolve to this IP address) at Monitor>Spam quarantine?
    Is there any firewall blocking this connection?

  • TCP Extend (DefaultCacheServer rejects connections)

    Hi guys
    Have been trying to setup TCP Extend to make a Linux box use cache configured on a windows box and the DefaultCacheServer rejects TCP connections. The config files I'm using are attached. Can anyone help ?
    The DefaultCacheServer comes up nicely
    SafeCluster: Name=n/a
    Group{Address=224.3.2.0, Port=32367, TTL=1}
    MasterMemberSet
    ThisMember=Member(Id=1, Timestamp=2007-03-29 16:07:16.026, Address=147.114.162.160:54321, MachineId=17312)
    OldestMember=Member(Id=1, Timestamp=2007-03-29 16:07:16.026, Address=147.114.162.160:54321, MachineId=17312)
    ActualMemberSet=MemberSet(Size=1, BitSetCount=2
    Member(Id=1, Timestamp=2007-03-29 16:07:16.026, Address=147.114.162.160:54321, MachineId=17312)
    RecycleMillis=120000
    RecycleSet=MemberSet(Size=0, BitSetCount=0
    Services
    TcpRing{TcpSocketAccepter{State=STATE_OPEN, ServerSocket=147.114.162.160:54321}, Connections=[]}
    ClusterService{Name=Cluster, State=(SERVICE_STARTED, STATE_JOINED), Id=0, Version=3.2, OldestMemberId=1}
    DistributedCache{Name=DistributedCache, State=(SERVICE_STARTED), Id=1, Version=3.2, OldestMemberId=1, LocalStorage=enabled, PartitionCount=257, BackupCount=1, AssignedPartitions=257, BackupPartitions=0}
    but when I run the client, I get this
    2007-03-29 16:09:42.698 Tangosol Coherence DGE 3.2/367 <D4> (thread=TcpRingListener, member=1): Rejecting connection to member 649 using TcpSocket{State=STATE_OPEN, Socket=Socket[addr=/172.26.102.115,port=36952,localport=54321]}
    Attachment: cluster-side-config.xml (*To use this attachment you will need to rename 516.bin to cluster-side-config.xml after the download is complete.)
    Attachment: client-side-config.xml (*To use this attachment you will need to rename 517.bin to client-side-config.xml after the download is complete.)

    Hi pandeyv,
    You need to configure an instance of the ProxyService in your cluster-side cache configuration file. Coherence*Extend clients connect to the ProxyService over TCP/IP and not the TcpRingService. The TcpRingService is only used by cluster members for death detection.
    See the following for instructions on configuring the cluster and client-side configuration files:
    http://wiki.tangosol.com/display/COH32UG/Configuring+and+Using+Coherence*Extend
    Additionally, I noticed that you are using an old release of Coherence 3.2. Please upgrade to the latest 3.2 service pack (3.2.2):
    http://www.tangosol.com/product-downloads.jsp
    Regards,
    Jason

  • Ironport C170 Config file restore

    Hi Team,
    We have 2 clustered Ironport servers with AsyncOS 7.5.2 at site 1, and now we are building a new DR site for Exchange 2010 and building an Ironport at the DR site.
    We have one ironport AsyncOS 7.6.2 for Cisco IronPort C170 build 201 at DR site.
    We have to restore configuration file from Site 1 to DR site.
    Can you please provide me the steps to restore the file from site 1 to DR site
    I have removed the one node from ironport cluster from site 1 and taken the backup of the configuration file.
    Regards,
    Pravin

    Pravin -
    You will need to upgrade all appliances to the same revision in order to have the configuration used from site 1 to the DR.  Also, 7.5.2 and 7.6.2 are EOL, and you would be strongly suggested to upgrade to the minimum of 7.6.3-019 for all appliances.
    After that - it would just be a matter of looking at this two ways - while upgrading the appliances at site 1, just save the configuration copy once upgraded as needed to 7.6.3-019.  Make a copy and modify the Network Configuration section: Hostname, Interface <IP>, Routing Table... and then load that copy on the DR site.
    Or - the other way to look at it would be to just join the DR site to the cluster.  That way all configuration is shared among the three appliances.
    I hope this helps!
    -Robert
    (*If you have received the answer to your original question, and found this helpful/correct - please mark the question as answered, and be sure to leave a rating to reflect!)

  • Forwarding all mail from one ironport C170 to another (C160)

    Good Morning,
    Could someone tell me how to forward all mail which hits my ironport c170 at one site to another c160 at the other please?  I have tried adding SMTP routes but this doesn't seem to work.
    many thanks,
    Dave

    Hi,
    Yes we have done this.
    Message tracking log as follows...
    09 Apr 2013 14:58:41 (GMT +01:00)
    Protocol SMTP interface Data 2 (IP x.x.x.x) on incoming connection (ICID 59) from sender IP x.x.x.x. Reverse DNS host None verified no.
    09 Apr 2013 14:58:41 (GMT +01:00)
    (ICID 59) RELAY sender group Incoming Relay match [sendmail_server_ip] SBRS not enabled
    09 Apr 2013 14:58:41 (GMT +01:00)
    Start message 1114 on incoming connection (ICID 59).
    09 Apr 2013 14:58:41 (GMT +01:00)
    Message 1114 enqueued on incoming connection (ICID 59) from [email protected]
    09 Apr 2013 14:58:41 (GMT +01:00)
    Message 1114 on incoming connection (ICID 59) added recipient ([email protected]).
    09 Apr 2013 14:58:41 (GMT +01:00)
    Message 1114 incoming relay (sendmail_server): Header Received found, IP address 127.0.0.1 being used, SBRS not enabled
    09 Apr 2013 14:58:41 (GMT +01:00)
    Message 1114 contains message ID header '<201304091358.r39Dwe8Z004098@sendmail_server>'.
    09 Apr 2013 14:58:41 (GMT +01:00)
    Message 1114 (658 bytes) from [email protected] ready.
    09 Apr 2013 14:58:41 (GMT +01:00)
    Message 1114 matched per-recipient policy DEFAULT for outbound mail policies.
    09 Apr 2013 14:58:41 (GMT +01:00)
    Message 1114 scanned by Anti-Virus engine Sophos. Interim verdict: CLEAN
    09 Apr 2013 14:58:41 (GMT +01:00)
    Message 1114 scanned by Anti-Virus engine. Final verdict: Negative
    09 Apr 2013 14:58:41 (GMT +01:00)
    Message 1114 queued for delivery.

  • My Firefox no longer works, it will not go to any website and offers the message "The proxy server is rejecting connections". I had the same problem in IExplorer but was able to fix it. I did not choose a proxy server, ever. How do I fix this in Firefox?

    I changed out my wireless router, from a Linksys to a Netgear. Everything seemed to work fine, but shortly afterward Firefox could not be used to find any websites, and gave me the message above. The same happened with Internet Explorer, but a tech representative for my ISP directed me to the page where "proxy server" was incorrectly checked and it fixed the problem. I don't know where to go in Firefox to find the same or a similar page. My laptop continued to work fine for some time after, but eventually developed the same problem. I uninstalled and reinstalled Firefox, with no luck, and all desktop shortcuts based on Firefox are inoperative. I just keep getting the message that the proxy server is rejecting connections. Since I did not select a proxy server, I don't know how to deselect it.

    No idea what "tried everything" means.
    Here is how you troubleshoot a password problem.
    Go to your email providers web mail page and verify that you have a working username and password by logging into your account there. If you cannot log in there, look for the link to reset your password. Your email password is administered with your email provider.
    Once you have a working password you need to remove any stored passwords in Thunderbird and replace with the new, working password.
    From the menu bar select Tools-Options-Security-Passwords-Stored Passwords
    Remove the passwords for the problem account. Close Thunderbird and restart it. You will be asked for a password. Enter the new password.
    No menu bar with Tools? Press the alt key.
    FYI: Thunderbird settings are stored in a different file from the program. Removing the program and reinstalling just keeps you busy for a little while and rarely fixes anything. As you have seen the old settings are picked up when Thunderbird is reinstalled.

  • Configure the ADMIN and CLUSTER service connections to be SSL

    Can you configure the ADMIN and CLUSTER service connections to be SSL
    rather than tcp?
    I was wondering about the present or future ability to secure other
    connection services with SSL. Can you now or are there future plans
    to configure the ADMIN and CLUSTER service connections to be SSL
    rather than tcp? I suppose I should add the PORTMAPPER to that list.
    My primary interest is for an SSLCLUSTER service in the case where
    two brokers are connected over a non-trusted network. It may
    not be too difficult to secure all the services the same way, but
    perhaps that is on the TODO list.
    A related question is if there are plans to add SSL with client
    authentication as a stronger authentication mechanism than 'simple'
    username and password. I believe you could get the username from
    the client certificate's DN and continue to use the same LDAP user
    repository for access control. I think this is similar to the way
    that BEA's Weblogic server does it.
    Finally should it be possible to deploy the HTTP tunnel servlet to
    a webserver (such as iPlanet Web Server) configured to do SSL with
    client authentication as a work-around to get stronger authentication
    with the current release of the product? Or am I perhaps missing some
    obvious and important detail? :) I guess I would like to know it's been
    done already or is at least possible before I try and do it myself.

    3 scenarios involving SSL are:
    1: JMS client <------- SSL -------> iMQ broker
    2: iMQ admin <------- SSL -------> iMQ broker
    3: iMQ broker <------- SSL -------> iMQ broker (i.e clusters)
    (1) is currently supported in iMQ 2.0
    (2) and (3) are not supported in iMQ 2.0. No concrete plans yet to support
    it in the near future but we'll definitely consider doing it if we
    hear a lot of demand for it.
    ]A related question is if there are plans to add SSL with client
    ]authentication as a stronger authentication mechanism than 'simple'
    ]username and password. I believe you could get the username from
    ]the client certificate's DN and continue to use the same LDAP user
    ]repository for access control. I think this is similar to the way
    ]that BEA's Weblogic server does it.
    This is on our todo list, but due to other more pressing issues we
    have not been able to address it. We will continue to keep it
    on our potential list of new features.
    Sorry if I sound pretty wishy-washy in my responses above, but the fact
    is that the things you mentioned above had to take a backseat
    to other more critical features. That and the usual time/resource
    constraints caused them not to be implemented.
    ]Finally should it be possible to deploy the HTTP tunnel servlet to
    ]a webserver (such as iPlanet Web Server) configured to do SSL with
    ]client authentication as a work-around to get stronger authentication
    ]with the current release of the product? Or am I perhaps missing some
    ]obvious and important detail? :) I guess I would like to know it's been
    ]done already or is at least possible before I try and do it myself.
    Yes, this should be possible (although I don't believe we've tried it here).
    The client authentication here is really only between the JMS client and the
    web server (not between the tunnel servlet and the iMQ broker) and should
    be similar in setup to any other java application talking to iPlanet Web
    Server.

  • Backup and restore quarantines cisco ironport c170

    Hello,
    Is there anyway to backup and restore the spams quarantine to another ironport c170?
    Thanks in advance.
    Alexandre

    You have the wrong forum... Try posting it on this forum:
    https://supportforums.cisco.com/community/netpro/security/ironport

  • Backup and restore logs, quarantines cisco ironport c170

    Hello,
    Is there anyway to backup and restore logs and quarantine to another ironport c170?
    Thanks in advance.
    Alexandre

    Hello Alexandre,
    logs can easily be downloaded via FTP or SCP, there is a folder per logs subscription, i.e.
    /mail_logs
    /system_logs
    /error_logs
    Each folder contains multiple logs; those with the extension .s are the ones that have rolled over, while .c and .current are the ones currently written to. I would not recommend uploading them to another appliance, as this may cause problems or at least confusion. Quarantines cannot be backed up; that functionality is limited to SMAs (M-series).
    Hope that helps,
    Andreas

  • Ironport C170 Relay outgoing Email to External Server

    We have a new Ironport C170 and am only using the appliance for Encryption/DLP.  We wish to have incoming and outgoing Email to flow through this appliance.  All incoming Email will be relayed to our Exchange Server and all outgoing Email will be relayed to our SAAS Email Filtering System for processing and delivery.  The incoming part I believe is configured correctly but am having issues figuring out how to relay all outgoing to a specific domain in the cloud.
    Any assistance would be greatly welcomed,
    Stephen

    Hi Stephen,
    You can control all the outgoing mail from the SMTP Route configuration; it is in GUI menu > Network > SMTP Route.
    You can define the route to next hop based on destination domain, as for default - all other domains (this is the one that goes to SaaS) you can enter your cloud SMTP address and the port number there.
    Hope this helps.
    Thanks,
    Donny

  • Creative Clouds rejects connection while dialog to connect for a CC application,

    Creative Clouds rejects connection while dialog to activate a CC application,
    message says computer off-line or clock not up to date.
    The internet connection works fine, and I reset the synchronisation of the clock.
    The message persists.
    I went through the checks proposed by Adobe in such a situation; all are OK.
    I was disconnected twice while writing this message, with an Adobe message from the server indicating failure.
    On my other computers this worked fine.
    Any idea?
    PS this badly affects me since I am out of office at the countryside with work for the WE on my computer with Premiere Pro and Photoshop.
    Additionally the very same computer, in the very same location, worked fine just last WE, and before.
    (windows 7, Internet explorer).

    Since you describe a Cloud problem, not a Premiere Pro problem, you might try the below links
    Cloud Forum http://forums.adobe.com/community/creative_cloud
    -and http://forums.adobe.com/community/creative_cloud/creative_cloud_connection

  • I have a cisco ironport c170, i want set up URL redirect? But i don't know how to ? Can you help me?

    I have a cisco ironport c170, i want set up URL redirect? But i don't know how to ? Can you help me?

    The C170 does not support URL redirection prior to OS release 8.5. What exactly do you need to accomplish?
