Ironport IEA - PXE Encryption failure

          Hi, we currently can't encrypt emails and receive the message below. I have checked what I can (which is limited) but can't see anything obvious.
#< #5.0.0 smtp; 5.x.3 - PXE Encryption failure. (Message could not be encrypted due to a system configuration issue. Please contact your administrator.) (delivery attempts: 0)> #SMTP#
Can anyone point me in the right direction please?
IEA370, 6.5.5

Thanks, I've found it! The feature keys had run out on the IEA device; there were what looked like temporary ones that last for 28 days, which I've applied, and it all works. I will sort out permanent ones now.
Thanks for responding

Similar Messages

  • Ironport C170 - Outbound encrypted emails hang in PXE encryption queue

    We had a power outage on site, and since the power has been restored, our encrypted emails have not been sending out.  Message tracking on the C170 states ----Message XXXXXX has been enqueued for PXE encryption.------
    We eventually get a bounce with the following info.
    -------Diagnostic code = NoDiagnostic; Reason code = TransferFailed; Status code = 500
    < #5.0.0 smtp; 5.x.3 - Temporary PXE Encryption failure. Please try resending the message. If the problem persists, please contact your administrator. (Encryption operation expired due to key server communication problems or resource constraints.) (delivery attempts: 14)>--------
    I've verified communication from the C170 to https://res.cisco.com and I've rebooted the C170, but the problem remains.
    Where to go from here?
    Thanks!
    Aaron

    There are 18 in the queue, and it's showing that there have been 126 hard bounces.    I have a support case opened this morning (SR 632888329), but I've not heard back since the initial email where they asked me to establish a tunnel.  I responded with the requested information.  I'm going to reach out again as people are getting antsy.
    I've included the info from the hard bounces.
    02 Dec 2014 09:10:56 (GMT -05:00) Message 732069 has been enqueued for PXE encryption.
    02 Dec 2014 11:13:07 (GMT -05:00) Message 732069 pending PXE encryption until Tue Dec 2 11:28:07 2014 as per encryption profile APS.
    02 Dec 2014 11:41:09 (GMT -05:00) Message 732069 pending PXE encryption until Tue Dec 2 11:56:10 2014 as per encryption profile APS.
    02 Dec 2014 12:09:12 (GMT -05:00) Message 732069 pending PXE encryption until Tue Dec 2 12:24:12 2014 as per encryption profile APS.
    02 Dec 2014 12:35:13 (GMT -05:00) Message 732069 pending PXE encryption until Tue Dec 2 12:50:14 2014 as per encryption profile APS.
    02 Dec 2014 13:01:16 (GMT -05:00) Message 732069 pending PXE encryption until Tue Dec 2 13:10:57 2014 as per encryption profile APS.
    02 Dec 2014 13:21:17 (GMT -05:00) Message 732069 exceeded maximum queue life time in the encryption queue.
    02 Dec 2014 13:21:17 (GMT -05:00) (DCID 0) Message 732069 to [email protected] bounced by destination server. Reason: 5.x.3 - Temporary PXE Encryption failure. Please try resending the message. If the problem persists, please contact your administrator. (Encryption operation expired due to key server communication problems or resource constraints.) ('000', [])
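The two bounce texts quoted on this page are not the same failure, and the tracking lines above show the temporary one unfolding. As an added example (not Cisco's code, and not part of any post here), the Python below tells the two apart and walks message-tracking lines to report how long each message sat in the encryption queue and how often it was deferred. The sample input is the thread's own lines for message 732069 with the recipient replaced by a placeholder address, plus an invented, still-queued message 732070; the matching keys on the exact wording quoted on this page.

```python
import re
from datetime import datetime

# Constructed sample input: the message-tracking lines quoted in the thread for
# message 732069 (recipient replaced with a placeholder address), plus a second,
# made-up message 732070 that is still sitting in the encryption queue.
TRACKING_LOG = """\
02 Dec 2014 09:10:56 (GMT -05:00) Message 732069 has been enqueued for PXE encryption.
02 Dec 2014 11:13:07 (GMT -05:00) Message 732069 pending PXE encryption until Tue Dec 2 11:28:07 2014 as per encryption profile APS.
02 Dec 2014 11:41:09 (GMT -05:00) Message 732069 pending PXE encryption until Tue Dec 2 11:56:10 2014 as per encryption profile APS.
02 Dec 2014 12:09:12 (GMT -05:00) Message 732069 pending PXE encryption until Tue Dec 2 12:24:12 2014 as per encryption profile APS.
02 Dec 2014 12:35:13 (GMT -05:00) Message 732069 pending PXE encryption until Tue Dec 2 12:50:14 2014 as per encryption profile APS.
02 Dec 2014 13:01:16 (GMT -05:00) Message 732069 pending PXE encryption until Tue Dec 2 13:10:57 2014 as per encryption profile APS.
02 Dec 2014 13:21:17 (GMT -05:00) Message 732069 exceeded maximum queue life time in the encryption queue.
02 Dec 2014 13:21:17 (GMT -05:00) (DCID 0) Message 732069 to user@example.com bounced by destination server. Reason: 5.x.3 - Temporary PXE Encryption failure. Please try resending the message. If the problem persists, please contact your administrator. (Encryption operation expired due to key server communication problems or resource constraints.) ('000', [])
02 Dec 2014 13:30:00 (GMT -05:00) Message 732070 has been enqueued for PXE encryption.
02 Dec 2014 13:45:01 (GMT -05:00) Message 732070 pending PXE encryption until Tue Dec 2 14:00:01 2014 as per encryption profile APS.
"""

# The two bounce texts quoted on this page, as input for classify_bounce().
PERMANENT_DSN = ("5.x.3 - PXE Encryption failure. (Message could not be encrypted due to a "
                 "system configuration issue. Please contact your administrator.) (delivery attempts: 0)")
TEMPORARY_DSN = ("5.x.3 - Temporary PXE Encryption failure. Please try resending the message. If the "
                 "problem persists, please contact your administrator. (Encryption operation expired due "
                 "to key server communication problems or resource constraints.) (delivery attempts: 14)")

LINE_RE = re.compile(
    r"^(?P<ts>\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2}) \(GMT [^)]*\) (?:\(DCID \d+\) )?"
    r"Message (?P<mid>\d+) (?P<event>.*)$"
)


def classify_bounce(reason):
    """Map the ESA's bounce text to a root-cause bucket.

    The "Temporary" form is checked first because both texts contain the
    substring "PXE Encryption failure".
    - temporary_keyserver: the message waited in the encryption queue until its
      lifetime expired because the key server (CRES or an on-premise IEA) could
      not be reached or the engine was unhealthy. Resending after the fix works.
    - permanent_configuration: the appliance refused to encrypt at all, as in
      the expired-feature-key case at the top of this page. Resending changes
      nothing until the configuration (keys, profile provisioning) is fixed.
    """
    if "Temporary PXE Encryption failure" in reason:
        return "temporary_keyserver"
    if "PXE Encryption failure" in reason and "system configuration issue" in reason:
        return "permanent_configuration"
    return "unknown"


def delivery_attempts(reason):
    """Pull the retry count out of '(delivery attempts: N)', or None if absent."""
    m = re.search(r"delivery attempts: (\d+)", reason)
    return int(m.group(1)) if m else None


def summarize(log_text):
    """Group tracking lines by message ID and describe what happened to each."""
    msgs = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a message-tracking line in the format above
        ts = datetime.strptime(m["ts"], "%d %b %Y %H:%M:%S")
        rec = msgs.setdefault(m["mid"], {"enqueued": None, "retries": 0, "expired": False,
                                          "bounce_reason": None, "last_seen": None})
        rec["last_seen"] = ts
        event = m["event"]
        if event.startswith("has been enqueued for PXE encryption"):
            rec["enqueued"] = ts
        elif event.startswith("pending PXE encryption until"):
            rec["retries"] += 1  # one deferral per 'pending ... until' line
        elif event.startswith("exceeded maximum queue life time"):
            rec["expired"] = True
        elif "bounced by destination server" in event:
            rec["bounce_reason"] = event.split("Reason: ", 1)[1]
    for rec in msgs.values():
        rec["status"] = classify_bounce(rec["bounce_reason"]) if rec["bounce_reason"] else "still_queued"
        if rec["enqueued"] and rec["last_seen"]:
            rec["queue_minutes"] = int((rec["last_seen"] - rec["enqueued"]).total_seconds() // 60)
        else:
            rec["queue_minutes"] = None
    return msgs


if __name__ == "__main__":
    for mid, rec in summarize(TRACKING_LOG).items():
        print(mid, rec["status"], "retries=%d" % rec["retries"],
              "queued_for=%s min" % rec["queue_minutes"])
    print(classify_bounce(PERMANENT_DSN), delivery_attempts(PERMANENT_DSN))
```

A bounce that reads "system configuration issue" with delivery attempts: 0 was never queued at all, so resending or rebooting cannot help; check feature keys and profile provisioning. The "Temporary" bounce with a non-zero attempt count, repeated deferrals and a queue-lifetime expiry after roughly four hours, as in the lines above, points at the path to the key server instead.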

  • Ironport c160 email encryption

    I understand and support the automatic encryption of our outbound emails.  In an attempt to possibly make it better, is there any method using our existing C160 email security appliance that can warn the sender that a message will be automatically encrypted prior to it going out?  Doing so could allow the user to choose to have it encrypted or not.  We have a subject tag "!m" that the user can type to force unsecured... but many times they have to do this after the fact, when they get an email from the C160 saying that the email was encrypted.

    Yes - 7.3 version of the plug-in supports Outlook 2013:
    (c/o: http://www.cisco.com/c/dam/en/us/td/docs/security/iea/Compatibility_Matrix/IEA_Compatibility_Matrix.pdf)
    Click here for the Plug-in downloads.  You will need a CCO login to access the downloads.
    As for the complaint against "encrypts a message without warning" --- that just really starts to get into end-user education of what is active in the environment.  If you have DLP in play on the appliance, and one of the defined policies is Privacy Protection -> ABA Routing Numbers, then the appliance is only doing its job, as you have configured.  If the end-users should be sending through a relay/outbound mail flow policy, and you don't want that group/end-users to be susceptible to the DLP scanning, you'll need to configure them into an outgoing mail policy that doesn't have DLP enabled... or has DLP enabled but not ABA Routing Numbers.
    Using the plug-in and allowing the end-users to decide if they want to encrypt/not encrypt is only going to be the initial reaction of that end-user.  With the plug-in, you may be removing the need to use the subject line encryption flag in order to provoke encryption, but any/all mail from that end-user through the ESA will still be susceptible to the configuration and encryption actions set.  
    You should leave the subject line trigger in place (either via message filter or content filter) - but, be sure to re-educate the end-users that may be using the plug-in to fully understand the right/wrong as you intend encryption to be handled.
    -Robert

  • Ironport WSA reached maximum failures querying DNS server

    I have been seeing an increased number of critical alerts on my Ironport indicating that it has reached the maximum number of failures querying the DNS server. 
    Has anyone seen this alerts before and/or know what causes them? I have not been able to find any information on the alert.
    Thanks

    We are seeing this alert as well, but we haven't had any complaints from the users.
    I had a TAC case in July this year due to "Application Fault Errors", and my TAC engineer told me I was experiencing bug CSCzv44813. The solution was to change to Google DNS and reboot the appliance.
    Now we are getting the "Reached maximum failures querying DNS server" messages from time to time.
    Are you also using Google DNS (8.8.8.8 and 8.8.4.4) by any chance?

  • WEP encryption failure on D-Link 614+ wireless router after 1.1.1 update

    My iPhone was connecting to the Internet via WiFi with a D-Link 614+ wireless router, and with 128-bit WEP encryption on, before I updated the iPhone to 1.1.1. Since that update, connectivity through the D-Link router requires that WEP be disabled. All other features seem to be compatible, including a static IP address and a static DNS address. No amount of network resetting and WiFi network forgetting helps. Apple Technical Support said that 128-bit WEP has been found mostly compatible, but it tends to be incompatible when the router's firmware has not been recently updated. This router's latest firmware is from 2005 (though the manufacturer dates it 2006), and the manufacturer has issued an end-of-life notice on it. My conclusion is that the router is obsolete if an iPhone is to be used with it. I have ordered an Apple Airport Extreme Base Station, so if anything goes wrong there's no doubt about which company is responsible. Meanwhile, I have turned off router encryption and turned on MAC filtering so only our own devices can use the router. Has anybody found that WEP encryption on this router actually works on the iPhone post-1.1.1?

    Shortly after posting, it occurred to me to search for "614". I found some other people's solutions for this router that involved disabling 4x mode and enabling the long preamble in the D-LINK UI (Advanced > Performance):
    http://discussions.apple.com/thread.jspa?messageID=3897747?
    Doing this caused my packet loss issue to go away, but now my connection is extremely sluggish and browsing is even slower than before.
    I'll keep tweaking settings to see if I can improve things.

  • Ironport WSA online backup failure

    Our online backup started to fail connection to the vendor's server about a month ago. In grepping the server in question, I can see a lot of messages with the destination server listed but I am not sure what they mean.
    Can someone explain what this means or point me in the right direction?
    1412602184.000 5788 X.X.X.X TCP_DENIED/502 0 TCP_CONNECT 38.81.66.191:443 - DIRECT/38.81.66.191 - DECRYPT_ADMIN_2-NONE-AllNetworks-NONE-NONE-NONE-DefaultGroup <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> -
    I think that the TCP_Denied/502 means bad gateway although it is a valid address and I can access it and telnet to port 443 but I don't know what the rest means DECRYPT_ADMIN_2=NONE
    Thanks in advance
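To make sense of that line it helps to split it into its fields. The Python below is added here as an example (not Cisco code and not from the post): it parses the default Squid-style WSA access-log layout and pulls the hyphen-separated decision tag apart. The positional names given to the tag's components (ACL decision first, then the access, identity, outbound-malware, data-security, external-DLP and routing policy groups) are my reading of the AsyncOS access-log format and should be checked against the documentation for your version; the sample is the line from the post with the client address left masked.

```python
import re
from datetime import datetime, timezone

# The access-log line from the post above (client address masked as in the post).
SAMPLE = ('1412602184.000 5788 X.X.X.X TCP_DENIED/502 0 TCP_CONNECT 38.81.66.191:443 - '
          'DIRECT/38.81.66.191 - DECRYPT_ADMIN_2-NONE-AllNetworks-NONE-NONE-NONE-DefaultGroup '
          '<-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> -')

# Squid-style layout of the default WSA access log:
#   timestamp elapsed-ms client result/status bytes method url user hierarchy/peer
#   mime decision-tag <scan verdicts> suffix
ACCESS_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<elapsed_ms>\d+) (?P<client>\S+) (?P<result>[A-Z_]+)/(?P<status>\d{3}) "
    r"(?P<bytes>\d+) (?P<method>\S+) (?P<url>\S+) (?P<user>\S+) (?P<hierarchy>\S+)/(?P<peer>\S+) "
    r"(?P<mime>\S+) (?P<decision>\S+) <(?P<verdicts>[^>]*)> (?P<suffix>.*)$"
)

# Assumed positional meaning of the hyphen-separated decision tag (my reading of
# the AsyncOS access-log format; verify against your version's documentation).
TAG_FIELDS = ["acl_decision", "access_policy", "identity", "outbound_malware_policy",
              "data_security_policy", "external_dlp_policy", "routing_policy"]


def parse_access_line(line):
    """Split one access-log line into named fields; raise if it is not in this format."""
    m = ACCESS_RE.match(line)
    if not m:
        raise ValueError("not a WSA access-log line: %r" % line[:60])
    rec = m.groupdict()
    rec["time_utc"] = datetime.fromtimestamp(float(rec["ts"]), tz=timezone.utc)
    rec["elapsed_ms"] = int(rec["elapsed_ms"])
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    parts = rec["decision"].split("-")
    rec["decision"] = dict(zip(TAG_FIELDS, parts))
    rec["decision"]["raw"] = "-".join(parts)
    return rec


def triage(rec):
    """Turn the parsed fields into a one-word diagnosis a practitioner can act on."""
    acl = rec["decision"]["acl_decision"]
    if rec["method"] == "TCP_CONNECT" and acl.startswith("DECRYPT"):
        if rec["result"] == "TCP_DENIED" and rec["status"] == 502:
            # The CONNECT matched a decryption policy (DECRYPT_ADMIN), so the WSA
            # itself opened TLS to the origin. A 502 here is generated by the
            # proxy when that upstream step fails (connection, handshake or
            # certificate problem), which is why a plain telnet to port 443 from
            # elsewhere can still succeed.
            return "decrypt_attempted_upstream_502"
        return "decrypted"
    # Common WSA tag prefixes for the other outcomes of an HTTPS CONNECT.
    if acl.startswith("PASSTHRU"):
        return "https_passthrough"
    if acl.startswith("BLOCK"):
        return "blocked_by_policy"
    return "other"


if __name__ == "__main__":
    rec = parse_access_line(SAMPLE)
    print(rec["time_utc"].isoformat(), rec["result"], rec["status"], rec["url"])
    print(rec["decision"])
    print(triage(rec))
```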

    It's going through the HTTPS proxy; the bad gateway message is what's killing it.
    If I were you, I'd put the IP of your on-premise backup box in the Bypass list so the WSA doesn't see it at all.  You KNOW where that box is going, and you know what it's doing; there's little need to filter it through the WSA.  That's putting a ton of load on the WSA you don't need.

  • IRONPORT e-mail security, encrypted e-mails problem

    Hi there,
    we have recently purchased CISCO Ironport E-mail and web security devices.
    I have configured e-mail security, and I want to encrypt an outgoing e-mail. When I send that e-mail I receive a reply:
    #< #5.0.0 smtp; 5.x.3 - PXE Encryption failure. (Message could not be encrypted due to a system configuration issue. Please contact your administrator.) (delivery attempts: 0)> #SMTP#
    I checked internet but couldn't find anything useful. Can someone point me in a good direction please? I don't know where to look now.
    Regards,

    Do you have a valid CRES account created for your company/domain, and the appliance SN tied to that CRES account?
    If not -
    In order to provision encryption profile(s), please initiate an email request to [email protected] with the following information:
    1. Name of account: [Please specify the exact company name, as you require this to be listed.]
    *If this is for a Hosted customer account, please notate the account name to end as ["<Account Name> HOSTED"]
    2. Email address(es) to be used for the Account Admin: [Please specify the corresponding admin email address]
    3. The complete serial number of ESA appliance(s): [ANY/ALL SERIAL NUMBER(s)]
    4. Any/all domains for the customer account that should be mapped to the CRES account for administration purposes.
    *If there is an already provisioned CRES account, please provide the company name or CRES account number previously used. This will assure that any new appliance serial numbers are added to the correct account, and avoid any duplication of company information and provisioning.
    Appliance serial numbers can be located from the GUI 'System Administration -> Feature Keys', or appliance CLI by running the command 'version'.
    Requests sent to [email protected] will be handled within normal business hours. A confirmation email will be sent once the serial numbers are registered or new CRES account provisioning is completed.
    Once completed - from the GUI, revisit 'Security Services -> Cisco IronPort Email Encryption -> Email Encryption Profiles', and re-click "Re-provision". This will then complete as "Provisioned".
    Also - have you stepped through the following?
    http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117863-configure-esa-00.html
    -Robert

  • CRES Outage?

    Was there an issue with the CRES service after 4pm EST yesterday? A few users reported bouncebacks that have the message:
    #< #5.0.0 smtp; 5.x.3 - Temporary PXE Encryption failure. Please try resending the message. If the problem persists, please contact your administrator. (Encryption operation expired due to key server communication problems or resource constraints.) (delivery attempts: 19)> #SMTP#
    I tried doing a test encrypted message this morning at 7:30am and it behaved normally. Just wondering if there was an issue yesterday.

    Yesterday - we did experience issues with a PXE engine upgrade that was pushed out.  The resulting error you list was the main focus from many other customers.  We did resolve the issue yesterday afternoon with a rollback of the engine upgrade.  We are pending further information at this time.
    If you are still experiencing issues with encryption through CRES via your ESA(s) - please open a support case.
    I'll post further information as I have it provided.
    I hope this helps!
    -Robert

  • Maximum encrypted message size

    Hi all,
    What is the largest size message that can be encrypted by the IronPort ESA PXE engine?  Is this a configurable parameter?
    Thanks very much,
    - Steve

    I came to this thread after one of my users had a message bounce that was only about 7.2MB.
    I understand Cisco wants to cut down on support calls and costs but this seems like a drastic reduction.  We're a very small shop and rarely send out messages of any kind over 10MB but it's the big ones that are usually the most sensitive, yes?  I would very much like to see this limit at least somewhat configurable in the future, even if it's capped at, say, 20MB, or even maybe see it indexed on throughput but effectively cutting the limit of what can be protected by 75% or more puts a huge dent in the value argument for IronPort.  The ability to easily encrypt anything from any device is the prime reason we have IronPort versus numerous other options.
    We renewed this year but if this is not addressed it will put a serious damper on our enthusiasm to spend the extra cash next year.

  • Configuring Cisco/IronPort plugin for Outlook with CRES

    With the discontinuation of the IronPort IEA appliances we are getting ready to move from our on-premise IEA appliances to CRES.  I have a demo key for Encryption that I am running on my C660s and I have an Outlook client configured with the Email Security Plug-In version 7.2.0.39.  Currently the Outlook Plug in is configured to point to our on premise IEA appliances for the Server URL attribute in Desktop Encryption Options and is working great.
    My question is, what do I use to connect it to CRES for desktop encryption?
    The Admin guide "Cisco IronPort Email Security Plug-in 7.2 Administrator Guide" page 4-46 just says "Server URL Enter the URL for your  Encryption server."
    Thanks

    Hi Jason,
    Thanks for your question.  The short answer is https://res.cisco.com:443 HOWEVER please note the following two points.  First, you will need a CRES account, so that you can download a token to use with the plugin, to authenticate to CRES; you cannot use the default token which you have probably been using with your IEA.  Second, using the current Outlook plug-in version 7.2 with CRES is not supported; it works, but it is not supported.  There are plans to release a supported version.

  • Can I password protect attachment to prevent incorrect encryption?

    I have a tech support case open with a company and in one of our correspondences, I had to get the vmware logs for a particular virtual machine.  I zipped up 7 log files using winrar (saved in zip format), attached it and sent it off.  Of course I get a bounce back that says it was sent encrypted due to ABANumbers policy.  ABA numbers???!!!  WHAT?
    Anyway, I have a code to override it (we use a subject tag that will ensure e-mail is not encrypted for these situations), so I was able to send it out again.  But this got me thinking.  If I had password-protected the archive itself, the IronPort C160 wouldn't have been able to open it and INCORRECTLY read text-based log files, thinking they were ABA numbers, correct?
    The reason I didn't want this encrypted is because
    1) It goes to a generic e-mail support box for the company.  THEY route it based on the ticket ID in the subject.  If it's sent to a [email protected], what rep is going to know the CRES password, or take the time to create one and share it with hundreds of other support reps?
    2) There's no incriminating data.  No ABA numbers, no bank account numbers, etc.  It's bull- that it was detected as such.

    The only solution I have found for this to work reliably is to add a bypass PXE encryption policy above all other policies and then add the domain of the recipient company to this list. You will then need to disable the PXE encryption for this outbound policy.
    Curtis
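Why a zip of text logs trips an "ABA Routing Numbers" policy is easy to show. An ABA routing number is nine digits whose weighted sum (weights 3, 7, 1 repeating) is divisible by 10, so any nine-digit token in a log has a one-in-ten chance of passing that check, and an archive without a password is simply unpacked and its text scanned. The Python below is an added example, not the RSA DLP classifier the ESA ships and not anything from the thread: it implements the checksum, runs a checksum-only scan over a constructed log excerpt with invented numbers, and shows how a routing-prefix filter trims the noise. The prefix ranges are the commonly published Federal Reserve routing-symbol ranges and are an assumption about what a stricter classifier might use.

```python
import random
import re

# ABA routing transit numbers are nine digits whose weighted sum (weights 3,7,1
# repeating) is 0 mod 10. A classifier that keys on this alone matches one in
# ten random nine-digit tokens, which log files are full of.
WEIGHTS = (3, 7, 1, 3, 7, 1, 3, 7, 1)

# Assumed first-two-digit ranges for assigned Federal Reserve routing symbols
# (commonly published); used only to show how a prefix filter cuts false positives.
VALID_PREFIX_RANGES = [(0, 12), (21, 32), (61, 72), (80, 80)]

# Constructed excerpt standing in for the zipped vmware logs in the post; the
# numbers are invented and are not real routing numbers.
SAMPLE_LOG = """\
2014-12-02T09:10:56Z vmx| 300000001 bytes read from vmdk
2014-12-02T09:10:57Z vmx| guest task 000000000 scheduled
2014-12-02T09:10:58Z vmx| handle fd=123456789 closed
2014-12-02T09:10:59Z vmx| txn 1000000070 committed
2014-12-02T09:11:00Z vmx| heartbeat seq 500000005
"""


def aba_checksum_ok(digits):
    """True when the nine digits satisfy the ABA mod-10 check."""
    if not re.fullmatch(r"\d{9}", digits):
        return False
    return sum(int(d) * w for d, w in zip(digits, WEIGHTS)) % 10 == 0


def aba_prefix_ok(digits):
    """True when the first two digits fall in an assigned routing-symbol range."""
    p = int(digits[:2])
    return any(lo <= p <= hi for lo, hi in VALID_PREFIX_RANGES)


def find_aba_candidates(text, require_prefix=False):
    """Nine-digit runs (not part of a longer digit run) that pass the checks.

    The lookarounds stop a 10-digit transaction ID from being matched as a
    nine-digit substring; a naive \\d{9} scan would flag it too.
    """
    hits = []
    for m in re.finditer(r"(?<!\d)\d{9}(?!\d)", text):
        tok = m.group(0)
        if aba_checksum_ok(tok) and (not require_prefix or aba_prefix_ok(tok)):
            hits.append(tok)
    return hits


def random_pass_rate(n=20000, seed=1):
    """Fraction of uniformly random nine-digit strings that pass the checksum.

    For any first eight digits exactly one final digit satisfies the check, so
    the true rate is 0.10; this samples it to make the point concrete.
    """
    rng = random.Random(seed)
    passed = sum(aba_checksum_ok("%09d" % rng.randrange(10**9)) for _ in range(n))
    return passed / n


if __name__ == "__main__":
    print("checksum only:", find_aba_candidates(SAMPLE_LOG))
    print("checksum + prefix:", find_aba_candidates(SAMPLE_LOG, require_prefix=True))
    print("random nine-digit tokens passing: %.3f" % random_pass_rate())
```

A password on the archive does stop the appliance from reading its contents, but the encrypted-or-unscannable attachment then takes whatever action the mail policy has for unscannable messages, which is a separate policy decision from DLP. The bypass policy Curtis describes avoids both problems for a known recipient domain.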

  • Cisco IronPort AsyncOS 7.0.1-010 for Email GA Notification

    Cisco is pleased to announce the General Availability (GA) of a new major release of AsyncOS 7.0.1-010 for Email to all customers. This release applies to all our Email Security Appliances (C- and X-Series). Code named "Bally's" internally (yes, after the Casino), this release is packed with major new functionality. We have completed our usual, extensive Beta test process as well as a 2 month FCS time period; over 500 customers have already upgraded.  Though we always recommend customers test out new releases before upgrading all of your production servers, we have great confidence in this release. Please upgrade and tell us what you think!
    Note for Security Management Appliance (SMA) customers. To report on the new features in 7.0.1, you'll need to upgrade your M-Series to AsyncOS 6.7.6-068.
    New Features and Enhancements in AsyncOS 7.0.1-010 for Email
    New Feature: RSA Email Data Loss Prevention (requires Feature Key)
    New Feature: Guaranteed Secure Delivery (requires PXE Encryption Feature Key)
    New Feature: Unwanted Marketing Message Detection
    Enhanced: Prioritized SMTP Routes
    Enhanced: RADIUS Groups and Protocols for External Authentication
    Enhanced: Quarantined Messages Attachments Enhancements
    Enhanced: PXE Encryption Enhancements
    PXE Encryption Enhancements
    AsyncOS 7.0 provides the following enhancements to IronPort Email Encryption:
    Guaranteed Secure Delivery
    Encrypt on Delivery
    Encrypt on Quarantine Exit
    Multi-Envelope Branding
    Automatic PXE Engine Updates
    Fixes in AsyncOS 7.0.1-010
    Fixed: TLS/SSL Man-in-the-Middle Vulnerability [Defect ID: 55972]
    Fixed: Reporting Engine Stops Allocating Memory, Stops Processing Data, and Causes an Application Fault When the Housekeeper Thread Stops [Defect ID: 52048]

    Thanks!
    Since I started on Ironport ESA 3 years ago, UCE handling has always been problematic (basically, UCE is never treated as spam).
    I hope the new Unwanted Marketing Message Detection feature fixes that!

  • IronPort Encryption and Spoofing?

    We just recently deployed two IronPort IEA boxes. With our current configuration external recipients can login to our IEA boxes to send encrypted e-mail. When they use the "Automatically Blind Carbon Copy Me" option the system will send an e-mail to their real mail account so that they have a record of the e-mail.
    The problem that I am just now learning about is some of the recipients e-mail systems block these e-mails because we are spoofing their e-mail domain.
    Is there a "best practice" to apply here? I am currently advising the recipients to have their IT staff whitelist our IP addresses for spoofing but wanted to see what everyone else thinks.
    Thanks...

    Jason, some mail gateways are configured to check SPF records and others block inbound mail with domain spoofing. It's a tough task to get the BCC messages through. I'm sure some other folks in the forum might have a work around (temp).
    Since you host your own keys (IEA) with push method (envelopes), why not use the manage messages section on the left pane for external users to retrieve their sent mail?
    Cheers,
    Kishore
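The rejection Kishore describes can be reproduced on paper with SPF. The recipient's gateway evaluates SPF on the envelope sender (MAIL FROM) against the connecting IP; if the IEA sends the "BCC me" copy with the external user's own address as envelope sender, the IEA's address is not in that user's domain's SPF record and the result is fail. The Python below is an added example, not IEA or Cisco code: a minimal RFC 7208 evaluator covering only the ip4, include and all mechanisms, run against constructed TXT records for invented domains (recipient.example, iea-operator.example, appliance addresses in 192.0.2.0/24). If the IEA only rewrites the header From and keeps its own envelope sender, the rejecting gateways are more likely applying a header-From spoofing rule or DMARC alignment, which this example does not model.

```python
import ipaddress

# SPF qualifier to result mapping (RFC 7208 section 4.6.2).
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed TXT records for invented domains, not real zones.
# recipient.example is the external user's domain; iea-operator.example is the
# organisation running the IEA, whose appliances sit at 192.0.2.10 and .11.
DNS_TXT = {
    "recipient.example": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "iea-operator.example": "v=spf1 ip4:192.0.2.10 ip4:192.0.2.11 -all",
}


def check_spf(sender_ip, mail_from_domain, dns=DNS_TXT, depth=0):
    """Evaluate the ip4, include and all mechanisms of an SPF record.

    Returns pass/fail/softfail/neutral/none/permerror like a real checker, but
    resolves against the in-memory DNS_TXT table instead of live DNS. Any other
    mechanism (a, mx, exists, redirect=) yields permerror in this toy version.
    """
    if depth > 10:
        return "permerror"  # include loop or too many lookups
    record = dns.get(mail_from_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return RESULT[qualifier]
        mech, _, arg = term.partition(":")
        if mech == "ip4":
            if ip in ipaddress.ip_network(arg, strict=False):
                return RESULT[qualifier]
        elif mech == "include":
            # include: matches only when the referenced record returns pass.
            if check_spf(sender_ip, arg, dns, depth + 1) == "pass":
                return RESULT[qualifier]
        else:
            return "permerror"
    return "neutral"  # record ended without an 'all' term


def bcc_scenario(iea_ip="192.0.2.10"):
    """Compare the two envelope-sender choices for the IEA's 'BCC me' copy."""
    return {
        # As deployed in the post: the copy carries the external user's own
        # domain, so it fails the recipient's SPF and looks like spoofing.
        "mail_from_recipient_domain": check_spf(iea_ip, "recipient.example"),
        # Alternative: the copy goes out with the IEA operator's own domain as
        # envelope sender, which that domain's SPF record authorises.
        "mail_from_operator_domain": check_spf(iea_ip, "iea-operator.example"),
    }


if __name__ == "__main__":
    for case, verdict in bcc_scenario().items():
        print(case, "->", verdict)
```

Asking recipients to "whitelist our IPs for spoofing" amounts to asking each recipient domain to add the IEA addresses to its SPF record or exempt them from its anti-spoofing rule. Sending the copy from your own domain, or having external users retrieve it from the IEA's sent-messages view as suggested above, is the option that does not depend on every recipient's IT staff.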

  • Encrypted/Unscannable Messages

    Good Afternoon,
    We have a sender that is sending PGP Encrypted .pdf files to us.  The e-mail and attachment "pass" the test for Encrypted Messages because Ironport allows PGP encryption.  The problem is our next step in the Anti-Virus process.  The Unscannable rule "flags" this e-mail because it can't scan the attachment because of the encryption.
    Is there a "workaround" that we could implement so this wouldn't happen?
    Thanks,
    Doug

    Since the attachment is encrypted it cannot be intelligently scanned.
    The only option I can see in the ironport C-Series is to change the Incoming Mail Policy, Antivirus, Encrypted and/or Unscannable Messages Action to Deliver. If you don't want to do this for everyone, create a separate policy group for this sender where the above is done.
    I'm not too familiar with Ironport Encryption Appliance. Some systems of that type allow managing keys for specific external email addresses, though they are generally geared for outbound email flow they do handle replies.

  • PXE-E61 error, but my HD is OK

    My laptop is a Satellite A55-S306 which, until yesterday, has given little trouble in the past.  I have not added new hardware, nor have I modified the boot order.
    I am getting a PXE-E61 Media Test Failure when I power up the machine.  It also says that the \WINDOWS\SYSTEM32\CONFIG\SYSTEM file is missing or corrupted, but this message only appears after the PXE-E61 failure message.  The problem occurred while I was out of town and the system hibernated, but it probably came awake to service an automated JungleDisk backup.  When I returned, the system was powered up with the "SYSTEM file corrupted" message on the screen.
    I don't remember with certainty how to get into the boot order menu, and have not been able to.  I am able to get into the pre-boot setup menu using Esc, and it has lots of options, not including boot order.  I have tried various F keys, including F2, F8, F10, F12, but these seem to do nothing.
    In any case, I think the boot order is working, because I am able to load a CD and boot from it.
    I have SeaTools on CD, and I used this to test the hard drive (long test).  It passed with no errors detected, so I believe that the disk drive is available and the formatting is OK.
    I also have an Acronis recovery CD, with their Disk Director and backup applications on it.  Booting from this, I am able to see the C: partition on the hard drive.  Using the backup application, I am able to explore the various directories and they look normal.  I even commanded a full backup of the C: partition to an external USB drive, and this completed without error.
    About the only thing I can think of is that there is a problem with the boot sector on the hard drive, or the Windows system files have been corrupted somehow.  I have not been able to command an fsck on the drive, because I don't have that on bootable CD and haven't been able to get far enough on the HD to do so.  I tried using Acronis restore to copy the old version of the SYSTEM file, but this failed with some weird message.
    I can restore C: with an Acronis full backup from last month (made with the Acronis bootable CD), but is there a way to avoid rolling back that far?  And I'm not positive even this will solve the problem.
    Suggestions would be appreciated!

    Thank you very much, anarchy_1024, for your advice -- it was most helpful.  Now for the rest of the story:
    I attempted to restore the entire \WINDOWS\SYSTEM32\CONFIG folder from Acronis full backup, but it insisted (correctly) that the folder was corrupted.  So I went looking for a chkdsk that I could run from CD, since I could not get XP up to command it from there.
    I ended up downloading and building an Ultimate Boot CD for Windows (UBCD4WIN), and ISO Recorder to allow me to burn the resulting ISO file to CD.  This took a while, but gave me an XP system on CD with lots of diagnostics, including chkdsk.
    Using the A43 File Management Utility to view C:, a spot check revealed no problems *except* for the \WINDOWS\SYSTEM32\CONFIG folder, which couldn't be viewed because it was corrupted.  I ran chkdsk and it found several index errors and recovered 22 "orphaned" files, which appear to be the contents of the corrupted directory.  Finally, I ran MemTest86, which found no errors.  After all of this, I rebooted to the hard drive and it came up fine!  It has been an arduous odyssey, but the bottom line is that the system is recovered (crossing my fingers when I say that), and I did not have to fall back to a 3-week-old backup state.  I still have no idea what caused the folder to be corrupted, but it probably should reinforce the notion that one should run chkdsk on the system disk periodically.
    One anomaly is that the PXE-E61 error is still there, but then XP boots up fine.  I expect this is because my boot device order includes some device, USB or CD, before the HD, which causes the error, but then the boot sequence finds the HD and all is well.  I just never noticed this error message before, since it never caused a problem.
    At this point, I would recommend anyone build and keep a UBCD4WIN CD around, just in case.  I will mention 2 glitches in building it:
      1.  Like probably most consumers, my system didn't include a Windows Install CD.  BUT all the install files are on the hard drive, in C:\I386 (this is an old Compaq system).  All I had to do, in the UBCD4WIN build program, was to specify "C:\" as the Windows source directory, and all went well.
      2. My first build of UBCD4WIN was too big for a CD.  Since I didn't have a DVD burner handy, I did another build, disabling stuff I didn't plan on using (Firefox and Spyware software, mostly), bringing down the ISO size to under 600 MB, and that worked fine.  It is very easy to do consecutive builds, customizing between builds, since the builder stays up until you close it.
