Replace Faulty IronPort ESA in a Cluster

I have a cluster of 2 IronPort ESA appliances and one of these is faulty and will not boot. I am awaiting a replacement from Cisco.
I cannot find an exact guide that explains how to reinstate the new appliance to the cluster and therefore am making an assumption that the easiest way to do this is as follows:
1) Physically connect the new device.
2) Login with console and ensure the new device has centralised management feature and all other keys.
3) Configure the management interface with the original machine level IP address from the old configuration of the faulty device.
4) Use Clusterconfig command to join new device to cluster.
The only thing I am concerned about is licensing and serial numbers. I seem to remember that the primary cluster device will check the serial number at some point and therefore if it's a new device then it will not join the cluster. If this is the case then I assume we would have to remove the original device from the cluster and add the new one as a brand new one. This would mean all other machine level configuration would be lost such as IP addresses of Data interfaces and DNS names etc.
Can anyone clarify please. Also can anyone point me to which configuration is required for machine level only.
Regards
Paul Tribe

So - to help out - yes... it would be pretty much...
1) Once you get the RMA appliance, rack and cable the appliance, and bring it online with the quickstart guide.  We'll call this ESA3.
2) Once ESA3 is online - you'll need to make sure that you get the RMA on the same matching AsyncOS version as ESA1.  (*This may mean you'll need to upgrade ESA1 to get a compatible revision running...)  Also, just go ahead and make the IP and hostname the same as you had for ESA2... if not done at quickstart.
3) Once the version is matching - just transfer over the license/feature keys from the old ESA2 to your new ESA3 (RMA unit):
http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118000-technote-esa-00.html
4) Once licensing is completed - just join to cluster.  (*If you are running 8.5.6 --- clustering is included in the release --- just run clusterconfig on the CLI to assure operation.)  From ESA1, running clusterconfig and removemachine - choosing ESA2.  From ESA3, clusterconfig and join cluster:
http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118174-technote-esa-00.html
I hope this helps!
-Robert
(*If you have received the answer to your original question, and found this helpful/correct - please mark the question as answered, and be sure to leave a rating to reflect!)

Similar Messages

  • IronPort ESA - HA and Dual Homing

    Hello, I have a customer that wants to do an HA and Dual Homing implementation. I want to ask what is the best way to implement HA for IronPort ESA? As I know, the cluster configuration is only used so the policy can be distributed equally. And what about the dual-homing scenario? Is it supported with IronPort, and how does it work?
    Regards
    Alkuin Melvin

    What exactly do you mean by multi-homing? Ironport email appliances support configuration of multiple interfaces (physical or vlan) , to which you can then attach Listeners (SMTP processes). You could thus configure your servers to receive or send email on multiple IP addresses, depending on your network config.
    Sent from Cisco Technical Support iPad App

  • How do i change the $Date variable format on an Ironport ESA to be DD/MM/YYYY

    I have an Ironport ESA running AsyncOS 7.6 and I use the $Date variable in notification emails.  It is currently formatted in the US way of MM/DD/YYYY but we need it to be formatted as DD/MM/YYYY.  Is there any way to do this?  The time zone is correct but I can't find anywhere to modify system variables.

    There doesn't appear to be any way to change the formatting of that variable.  Perhaps you can make use of $Timestamp or $GMTimeStamp instead?

  • Has anyone upgraded the Ironport ESA to 8.5.6-074 and had the issues of Raid status showing unknown?

    Has anyone upgraded the Ironport ESA to 8.5.6-074 and had the issues of Raid status showing unknown? After we upgraded our appliances we are having issues with our ESA appliances showing the RAID status as unknown. When we reported the issue to CISCO we were updated there were no issues reported at all. Could anyone please confirm if you have experienced the same issue. 

    You should see OPTIMAL - meaning the drives in the C170 are in good health/status:
    myc680.local> version
    Current Version
    ===============
    UDI: C680 V FCH1611V0B2
    Name: C680
    Product: Cisco IronPort C680 Messaging Gateway(tm) Appliance
    Model: C680
    Version: 8.5.6-074
    Build Date: 2014-07-21
    Install Date: 2014-07-29 11:16:34
    Serial #: xxx-yyy1611Vzzz
    BIOS: C240M3.1.4.5.2.STBU
    RAID: 3.220.75-2196, 5.38.00_4.12.05.00_0x05180000
    RAID Status: Optimal
    RAID Type: 10
    BMC: 1.05
    There are times post-reboot, that you'll see and get notification of RAID sub-optimal --- meaning that the appliance is running through on a health-check of the appliance's RAID.  You should be getting a notification once RAID status has returned to OPTIMAL, or as per the older OS revisions, READY:
    myc170.local> version
    Current Version
    ===============
    UDI: C170 V01 FCH1428V06A
    Name: C170
    Description: Cisco IronPort C170
    Product: Cisco IronPort C170 Messaging Gateway(tm) Appliance
    Model: C170
    Version: 7.6.3-019
    Build Date: 2013-06-09
    Install Date: 2014-09-12 13:52:24
    Serial #: xxxxxxD87B39-yyyyyy8V06A
    BIOS: 9B1C115A
    RAID: 02
    RAID Status: READY
    RAID Type: 1
    BMC: 2.01
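    Two checks in this page lend themselves to a small script: Robert's step 2 in the cluster-replacement answer (the RMA unit must be on the same AsyncOS revision as ESA1 before `clusterconfig` joins it) and the RAID question above (status should read Optimal, or READY on older releases, and "Unknown" deserves a look). The following Python is an added example, not code from the thread or from Cisco; it assumes you have captured the `version` CLI output of each appliance into text (for instance over SSH) and feeds it constructed sample output modelled on the transcripts above, with placeholder serials. It says nothing about licensing or feature keys, which the thread handles separately.

```python
import re

# Constructed sample output modelled on the `version` transcripts in this thread.
# ESA1 is the healthy surviving cluster member; ESA3 is a hypothetical RMA unit
# that was racked but not yet upgraded, and whose RAID has not finished its
# post-boot health check.
ESA1_VERSION = """\
Current Version
===============
UDI: C680 V FCH1611V0B2
Name: C680
Product: Cisco IronPort C680 Messaging Gateway(tm) Appliance
Model: C680
Version: 8.5.6-074
Build Date: 2014-07-21
Install Date: 2014-07-29 11:16:34
Serial #: xxx-yyy1611Vzzz
BIOS: C240M3.1.4.5.2.STBU
RAID: 3.220.75-2196, 5.38.00_4.12.05.00_0x05180000
RAID Status: Optimal
RAID Type: 10
BMC: 1.05
"""

ESA3_VERSION = """\
Current Version
===============
UDI: C680 V FCH1611V0B3
Name: C680
Model: C680
Version: 8.0.1-023
Install Date: 2015-01-10 09:00:00
Serial #: xxx-yyy1611Vqqq
RAID Status: Unknown
RAID Type: 10
"""

# "Optimal" is what 8.5.x reports; older AsyncOS releases report "READY".
HEALTHY_RAID = {"optimal", "ready"}


def parse_version(text):
    """Turn `version` output into a dict of 'Field': 'value' pairs.

    Lines without a colon (the banner and the ===== rule) are skipped.
    """
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z][A-Za-z #]*?):\s*(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def version_tuple(version):
    """'8.5.6-074' -> (8, 5, 6, 74), so revisions compare numerically."""
    release, build = version.split("-")
    return tuple(int(part) for part in release.split(".")) + (int(build),)


def raid_state(fields):
    """Classify RAID Status as 'ok', 'unknown' or 'degraded'."""
    status = fields.get("RAID Status", "").lower()
    if status in HEALTHY_RAID:
        return "ok"
    if not status or status == "unknown":
        return "unknown"
    return "degraded"  # e.g. a sub-optimal/rebuilding array


def preflight(joining, existing):
    """Reasons NOT to run `clusterconfig` join yet; empty list means go ahead."""
    problems = []
    if version_tuple(joining["Version"]) != version_tuple(existing["Version"]):
        problems.append("AsyncOS mismatch: joining unit %s, cluster %s"
                        % (joining["Version"], existing["Version"]))
    if joining.get("Model") != existing.get("Model"):
        problems.append("Model mismatch: %s vs %s"
                        % (joining.get("Model"), existing.get("Model")))
    state = raid_state(joining)
    if state != "ok":
        problems.append("RAID status on joining unit is %s (%r)"
                        % (state, joining.get("RAID Status")))
    return problems


if __name__ == "__main__":
    esa1 = parse_version(ESA1_VERSION)
    esa3 = parse_version(ESA3_VERSION)
    for problem in preflight(esa3, esa1) or ["ready to join cluster"]:
        print(problem)
```

    Run against the constructed samples it reports the AsyncOS mismatch and the Unknown RAID status and stays silent on the model, which matches. A RAID status other than Optimal/READY right after a reboot is usually the health check Robert describes; re-run `version` once the notification says it has returned to Optimal before treating it as a hardware fault.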

  • IronPort ESA 170 Upgrade Failed

    Hi All,
    We have just got two IronPort ESA 170 appliances delivered.
    I started off with upgrading the firmware from version 7.5.2-101 to 7.6.3-019. One of the appliances got upgraded fine. However, I am getting an error on the other one. Exactly when the upgrade reaches 72% it throws the error "The following error occured during upgrade: Upgrade exited without success. Please attempt upgrade again after clearing the error". Attached is the screenshot.
    I tried upgrade three times and got the same error all the time. Just wanted to know if anyone else has faced anything similar before raising a TAC. Is it because of disk space issue?
    Please assist.
    Thanks in advance.
    Faiz

    If you try to upgrade more than once and you keep getting the same error at the same time, then you could think about bandwidth control in the network or web traffic redirection.
    A packet capture could help finding more info about what can be the case or you may want to go through TAC. With remote access to your appliance they can identify if the issue is with your appliance or not. And if it is not, they may be able to assist you identifying the cause.
    Last but not least, you can try Local Upgrade. Please refer to the Technical Article below.
    =============================================
    Comprehensive Guide to Local Upgrade Servers
    Knowledge Base Answer ID: 1558
    http://tools.cisco.com/squish/212fd
    I hope this helps. If that is the case, please mark the question as answered.
    Regards,
    -Valter

  • Replacing a TFTP server in a cluster

    Replacing a TFTP server in a cluster and with everything else being the same minus the MAC address on the NIC, are there any issues I could possibly run into here?
    Thank you for the help the server is an MCS7845H2.

    No issues, MAC address is irrelevant on TFTP as it only matters on the Pub, simply install CUCM on the new server assigning the same IP and hostname and then restore from backup.

  • Ironport ESA behind a NAT address

    I know it is recommended to give an IronPort ESA a public IP on a dedicated interface to take advantage of the reputation checking etc.  I believe this is so it receives the email from the original sender IP, and if you put a relay between the IronPort and the original sender you break this.  I know there are some things you can turn on in this case, but my question is: if I NAT from an external IP to the IronPort's internal IP, this shouldn't lose the feature because the origin IP doesn't change and the connection is still direct to the IronPort, not via a relay.  Is this correct?  Will I lose any functionality if I NAT the IronPort?  The reason I'm asking is I don't have a free IP to give just to the IronPort but have others I can reuse since SMTP is not in use on these IPs.

    Hi Lance,
    Using NATed IP address does not break any of the ESA functionality including reputation filtering. The ESA is only looking at the source IP address for inbound connections and if the firewall is not changing the source IP, ESA will be able to perform reputation filtering without issues.
    Using another MTA before the ESA will include a little bit of complexity. However, even with that it is possible to perform reputation filtering using combination of "Incoming Relay" feature and content/message filters.
    Regards,
    Rehan Latif

  • Replacing Faulty FWSM module in Cluster

    Hi,
    We have a faulty FWSM module in Cisco 6509 switch in Active/Standby cluster mode
    We have purchased a refurbished FWSM module to replace it. It has the same FWSM OS 4.0 (4) and is in factory default configuration
    What procedures should I follow to make this unit live and sync the config between the current active unit to this one.
    Can one of you please explain me the steps and if an link to an article which explains this will be great
    Thanks,
    Chandru

    Hi Bro
    Firstly, insert the newly purchased refurbished Cisco FWSM module into the slot where the faulty Cisco FWSM module was originally located. Second, paste the configuration from the working unit into this newly purchased refurbished Cisco FWSM module. Note: Please do ensure that under the failover commands, one side is primary and the other side is secondary. Lastly, issue the command show failover to ensure the failover status, i.e. NORMAL, is in good working condition.
    I’ve done this countless times, you should do just fine. This is easy.
    http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/fail_f.html
    Regards,
    Ram

  • Replace faulty iPod - now some vodcasts in my Library no longer sync to Pod

    My iPod was in use for a day when I realized it had a faulty switch. Apple replaced it with no problem.
    There had been on the first Pod a number of free Vodcasts, but I had actually played only two of them before exchanging for the new iPod.
    Now, I cannot get these two vodcasts to get onto the iPod, although they are in my podcast Library. I have deleted and re-downloaded them. That did not solve it.
    Since I began with a clean iPod, the problem must reside with some file in iTunes that "knows" I played these vodcasts, and assumes I don't want them synced. How do I fix this cleanly?
    PowerBookG4   Mac OS X (10.4.3)  

    Hello jingle101,
    Congratulations on your new computer, and thank you for providing the details of the issue you are experiencing with your purchased audiobooks.  I recommend following the steps in this article:
    iTunes repeatedly prompts to authorize computer to play iTunes Store purchases
    http://support.apple.com/kb/ts1389
    Thank you for using Apple Support Communities.
    Best,
    Sheila M.

  • Does Apple replace faulty MacBook Pro with retina in Asia?

    I bought a MacBook Pro with retina display in July 2012. Recently my MBPr developed some issues. I feel like something moves (or slides to and fro) inside the Mac when I take out the computer from the bag and hold it in my hand. I don't know whether I have been able to explain the issue as I'm not a native English speaker. I contacted the retailer I bought the Mac from. They told me they can only change the faulty parts if there are any, but they cannot replace the Mac for a new one because  Apple does not replace any Mac in Asia. The prerogative is only in Asia, Europe, Australia and the US. Is it really the case? If things turn out that Apple cannot make good on its warranty without replacing the Mac what shall they do in that case? Could you pls explain?

    As best I know, after 14 days Apple will repair your MBP for free if it is within the warranty period.  In rare instances, if they have not been able to repair it after several attempts, they may replace it.  I suggest contacting Apple and shipping your MBP to them for inspection/repair, or bringing it to an Apple store or an Apple reseller.
    Ciao.

  • How to replace bad sup in 4500 VSS cluster

    I have a Supervisor 7-E on its way to replace a bad one in a 4500 VSS cluster that handles my executive row and I've just realized I only have the foggiest idea what config is required to make it join the VSS cluster.
    I've looked and not found anything on point. Does anyone have a quick cheat sheet on how to do this?

    I actually was able to read between the lines of some different docs and came to the exact same conclusion. There is one BIG caveat that is not mentioned in your document and that is licensing.
    First, Cisco TAC is totally ill-equipped to understand how VSS affects commands output on the 4500 and was little to no help in the process. I figured out the other issues below on my own and basically told them what I needed
    The RMA'd unit will not have the correct license on it, it will only have LAN base which does not support VSS
    4500's are licensed per chassis, not per supervisor HOWEVER the supervisor(s) are where the license resides (on 4500 sup7/8)
    The "show license udi" and "license install <location>" command only run on the active supervisor. There is NO WAY that I could find to update the license on the inactive supervisor. If you replace a chassis or supervisor and add it to the VSS cluster before doing licensing, you will have to reboot the current active chassis before putting the correct license on it
    You are FAR better off getting the licensing straight before adding an RMA replacement supervisor/chassis to the VSS cluster than after.

  • Cisco Ironport ESA System setup wizard

    Hi all,
    I'm installing a Cisco ESA. I configured the IP of Data1 and Management and the Hostname with temporary data to enable feature keys.
    Now I have to migrate those parameters to the final configuration, except management. If I run the system setup wizard again, does it blow away
    the features installed and activated?
    Thanks
    smaikol

    If you re-run systemsetup again from the CLI - it will reset the IP and listeners you have configured, along with the network information associated.  You are presented the warning message from the CLI:  
    WARNING: The system setup wizard will completely delete any existing 'listeners' and all associated settings including the 'Host Access Table'
    - mail operations may be interrupted.
    </warning>
    The features themselves are still present and licensed, and should not change.  During the setup wizard prompts - you are asked if you want to use and enable the features - such as Anti-Spam, Anti-Virus:
    Do you want to use Anti-Spam scanning in the default Incoming Mail policy? [Y]> 
    Would you like to enable the Spam Quarantine? [Y]> 
    1. IronPort Anti-Spam
    2. Intelligent Multi-Scan
    3. Cloudmark Service Provider Edition
    Enter the number of the Anti-Spam engine you would like to use on the default Incoming Mail policy.
    []> 1
    IronPort selected for DEFAULT policy
    Do you want to use Anti-Virus scanning in the default Incoming and Outgoing Mail policies? [Y]> 
    1. McAfee Anti-Virus
    2. Sophos Anti-Virus
    Enter the number of the Anti-Virus engine you would like to use on the default Incoming and Outgoing Mail policies.
    []> 2
    Sophos selected for DEFAULT policy
    Do you want to use Anti-Malware scanning in the default Incoming Mail policies? [Y]> 
    Advanced Malware Protection selected for DEFAULT policy
    Do you want to enable Outbreak Filters? [Y]> 
    Outbreak Filters enabled.
    Allow the sharing of limited data with SenderBase? [Y]> 
    You have successfully configured Outbreak Filters and SenderBase.
    </setup>
    Usually, it is just simpler if you are re-IPing the ESA from a temporary IP to permanent IP to just change the information associated via ifconfig and modify the interface as needed, or on the GUI use Network > IP Interfaces.  
    -Robert

  • How to replace faulty Flex 7510 WLC on HA

    Hi guys,
    I have a faulty secondary 7510 controller (on HA) and going to replace with a new one. How do I go about this?
    What steps should I take?
    Anyone done this before?
    Thanks in advance.

    You need the new WLC and configure it as secondary with a few basic configuration settings, which I automate via a start-up script. Make sure the settings on the new WLC are the same as before on the secondary.
    Mobility MAC, redundancy port and MG are the same; the remaining info will be synced to the secondary WLC and failover occurs when the primary goes down.
    More detail is given as below.
    Ref: http://www.cisco.com/c/en/us/products/collateral/wireless/aironet-1130-ag-series/qa_c67-714540.html

  • Ironport ESA queue question?

    Greeting Expert
    Can anyone tell me how big the ESA queue size is? Let's say my Exchange server is down and I'm still receiving emails from the outside; IronPort will intercept these messages, but since Exchange is down will the messages stay in the queue to be delivered? How does the ESA manage these messages?
    Thanks

    See the following eKB article --->
    https://ironport.custhelp.com/app/answers/detail/a_id/695
    By default, mail is queued for 72 hours (259200 seconds) OR 100 retry attempts before it bounces to the original sender. 
    This setting is configurable from the command line (CLI): type "bounceconfig" and edit the "default" settings.  Also, you can modify this from the GUI interface by going to "Network > Bounce Profiles" and click on the Default profile.
    Also, the queue could fill up if there is too much mail. However, if the system reaches its storage limit, it will soft bounce further attempts by other mail servers to deliver more messages. This ensures that no messages will get lost, as these mail servers will reattempt message delivery as well until the ESA accepts messages again.
    Note: If you plan to shut down your internal mail server for maintenance for a longer period (more than a couple of hours), best practice is to suspend the incoming listeners on your Email Security Appliances as well (CLI: suspendlisteners). As mentioned before, in this case any connection attempts will be soft bounced, and retried later. This way, you leave the task of storing the messages to the sending mail server, which will prevent the mail queue on your email appliances from filling up quickly. No messages will be lost. However, once you have your internal mail server back in service, also resume the listeners on your Email Security Appliances (CLI: resume), to allow delivery from remote hosts again.
    I hope this helps!
    -Robert
    (*If you have received the answer to your original question, and found this helpful/correct - please mark the question as answered, and be sure to leave a rating to reflect!)

  • IronPort ESA SOX DLP

    I understand that the SOX DLP Policy on the ESA is configured for Corporate Financials, but what all does that entail? I am having a hard time discerning what all it catches.
    Can anyone provide a good idea of how to set the scale for the Severity Settings for that policy?

    Dan,
    Check your External DLP for any disconnects or network issues with the Ironport.  The load-balance is only for multiple external DLP servers and not multiple Ironports.
    Try to increase the reconnection attempts (10) to see if it helps.  It would be best to find out why the Ironport can't reach the DLP servers during such time frames. Check for any symptoms around such times, like load or other service kicking off.  Does it happen on exact time? These can give good hints as to why.
