THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Revision | Publish Date | Comments |
---|---|---|
1.0 | 14-Sep-21 | Initial Release |
Affected OS Type | Affected Software Product | Affected Release | Affected Release Number | Comments |
---|---|---|---|---|
NON-IOS | AsyncOS for Secure Email | 10 | 10.0.1 | |
NON-IOS | AsyncOS for Secure Email | 11 | 11.0.0, 11.0.3, 11.1.0 | |
NON-IOS | AsyncOS for Secure Email | 12 | 12.0.0, 12.1.0, 12.5.0 | |
Defect ID | Headline |
---|---|
CSCvy61108 | Talos SDSv2 Infrastructure Migration impact on ESA |
A change to the Cisco Talos infrastructure will be implemented on 2022-02-01. This will result in new hostnames and IP addresses that are used for communication between the Cisco Secure Email Appliance (ESA) and the Talos Cloud Services for ESA versions earlier than 13.5. In order to ensure a continuation of service, you are encouraged to upgrade ESAs to the latest version. If an upgrade is not possible, changes to hostnames and your firewall Access Control Lists (ACLs) will be required to avoid service disruption.
Cisco Talos is modernizing its intelligence delivery system to better support Cisco customers. For this reason, an update to the connections to the Cisco Talos Cloud services is required.
If an upgrade is not done or the hostname and firewall changes are not made, the customer will experience a loss of the service that provides Sender Domain Reputation (SDR), Web Categorization, and Web Reputation.
Once our Talos team transitions to the new infrastructure for URL Filtering and SDR, the IP addresses in use for these services will change. At that time, if firewall ACLs are in place to only allow outbound access to specific IP addresses from your ESA, URL Filtering and SDR might begin to fail. The specific log entries observed will vary depending on the firewall configuration.
For firewalls that are configured to refuse connections, you will see this error for failed URL Filtering attempts:
```text
Tue Aug 17 15:16:06 2021 Warning: MID 123 Error doing URL lookup: webint: SDS client reports error for request 5087.1629238565 - Request failed with code: 7 (Failed to connect to v2.sds.cisco.com port 443: Connection refused)
```
If the firewall is configured to drop the connection, the connection will time out and produce this error:
```text
Tue Aug 17 15:22:36 2021 Warning: MID 456 Error doing URL lookup: Request failed with code: 28 (Connection timed out after 5000 milliseconds)
```
For SDR, both firewall configurations will result in the same error:
```text
Tue Aug 17 15:22:30 2021 Info: MID 456 SDR: Message was not scanned for Sender Domain Reputation. Reason: Unknown error.
```
In addition to the loss of scanning functionality, work queue performance might also be severely degraded.
You might also encounter degraded SDR performance, with or without firewall ACLs, if the SDR hostname is not changed by the time the transition takes place. Once the transition occurs, the v2.sds.cisco.com hostname will still be available, but it will then point to a service that is no longer optimized for both URL Filtering and SDR. Instead, it will only be optimized for URL Filtering.
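The three log signatures above are the quickest way to tell, from the ESA mail logs alone, whether URL Filtering and SDR are still reaching Talos and whether the firewall is refusing (code 7) or silently dropping (code 28) the connection. The following Python script is an added example and is not part of this field notice or of Cisco's tooling: it classifies mail log lines by symptom, counts them per service, and reports when a failed lookup still names the pre-migration hostname `v2.sds.cisco.com`. The sample log text is constructed for the example and modelled on the entries quoted in the notice; the message IDs and timestamps are invented.

```python
import re
from collections import Counter

# Constructed sample mail log lines, modelled on the entries quoted in this
# notice; timestamps and message IDs (MIDs) are made up for the example.
# The last line is a constructed healthy line that must not be flagged.
SAMPLE_MAIL_LOG = """\
Tue Aug 17 15:16:06 2021 Warning: MID 123 Error doing URL lookup: webint: SDS client reports error for request 5087.1629238565 - Request failed with code: 7 (Failed to connect to v2.sds.cisco.com port 443: Connection refused)
Tue Aug 17 15:22:36 2021 Warning: MID 456 Error doing URL lookup: Request failed with code: 28 (Connection timed out after 5000 milliseconds)
Tue Aug 17 15:22:30 2021 Info: MID 456 SDR: Message was not scanned for Sender Domain Reputation. Reason: Unknown error.
Tue Aug 17 15:23:01 2021 Info: MID 789 Message finished MID 789 done
"""

URL_LOOKUP_FAIL = re.compile(
    r"MID (?P<mid>\d+) Error doing URL lookup: .*Request failed with code: (?P<code>\d+)"
    r"(?: \((?P<detail>[^)]*)\))?")
SDR_NOT_SCANNED = re.compile(
    r"MID (?P<mid>\d+) SDR: Message was not scanned for Sender Domain Reputation")
HOST_IN_DETAIL = re.compile(r"Failed to connect to (?P<host>\S+) port \d+")

# Meaning of the two result codes as described in the notice.
CODE_SYMPTOM = {7: "connection refused (firewall rejects)",
                28: "connection timed out (firewall drops)"}


def classify_line(line):
    """Return a dict describing a Talos-connectivity symptom, or None."""
    m = URL_LOOKUP_FAIL.search(line)
    if m:
        code = int(m.group("code"))
        detail = m.group("detail") or ""
        host = HOST_IN_DETAIL.search(detail)
        return {"mid": int(m.group("mid")), "service": "url_filtering",
                "code": code, "symptom": CODE_SYMPTOM.get(code, "other failure"),
                "host": host.group("host") if host else None}
    m = SDR_NOT_SCANNED.search(line)
    if m:
        return {"mid": int(m.group("mid")), "service": "sdr", "code": None,
                "symptom": "message not scanned", "host": None}
    return None


def summarize(log_text):
    """Classify every line; return the events and a per-(service, symptom) count."""
    events = [e for e in map(classify_line, log_text.splitlines()) if e]
    counts = Counter((e["service"], e["symptom"]) for e in events)
    return events, counts


def stale_hostnames(events, legacy=("v2.sds.cisco.com",)):
    """Hostnames seen in failed lookups that are still the pre-migration name."""
    return sorted({e["host"] for e in events if e["host"] in legacy})


if __name__ == "__main__":
    evs, cnt = summarize(SAMPLE_MAIL_LOG)
    for (service, symptom), n in sorted(cnt.items()):
        print(f"{service:14} {symptom:40} {n}")
    print("failed lookups still using legacy hostname:", stale_hostnames(evs))
```

Run it against a `mail_logs` export instead of the sample text to see which of the two firewall behaviours you are dealing with; a non-empty `stale_hostnames` result after the transition date means the `websecurityadvancedconfig` hostname change has not been applied.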
Where possible, upgrade your ESA to AsyncOS Version 14.0 or later.
If an upgrade is not possible, these changes ensure continuity of Talos Intelligence connectivity:
```text
mail.example.com > sdradvancedconfig

Enter SDR query timeout in seconds [5]> 3
Enter the Domain Reputation service hostname [sdr-rest.sds.cisco.com ]>
Do you want to verify server certificate? [Y]>
Enter the default debug log level for RPC server: [Info]>
Enter the default debug log level for HTTP Client: [Info]>
Do you want exception list matches based on envelope-from domain only? [Y]>
```
```text
> websecurityadvancedconfig

Enter URL lookup timeout (includes any DNS lookup time) in seconds: [15]>
Enter the URL cache size (no. of URLs): [1215000]>
Do you want to disable DNS lookups? [N]>
Enter the maximum number of URLs that should be scanned: [100]>
Enter the Web security service hostname: [v2-sds-esa-pre-13-5.talos.cisco.com]>
Enter the threshold value for outstanding requests: [20]>
Do you want to verify server certificate? [Y]>
Enter the default time-to-live value (seconds): [30]>
Do you want to include additional headers? [N]>
Enter the default debug log level for RPC server: [Info]>
Enter the default debug log level for SDS cache: [Info]>
Enter the default debug log level for HTTP client: [Info]>
```
IPv4 | IPv6 |
---|---|
146.112.59.0/24 | 2a04:e4c7:fffe::/48 |
146.112.62.0/24 | 2a04:e4c7:ffff::/48 |
146.112.63.0/24 | |
146.112.255.0/24 | |
```text
mail.example.com > sdrdiagnostics

1. Show status of the domain reputation service
[1]> 1

Connection Status: Connected
```
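`sdrdiagnostics` confirms the SDR side from the appliance, but it does not tell you whether your firewall ACLs cover every published range, nor whether the new hostnames resolve into those ranges from your network. The following Python script is an added example and is not part of this field notice or of Cisco's tooling: it resolves the two new hostnames, flags any address that falls outside the IPv4/IPv6 ranges listed above, and reports which published ranges a firewall's permitted prefixes (supplied as CIDR strings) fail to cover. The `resolver` parameter exists so the check can be run offline with constructed addresses; the resolver, the `audit` function and the ACL input format are this example's own assumptions.

```python
import ipaddress
import socket

# Address ranges listed in this notice for the migrated Talos services.
TALOS_RANGES = [ipaddress.ip_network(n) for n in (
    "146.112.59.0/24", "146.112.62.0/24", "146.112.63.0/24", "146.112.255.0/24",
    "2a04:e4c7:fffe::/48", "2a04:e4c7:ffff::/48")]

# Hostnames the workaround configures on the ESA.
NEW_HOSTNAMES = ("sdr-rest.sds.cisco.com", "v2-sds-esa-pre-13-5.talos.cisco.com")


def resolve_all(hostname):
    """Resolve a hostname to all of its IPv4 and IPv6 addresses (live DNS)."""
    addrs = set()
    for info in socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP):
        addrs.add(ipaddress.ip_address(info[4][0]))
    return sorted(addrs, key=lambda a: (a.version, int(a)))


def in_allowlist(addr, ranges=TALOS_RANGES):
    """True if addr falls inside one of the published ranges (either family)."""
    addr = ipaddress.ip_address(addr)
    # Membership across address families is simply False, so v4 and v6 can mix.
    return any(addr in net for net in ranges)


def missing_from_acl(acl_permits, required=TALOS_RANGES):
    """Published ranges not fully covered by the firewall's permitted prefixes.

    acl_permits is a list of CIDR strings taken from the outbound ACL
    (assumed input format for this example).
    """
    permitted = [ipaddress.ip_network(p, strict=False) for p in acl_permits]
    return [str(r) for r in required
            if not any(r.version == p.version and r.subnet_of(p) for p in permitted)]


def audit(hostnames=NEW_HOSTNAMES, resolver=resolve_all):
    """Resolve each new hostname and flag addresses outside the published ranges.

    resolver is injectable so the check can run without DNS (hypothetical
    parameter for this example); it must return a list of addresses.
    """
    report = {}
    for host in hostnames:
        addrs = resolver(host)
        report[host] = {
            "addresses": [str(a) for a in addrs],
            "outside_allowlist": [str(a) for a in addrs if not in_allowlist(a)],
        }
    return report


if __name__ == "__main__":
    for host, r in audit().items():
        status = "OK" if not r["outside_allowlist"] else "CHECK ACL"
        print(f"{host}: {r['addresses']} -> {status}")
    print("ranges not covered by a /16-only ACL:",
          missing_from_acl(["146.112.0.0/16"]))
```

An address reported under `outside_allowlist` is worth a second look before the transition date: either the published list has been updated since this notice or the resolver you are querying is not the one the ESA uses.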
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods: