Field Notice: FN - 72210 - Email Security Appliance Talos Intelligence Connection Update - Software Upgrade Recommended

Available Languages

Updated:September 21, 2021

Document ID:FN72210

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Notice

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Revision History

Revision	Publish Date	Comments
1.0	14-Sep-21	Initial Release

Products Affected

Affected OS Type	Affected Software Product	Affected Release	Affected Release Number
NON-IOS	AsyncOS for Secure Email	10	10.0.1
NON-IOS	AsyncOS for Secure Email	11	11.0.0, 11.0.3, 11.1.0
NON-IOS	AsyncOS for Secure Email	12	12.0.0, 12.1.0, 12.5.0

Defect Information

Defect ID	Headline
CSCvy61108	Talos SDSv2 Infrastructure Migration impact on ESA

Problem Description

A change to the Cisco Talos infrastructure will be implemented on 2022-02-01. This will result in new hostnames and IP addresses that are used for communication between the Cisco Secure Email Appliance (ESA) and the Talos Cloud Services for ESA versions earlier than 13.5. In order to ensure a continuation of service, you are encouraged to upgrade ESAs to the latest version. If an upgrade is not possible, changes to hostnames and your firewall Access Control Lists (ACLs) will be required to avoid service disruption.

Background

Cisco Talos is modernizing its intelligence delivery system to better support Cisco customers. For this reason, an update to the connections to the Cisco Talos Cloud services is required.

Problem Symptom

If an upgrade is not done or the hostname and firewall changes are not made, the customer will experience a loss of the service that provides Sender Domain Reputation (SDR), Web Categorization, and Web Reputation.

Once our Talos team transitions to the new infrastructure for URL Filtering and SDR, the IP addresses in use for these services will change. At that time, if firewall ACLs are in place to only allow outbound access to specific IP addresses from your ESA, URL Filtering and SDR might begin to fail. The specific log entries observed will vary depending on the firewall configuration.

For firewalls that are configured to refuse connections, you will see this error for failed URL Filtering attempts:

Tue Aug 17 15:16:06 2021 Warning: MID 123 Error doing URL lookup: webint: SDS client reports error for request 5087.1629238565 - Request failed with code: 7 (Failed to connect to v2.sds.cisco.com port 443: Connection refused)

If the firewall is configured to drop the connection, the connection will time out and produce this error:

Tue Aug 17 15:22:36 2021 Warning: MID 456 Error doing URL lookup: Request failed with code: 28 (Connection timed out after 5000 milliseconds)

For SDR, both firewall configurations will result in the same error:

Tue Aug 17 15:22:30 2021 Info: MID 456 SDR: Message was not scanned for Sender Domain Reputation. Reason: Unknown error.

In addition to the loss of scanning functionality, work queue performance might also be severely degraded.

You might also encounter degraded SDR performance, with or without firewall ACLs, if the SDR hostname is not changed by the time the transition takes place. Once the transition occurs, the v2.sds.cisco.com hostname will still be available, but it will then point to a service that is no longer optimized for both URL Filtering and SDR. Instead, it will only be optimized for URL Filtering.

Workaround/Solution

Where possible, upgrade your ESA to AsyncOS Version 14.0 or later.

If an upgrade is not possible, these changes ensure continuity of Talos Intelligence connectivity:

Change the current SDR hostname to sdr-rest.sds.cisco.com with the sdradvancedconfig CLI command to configure advanced parameters:

mail.example.com > sdradvancedconfig
Enter SDR query timeout in seconds [5]> 3
Enter the Domain Reputation service hostname
[sdr-rest.sds.cisco.com ]>
Do you want to verify server certificate? [Y]>
Enter the default debug log level for RPC server: [Info]>
Enter the default debug log level for HTTP Client: [Info]>
Do you want exception list matches based on envelope-from domain only? [Y]>

Change the current SDSv2 hostname to v2-sds-esa-pre-13-5.talos.cisco.com with the websecurityadvancedconfig CLI command:

> websecurityadvancedconfig
Enter URL lookup timeout (includes any DNS lookup time) in seconds:
[15]>
Enter the URL cache size (no. of URLs):
[1215000]>
Do you want to disable DNS lookups? [N]>
Enter the maximum number of URLs that should be scanned:
[100]>
Enter the Web security service hostname:
[v2-sds-esa-pre-13-5.talos.cisco.com]>
Enter the threshold value for outstanding requests:
[20]>
Do you want to verify server certificate? [Y]>
Enter the default time-to-live value (seconds):
[30]>
Do you want to include additional headers? [N]>
Enter the default debug log level for RPC server:
[Info]>
Enter the default debug log level for SDS cache:
[Info]>
Enter the default debug log level for HTTP client:
[Info]>

Add these IP addresses to your firewall allow list:

IPv4	IPv6
146.112.59.0/24 146.112.62.0/24 146.112.63.0/24 146.112.255.0/24	2a04:e4c7:fffe::/48 2a04:e4c7:ffff::/48

IPv4

IPv6

146.112.59.0/24

146.112.62.0/24

146.112.63.0/24

146.112.255.0/24

2a04:e4c7:fffe::/48

2a04:e4c7:ffff::/48

Check the connectivity status in order to ensure a successful connection to both SDSv2 and SDR:
1. Check the SDS connection in the GUI. The instructions are shown in Cisco Email Security Appliance - URL Filtering, Step 1:
  - Navigate to Security Services > URL Filtering.
  - Ensure that the “Cisco Web Security Service connection status” shows “Connected”.
2. Check the SDR connection via the sdrdiagnostics CLI command:
```
mail.example.com > sdrdiagnostics
1. Show status of the domain reputation service
[1]> 1
Connection Status: Connected
```

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

My Notifications—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.

Was this Document Helpful?

Feedback

Contact Cisco

Open a Support Case
(Requires a Cisco Service Contract)

This Document Applies to These Products

Secure Email Virtual Gateway