Introduction
This document provides the instructions for restoring the Vault service on your Cisco Secure Email Gateway.
Requirements
Cisco recommends that you have knowledge of AsyncOS for Secure Email Gateway version 15.0.2, 15.5.1 and later versions.
Components Used
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Background Information
This Techzone article describes common scenarios encountered in the field that could impact the Cisco AsyncOS for Secure Email Gateway. This article also guides you to perform troubleshooting steps to restore functionality.
A Secure Email Gateway running AsyncOS 15.5.1 and above generates alerts stating “The vault is down, and some of the services may not work correctly.” or “The vault health check has failed.”
On AsyncOS 15.0.2, errors appear when changes are committed to the appliance, and the error logs state "Vault Error". AsyncOS 15.0.2 does not generate alerts.
Note: If the device command line is accessible, use the fipsconfig -> encryptconfig CLI command to determine whether encryption is enabled. The vault failure alerts also contain this information.
Scenario 1: Cisco Secure Email Gateway (SEG) vault is not initialized, and encryption is disabled.
1. Log in to the Secure Email Gateway through a direct SSH connection using the mentioned credentials:
username: enablediag
password: admin user's password
After successful authentication, the enablediag menu is displayed.
Note: These steps are also applicable to AsyncOS 15.0.1 when encryption is not enabled.
2. From the menu, enter the command recovervault. Confirm with 'Y' and press Enter.
3. If encryption is disabled, enter 2 to perform the Vault Recovery process. It can take a few seconds to complete.
4. After the process is complete, log in to the Secure Email Gateway with admin user credentials and reboot the appliance. Monitor your email gateway for a couple of hours for any vault alerts.
Note: If you require assistance at any point or if the steps provided do not fix the issue, contact the Cisco Technical Assistance Center (TAC).
Scenario 2: Cisco Secure Email Gateway (SEG) vault is not initialized, and encryption is enabled.
Note: For appliances running AsyncOS 15.0.1 that encounter vault errors with encryption enabled, the Graphical User Interface (GUI) or Command Line Interface (CLI) of the Secure Email Gateway can become inaccessible. If this occurs, access the Secure Email Gateway through the serial console with the enablediag user and contact TAC with service access details.
If the device is accessible through CLI, perform the following steps:
1. Log in to the Secure Email Gateway through a direct SSH connection using the mentioned credentials:
username: enablediag
password: admin user's password
After successful authentication, the enablediag menu is displayed.
Caution: Ensure you have a copy of the device’s saved configuration with encrypted passwords available that can be loaded back into the device. Using the vault recovery command on systems with encryption enabled resets encrypted variables to their factory default values, and they need to be reconfigured.
2. From the menu, enter the command recovervault. Confirm with 'Y' and press Enter.
3. If encryption is enabled, enter 1 to perform the Vault Recovery process. It can take a few seconds to complete.
4. After the process is complete, log in to the Secure Email Gateway with admin user credentials and reboot the appliance. Monitor your email gateway for a couple of hours for any vault alerts.
5. Load a copy of the device's saved configuration to restore encrypted variables.
Note: If you require assistance at any point or if the steps provided do not fix the issue, contact the Cisco Technical Assistance Center (TAC).