Restoring Vault Service on AsyncOS 15.0.2, 15.5.1 and later for Secure Email Gateway (SEG)

Available Languages

Download Options

  • PDF     (169.8 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (239.2 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (211.5 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:March 20, 2024
Document ID:221803

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document provides the instructions for restoring the Vault service on your Cisco Secure Email Gateway.

    Requirements

    Cisco recommends that you have knowledge of AsyncOS for Secure Email Gateway version 15.0.2, 15.5.1 and later versions.

    Components Used

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Background Information

    This Techzone article describes common scenarios encountered in the field that could impact the Cisco AsyncOS for Secure Email Gateway. This article also guides you to perform troubleshooting steps to restore functionality.

    The Secure Email Gateway AsyncOS 15.5.1 and above generates alerts stating, “The vault is down, and some of the services may not work correctly.” Or “The vault health check has failed.

    On AsyncOS 15.0.2, errors would be seen during commit of changes to the appliance as well as within error logs stating "Vault Error". Alerts would not be generated on AsyncOS 15.0.2.

    Note: If the device command line is accessible, use the fipsconfig -> encryptconfig CLI command to determine if the encryption is enabled. The vault failure alerts also contain this information.

    Scenario 1: Cisco Secure Email Gateway (SEG) vault is not initialized, and encryption is disabled.

    1. Log in to the Secure Email Gateway through a direct SSH connection using the mentioned credentials:

    username: enablediag

    password: admin user's password

    After successful authentication, the enablediag menu is displayed.

    enablediag

    Note: These steps are also applicable to Async OS 15.0.1 when encryption is not enabled.

    2. From the menu, enter command recovervault. Confirm with 'Y' and press Enter.

    recovervault

    3. Enter 2, if encryption is disabled to perform a Vault Recovery process. It can take a few seconds to complete.

    4. Log in to Secure Email Gateway with admin user credentials after the process is complete and reboot the appliance. Monitor your email gateway for a couple of hours for any vault alerts.

    NoteIf you require assistance at any point or if the steps provided do not fix the issue, contact the Cisco Technical Assistance Center (TAC).

    Scenario 2: Cisco Secure Email Gateway (SEG) vault is not initialized, and encryption is enabled.

    Note: For appliance's running AsyncOS 15.0.1 encountering vault errors with encryption enabled, Graphical User Interface (GUI) or Command Line Interface (CLI) of Secure Email Gateway can become inaccessible. If this occurs, access the Secure Email Gateway using serial console with enablediag user and contact TAC with service access details.

    If the device is accessible through CLI, perform the following steps:

    1. Log in to the Secure Email Gateway through a direct SSH connection using the mentioned credentials:

    username: enablediag

    password: admin user's password

    After successful authentication, the enablediag menu is displayed.

    enablediag

    CautionEnsure you have a copy of the device’s saved configuration with encrypted passwords available that can be loaded back into the device. Using the vault recovery command on systems with encryption enabled resets encrypted variables to their default factory value and needs to be reconfigured.

    2. From the menu, enter command recovervault. Confirm with 'Y' and press Enter.

    recovervault

    3. Enter 1, if encryption is enabled to perform a Vault Recovery process. It can take a few seconds to complete.

    4. Log in to Secure Email Gateway with admin user credentials after the process is complete and reboot the appliance. Monitor your email gateway for a couple of hours for any vault alerts.

    5. Load a copy of the device's saved configuration to restore encrypted variables.

    NoteIf you require assistance at any point or if the steps provided do not fix the issue, contact the Cisco Technical Assistance Center (TAC).

    Related Information

    Revision History

    Revision Publish Date Comments
    1.0
    19-Mar-2024
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Aaron Vega
      Cisco Engineering
    • Libin Varghese
      Cisco Engineering

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products