Troubleshoot External Threat Feeds Top Reasons for Failure

Available Languages

Download Options

  • PDF     (201.2 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (245.2 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (172.8 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:April 25, 2023
Document ID:220420

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes several reasons for failure during External Threat Feed implementation, error analysis and actions for resolution.

    Prerequisites 

    There are no specific requirements, hence Cisco recommends that you have knowledge of these topics:

    • Cisco Secure Email Gateway (ESA)
    • External Threat Feeds (ETF)

    Components Used

    The information in this document is based on these software and hardware versions:

    • Cisco Secure Email Gateway (ESA) running software 12.x or later version

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Reason For Failures:

    The ETF Service is Either Disabled or There is no Valid Feature Key for Service

    (Machine esa03.taclab.krk) (SERVICE)> tail threatfeeds

    Press Ctrl-C to stop.
    Wed Sep 8 16:15:26 2021 Info: THREAT_FEEDS: A delta poll is scheduled for the source: Test_Poll_Path
    Machine: ‘esa03.taclab.krk'. A failure was encountered for the source 'Test_Poll_Path'. 
    Reason for failure: The ETF service is either disabled or there is no valid feature key for the service.

    Solution

    Ensure that:

    1. ETF Feature key installed properly.
    2. EULA accepted and Feature key enabled globally.
    3. Applied licenses on machine level. 

    Note: If there is a cluster-level, then it needs to copy the setting into machine level.

    Failed to Establish a New Connection: [Errno 110] Connection Timed Out

    (Machine esa03.taclab.krk) (SERVICE)> tail threatfeeds

    Press Ctrl-C to stop.
    Reason for failure: Taxii Error: HTTPSConnectionPool(host= otx.alienvault.comport, port=443): Max retries exceeded with url:  /taxii/poll/ (Caused by NewConnectionError('<requests.packages....
    Failed to establish a new connection: [Errno 110] Connection timed out',))

    Note: Connection timed out typically indicates a network related issue, which prevents ESA to get a response. Firewall/ Proxy checks are recommended and packet capture for deeper analysis.

    Solution

    1. Confirm Firewall and Proxy do not block the traffic.
      Proxy can be checked under GUI > Security Services > Service Updates.
    2. Confirm connectivity with Packet Capture. Navigate to GUI > Help and Support > Packet Capture.

    Tip: When there are indications of network relates issues, it is prudent to run packet captures in order to confirm that connection has been established properly.

    Reason for Failure: "400"

    (Machine esa03.taclab.krk) (SERVICE)> grep "Sep 6 13:38" threatfeeds
    Mon Sep 6 13:38:16 2021 Debug: THREAT_FEEDS: Failed to fetch observables from the source: Test_Poll_Path. Reason for failure: '400'
    Mon Sep 6 13:38:55 2021 Info: THREAT_FEEDS: The source 'Test_Poll_Path' is currently in a polling state and therefore a poll for this source cannot be initiated at this time.

    Note: RFC7231 Error 400 (Bad Request), indicates that server cannot or does not process the request due to something that is perceived to be a client error. Most of the times it appears due to malformed request syntax, or invalid request message framing.

    Solution

    Error "400” indicates that this Polling Path exists, but it points to a different service that TAXII server offers.

    1. Confirm Polling Path Configuration is configured with Poll request and not Discovery request.
    2. Confirm HTTPS is enabled under GUI > Mail Policies > External Threat Feeds Manager > Use HTTPS.

    Caution: Typically this issue occurs when Polling Path is misconfigured with discover request, such as: /api/v1/taxii/taxii-discovery-service/
    Polling Path can be configured to use Poll request for the feeds, for instance: /api/v1/taxii/poll

    Note: Difference between Poll and Discovery request: 
    - Polling URL is actually where you consume the feeds from.
    - Discovery Service URL is used to find what services the Taxii service offers. 

    Polling Path Configuration

    HTTP Error: Status Code 401 Authentication Failure

    (Machine esa03.taclab.krk) (SERVICE)> grep "Sep 8 16:35" threatfeeds
    Wed Sep 8 16:35:39 2021 Debug: THREAT_FEEDS: Updating the timestamp: 2021-09-08 16:31:36.071684 for the last attempted poll for the source: ETF_Source_Name
    Wed Sep 8 16:35:39 2021 Info: THREAT_FEEDS: Job failed with exception : Source: ETF_Source_Name. Reason for failure: Taxii Error: HTTP Error: status code 401 authentication failureurce not available

    Solution

    This error code indicates that it lacks valid authentication credentials for the target resource.

    Confirm that Credentials are configured properly.
    There is an option also not to configure credentials for users.

    Taxii Error: HTTP Error: Status Code 404 Requested Resource not Available

    (Machine esa03.taclab.krk) (SERVICE)> grep "Aug 27 08:51" threatfeeds
    Fri Aug 27 08:51:16 2021 Warning: THREAT_FEEDS: Unable to fetch the observables from the source: Test after 3 failed attempts. Reason for failure: Taxii Error: HTTP Error: status code 404 requested resource not available
    Fri Aug 27 08:51:16 2021 Info: THREAT_FEEDS: Job failed with exception : Source: Test. Reason for failure: Taxii Error: HTTP Error: status code 404 requested resource not available

    Note: The 404 (Not Found) status code indicates that the origin server did not find a current representation for the target resource, or is not willing to disclose that one exists. This reveals that there can be an Invalid URL and in majority of the cases, that the occurred due to resource path is not found.

    Solution

    Confirm Polling Path/Collection Name on the Source under ESA GUI> Mail Policies > External Threat Feeds Manager > Choose the proper Source Name

    Confirm Polling Path/Collection Name

    Reason for Failure: "405"

    (Machine esa03.taclab.krk) (SERVICE)> grep "Sep 13 00:2" threatfeeds
    Mon Sep 13 00:20:21 2021 Debug: THREAT_FEEDS: Failed to fetch observables from the source: Anomali. Reason for failure: '405’

    Note: Per RFC7231, Error 405 (Method Not Allowed) indicates that the method received in the request-line is known by the origin server, but not supported by the target resource.

    Solution

    This is a Syntax Error due to the missing Trail “/” Slash at the end of the Polling Path.
    Add trail Slash at the end of the path /taxii/poll/.

    Polling Path Syntax Error

    HTTP Error: Status Code 503 Service Unavailable

    (Machine esa03.taclab.krk) (SERVICE)> grep "Nov 10 13:45" threatfeeds
    Sun Nov 10 13:45:21 2020 Info: THREAT_FEEDS: Job failed with exception : Source: ETF_Source_Name. Reason for failure: Taxii Error: HTTP Error: status code 503 service unavailable
    Sun Nov 10 13:45:22 2020 Info: THREAT_FEEDS: A delta poll is scheduled for the source: ETF_Source_Name

    Note: Per RFC7231, error 503 "Service Unavailable” is an HTTP response status code and indicates that a server is temporarily unable to handle the request.

    Solution

    Error code indicates an issue with destination TAXII server, which needs to be investigated further.
    This could happen when server is overloaded. Contact Vendor for further information.

    NOT_FOUND: The Requested Collection Could not be Found

    (Machine esa03.taclab.krk) (SERVICE)> grep "Sep 7 12:53" threatfeeds
    Tue Sep 7 12:53:16 2021 Warning: THREAT_FEEDS: Unable to fetch the observables from the source: Test_Poll_Path after 3 failed attempts. Reason for failure: Taxii Error: NOT_FOUND: The requested collection could not be found
    Tue Sep 7 12:53:16 2021 Debug: THREAT_FEEDS: Updating the timestamp: 2021-09-07 12:49:12.648625 for the last attempted poll for the source: Test_Poll_Path

    Solution

    This error indicates that Collection name has the correct spelling, however, there is an issue on TAXII server under Collection, which rejects the request.


    Possible cause could be an expiration timer on Collection Name.
    Contact Vendor to check for this kind of inconsistency.

    Collection Name Configuration

    [SSL: CERTIFICATE_VERIFY_FAILED] Certificate Verify Failed (_ssl.c:590)

    (Machine esa03.taclab.krk) (SERVICE)> grep "Sep 8 16:35" threatfeeds
    Wed Sep 8 16:35:26 2021 Info: THREAT_FEEDS: A delta poll is scheduled for the source: ETF_Source_Name
    Wed Sep 8 16:35:33 2019 Warning: THREAT_FEEDS: Unable to fetch the observables from the source: ETF_Source_Name after 3 failed attempts. Reason for failure: Taxii Error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)

    Solution

    This error indicates Certificate failure.


    To resolve the issue, import the Certificate in Certificate Authority (CA) list.
    Navigate to GUI > Network > Certificates > Edit Settings > Custom List >
    Choose Enable mode and upload the Certificate.

    Certificate Upload

    XML Parising Error: No Element Found (line 0)

    (Machine esa03.taclab.krk) (SERVICE)> grep "Aug 21 02:39" threatfeeds
    Fri Aug 21 02:39:37 2021 Warning: THREAT_FEEDS: Unable to fetch the observables from the source: ETF_Source_Name after 3 failed attempts. Reason for failure: Taxii Error: XML Parising Error: no element found (line 0)
    Fri Aug 21 02:39:37 2021 Info: THREAT_FEEDS: Job failed with exception : Source: ETF_Source_Name. Reason for failure: Taxii Error: XML Parising Error: no element found (line 0)

    Solution

    Reduce the value Time Span of Poll Segment from ESA configuration to 3-4 days.

    Note: This is an inconsistency with Anomali servers for some specific feeds, where no end of data flag is sent to stop the feeds.
    In this case, ESA that is configured with an ETF source from Anomali, is not able to poll data for a time span over 5 days.
    A valid workaround would be to reduce the value Time Span of Poll Segment from ESA configuration.

    Time Span of Poll Segment

    Failed to Establish a New Connection: [Errno 111] Connection Refused

    (Machine esa03.taclab.krk) (SERVICE)> tail threatfeeds

    Press Ctrl-C to stop.
    Reason for failure: Taxii Error: HTTPSConnectionPool(host=otx.alienvault.comport=443): Max retries exceeded with url: /taxii/poll/ (Caused by NewConnectionError('<requests.packages..
    Failed to establish a new connection: [Errno 111] Connection refused',))

    Note: "Connection refused" indicates that client cannot connect to the port on the running Server. Typically, this occurs when the server listens in on the wrong port, or port is unavailable.

    Solution

    1. Use telnet or netstat command via CLI to verify the appropriate port is listening.
    2. Verify that Firewall does not block the port.
    3. Ensure there is no Port Misconfiguration/ Stale port on running service.

    Related Information

    Revision History

    Revision Publish Date Comments
    1.0
    25-Apr-2023
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Evangelos Triantis
      Technical Consulting Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products