Introduction
This document describes how to fix the upgrade manifest authentication error when smart license is enabled in the Virtual Secure Gateway.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- How Smart License works
- Secure Email Gateway (SEG) administration
Components Used
The information in this document is based on these software and hardware versions:
- Secure Email Gateway (SEG) AsyncOS on Version 12.0 or later releases
- Security Management Appliance on Version 12.0 or later releases
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Problem
Email security appliance has smart license enabled and it has a valid license. When upgrade is attempted, this error displays:
"Failure downloading upgrade list: Failed to authenticate with manifest server."
Solution
1. Verify the proper manifest server is configured under updateconfig.
For virtual Secure Email Gateway the correct manifest server is update-manifests.sco.cisco.com on port 443.
Ensure that this is allowed in the firewall rules.
To review the update configuration on the CLI run the command updateconfig then run the hidden command dynamichost:
esa> updateconfig
Service (images): Update URL:
----------------------------------------------------------------------------------------------------------------------
Feature Key updates
DLP Engine Updates Cisco IronPort Servers
PXE Engine Updates Cisco IronPort Servers
Sophos Anti-Virus definitions Cisco IronPort Servers
IronPort Anti-Spam rules Cisco IronPort Servers
Outbreak Filters rules Cisco IronPort Servers
Timezone rules Cisco IronPort Servers
Enrollment Client Updates (used to fetch certificates for URL Filtering) Cisco IronPort Servers
Support Request updates Cisco IronPort Servers
Content Scanner Updates Cisco IronPort Servers
Geo Countries Updates Cisco IronPort Servers
External Threat Feeds updates Cisco IronPort Servers
How-Tos Updates Cisco IronPort Servers
Notifications component Updates Cisco IronPort Servers
Smart License Agent Updates Cisco IronPort Servers
Mailbox Remediation Updates Cisco IronPort Servers
Talos Updates Cisco IronPort Servers
Easy Demo service Updates Cisco IronPort Servers
Cisco IronPort AsyncOS upgrades Cisco IronPort Servers
Service (list): Update URL:
----------------------------------------------------------------------------------------------------------------------
DLP Engine Updates Cisco IronPort Servers
PXE Engine Updates Cisco IronPort Servers
Sophos Anti-Virus definitions Cisco IronPort Servers
IronPort Anti-Spam rules Cisco IronPort Servers
Outbreak Filters rules Cisco IronPort Servers
Timezone rules Cisco IronPort Servers
Enrollment Client Updates (used to fetch certificates for URL Filtering) Cisco IronPort Servers
Support Request updates Cisco IronPort Servers
Content Scanner Updates Cisco IronPort Servers
Geo Countries Updates Cisco IronPort Servers
External Threat Feeds updates Cisco IronPort Servers
How-Tos Updates Cisco IronPort Servers
Notifications component Updates Cisco IronPort Servers
Smart License Agent Updates Cisco IronPort Servers
Mailbox Remediation Updates Cisco IronPort Servers
Talos Updates Cisco IronPort Servers
Easy Demo service Updates Cisco IronPort Servers
Service (list): Update URL:
----------------------------------------------------------------------------------------------------------------------
Cisco IronPort AsyncOS upgrades Cisco IronPort Servers
Update interval: 5m
Alert Interval for Disabled Automatic Engine Updates: 30d
Proxy server: http://64.X.X.X:8080
The proxy server will be used for the following services:
- Feature Key updates
- DLP Engine Updates
- PXE Engine Updates
- Sophos Anti-Virus definitions
- IronPort Anti-Spam rules
- Outbreak Filters rules
- Virus Threat Level updates
- Timezone rules
- Enrollment Client Updates (used to fetch certificates for URL Filtering)
- Support Request updates
- Content Scanner Updates
- Geo Countries Updates
- External Threat Feeds updates
- How-Tos Updates
- Notifications component Updates
- Smart License Agent Updates
- Mailbox Remediation Updates
- Talos Updates
- Easy Demo service Updates
- Cisco IronPort AsyncOS upgrades
- URL Filtering Service
- Shortened URL Support
- Advanced Phishing Protection Support
- Cisco Threat Response
- Cisco Secure Awareness
HTTPS Proxy server: http://64.102.255.40:8080
The HTTPS proxy server will be used for the following services:
- Feature Key updates
- DLP Engine Updates
- PXE Engine Updates
- Sophos Anti-Virus definitions
- IronPort Anti-Spam rules
- Outbreak Filters rules
- Timezone rules
- Enrollment Client Updates (used to fetch certificates for URL Filtering)
- Support Request updates
- Content Scanner Updates
- Geo Countries Updates
- External Threat Feeds updates
- How-Tos Updates
- Notifications component Updates
- Smart License Agent Updates
- Mailbox Remediation Updates
- Talos Updates
- Easy Demo service Updates
- Cisco IronPort AsyncOS upgrades
- SenderBase Network Participation sharing
- URL Filtering Service
- Shortened URL Support
- Cisco Threat Response
Choose the operation you want to perform:
- SETUP - Edit update configuration.
- VALIDATE_CERTIFICATES - Validate update server certificates
- TRUSTED_CERTIFICATES - Manage trusted certificates for updates
[]> dynamichost
Enter new manifest hostname:port
[update-manifests.sco.cisco.com:443]>update-manifests.sco.cisco.com:443
2. License validation.
The license authorization status must be In Compliance:
esa> showlicense_smart
[]> SUMMARY
Feature Name License Authorization Status
----------------------------------------------------------------------------------------------------
Email Security Appliance Anti-Spam License In Compliance
Email Security Appliance Outbreak Filters In Compliance
Email Security Appliance Graymail Safe-unsubscribe Not requested
Email Security Appliance Advanced Malware Protection Reputation In Compliance
Email Security Appliance Image Analyzer Not requested
Mail Handling In Compliance
Email Security Appliance Sophos Anti-Malware In Compliance
Email Security Appliance PXE Encryption In Compliance
Email Security Appliance Advanced Malware Protection In Compliance
Email Security Appliance McAfee Anti-Malware Not requested
Email Security Appliance Intelligent Multi-Scan Not requested
Email Security Appliance External Threat Feeds In Compliance
Email Security Appliance Bounce Verification In Compliance
Email Security Appliance Data Loss Prevention In Compliance
Run the command showlicense to ensure there is a valid VLN.
The end date must not be expired.
esa> showlicense
Virtual License
===============
vln VLNESA74NNNNN
begin_date dd/mm/yyyy
end_date dd/mm/yyyy
company Cisco Systems, Inc.
seats 1
country MX
serial XXXX
email XXXXXXX
issue 4dXXXXXXXXXXXXXXX
license_version 1.1
If you get the License has Expired output, obtain a new XML file from Global Licensing with a new expiration date and valid certificate. Upload it from the CLI command loadlicense.
esa>showlicense
License has Expired
Error with License.
Please try to re-initialize the system with a new license, or contact customer support for help.
3. Upgrade the Secure Email Gateway.
Run the upgrade command and select the desired image.
esa> upgrade
Are you sure you want to proceed with upgrade? [N]> y
Choose the operation you want to perform:
- DOWNLOADINSTALL - Downloads and installs the upgrade image (needs reboot).
- DOWNLOAD - Downloads the upgrade image.
[]> download
Upgrades available.
1. AsyncOS 14.2.3 build 027 upgrade For Email, 2023-08-13. This release is a Maintenance Deployment Refresh
2. AsyncOS 14.2.3 build 031 upgrade For Email, 2023-11-02,This release is a Maintenance Deployment Refresh
3. AsyncOS 15.0.0 build 104 upgrade For Email, 2023-08-10, This is a General Deployment release
4. AsyncOS 15.0.1 build 030 upgrade For Email, 2023-11-22, This release is a Maintenance Deployment
[4]> 3
Download of AsyncOS 15.0.0 build 104 upgrade For Email, 2023-08-10, This is a General Deployment release has started in background.
The upgrade must be successful. In case you encounter another issue please contact Cisco TAC.
Related Information