Content Security Appliance Network Connectivity Issues

Introduction

This document describes how to troubleshoot a problem that is encountered when you are unable to connect to the Cisco Email Security Appliance (ESA) or the Cisco Security Management Appliance (SMA) over the network.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

• Cisco ESA
• Cisco SMA
• AsyncOS

Components Used

The information in this document is based on these software and hardware versions:

• Cisco ESA AsyncOS all Versions
• Cisco SMA AsyncOS all Versions

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Problem

You are unable to connect to your ESA or SMA over the network. You attempt to connect through the web interface and the CLI via Secure Shell (SSH), but the appliance does not appear to answer the requests.

Caution: It is very important that you do not power cycle the system unless advised to do so by Cisco Technical Support. If you power cycle the appliance, it can cause data corruption that can result in lost messages, database corruption, lost logging data, or damage to the file system. When you power cycle the appliance, it is not able to unmount the file systems cleanly. For this reason, Cisco recommends that you use the shutdown or reboot command from the CLI, or the Shutdown/Reboot option that is listed in the system administration tab of the appliance GUI.

Solution

In most cases, the appliance is not actually locked up. It might simply be in a state that does not allow it to respond to network requests in the usual manner. This section provides guidelines that you can use in order to diagnose the problem and possibly recover your system so that it runs or is in a workable state.

If you reboot the appliance correctly and still cannot gain access via the network, verify the indicator lights and audible codes on the appliance:

• Check the indicator lights on the appliance. Are any lights on?
  
  
• Are the lights for the hard drives on? Are they flashing?
  
  
• Are there any status codes on the front of the appliance?
  
  
• Did the appliance issue any audible codes when it started up (beeps)?
  
  

In many cases, you can simply replace the network cable or move to another port on the switch in order to resolve the connectivity issue:

• Check the status of the indicator lights on the switch port if they are available.
  
  
• Check the status of the lights on the appliance. Are they on? Are they flashing?
  
  
• Are you able to connect directly to the appliance with a network crossover cable?
  
  

A network crossover cable allows you to connect directly to the Ethernet ports on the appliance. However, you must configure the connecting host so that it is on the same subnet as the interface to which you connect. The use of a network crossover cable can be helpful with the diagnosis of situations that are related to your LAN, such as when another host has the same IP address on the same subnet. Verify if your appliance responds to network requests:

• Does your appliance not respond to network requests or does it simply not respond to service requests? You can use a ping in order to determine this: if you can ping the appliance but you cannot SSH to it, then you know that it listens via Internet Control Message Protocol (ICMP) and the SSH service does not respond or is not accessible.
  
  
• Have you tested all of the network interfaces? Verify if you can connect to one of the other interfaces on the appliance with the previously-described process.
  
  

If your system does not respond to network requests and immediate access is required, you can connect to the serial port that is located on the rear of your appliance. This port is a standard DB9 connector and can be utilized with the serial cable that came with your appliance. If you do not have the serial cable that came with your appliance, you must obtain one that is configured as a null modem cable.

Optionally, you can use a standard serial cable with a null modem adapter. Once you connect the cable to the appliance, you can then connect the other end of the cable to another system, such as a laptop. You must use a terminal program such as Hyperterm or Procom. You also must configure your terminal program for 9600 Baud 8N1. Once you start your terminal program, you should be able to connect and log in. If the serial port does not respond, you might want to verify that the cable is connected and that the unit is powered on. If you still cannot log in, Cisco recommends that you contact Customer Support for further assistance.

Network-Related Commands

If you are able to obtain access via the serial port, enter the status detail command in order to verify that the appliance status shows Online:

     mail.example.com > status detail

     Status as of:                  Mon Jan 04 12:48:31 2010 CST
     Up since:                      Tue Jul 14 16:50:50 2009 CDT (173d 20h 57m 41s)
     Last counter reset:            Never
     System status:                 Online
     Oldest Message:                24 weeks 16 hours 30 mins 48 secs
     Feature - Centralized Tracking: 833 days
     Feature - Centralized Reporting: 833 days
     Feature - IronPort Centralized Configuration Manager: 60 days
     Feature - Incoming Mail Handling: Perpetual
     Feature - Centralized Spam Quarantine: 833 days

Note: If the status detail command does not respond or produces an error, contact Cisco Customer Support.

Enter the Version command in order to verify the RAID status:

     mail.example.com > version

     Current Version
     ===============
     Model: M660
     Version: 6.5.2-101
     Build Date: 2009-05-28
     Install Date: 2009-07-14 17:04:32
     Serial #: 002C999999-J999999
     BIOS: 2.4.3I
     RAID: 1.21.02-0528, 2.01.00, 1.02-014B
     RAID Status: Optimal
     RAID Type: 10
     BMC: 1.77

If the RAID is degraded, it is possible that the appliance has encountered another fault that might not be related to the apparent lock up.

Note: If the Version command does not respond or provide any data, contact Cisco Customer Support.

Enter the etherconfig command in order to verify your network configuration:

     mail.example.com > etherconfig

     Choose the operation you want to perform:
     - MEDIA - View and edit ethernet media settings.
     - VLAN - View and configure VLANs.
     - LOOPBACK - View and configure Loopback.
     - MTU - View and configure MTU.
     []> media

     Ethernet interfaces:
     1. Data 1 (Autoselect: <link is down>)) 00:22:19:b0:03:c4
     2. Data 2 (Autoselect: <link is down>)) 00:22:19:b0:03:c6
     3. Management (Autoselect: <1000baseTX full-duplex>) 00:10:18:4e:29:88

     Choose the operation you want to perform:
     - EDIT - Edit an ethernet interface.
     []>

     Choose the operation you want to perform:
     - MEDIA - View and edit ethernet media settings.
     - VLAN - View and configure VLANs.
     - LOOPBACK - View and configure Loopback.
     - MTU - View and configure MTU.
     []> MTU

     Ethernet interfaces:
     1. Data 1 default mtu 1500
     2. Data 2 default mtu 1500
     3. Management default mtu 1500

     Choose the operation you want to perform:
     - EDIT - Edit an ethernet interface.
     []>

Recent network changes can have an impact on connectivity to the appliance. Enter the interfaceconfig command in order to verify your interface settings:

     mail.example.com > interfaceconfig


     Currently configured interfaces:
     1. Management (192.168.1.33/24 on Management: downside.hometown.net)
     2. outbound_gloop_ISQ_notify (192.168.1.34/24 on Management: inside.hometown.net)

     Choose the operation you want to perform:
     - NEW - Create a new interface.
     - EDIT - Modify an interface.
     - GROUPS - Define interface groups.
     - DELETE - Remove an interface.

     []>

Enter the diagnostic command in order to flush out all the network-related cache:

     mail.example.com > diagnostic


     Choose the operation you want to perform:
     - RAID - Disk Verify Utility.
     - DISK_USAGE - Check Disk Usage.
     - NETWORK - Network Utilities.
     - REPORTING - Reporting Utilities.
     - TRACKING - Tracking Utilities.
    []> network


    Choose the operation you want to perform:
    - FLUSH - Flush all network related caches.
    - ARPSHOW - Show system ARP cache.
    - SMTPPING - Test a remote SMTP server.
    - TCPDUMP - Dump ethernet packets.
    []> flush

    Flushing LDAP cache.
    Flushing DNS cache.
    Flushing system ARP cache.
    10.92.152.1 (10.92.152.1) deleted
    10.92.152.18 (10.92.152.18) deleted

    Network reset complete.

    Choose the operation you want to perform:
    - FLUSH - Flush all network related caches.
    - ARPSHOW - Show system ARP cache.
    - SMTPPING - Test a remote SMTP server.
    - TCPDUMP - Dump ethernet packets.
    []>

Note: If any of the network-related commands fail to respond, contact Cisco Customer Support. If you perform the troubleshooting steps that are described in this document and are still unable to gain access via the network, contact Cisco Customer Support for further assistance.