Introduction
This document describes the "timed out" errors a Cisco Email Security Appliance (ESA) reports when it tries to create or join a cluster while DNS pointer (PTR) records are not available, and how to work around the issue.
Prerequisites
The information in this document is based on these software and hardware versions:
- AsyncOS for Email Security version 8.0 and newer
Background Information
When you use Cluster Communication Security (CSS) or Secure Shell (SSH) to join the cluster by IP address, a PTR record is required; otherwise the ESA reports "timed out" errors and the cluster join fails.
There are times when DNS record changes are not possible or not allowed, so the proper PTR records cannot be created.
The following situations may apply:
- IP addresses of the appliances use internal IP addresses
- There are no PTR records for both appliances
- Root DNS or Local DNS cannot resolve both local host names
- Root DNS or Local DNS cannot be edited or modified
- Both port 22 (SSH) and port 2222 (CSS) are open on both sides
- Both sides report "timed out" errors
- Cannot configure NXDOMAIN on the root DNS for those IP addresses
Configure
There is a workaround that uses the local ESA as the DNS source: from the appliance CLI, add a local DNS resolution. For instance, if the PTR records of the appliances esa1.example.com (192.168.10.1) and esa2.example.com (192.168.10.2) cannot be resolved, perform the following on each appliance:
esa1.example.com> dnsconfig
Choose the operation you want to perform:
- NEW - Add a new server.
- EDIT - Edit a server
- DELETE - Remove a server
- SETUP - Configure general settings.
[]> new
Currently using the local DNS cache servers:
1. Priority: 0 192.168.1.53
Do you want to add a new local DNS cache server or an alternate domain server?
1. Add a new local DNS cache server.
2. Add a new alternate domain server.
[]> 2
Please enter the domain this server is authoritative for. (Ex: "com").
[]> 2.10.168.192.in-addr.arpa [enter the in-addr.arpa name that serves as the PTR, in this example for esa2]
Please enter the fully qualified hostname of the DNS server for the domain
"2.10.168.192.in-addr.arpa".
(Ex: "dns.example.168.192.in-addr.arpa").
[]> esa1.example.com [enter the hostname of the ESA you are configuring this on]
Please enter the IP address of esa1.example.com.
[]> 192.168.10.1 [enter the IP of the ESA you are configuring this on]
esa2.example.com> dnsconfig
Choose the operation you want to perform:
- NEW - Add a new server.
- EDIT - Edit a server
- DELETE - Remove a server
- SETUP - Configure general settings.
[]> new
Currently using the local DNS cache servers:
1. Priority: 0 192.168.1.53
Do you want to add a new local DNS cache server or an alternate domain server?
1. Add a new local DNS cache server.
2. Add a new alternate domain server.
[]> 2
Please enter the domain this server is authoritative for. (Ex: "com").
[]> 1.10.168.192.in-addr.arpa [enter the in-addr.arpa name that serves as the PTR, in this example for esa1]
Please enter the fully qualified hostname of the DNS server for the domain
"1.10.168.192.in-addr.arpa".
(Ex: "dns.example.168.192.in-addr.arpa").
[]> esa2.example.com [enter the hostname of the ESA you are configuring this on]
Please enter the IP address of esa2.example.com.
[]> 192.168.10.2 [enter the IP of the ESA you are configuring this on]
Press Enter until you return to the main prompt, then run commit to save and activate the configuration changes.
Note: In the examples above, the domain entered at "Please enter the domain this server is authoritative for" is the reverse DNS lookup name of the IP addresses 192.168.10.1 and 192.168.10.2. Make certain that these IP addresses are configured on esa1.example.com and esa2.example.com and are reachable from each other.
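The workaround above, generalized to any number of appliances, as an added example that is not Cisco's code: it builds the in-addr.arpa name of each peer, checks whether a PTR record resolves for it, and lists the answers to give dnsconfig on each appliance. The inventory and the offline resolver are constructed for the example; with `lookup` left unset it queries the system resolver instead.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Constructed inventory matching the document: (hostname, IP address).
APPLIANCES = [
    ("esa1.example.com", "192.168.10.1"),
    ("esa2.example.com", "192.168.10.2"),
]

def reverse_zone(ip: str) -> str:
    """in-addr.arpa name of an IPv4 address: 192.168.10.2 -> 2.10.168.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer

def constructed_lookup(addr: str) -> str:
    """Stand-in resolver for offline use: only the DNS cache server has a PTR record."""
    known = {"192.168.1.53": "dns.example.com"}
    if addr not in known:
        raise socket.herror(1, "Unknown host")  # same error the live resolver raises
    return known[addr]

def ptr_missing(ip: str, lookup: Optional[Callable[[str], str]] = None) -> bool:
    """True when no PTR record resolves for ip (the condition that times out the join)."""
    if lookup is None:
        lookup = lambda addr: socket.gethostbyaddr(addr)[0]  # live system resolver
    try:
        return not lookup(ip)
    except (socket.herror, socket.gaierror):
        return True

def plan_alternate_domains(appliances, lookup=None) -> Dict[str, List[Tuple[str, str, str]]]:
    """Per appliance, the dnsconfig 'alternate domain server' answers it needs:
    (authoritative domain, DNS server hostname, DNS server IP). As in the workaround,
    the appliance being configured names itself as the server for the reverse zone
    of every peer whose PTR does not resolve."""
    plan = {}
    for host, ip in appliances:
        plan[host] = [
            (reverse_zone(peer_ip), host, ip)
            for peer_host, peer_ip in appliances
            if peer_host != host and ptr_missing(peer_ip, lookup)
        ]
    return plan

if __name__ == "__main__":
    for host, entries in plan_alternate_domains(APPLIANCES, constructed_lookup).items():
        for domain, server, server_ip in entries:
            print(f"{host}> domain={domain} server={server} ip={server_ip}")
```

Each tuple maps directly onto the three dnsconfig prompts shown above (authoritative domain, server hostname, server IP).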