This document describes how to troubleshoot and resolve on the Email Security Appliance (ESA) and Cloud Email Security (CES) when security features are displaying as "Not Available" on the Incoming and Outgoing mail policies despite the feature keys being available on the device.
Contributed by Alan Macorra and Mathew Huynh Cisco CX Engineers.
Requirements
Prerequistes
- Any ESA/CES on any version of AsyncOS.
- Device licensed with available feature keys for security services.
- Understanding of the different levels of cluster configuration and overrides.
Background
The ESA/CES device is failing to execute any security scanning from services such as:
- Anti-Spam
- Anti-Virus
- Advanced Malware Protection
- Graymail
- Outbreak filters
- DLP (Outbound only)
Feature keys are available and able to be verified on the GUI or CLI.
GUI: System Administration > Feature Keys
CLI: featurekeys
On the Incoming and Outgoing Mail Policies, all the security features displaying as "Not Available", when checking the security service itself, it is configured as Enabled.
Problem
Feature keys are available on the device, however services are "Not Available" and not executing scans.
Clicking the "Not Available" link on the mail policies, redirects you to the global settings for that specific security service, which shows enabled and modifying this does not change the "Not Available" status on the mail policies itself.
Sample output provided:
Solution
This issue typically stems from the feature keys on the device getting expired before renewed and license re-installed, when this happens the End User License Agreement (EULA) needs to be re-accepted. Given the devices had them enabled prior to expiry, when initial key reinstall/renewal was done the EULA isn't presented again as the device is set at Cluster level.
To resolve this, you will need to override the settings on the ESA/CES to machine level to allow the EULA to present for acceptance. In doing so, the device will register the keys renewal and re-activate the features again.
Note: The configuration mode you are currently logged in with will be displayed on the upper left where it displays Mode -- Cluster/Group/Machine. Depending on the mode, what is displayed may be different from the initial same output provided which is already in Machine Mode.
Warning: When creating overrides for this solution, ensure you DO NOT select Move configuration, as this will force the cluster level configuration into an unconfigured mode for the specific service. If this was selected, when removing the overrides, the feature will fall back into an unconfigured (not enabled) state.
On each security service which shows "Not Available":
- Click the "Not Available" link from the Incoming or Outgoing Mail Policies Page.
- This redirects to the global settings per engine, select Change Modeā¦ then from the drop-down menu. Select the machine currently logged on.
- Click on Override Settings
- Select Copy from: Cluster. (This will copy your current enabled settings from the cluster level down to machine).
- Click Submit
- The configuration will now show it is Enabled, proceed to click on Edit Global Settings...
- The EULA will be displayed, read through and accept the EULA.
- Commit Changes to save this setting.
- Repeat the steps on your other features requiring to be re-enabled.
Sample output provided:
Using the drop down on the right, change it to the machine you're logged into.
Copying the settings from cluster to machine override.
Override setting output:
After clicking on Edit Global Settings... the EULA is displayed.
Accept the EULA and commit changes.
The settings for Sophos will now be reflected on the mail policy and no longer show "Not Available".
Removing machine override to fall back to Cluster level
To remove the machine override settings:
- Go to the Machine mode from the drop down as previously done.
- Click to expand Centralized Management Options
- Click on Delete Settings
- Click the Delete button and the settings will fall back to the higher level (Group or Cluster, whichever is configured).
- Verify the settings are properly configured on the higher level chosen.
- Commit Changes to save this setting.
Sample Output:
Related Information