Solution for Security Features Displaying "Not Available" When Feature Keys are Available

Available Languages

Updated:May 31, 2019
Document ID:214485

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to troubleshoot and resolve on the Email Security Appliance (ESA) and Cloud Email Security (CES) when security features are displaying as "Not Available" on the Incoming and Outgoing mail policies despite the feature keys being available on the device.

    Contributed by Alan Macorra and Mathew Huynh Cisco CX Engineers.

    Requirements

    Prerequistes

    • Any ESA/CES on any version of AsyncOS.
    • Device licensed with available feature keys for security services.
    • Understanding of the different levels of cluster configuration and overrides.

    Background

    The ESA/CES device is failing to execute any security scanning from services such as:

    • Anti-Spam
    • Anti-Virus
    • Advanced Malware Protection
    • Graymail
    • Outbreak filters
    • DLP (Outbound only)

    Feature keys are available and able to be verified on the GUI or CLI.

    GUI: System Administration > Feature Keys

    CLI: featurekeys

    On the Incoming and Outgoing Mail Policies, all the security features displaying as "Not Available", when checking the security service itself, it is configured as Enabled.

    Problem

    Feature keys are available on the device, however services are "Not Available" and not executing scans.

    Clicking the "Not Available" link on the mail policies, redirects you to the global settings for that specific security service, which shows enabled and modifying this does not change the "Not Available" status on the mail policies itself.

    Sample output provided:

    Solution

    This issue typically stems from the feature keys on the device getting expired before renewed and license re-installed, when this happens the End User License Agreement (EULA) needs to be re-accepted. Given the devices had them enabled prior to expiry, when initial key reinstall/renewal was done the EULA isn't presented again as the device is set at Cluster level.

    To resolve this, you will need to override the settings on the ESA/CES to machine level to allow the EULA to present for acceptance. In doing so, the device will register the keys renewal and re-activate the features again.

    Note: The configuration mode you are currently logged in with will be displayed on the upper left where it displays Mode -- Cluster/Group/Machine. Depending on the mode, what is displayed may be different from the initial same output provided which is already in Machine Mode.

    Warning: When creating overrides for this solution, ensure you DO NOT select Move configuration, as this will force the cluster level configuration into an unconfigured mode for the specific service. If this was selected, when removing the overrides, the feature will fall back into an unconfigured (not enabled) state.

    On each security service which shows "Not Available":

    1. Click the "Not Available" link from the Incoming or Outgoing Mail Policies Page.
    2. This redirects to the global settings per engine, select Change Modeā€¦ then from the drop-down menu. Select the machine currently logged on.
    3. Click on Override Settings
    4. Select Copy from: Cluster. (This will copy your current enabled settings from the cluster level down to machine).
    5. Click Submit
    6. The configuration will now show it is Enabled, proceed to click on Edit Global Settings...
    7. The EULA will be displayed, read through and accept the EULA.
    8. Commit Changes to save this setting.
    9. Repeat the steps on your other features requiring to be re-enabled. 

    Sample output provided:

    Using the drop down on the right, change it to the machine you're logged into.

    Copying the settings from cluster to machine override.

    Override setting output:

    After clicking on Edit Global Settings... the EULA is displayed.

    Accept the EULA and commit changes.

    The settings for Sophos will now be reflected on the mail policy and no longer show "Not Available".

    Removing machine override to fall back to Cluster level

    To remove the machine override settings:

    1. Go to the Machine mode from the drop down as previously done.
    2. Click to expand Centralized Management Options
    3. Click on Delete Settings
    4. Click the Delete button and the settings will fall back to the higher level (Group or Cluster, whichever is configured). 
    5. Verify the settings are properly configured on the higher level chosen.
    6. Commit Changes to save this setting.

    Sample Output:

    Related Information

    Revision History

    Revision Publish Date Comments
    1.0
    31-May-2019
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Alan Macorra
      Cisco CX Engineer
    • Mathew Huynh
      Cisco Email Escalation Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products