Cisco Cisco Email Security Appliance X1070 Troubleshooting Guide

This document describes how to troubleshoot and correct the queues on the Email Security
Appliance (ESA) in an event that an internal user account has been compromised and sent out
unsoliticited emails globally.

The information in this document is based on AsyncOS 7.6 for ESA onwards.

The information in this document was created from the devices in a specific lab environment. All of
the devices used in this document started with a cleared (default) configuration. If your network is
live, make sure that you understand the potential impact of any command.

It is advisable to lock down that account sending the spam if it is known, otherwise lock down the
account once discovered via the investigation on the ESA.

When there is a large numbers of emails in the workqueue counter and the rate of emails entering
the system far exceeds the rate exiting the system, this is indicative that there is an impact on the
workqueue. You can use the workqueue command to perform the check.

C370.lab> workqueue status

Status as of:  Thu Feb 06 12:48:02 2014 GMT

Status:        Operational

Messages:      48654

C370.lab> workqueue rate 5

Type Ctrl-C to return to the main prompt.

Time      Pending    In   Out

12:48:04    48654    48     2

12:48:09    48700    31     0