Cisco Email Security Appliance X1070 Technical Manual

Contents
Introduction
Prerequisites
Background Information
Configure
Introduction
This document describes the "timed out" errors a Cisco Email Security Appliance (ESA) reports
when it tries to create or join a cluster while DNS pointer (PTR) records are not available, and
how to work around the issue.
Prerequisites
The information in this document is based on these software and hardware versions:
AsyncOS for Email Security version 8.0 and newer
Background Information
When Cluster Communication Security (CSS) or Secure Shell (SSH) is used to join the cluster by
IP address, a PTR record for that address is required; otherwise the ESA reports "timed out"
errors and the cluster join fails.
There are times when the DNS record changes needed to create the PTR records are not possible
or not allowed.
The following situations may apply:
The appliances use internal IP addresses
There are no PTR records for either appliance
Root DNS or local DNS cannot resolve either local host name
Root DNS or local DNS cannot be edited or modified
Both port 22 (SSH) and port 2222 (CSS) are open on both sides
"timed out" errors occur on both sides
NXDOMAIN cannot be configured on the root DNS for those IP addresses
Configure
There is a workaround that uses the local ESA itself as the DNS source. From the appliance CLI,
add a local DNS resolution entry for each appliance. For instance, if the PTR records for
esa1.example.com (192.168.10.1) and esa2.example.com (192.168.10.2) cannot be resolved, perform
the following:
esa1.example.com
dnsconfig
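As an added example that is not part of the original tech note, the following Python script is a pre-flight check for the conditions listed under Background Information: for each appliance it verifies forward (A) resolution, the presence of a PTR record, that the PTR names the expected host, and optionally that TCP ports 22 and 2222 are reachable. It also models the Configure workaround by overlaying a local hostname/IP map ahead of the upstream resolver, so the same check can be run before and after the local entries are added. The appliance names and addresses are the note's example values; the lookup and probe functions, the `with_local_entries` overlay and all message strings are assumptions of this example, not Cisco code or the exact behaviour of `dnsconfig`.

```python
import socket
from typing import Callable, Dict, List, Optional

# Appliance pair from the tech note's example (hypothetical hosts and addresses).
APPLIANCES: Dict[str, str] = {
    "esa1.example.com": "192.168.10.1",
    "esa2.example.com": "192.168.10.2",
}
# SSH (22) and cluster communication (2222) must be reachable in both directions.
CLUSTER_PORTS = (22, 2222)

Lookup = Callable[[str], Optional[str]]   # name -> answer, None when unresolved
PortProbe = Callable[[str, int], bool]    # (ip, port) -> reachable?


def system_forward(host: str) -> Optional[str]:
    """A-record lookup through the host resolver; None on NXDOMAIN or resolver failure."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def system_reverse(ip: str) -> Optional[str]:
    """PTR lookup through the host resolver; None when no PTR record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def system_probe(ip: str, port: int, timeout: float = 3.0) -> bool:
    """TCP connect check; a filtered port surfaces as a 'timed out' cluster join."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def with_local_entries(entries: Dict[str, str], forward: Lookup, reverse: Lookup):
    """Model the local-resolution workaround (assumed behaviour): consult the local
    hostname/IP map first and fall back to the upstream resolver only on a miss."""
    by_ip = {ip: host for host, ip in entries.items()}

    def local_forward(host: str) -> Optional[str]:
        return entries.get(host.rstrip(".").lower()) or forward(host)

    def local_reverse(ip: str) -> Optional[str]:
        return by_ip.get(ip) or reverse(ip)

    return local_forward, local_reverse


def check_cluster_dns(appliances: Dict[str, str],
                      forward: Lookup = system_forward,
                      reverse: Lookup = system_reverse,
                      probe: Optional[PortProbe] = None) -> List[str]:
    """Return the conditions that would make a cluster join fail; an empty list means ready."""
    problems: List[str] = []
    for host, ip in appliances.items():
        fwd = forward(host)
        if fwd is None:
            problems.append(f"{host}: hostname does not resolve (no A record)")
        elif fwd != ip:
            problems.append(f"{host}: A record {fwd} does not match configured IP {ip}")
        rev = reverse(ip)
        if rev is None:
            problems.append(f"{ip}: no PTR record; SSH/CSS join will report 'timed out'")
        elif rev.rstrip(".").lower() != host.lower():
            problems.append(f"{ip}: PTR names {rev}, expected {host}")
        if probe is not None:
            for port in CLUSTER_PORTS:
                if not probe(ip, port):
                    problems.append(f"{ip}: TCP port {port} not reachable")
    return problems


if __name__ == "__main__":
    # Live run against the host resolver; pass probe=system_probe to include the port checks.
    for line in check_cluster_dns(APPLIANCES) or ["DNS preconditions satisfied"]:
        print(line)
```

Run it once before the join to see which of the listed conditions apply, then again with the lookups returned by `with_local_entries` to confirm that local entries for both appliances are enough to clear the DNS findings; any remaining port findings point at a filtering problem rather than a DNS one.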