Overview
Kerio Control IPS Plugin is not updated due to a download error: Couldn't connect to server error.
Antivirus updates, GeoIP database updates, Product updates may also report connection timeouts and failures.
Example Log:
[11/Feb/2018 20:42:06] IPS rules update: Download error, Couldn't connect to server. [12/Feb/2018 08:30:40] GeoIP database update check failed: Couldn't connect to server. [12/Feb/2018 08:38:36] (2) Product update failed. Error: Check failed (Failed to connect to prod-update.kerio.com port 443: Connection refused) [12/Feb/2018 08:44:37] Antivirus Server error:(PID: 17086) Cannot find update location: Failed to connect to bdupdate.kerio.com port 443: Connection timed out. Download failed. [12/Feb/2018 08:44:37] Unable to perform Kerio Antivirus update. Error: Cannot find update location: Failed to connect to bdupdate.kerio.com port 443: Connection timed out. Download failed.
Solution
-
Verify DNS Server Configuration:
- Access the Interfaces section in your Kerio Control Administration.
- Ensure DNS servers are assigned on your Internet-facing interfaces.
- Correct DNS configuration is crucial for resolving server names like
prod-update.kerio.com.
-
Check and Adjust Traffic Rules:
- This issue could happen due to a traffic rule blocking the Kerio update servers for IPS, Antivirus etc. You can resolve this issue by having an exclusion in place for the update servers of Kerio, by configuring a traffic rule allowing traffic from the following Destination Addresses, with the Services as HTTP and HTTPS:
- 52.32.0.0 - 52.63.255.255
*kerio*bdupdate-cdn.kerio.combdupdate.kerio.comcontrol-update.kerio.comids-update.kerio.comprod-update.kerio.comregister.kerio.com
- This issue could happen due to a traffic rule blocking the Kerio update servers for IPS, Antivirus etc. You can resolve this issue by having an exclusion in place for the update servers of Kerio, by configuring a traffic rule allowing traffic from the following Destination Addresses, with the Services as HTTP and HTTPS:
-
Test Connectivity From Kerio Control:
- Use the built-in IP tools to perform a DNS lookup and ping to
prod-update.kerio.comandregister.kerio.com. - Confirm if the appliance can reach these servers.
- Use the built-in IP tools to perform a DNS lookup and ping to
-
Reboot or Re-Enable Services (if necessary):
- For components like Intrusion Prevention (IPS), disable the feature, apply changes, reboot Kerio Control, then re-enable and attempt an update.
-
Consider Temporary Server Outages:
- If all steps fail, a temporary outage on the update server side may be the cause. These issues usually resolve automatically.
<supportagent>
Support Agent Only
If you have verified that the above steps do not work for the customer, the root cause may be an AWS outage. You can check for recent outages under the Central Project with type SaaS Incident. The issue description will contain a list of impacted schemas which will list kerio, e.g. CENTRAL-125182 (Old JIRA) or CENTRAL-122919 (New JIRA). The issue will be resolved once the AWS db resumes normal functioning, you can test this and inform the customer.
</supportagent>
Frequently Asked Questions
- 1. How do I know if this error applies to my situation?
- You'll see the error messages "Failure during update" and "Cannot resolve update server or proxy server address" in your Kerio Control system state.
- 2. What should I do if the updates still fail after following the steps?
- Ensure all DNS and firewall configurations are correct. If issues persist, consider the possibility of a temporary server outage and try again later.
Ciprian Nastase
Comments