DLP Enforce Email Quarantine Sync failure occurs where re-authentication is required by the proxy

Article ID: 275400

Products

Data Loss Prevention Enterprise Suite

Data Loss Prevention Enforce

Issue/Introduction

We are getting Email Quarantine Sync failures almost every day with error code 5402 - Email quarantine sync failed:

Error Message: Failed to invoke email quarantine API.

Url: https://api.eu.quarantine.symantec.com/v1/mails/audit?filter_type={filter_type}&admin_domain={admin_domain}&before={before}&after={after}&sort_order={sort_order}&page_size={page_size},

Request parameters: {filter_type=DLP, admin_domain=ALL, before=1691446678596, after=1691446378564, sort_order=asc, page_size=1000}
Quarantine error code: null

Environment

Release : 16.0

Enforce. 

DLP Cloud Detector for Email. 

DLP Quarantine API configured with Email Security.cloud.

Cause

The email quarantine sync times out when authentication to the proxy cannot be completed, as the error in the Tomcat logs shows.

File: Enforce\logs\tomcat\localhost.2023-08-20.log
Date: 20/08/2023 19:08:45
Thread: 182
Level: SEVERE
Source: com.symantec.dlp.emailquarantine.client.EmailQuarantineApiClientImpl
Message: Failed to invoke email quarantine API. Url: https://api.eu.quarantine.symantec.com/v1/mails/audit?filter_type={filter_type}&admin_domain={admin_domain}&before={before}&after={after}&sort_order={sort_order}&page_size={page_size}, Request parameters: {filter_type=DLP, admin_domain=ALL, before=1692554878634, after=1692490678679, sort_order=asc, page_size=1000}
Cause:
org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://api.eu.quarantine.symantec.com/v1/mails/audit": Connection timed out: connect; nested exception is java.net.ConnectException: Connection timed out: connect
org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://api.eu.quarantine.symantec.com/v1/mails/audit": Connection timed out: connect; nested exception is java.net.ConnectException: Connection timed out: connect
                at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:746)
..
Caused by: java.net.ConnectException: Connection timed out: connect
                at java.net.DualStackPlainSocketImpl.waitForConnect(Native Method)
…
java.net.ConnectException: Connection timed out: connect
java.net.ConnectException: Connection timed out: connect
                at java.net.DualStackPlainSocketImpl.waitForConnect(Native Method)

A Wireshark packet capture shows that the third-party proxy is asking for authentication:

HTTP/1.1 407 Proxy Authentication Required
Server: squid/3.5.20
Mime-Version: 1.0
Date: Sun, 20 Aug 2023 18:28:03 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3767
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
Proxy-Authenticate: Basic realm="Squid proxy-caching web server"
X-Cache: MISS from ip-xx-xx-xx-xx.<domain>.<domain>.internal
X-Cache-Lookup: NONE from ip-xx-xx-xx-xx.<domain>.<domain>.internal:<port>
Via: 1.1 ip-xx-xx-xx-xx.<domain>.<domain>.internal (squid/3.5.20)
Connection: keep-alive

The third-party proxy requires re-authentication, which DLP does not support at this time.
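
The following triage helper is an added example, not Broadcom code. It converts the `before`/`after` epoch-millisecond values from the failure messages above into UTC audit windows and parses a captured proxy response for the 407 challenge. The function names are hypothetical, and the sample inputs are excerpted from the error messages and packet capture quoted in this article.

```python
import re
from datetime import datetime, timezone

# Sample input: the "Request parameters" of the two failures quoted in this article.
SYNC_ERRORS = """\
Request parameters: {filter_type=DLP, admin_domain=ALL, before=1691446678596, after=1691446378564, sort_order=asc, page_size=1000}
Request parameters: {filter_type=DLP, admin_domain=ALL, before=1692554878634, after=1692490678679, sort_order=asc, page_size=1000}
"""

# Sample input: headers excerpted from the proxy response in the article's capture.
PROXY_RESPONSE = """\
HTTP/1.1 407 Proxy Authentication Required
Server: squid/3.5.20
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Proxy-Authenticate: Basic realm="Squid proxy-caching web server"
"""

PARAMS = re.compile(r"Request parameters: \{([^}]*)\}")

def utc(ms):
    """Epoch milliseconds -> UTC datetime at whole-second resolution."""
    return datetime.fromtimestamp(ms // 1000, tz=timezone.utc)

def sync_windows(text):
    """One dict per failed request: audit window start/end (UTC) and width in ms."""
    windows = []
    for match in PARAMS.finditer(text):
        params = dict(kv.split("=", 1) for kv in match.group(1).split(", ") if "=" in kv)
        if not {"after", "before"} <= params.keys():
            continue  # record without a time window: nothing to report
        after, before = int(params["after"]), int(params["before"])
        windows.append({"start": utc(after), "end": utc(before), "width_ms": before - after})
    return windows

def proxy_challenge(raw):
    """Status, challenge scheme and Squid error from a captured proxy response."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {k.strip().lower(): v.strip()
               for k, v in (l.split(":", 1) for l in lines[1:] if ":" in l)}
    scheme = headers.get("proxy-authenticate", "").split(" ", 1)[0] or None
    return {"status": status, "auth_required": status == 407,
            "scheme": scheme, "squid_error": headers.get("x-squid-error")}

if __name__ == "__main__":
    for w in sync_windows(SYNC_ERRORS):
        print(w["start"].isoformat(), "->", w["end"].isoformat(), f"{w['width_ms'] / 60000:.1f} min")
    print(proxy_challenge(PROXY_RESPONSE))
```

On the article's samples, the first failed request covers a window of about 5 minutes and the second about 17 hours 50 minutes, ending at 2023-08-20 18:07:58 UTC.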

Resolution

Workarounds: 

1. Request unauthenticated access for the quarantine synchronization. 

2. Restarting the DLP services on the Enforce server will temporarily work, as authentication is initiated after the restart.