on Jun 15, 2016Article Content
| Article Number | 000029298 |
| Applies To | RSA Product Set: Security Analytics RSA Product/Service Type: Event Stream Analysis (ESA), Security Analytics UI Platform: CentOS |
| Issue | When ESA alerts are triggered in Security Analytics, email notifications are not being sent. The /opt/rsa/esa/logs/esa.log file reports errors similar to the example below when alerts are triggered. 2014-12-22 16:59:27,085 [alert-SMTP-dispatch] WARN com.rsa.netwitness.core.alert.dispatch.AbstractDispatcher - An alert of type SMTP could not be sent. java.lang.RuntimeException: javax.mail.MessagingException: Could not connect to SMTP host: mail.example.com, port: 25;; nested exception is:; java.net.ConnectException: Connection timed out; at com.rsa.netwitness.core.alert.dispatch.SmtpDispatcher.dispatch(SmtpDispatcher.java:50); Issuing the command tcpdump -vv -nn host mail.example.com and port 25 -w esatraffic.pcap (where mail.example.com is the FQDN of the mail server) and examining the file in Wireshark, traffic similar to the following is observed:  |
| Cause | The issue occurs because the traffic from the ESA appliance is unable to reach the mail server. As demonstrated in the network trace, the connection results in a tcp timeout. This can occur when the ESA appliance and mail server reside on separate subnets and the traffic is not routed correctly or blocked by a firewall or proxy, etc. |
| Resolution | In order to resolve the issue, ensure that the traffic is being routed correctly on the subnet on which the ESA appliance resides. |