|Applies To||RSA Product Set: Security Analytics|
RSA Product/Service Type: Event Stream Analysis (ESA), Security Analytics UI
|Issue||When ESA alerts are triggered in Security Analytics, email notifications are not being sent.|
The /opt/rsa/esa/logs/esa.log file reports errors similar to the example below when alerts are triggered.
2014-12-22 16:59:27,085 [alert-SMTP-dispatch] WARN com.rsa.netwitness.core.alert.dispatch.AbstractDispatcher - An alert of type SMTP could not be sent. java.lang.RuntimeException: javax.mail.MessagingException: Could not connect to SMTP host: mail.example.com, port: 25;; nested exception is:; java.net.ConnectException: Connection timed out; at com.rsa.netwitness.core.alert.dispatch.SmtpDispatcher.dispatch(SmtpDispatcher.java:50);
Issuing the command tcpdump -vv -nn host mail.example.com and port 25 -w esatraffic.pcap (where mail.example.com is the FQDN of the mail server) and examining the file in Wireshark, traffic similar to the following is observed:
|Cause||The issue occurs because the traffic from the ESA appliance is unable to reach the mail server. As demonstrated in the network trace, the connection results in a tcp timeout. This can occur when the ESA appliance and mail server reside on separate subnets and the traffic is not routed correctly or blocked by a firewall or proxy, etc.|
|Resolution||In order to resolve the issue, ensure that the traffic is being routed correctly on the subnet on which the ESA appliance resides.|