Introduction:

Thumbprint stale alerts are generated under the following circumstances:

  • The SonicWALL Data Center is down or unreachable;
  • Internet connectivity between your site and the SonicWALL Data Center is interrupted;
  • The Thumbprint database may be corrupted.

These alerts continue until the cause is isolated and fixed. If the cause is a SonicWALL Data Center outage, the alerts stop once the Data Center is back online; if the cause is on your side (a network change, for example), the alerts continue indefinitely until the issue is resolved.

Thumbprint alerts do not directly affect mail flow. The Email Security appliance continues to receive and process mail even when the SonicWALL Data Center is down. (If your ISP link or Internet connectivity is down you will not receive e-mail either, but that is the connectivity outage, not the alert.) During a Data Center outage the only impact is on spam filter updates: because no thumbprints are being received, the spam filter is not being updated, so some spam may slip through until the outage ends.

Troubleshooting:

The first step is to test connectivity to the SonicWALL Data Center.
From System>Updates click the Test Connectivity to SonicWALL button.
If this returns the error "Failed to connect to the SonicWALL datacenter", one of the following is the cause:
-SonicWALL Email Security cannot resolve "tp.mailfrontier.net" in DNS; check the DNS server configured on System>Host Configuration;
-SonicWALL Email Security cannot reach the datacenter over HTTP. Make sure no upstream device is blocking or filtering HTTP requests from the SonicWALL Email Security. If the SonicWALL Email Security is behind a proxy server, see the Proxy Server Configuration section below.

The second step is to check the datacenter (MDC) log.
From the UI go to System>Advanced. At the bottom, under Download System/Log Files, find logs:mdc. MDC logs are named mdc[date].log.
If downloads are successful the log contains entries such as "2008-05-22 00:03:21 THUMBPRINT OK"; if downloads are failing it contains entries such as "2008-05-22 00:03:21 THUMBPRINT FAIL". If downloads are successful but Thumbprint Stale alerts are still received, the thumbprint database may be corrupted.
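Reading a day's worth of mdc log by eye is tedious, and the question you actually want answered is "when was the last successful download, and are the failures consecutive?". The following script is an added example written for this article; it is not SonicWALL code. It assumes the line layout quoted above ("2008-05-22 00:03:21 THUMBPRINT OK"), the 5-minute update interval shown in the server.xml fragment later in this article, and a staleness threshold of three missed updates (a value chosen here, not by the article). The sample log lines are constructed.

```python
"""Summarise THUMBPRINT OK / FAIL entries from a SonicWALL Email Security mdc log.

Added example for this article; it is not SonicWALL code. It assumes the
line layout the article quotes ("2008-05-22 00:03:21 THUMBPRINT OK") and
the 5-minute update interval shown in the article's server.xml fragment.
"""
import re
from datetime import datetime, timedelta

# Matches the timestamp and status of a thumbprint download entry.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) THUMBPRINT (OK|FAIL)\b")
UPDATE_INTERVAL = timedelta(minutes=5)  # assumption: interval="5" type="mins"

# Constructed sample log: two good downloads followed by three failures.
SAMPLE_LOG = """\
2008-05-22 00:03:21 THUMBPRINT OK
2008-05-22 00:08:21 THUMBPRINT OK
2008-05-22 00:13:22 THUMBPRINT FAIL
2008-05-22 00:18:21 THUMBPRINT FAIL
2008-05-22 00:23:24 THUMBPRINT FAIL
2008-05-22 00:23:25 some unrelated mdc entry
""".splitlines()
SAMPLE_NOW = datetime(2008, 5, 22, 0, 30)  # constructed "current time" for the sample


def parse_thumbprint_events(lines):
    """Return [(timestamp, "OK"|"FAIL"), ...] for thumbprint entries, in log order."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)))
    return events


def summarize(events, now, missed_updates=3):
    """Classify the thumbprint feed as seen from the mdc log.

    The feed is considered stale when the last successful download is older
    than `missed_updates` update intervals (threshold chosen here, not by the article).
    """
    last_ok = last_fail = None
    consecutive_failures = 0
    for ts, status in events:
        if status == "OK":
            last_ok, consecutive_failures = ts, 0
        else:
            last_fail, consecutive_failures = ts, consecutive_failures + 1

    stale = last_ok is None or now - last_ok > missed_updates * UPDATE_INTERVAL
    if not events:
        verdict = "no THUMBPRINT entries; check that this mdc log covers the alert period"
    elif consecutive_failures:
        verdict = ("downloads failing: test connectivity to the datacenter "
                   "(DNS for tp.mailfrontier.net, HTTP path, proxy, upstream firewall)")
    elif stale:
        verdict = "no download attempt logged since the last OK; check the thumb updater log"
    else:
        verdict = ("downloads succeeding; if Thumbprint Stale alerts persist, "
                   "suspect the local thumbprint database")
    return {
        "last_ok": last_ok,
        "last_fail": last_fail,
        "consecutive_failures": consecutive_failures,
        "stale": stale,
        "verdict": verdict,
    }


def analyse_log_file(path, now=None):
    """Convenience wrapper: summarise a downloaded mdc[date].log file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        events = parse_thumbprint_events(fh)
    return summarize(events, now or datetime.now())


if __name__ == "__main__":
    report = summarize(parse_thumbprint_events(SAMPLE_LOG), now=SAMPLE_NOW)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against a downloaded mdc[date].log with analyse_log_file(path). A run of consecutive FAIL entries points at the connectivity checks in step one; an unbroken run of OK entries while the alert persists points at the database.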

The third step is to check the thumb updater log.
From the UI go to System>Advanced. At the bottom, under Download System/Log Files, find logs:MlfThumbUpdate.
The main reasons thumbprint downloads fail are caused by an upstream firewall:
-The firewall is causing fragmentation issues;
-The firewall is aborting the connection during the download.
If the firewall is a SonicWALL UTM appliance, see the SonicWALL UTM Configuration section below. Another possible solution is to raise the download timeout; see the Modifying Time Out Value section below.

Resolutions:

Proxy Server Configuration

Email Security Appliance:
Go to System>Updates and configure the proxy server IP address and port and, if the proxy requires authentication, the username and password.

Email Security Software:
Create a service account (a new user) and log in to the Email Security server as that account. Open Internet Explorer's Internet Options and configure the proxy server settings there; these settings are stored per user, which is why the next step is needed. Then open Services (Start>Run>services.msc) and configure the Tomcat service to Log On using the service account you created, so that Tomcat picks up that account's proxy settings. Grant this account only the rights it needs to run the service.

SonicWALL UTM Configuration

Fragmentation Settings:
Go to Network>Interfaces and click the Configure icon next to the WAN port.
On the Advanced tab of the WAN port:
-Enable "Fragment non-VPN outbound packets larger than this Interface's MTU";
-Disable "Ignore Don't Fragment (DF) Bit".

Firewall Access Rule:
Identify the Zone the Email Security is located in.
Go to Network>Address Objects and add a new object of type host with the IP address of the Email Security.
Then go to Firewall>Access Rules, View Style: Matrix, and select the rule set from the zone where Email Security is located to the WAN zone, e.g. LAN to WAN or DMZ to WAN.
Add a new rule:
Action: Allow
Service: HTTP
Source: Email Security object
Destination: Any
Users Allowed: All
Schedule: Always on
Allow Fragmented Packets: Enabled
From the Advanced tab, set TCP Connection Inactivity Timeout (minutes) to 60.

IPS/GAV/ASW/CFS Exclusion:
On Security Services>Content Filter, Security Services>Gateway Anti-Virus, Security Services>Intrusion Prevention, and Security Services>Anti-Spyware:
Enable Exclusion list and add the IP address of the SonicWALL Email Security.

Modifying Time Out Value
This can only be performed on Email Security Software (server) installations. To have this change made, contact SonicWALL Support.
Find the file called server.xml, save a copy of it, and open it in Notepad.
Find the following lines:
<thumbprint>
<update interval="5" type="mins" send="true"/>
Change the update line to:
<update timeout="45" interval="5" type="mins" send="true"/>
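Editing server.xml by hand is easy to get wrong (a dropped quote or a stray character leaves Tomcat with an unparseable file). The script below is an added example written for this article, not a SonicWALL tool. It assumes the fragment shown above, i.e. a <thumbprint> element whose <update .../> child carries the interval attributes, and uses the value 45 quoted above; the article does not state the unit of the timeout, and the script does not guess one. The sample server.xml content is constructed.

```python
"""Set the thumbprint download timeout in server.xml without disturbing the rest of the file.

Added example for this article, not a SonicWALL tool. It assumes the fragment
the article shows (a <thumbprint> element whose <update .../> child carries the
interval) and uses the value 45 from the article; the article does not state the unit.
"""
import re
import shutil
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample: the article's fragment wrapped in a root element, with a comment
# to show that the edit leaves surrounding content untouched.
SAMPLE_SERVER_XML = """\
<server>
  <!-- other settings omitted -->
  <thumbprint>
    <update interval="5" type="mins" send="true"/>
  </thumbprint>
</server>
"""

UPDATE_TAG_RE = re.compile(r"<thumbprint>\s*<update\b[^>]*/>")
TIMEOUT_ATTR_RE = re.compile(r'\btimeout="[^"]*"')


def set_thumbprint_timeout(xml_text, timeout="45"):
    """Return xml_text with timeout="<timeout>" on the thumbprint <update/> element.

    The change is a targeted textual edit so that comments, ordering and
    formatting elsewhere in server.xml survive; re-serialising through an XML
    library would drop comments. The result is parsed afterwards as a sanity check.
    """
    if not str(timeout).isdigit():
        raise ValueError(f"timeout must be a whole number, got {timeout!r}")
    m = UPDATE_TAG_RE.search(xml_text)
    if m is None:
        raise ValueError("no <thumbprint><update .../> element found")
    tag = m.group(0)
    if TIMEOUT_ATTR_RE.search(tag):
        new_tag = TIMEOUT_ATTR_RE.sub(f'timeout="{timeout}"', tag)  # already set: replace value
    else:
        new_tag = tag.replace("<update", f'<update timeout="{timeout}"', 1)
    new_text = xml_text[: m.start()] + new_tag + xml_text[m.end():]
    ET.fromstring(new_text)  # raises ParseError if the edit broke well-formedness
    return new_text


def patch_server_xml(path, timeout="45"):
    """Back up server.xml next to itself (server.xml.bak) and apply the edit in place."""
    path = Path(path)
    backup = path.with_name(path.name + ".bak")
    shutil.copy2(path, backup)  # keep the original, as the article advises
    path.write_text(set_thumbprint_timeout(path.read_text(encoding="utf-8"), timeout),
                    encoding="utf-8")
    return backup


if __name__ == "__main__":
    print(set_thumbprint_timeout(SAMPLE_SERVER_XML))
```

patch_server_xml(r"C:\path\to\server.xml") makes the backup and applies the edit; the parse at the end of set_thumbprint_timeout means a malformed result is reported before anything is written back.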