Understanding the 'Upload Limit Reached' Error in Cisco ESA with AMP
Introduction
This document explains the "Upload Limit Reached" warning that is thrown by the ESA (Email Security Appliance) when it is configured to use the AMP (Advanced Malware Protection) feature to scan emails.
Prerequisites
It is helpful to have knowledge of the following topics:
- Email Security Appliance
- AMP
Components Used
The information in this document is based on the following software and hardware versions:
- ESA (Email Security Appliance) running software 12.x
The information in this document was derived from devices in a specific lab environment. All devices used in this document started with a clean (default) configuration. You should understand the potential impact of any command before executing it if your network is live. Network operation is assumed.
Background Information
The ESA (Email Security Appliance) uses AMP (Advanced Malware Protection) features, which include two main functions:
- File Reputation
- File Analysis
File Analysis uploads message attachments to the ThreatGrid Cloud server for sandbox analysis.
Understanding the "Upload Limit Reached" Warning
Message Tracking can show emails that were not scanned by AMP (Advanced Malware Protection) because the upload limit was reached.
Example:
02 Dec 2019 14:11:36 (GMT +01:00) Message 12345 is unscannable by Advanced Malware Protection engine. Reason: Upload Limit Reached
The new ThreatGrid sample limit model restricts the number of samples that a device can upload for file analysis on a per-organization basis. All integrated devices (WSA, ESA, CES, FMC, etc.) and AMP for Endpoints can use 200 samples per day, regardless of the number of devices.
This is a shared limit (not a per-device limit) and applies to licenses purchased after 12/1/2017.
Note: This counter does not reset daily. Instead, it operates on a 24-hour rollover.
Example Scenario:
In a cluster of four ESAs with an upload sample limit of 200, if ESA1 uploads 80 samples at 10:00 AM today, only the remaining 120 samples can be uploaded across the four ESAs (shared limit) until 10:00 AM tomorrow. The first 80 slots are released at 10:01 AM tomorrow.
How to Check Uploaded Samples in the Last 24 Hours
For ESA: Navigate to Monitor > AMP File Analysis > Files Uploaded for Analysis.
For SMA: Navigate to Email > Reporting > AMP File Analysis > Files Uploaded for Analysis.
Note: If the AMP File Analysis report does not display accurate data, review the "File Analysis Details in the Cloud Are Incomplete" section of the user guide.
Warning: For more details, refer to defect CSCvm10813.
Alternatively, you can count the number of uploaded files by running the grep command in the CLI. This task must be performed on each appliance.
Example:
grep "Dec 20.*File uploaded for analysis" amp -c
grep "Dec 21.*File uploaded for analysis" amp -c
You can use PCRE regular expressions to match dates and times.
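The per-appliance counts have to be summed and checked against the rolling 24-hour window rather than a calendar day. The following Python script is an added example, not Cisco code: it assumes the amp logs have been exported off-box and that each line carries a timestamp of the form "Dec 20 10:00:00 2019" ahead of the "File uploaded for analysis" text. The appliance names and sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

LIMIT = 200                    # shared per-organization limit stated on this page
WINDOW = timedelta(hours=24)   # rolling window, not a midnight reset

# Assumed layout: "<Mon> <day> <HH:MM:SS> <year> ... File uploaded for analysis"
UPLOAD_RE = re.compile(
    r"([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}:\d{2}:\d{2}) (\d{4}).*File uploaded for analysis")

def upload_times(lines):
    """Return the timestamp of every upload event found in one appliance's amp log."""
    times = []
    for line in lines:
        m = UPLOAD_RE.search(line)
        if m:
            times.append(datetime.strptime(" ".join(m.groups()), "%b %d %H:%M:%S %Y"))
    return times

def quota_status(logs_by_appliance, now, limit=LIMIT):
    """Merge uploads from all appliances; return (used, remaining, next_release)."""
    recent = sorted(t for lines in logs_by_appliance.values()
                    for t in upload_times(lines) if now - WINDOW < t <= now)
    # Oldest upload still in the window plus 24 h approximates when a slot frees up.
    next_release = recent[0] + WINDOW if recent else None
    return len(recent), max(limit - len(recent), 0), next_release

def constructed_log(stamp, count):
    """Build constructed sample lines; the SHA256 value is a placeholder."""
    return [f"{stamp} Info: File uploaded for analysis. SHA256: <placeholder>"] * count

# Constructed sample: ESA1 uploads 80 files at 10:00 (as in the scenario), ESA2 30 later.
SAMPLE = {
    "esa1": constructed_log("Fri Dec 20 10:00:00 2019", 80),
    "esa2": constructed_log("Fri Dec 20 15:30:00 2019", 30)
            + ["Fri Dec 20 15:31:00 2019 Info: constructed non-upload line"],
}

if __name__ == "__main__":
    for now in (datetime(2019, 12, 21, 9, 59), datetime(2019, 12, 21, 10, 1)):
        used, remaining, release = quota_status(SAMPLE, now)
        print(f"{now}: used={used} remaining={remaining} next slot frees at {release}")
```

Alerting when the remaining count approaches zero gives warning before messages start to appear in Message Tracking as unscannable with the reason "Upload Limit Reached".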
How to Extend Upload Limits
Contact your Cisco account manager or sales engineer.