Starting with PacketWise version 8.6, PacketShaper displays the unit’s support contract status. You can see the status as a banner message in the CLI, Legacy UI, and Sky UI; it is also visible in the top status bar on the UI.
Note: URL category-based classification will not work properly if you do not have a valid support contract.
The contract status can be one of the following:
Active: PS was able to validate that your unit has a valid support contract.
Expired: PS was able to validate that your unit does not currently have a valid support contract. You will have to renew the contract.
Unknown: PS was not able to validate your unit’s contract status. This indicates a network connectivity issue to the Blue Coat contract server. Please see the troubleshooting steps below.
1. Can PS resolve the IP for updates.bluecoat.com?
dns lookup updates.bluecoat.com
2. Make sure the security settings on the PS allow connectivity to the IP address for updates.bluecoat.com.
3. Make sure that there is no other device in your network blocking the HTTPS/SSL connection to updates.bluecoat.com.
4. If the PS has to go through an explicit proxy server to reach the Internet, you have to add the Web proxy settings on the PS and also edit the proxy rules to allow connections to and from the PS.
setup web-proxy server 10.9.66.12:8000
setup web-proxy on|off
setup web-proxy show (to check the setting)
5. You can use the command setup support update to update the contract status.
6. If you are still having issues, take a packet capture on the Localhost class while you run the setup support update command and look for SSL/HTTPS packets from the PS IP address. The packet trace should show whether the problem is with DNS, the Web request, or something else.
Note: If you are analyzing the packet trace from a Web proxied network, keep in mind that the DNS queries will go to the DNS servers but HTTP/HTTPS packets will not go to the end server addresses. They will go to the proxy server, so you will not see the flows going to the server’s IP address that DNS resolved to. Instead, you will see it going to the proxy’s IP address. Also, the contract validation request may no longer be using the SSL destination port number; it will be using the port number for the Web proxy. Therefore, applications like Wireshark may not show the connection as SSL.
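The following is an added example, not part of the original article or of Blue Coat's tooling: a short Python routine that labels TCP payloads from such a trace by content instead of by port, so that the tunnel request, the proxy's answer, and the TLS handshake can be identified even on the proxy port. It assumes the PS tunnels HTTPS through the explicit proxy with a standard HTTP CONNECT request; the PS address and all sample payloads are constructed, and the proxy address is the one from the setup web-proxy example above.

```python
import re

PS_IP = "192.0.2.10"            # constructed PacketShaper address
PROXY = ("10.9.66.12", 8000)    # proxy address from the setup web-proxy example

def classify(payload: bytes) -> str:
    """Label a TCP payload by its content, ignoring the port number."""
    m = re.match(rb"CONNECT (\S+):(\d+) HTTP/1\.[01]\r\n", payload)
    if m:
        return "connect:%s:%s" % (m.group(1).decode(), m.group(2).decode())
    m = re.match(rb"HTTP/1\.[01] (\d{3})", payload)
    if m:
        return "reply:" + m.group(1).decode()
    # TLS record header: type 0x16 (handshake), major version 0x03,
    # two length bytes, then handshake type 0x01 (ClientHello).
    if len(payload) > 5 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls-client-hello"
    return "other"

def triage(segments) -> str:
    """segments: (src_ip, dst_ip, dst_port, payload) tuples in capture order."""
    to_proxy = [classify(p) for s, d, dp, p in segments if s == PS_IP and (d, dp) == PROXY]
    from_proxy = [classify(p) for s, d, dp, p in segments if s == PROXY[0] and d == PS_IP]
    if not any(c.startswith("connect:") for c in to_proxy):
        return "no CONNECT sent to proxy"
    replies = [c for c in from_proxy if c.startswith("reply:")]
    if not replies:
        return "proxy did not answer CONNECT"
    if replies[0] != "reply:200":
        return "proxy refused tunnel (%s)" % replies[0][6:]
    if "tls-client-hello" not in to_proxy:
        return "tunnel open, no TLS handshake"
    return "TLS handshake sent through proxy tunnel"

# Constructed sample segments (not taken from a real capture).
CONNECT = b"CONNECT updates.bluecoat.com:443 HTTP/1.1\r\nHost: updates.bluecoat.com:443\r\n\r\n"
HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"
ALLOWED = [(PS_IP, PROXY[0], 8000, CONNECT),
           (PROXY[0], PS_IP, 51000, b"HTTP/1.1 200 Connection established\r\n\r\n"),
           (PS_IP, PROXY[0], 8000, HELLO)]
DENIED = [(PS_IP, PROXY[0], 8000, CONNECT),
          (PROXY[0], PS_IP, 51000, b"HTTP/1.1 403 Forbidden\r\n\r\n")]

if __name__ == "__main__":
    print(triage(ALLOWED))
    print(triage(DENIED))
```

A non-200 reply from the proxy points at the proxy rules in step 4; no CONNECT at all points at the Web proxy settings on the PS.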