This is a known issue, for which there are two solutions.
The URL categorization feature has the following deployment requirements:
- The PacketShaper must have Internet access to connect to the WebPulse service.
- A DNS server must be configured on the PacketShaper.
- The PacketShaper hardware must have a valid support contract, although there is a 30-day grace period.
- If you want to secure access to the outside interface, do not use the secure option, because the URL category feature requires access to a number of outside web servers. Instead, use the list security option and add the IP addresses of the following servers to the exception list:
  - WebPulse service points (use the "setup urlcategory show service" CLI command to see the IP addresses of the servers; add the one or two fastest servers)
  - Category map update server (sitereview.bluecoat.com)
  - Support update server (updates.bluecoat.com)
  - Heartbeat server (hb.bluecoat.com)
Note: To find the IP address associated with each of these servers, use the nslookup command (such as the "dns lookup" CLI command).
The URL categorization feature has the following limitations:
- Because the PacketShaper gives higher priority to flow delivery than to classification, it will never hold up flows to wait for a response from WebPulse. Therefore, the first few packets of a flow may get classified into a web or default class until WebPulse sends the URL category to the PacketShaper.
- Packet processing takes precedence over URL categorization. If the PacketShaper is under load, category requests may get queued, and some requests may be dropped.
- Behavior for asymmetrically applied redirect policies is non-deterministic for URL category-based classes since URL categorization is done out of path. Therefore, when applying never-admit policies with the redirect option, be sure to apply the policy to the category classes in both directions (Inbound and Outbound).
If everything mentioned above seems to be OK, use the following method:
- Reboot the unit.
- If the issue still persists, get a packet trace. Copy and paste the following commands in the PacketShaper CLI:
sys e set all default
sys e clear all
packet remove all
packet add class:/Inbound/localhost
packet add class:/Outbound/localhost
set url webpulse off
set url off
set url on
set url webpulse on
set urlcat map-download
sys e d
The packetcapture commands will create a .DMP file under the 9.258/pktlog directory (or the 9.1026/PKTLOG/ directory for image versions 8.6.x and above). Download this file to your desktop using the PacketShaper File Browser. Also copy the output of the last command (sys e d) and paste it into a text file. Then upload these files to your case.