Service point connection failure. Cannot connect to remote service point.


Article ID: 166889


Updated On:

Products

PacketShaper

Issue/Introduction

On the Info tab and in the output of the "banner show" command, the PacketShaper displays the following error message:

Service point connection failure. Cannot connect to remote service point.

Resolution

 

This is a known issue, for which there are two solutions.

SOLUTION A

The URL categorization feature has the following deployment requirements:

  • The PacketShaper must have Internet access to connect to the WebPulse service.
  • A DNS server must be configured on the PacketShaper.
  • The PacketShaper hardware must have a valid support contract, although there is a 30-day grace period. 
  • If you want to secure access to the outside interface, do not use the secure option because the URL category feature requires access to a number of outside web servers. Instead, use the list security option and add the IP addresses of the following servers to the exception list:
    • WebPulse service points (Use the "setup urlcategory show service" CLI command to see the IP addresses of the servers; add the one or two fastest servers.)
    • Category map update server (sitereview.bluecoat.com)
    • Support update server (updates.bluecoat.com)
    • Heartbeat server (hb.bluecoat.com)

Note: To find the IP address associated with each of these servers, use a name lookup command such as nslookup or the "dns lookup" CLI command.
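The exception list holds IP addresses while the requirement is stated in hostnames, so the list can drift when DNS answers change. The following is an added example, not part of the original article or any vendor tooling: a Python check, run from a management workstation, that compares an exception list with what the three hostnames above currently resolve to. It assumes the workstation uses the same DNS server as the PacketShaper and that the operator supplies the current list; all sample addresses are constructed.

```python
import socket

# Hostnames the article lists for the "list" security exception list.
REQUIRED_HOSTS = (
    "sitereview.bluecoat.com",  # category map update server
    "updates.bluecoat.com",     # support update server
    "hb.bluecoat.com",          # heartbeat server
)


def resolve_ipv4(host):
    """Return the IPv4 addresses the local resolver gives for host (empty on failure)."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def audit_exception_list(current_ips, resolver=resolve_ipv4, hosts=REQUIRED_HOSTS):
    """Compare an exception list with what the required hostnames resolve to now.

    unresolved: hostnames with no DNS answer (check the DNS requirement first)
    missing:    resolved addresses per hostname that are absent from the list
    unmatched:  list entries matching none of these hostnames; they may be
                WebPulse service points, which this check does not cover
    """
    current = set(current_ips)
    report = {"unresolved": [], "missing": {}, "unmatched": set()}
    matched = set()
    for host in hosts:
        ips = resolver(host)
        if not ips:
            report["unresolved"].append(host)
            continue
        matched |= ips
        if ips - current:
            report["missing"][host] = sorted(ips - current)
    report["unmatched"] = current - matched
    return report


if __name__ == "__main__":
    # Constructed DNS answers and list entries (documentation address ranges).
    answers = {"sitereview.bluecoat.com": {"192.0.2.10"},
               "updates.bluecoat.com": {"192.0.2.20", "192.0.2.21"}}
    exception_list = ["192.0.2.10", "192.0.2.20", "198.51.100.7"]
    print(audit_exception_list(exception_list, lambda h: answers.get(h, set())))
```

Calling audit_exception_list with only the list of addresses uses live DNS instead of the constructed answers.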

The URL categorization feature has the following limitations:

  • Because the PacketShaper gives higher priority to flow delivery than to classification, it will never hold up flows to wait for a response from WebPulse. Therefore, the first few packets of a flow may get classified into a web or default class until WebPulse sends the URL category to the PacketShaper.
  • Packet processing takes precedence over URL categorization. If the PacketShaper is under load, category requests may get queued, and some requests may be dropped.
  • Behavior for asymmetrically applied redirect policies is non-deterministic for URL category-based classes since URL categorization is done out of path. Therefore, when applying never-admit policies with the redirect option, be sure to apply the policy to the category classes in both directions (Inbound and Outbound).

SOLUTION B

If everything mentioned above seems to be OK, then use the following method:

  1. Reboot the unit.
  2. If the issue still persists, get a packet trace. Copy and paste the following commands in the PacketShaper CLI:

 

sys e set all default
sys e clear all
packet remove all
packet add class:/Inbound/localhost
packet add class:/Outbound/localhost
packet on
set url webpulse off
set url off
set url on
set url webpulse on
set urlcat map-download
packet off
sys e d

The packet capture commands will create a .DMP file under the 9.258/pktlog directory (or the 9.1026/PKTLOG/ directory for image versions 8.6.x and above). Download this file to your desktop using the PacketShaper File Browser. Also copy the output of the last command (sys e d) and paste it into a text file. Then upload these files to your case.