Socket connect error when downloading a content filter database

Article ID: 166926

Products

ProxySG Software - SGOS

Issue/Introduction

Socket connect error when downloading a content filter database
ERROR:  Socket connect error
Download failed

Resolution

If you get a socket connect error when downloading the content filter database, you may have a corrupt SSL client. The error message suggests that the process responsible for performing the download was unable to access the ssl-client data structure in memory. This happens when specific changes are made to the "SSL Client" through the Blue Coat Management Console and the ProxySG is then restarted. The proxy event log should show “ssl-client not found”. This issue is not confined to BCWF database download failures. It can also occur in any of the following cases:

  • A Content Filter vendor is using HTTPS to download the database.
  • System image downloads over HTTPS.
  • SSL communication with authentication servers (LDAP, IWA).
  • HTTPS Reverse Proxy when it talks SSL to the origin server.

The symptom of the problem looks as follows:

ProxySG4#(config bluecoat)download get-now
This may take a few minutes. Please wait...
loading database..
https://list.bluecoat.com/bcwf/activity/download/bcwf.db?installed_versi...
ERROR: Socket connect error
Fetching:
https://list.bluecoat.com/bcwf/activity/download/bcwf.db
ERROR: Socket connect error
Download failed
Previous download:
Blue Coat download at: Tue, 21 Feb 2006 00:19:05 UTC
Downloading from https://list.bluecoat.com/bcwf/activity/download/bcwf.db
Requesting differential update
Differential update applied successfully
Download size: 151489760
Database date: Mon, 20 Feb 2006 00:28:36 UTC
Database expires: Wed, 22 Mar 2006 00:28:36 UTC
Database version: 2006051

Because the database is downloaded using SSL, your SSL client could be corrupt or be experiencing a problem. First, verify that you have a valid SSL client created:

ProxySG4#(config ssl)view ssl-client
SSL-Client Name Keyring Name Protocol
-------------------- -------------------- ------------
default <None> SSLv2v3TLSv1

If you have an ssl-client configured but the issue persists, delete and recreate the ssl-client:

ProxySG4#(config)ssl
ok
ProxySG4#(config ssl)delete ssl-client default
ok
ProxySG4#(config ssl)create ssl-client default
defaulting protocol to SSLv2v3TLSv1
ok

DNS can be another source of this error. If the SG is unable to resolve the hostname "list.bluecoat.com", or if the cached DNS response is no longer current, the content filter download can fail with the same error.

From the SG management console, navigate to Maintenance > System and Disks > Tasks, and click Clear DNS cache. After clearing the DNS cache, try downloading the content filter database again.



Note: If the download still fails with "ERROR: Socket connect error" after following these steps, check your Device Profiles, as the proxy may be trying to negotiate an unsupported protocol. Due to POODLE, SSLv2 and SSLv3 are no longer supported on our server, and if the proxy attempts to open a connection using these protocols, the result is the same failure message. Go to Device Profiles (Configure -> SSL -> Device Profiles), check that the proxy is not attempting to use SSLv2 or SSLv3, and edit the device profile to set the SSL protocol to TLSv1 or above.
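The checks above can be run over saved CLI output. The following Python script is an added example, not Blue Coat code: it parses "view ssl-client" output in the column layout shown in this article, reports a missing ssl-client (or the "ssl-client not found" event-log string), and flags any entry whose Protocol field still includes SSLv2 or SSLv3. Assumptions: client and keyring names contain no spaces, the sample text is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in the layout this article shows for "view ssl-client".
SAMPLE_VIEW = """\
ProxySG4#(config ssl)view ssl-client
SSL-Client Name Keyring Name Protocol
-------------------- -------------------- ------------
default <None> SSLv2v3TLSv1
"""
LEGACY = {"SSLv2", "SSLv3"}  # protocols the note above says the server refuses

def split_protocols(field):
    """Expand a combined field such as 'SSLv2v3TLSv1' into separate names."""
    names = []
    for family, versions in re.findall(r"(SSL|TLS)((?:v[\d.]+)+)", field, re.I):
        names += [f"{family.upper()}v{v}" for v in re.findall(r"v([\d.]+)", versions)]
    return names

def parse_ssl_clients(text):
    """Map each ssl-client name to its protocols (assumes names without spaces)."""
    clients, in_table = {}, False
    for line in text.splitlines():
        if line.strip() and set(line) <= set("- "):
            in_table = True  # dashed separator: table rows follow
        elif in_table and "#" not in line and len(line.split()) == 3:
            name, _keyring, protocol = line.split()
            clients[name] = split_protocols(protocol)
    return clients

def triage(view_output, event_log=""):
    """Return findings that match the causes described in this article."""
    findings = []
    clients = parse_ssl_clients(view_output)
    if not clients or "ssl-client not found" in event_log:
        findings.append("ssl-client missing or corrupt: delete and recreate it")
    for name, protocols in clients.items():
        legacy = sorted(LEGACY.intersection(protocols))
        if legacy:
            findings.append(f"{name}: offers {'/'.join(legacy)}; set TLSv1 or above")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_VIEW):
        print(finding)
```

Device profile output is not shown in this article, so the script does not parse it; the same protocol check applies there through the Management Console.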