Unable to get Secure ICAP working between ProxySG and Symantec DLP or ProxyAV


Article ID: 168844


Updated On:


Data Loss Prevention ProxyAV Software - AVOS ProxySG Software - SGOS


In some configurations, the ICAP health check fails as soon as a Secure ICAP service is enabled.

The health check reports the following error:

proxySG#(config external-services)edit ProxyAV1
proxySG#(config icap ProxyAV1)health-check perform
    Enabled      Check failed      DOWN
    Last status: Certificate validation failed.
    Successes (total): 121100      (last): Fri, 06 Nov 2015 16:07:47 GMT      (consecutive): 0
    Failures  (total): 7833      (last): Fri, 06 Nov 2015 17:38:39 GMT      (consecutive): 545      (external): 0
    Last response time: 14 ms      Average response time: 15 ms
    Minimum response time: 13 ms      Maximum response time: 24 ms

% Health check has failed.
proxySG#(config icap ProxyAV1)exit
proxySG#(config external-services)exit


Possible root causes of the issue:

  1. The CN of the DLP or ProxyAV certificate does not match the host name or IP address used in the ICAP URL for the DLP or AV service under the ProxySG ICAP settings.
  2. The certificate may have expired.



This assumes that the certificate has been generated correctly on the DLP or on the AV and then imported into the proxy, following the steps in the Integrating the ProxySG and ProxyAV Appliances Guide (https://bto.bluecoat.com/sites/default/files/tech_pubs/SG_AV_Integration.pdf).

To resolve the issue, disable the "Verify Peer" function in the proxy Web UI under Configuration->SSL->Device Profile: select the secure ICAP device profile that you created earlier and click Edit. Note that with Verify Peer disabled the ProxySG no longer validates the DLP or ProxyAV certificate on the Secure ICAP connection; the health check will pass, but a certificate whose CN matches the ICAP URL host and that is still within its validity period avoids the need for this workaround.
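Before disabling Verify Peer, the two root causes above can be confirmed from any host that can reach the DLP or ProxyAV Secure ICAP port. The following Python script is an added example, not part of this article or of any Symantec tool: it connects the way Verify Peer does (certificate chain validated against the CA file, then the name from the ICAP URL compared with the certificate) and reports a name mismatch or an expired certificate. The host name, port and CA file path are assumptions; the certificate dictionary layout is the one returned by Python's ssl getpeercert().

```python
import socket
import ssl
import time

def cert_names(cert):
    """Names a certificate asserts: SAN DNS / IP entries plus the subject CN."""
    names = set()
    for kind, value in cert.get("subjectAltName", ()):
        if kind in ("DNS", "IP Address"):
            names.add(value.lower())
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    return names

def name_matches(host, names):
    """True if host equals one of the names or fits a single-label wildcard (*.example.net)."""
    host = host.lower()
    for name in names:
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False

def check_cert(cert, host, now=None):
    """Evaluate root cause 1 (name mismatch) and 2 (expiry) for a getpeercert()-style dict.
    'now' is epoch seconds (defaults to the current time) so the check is reproducible."""
    now = time.time() if now is None else now
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "name_ok": name_matches(host, cert_names(cert)),
        "expired": now > not_after,
        "names": sorted(cert_names(cert)),
        "not_after": cert["notAfter"],
    }

def probe_icap_server(host, port, cafile):
    """Connect as the ProxySG would with Verify Peer on: chain must validate against cafile.
    Returns the findings, or the OpenSSL verify message (e.g. 'certificate has expired')."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # the name mismatch is reported by check_cert instead of raising
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return check_cert(tls.getpeercert(), host)
    except ssl.SSLCertVerificationError as err:
        return {"verify_error": err.verify_message}

if __name__ == "__main__":
    # Assumed values: the host/port from the ICAP URL and the CA file exported from the DLP/AV.
    print(probe_icap_server("dlp.example.net", 11344, "dlp-ca.pem"))
```

A result with "name_ok": False points at root cause 1 and "expired": True (or a verify_error mentioning expiry) at root cause 2.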
