
Investigating the Subscription error - 14403_Forbidden which prevented the download and update of the ABRCA_root Certificate on Content Analysis


Article ID: 224845




CAS-S400 Content Analysis Software ISG Content Analysis




Investigation of the reported error "Sep 21 01:11:05 tsb-1edg-nh-cf04 updater-daemon[13722]: Notifying client that subscription update for the service ma-patterns encountered error -14403 : Forbidden" shows that it is usually caused by the appliance being unable to communicate with the Symantec/Broadcom subscription server at the time the error was logged.
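To see whether the failure was a one-off or persisted across update attempts, the updater-daemon lines can be pulled out of an exported syslog and grouped by service and error code. The following is an added example, not Broadcom tooling; the regular expression assumes the message wording of the line quoted above, and every sample line except the first is constructed.

```python
import re

# Pattern derived from the single log line quoted in this article; other
# software versions may word the message differently (assumption).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"updater-daemon\[(?P<pid>\d+)\]: Notifying client that subscription "
    r"update for the service (?P<service>\S+) encountered error "
    r"(?P<code>-?\d+) : (?P<reason>.+)$"
)

def parse_update_errors(lines):
    """Yield one dict per updater-daemon subscription error line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["code"] = int(rec["code"])
            yield rec

def summarize(lines):
    """Group failures by (service, code) with count and first/last timestamp."""
    summary = {}
    for rec in parse_update_errors(lines):
        key = (rec["service"], rec["code"])
        entry = summary.setdefault(
            key, {"count": 0, "first": rec["ts"], "reason": rec["reason"]}
        )
        entry["count"] += 1
        entry["last"] = rec["ts"]
    return summary

SAMPLE = [
    # Line quoted in the article.
    "Sep 21 01:11:05 tsb-1edg-nh-cf04 updater-daemon[13722]: Notifying client that subscription update for the service ma-patterns encountered error -14403 : Forbidden",
    # Constructed: the same failure on a later update attempt.
    "Sep 21 02:11:06 tsb-1edg-nh-cf04 updater-daemon[13722]: Notifying client that subscription update for the service ma-patterns encountered error -14403 : Forbidden",
    # Constructed: unrelated line that must be ignored.
    "Sep 21 02:12:00 tsb-1edg-nh-cf04 sshd[901]: Accepted publickey for admin",
]

if __name__ == "__main__":
    for (service, code), info in summarize(SAMPLE).items():
        print(service, code, info["reason"], info["count"], info["first"], info["last"])
```

A count that keeps growing between the first and last timestamps points to a standing firewall or proxy block rather than a momentary outage.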

There are various scenarios in which Content Analysis (CAS) fails to update the license/subscriptions or download the latest anti-virus (AV) and Malware Analysis (MA) patterns. These include but are not limited to:

  • The CAS device is located behind a firewall
  • The CAS device does not have direct access to the Internet
  • The CAS device can only access the Internet via a ProxySG or ASG device

Please verify that the CAS is allowed to access the required URLs on your Firewall and/or Proxy. The required URLs are:


Please collect a PCAP from the CAS appliance with the filter below, so we can validate communication between the CAS appliance and these backend servers. For guidance on collecting the PCAP, please refer to the Tech. Article with URL below. Run the PCAP for only 10s duration. Please collect the capture and upload it to the case.

Utilize the filter: host or host or host or port 53

See sample capture in the snippets below. It's important to see successful standard DNS queries/responses, for and We assume the communication with should be fine, since the appliance is able to successfully request new appliance certificate.

It is important that the CAS appliance is able to communicate with the and we should see the conversation on the PCAP, as shown in the snippet below.

Each antivirus vendor provides pattern file updates that necessarily contain portions (or descriptions) of viruses. Generally, these virus segments are encoded and are too small to be mistaken as a true virus by other AV vendors. But occasional false positives occur. These can be prevented by exempting virus pattern update locations from scanning, as the following example policy illustrates (place this policy after all other ICAP policies on the ProxySG):

<cache> response.icap_service(no) response.icap_service(no)

With the standard DNS queries/responses and communication with the requisite backend URLs (servers) verified to be established, please run the CLI command highlighted in the snippet below to download the ABRCA_root certificate, and then run the subsequent command to validate the status of the certificate on the CAS. We expect this to work on this version.