search cancel

Investigating the Subscription error - 14403_Forbidden which prevented the download and update of the ABRCA_root Certificate on Content Analysis

book

Article ID: 224845

calendar_today

Updated On:

Products

CAS-S400 Content Analysis Software ISG Content Analysis

Issue/Introduction

Investigating the Subscription error - 14403_Forbidden which prevented the download and update of the ABRCA_root Certificate on Content Analysis

Environment

Release : 2.4.2.1

Component :

Resolution

Having investigated the "Sep 21 01:11:05 tsb-1edg-nh-cf04 updater-daemon[13722]: Notifying client that subscription update for the service ma-patterns encountered error -14403 : Forbidden" error reported, we see that this is usually caused by the appliance's non-communication, at the time the error was seen, with the subscription server in Symantec/Broadcom.

There are various scenarios where the Content Analysis (CAS) fails to update the license/subscriptions or download the latest anti-virus (AV) and Malware Analysis (MA) patterns. These include but are not limited to:

  • The CAS device is located behind a firewall
  • The CAS device does not have direct access to the Internet
  • The CAS device can only access to the internet via a ProxySG or ASG device

Please, verify that the CAS is allowed to access the required URLs on your Firewall and/or Proxy. The required URLs are:

  • subscription.es.bluecoat.com
  • abrca.bluecoat.com
  • appliance.bluecoat.com

Please collect a PCAP from the CAS appliance with the filter below, for investigation, so we can validate communication between the CAS appliance and these backend servers. For guidance on collecting the PCAP, please refer to the Tech. Article with URL below. run the PCAP for only 10s duration. Please collect the capture and upload the same to the case.

https://knowledge.broadcom.com/external/article/168557/how-to-perform-a-packet-capture-on-conte.html

Utilize the filter: host subscription.es.bluecoat.com or host abrca.bluecoat.com or host appliance.bluecoat.com or port 53

See sample capture in the snippets below. It's important to see successful standard DNS queries/responses, for appliance.bluecoat.com and subscription.es.bluecoat.com. We assume the communication with abrca.bluecoat.com should be fine, since the appliance is able to successfully request new appliance certificate.

https://api-broadcom-ca.wolkenservicedesk.com/attachment/get_attachment_content?uniqueFileId=Mx9jkK6OUIHawCfAQoyUlw==

It is important that the CAS appliance is able to communicate with the subscription.es.bluecoat.com and we should see the conversation on the PCAP, as shown in the snippet below.

https://api-broadcom-ca.wolkenservicedesk.com/attachment/get_attachment_content?uniqueFileId=gUx1uuU6Wc91drBJiA6E6g==

Each antivirus vendor provides pattern file updates that necessarily contain portions (or descriptions) of viruses. Generally, these virus segments are encoded and are too small to be mistaken as a true virus by other AV vendors. But occasional false positives occur. These can be prevented by exempting virus pattern update locations from scanning, as the following example policy illustrates (place this policy after all other ICAP policies on the ProxySG):

<cache> 
  url.host=download.bluecoat.com response.icap_service(no) url.host=av-download.bluecoat.com response.icap_service(no)

With the standard DNS  queries/responses and communication with the requisite backend URLs (servers) verified to be established, please run the CLI command highlighted in the snippet below, to download the ABRCA_root certificate and also run the subsequent command to validate the status of the certificate, on the CAS 2.4.2.1. We expect this to work on this version.

https://api-broadcom-ca.wolkenservicedesk.com/attachment/get_attachment_content?uniqueFileId=6DWjyEmjSGSjZNs5ArLGTQ==