
Investigating the "CAS(config)# request-appliance-certificate % Failed" error


Article ID: 229616


Products

CAS-S400 CAS-S500

Issue/Introduction

Investigating the "CAS(config)# request-appliance-certificate % Failed" error

Environment

Release : 3.1.2.6

Resolution

The "CAS(config)# request-appliance-certificate % Failed" error always indicates that there is no communication between the CAS appliance and appliance.bluecoat.com, so the appliance cannot retrieve a new appliance (birth) certificate from the backend.

The steps below demonstrate how this should work, how the PCAP should be collected, and what to look for in the PCAP to validate successful communication with the requisite backend servers.

  • Ensure DNS queries and responses are present for abrca.bluecoat.com and subscription.es.bluecoat.com. The second destination is optional and is included as a safeguard. See sample snippet below.
  • Once the DNS resolution has been verified, as shown above, the next, and very important, step is to check the IPv4 conversations in the Wireshark capture for the requisite backend servers. To do this, go to Statistics > Conversations in Wireshark. See the sample below.

 

  • If the CAS appliance communicates with the Internet through the ProxySG appliance, the filter for the PCAP on the ProxySG appliance should be in the form below.

ip host <IP address of the CAS appliance> or port 53
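
The two checks above (DNS answers for the backend hosts, then IPv4 conversations with the resolved addresses) can also be scripted. The following is an added example, not Broadcom code: it assumes the capture has been exported with the tshark command shown in the comment, and the sample rows, IP addresses and function names are constructed for illustration.

```python
# Input: tab-separated rows exported from the capture with
#   tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e dns.qry.name -e dns.a
REQUIRED = ("abrca.bluecoat.com", "subscription.es.bluecoat.com")  # hosts named in the article

# Constructed sample rows; all addresses are documentation-range placeholders.
SAMPLE = "\n".join([
    "192.0.2.5\t192.0.2.53\tabrca.bluecoat.com\t",              # DNS query from the CAS
    "192.0.2.53\t192.0.2.5\tabrca.bluecoat.com\t203.0.113.10",  # DNS response with A record
    "192.0.2.5\t192.0.2.53\tsubscription.es.bluecoat.com\t",    # query that is never answered
    "192.0.2.5\t203.0.113.10\t\t",                              # CAS -> backend
    "203.0.113.10\t192.0.2.5\t\t",                              # backend -> CAS
])

def check_backend(rows, cas_ip):
    """For each required host report: was it queried, which A records came back,
    and did the CAS exchange IPv4 packets in both directions with one of them."""
    report = {h: {"queried": False, "resolved": set()} for h in REQUIRED}
    flows = set()
    for line in rows.splitlines():
        cols = (line.split("\t") + [""] * 4)[:4]
        src, dst, qname, answers = (c.strip() for c in cols)
        if not src or not dst:
            continue                      # non-IPv4 frame (ARP, IPv6, ...)
        flows.add((src, dst))
        host = report.get(qname.lower().rstrip("."))
        if host is not None:
            host["queried"] = True
            host["resolved"].update(a for a in answers.split(",") if a)
    for host in report.values():
        ips = host["resolved"] = sorted(host["resolved"])
        host["two_way"] = any((cas_ip, ip) in flows and (ip, cas_ip) in flows for ip in ips)
    return report

def diagnose(report):
    """Apply the article's checks in order: DNS first, then the conversation."""
    out = []
    for name, r in report.items():
        if not r["queried"]:
            out.append(f"{name}: no DNS query seen")
        elif not r["resolved"]:
            out.append(f"{name}: DNS query without an answer")
        elif not r["two_way"]:
            out.append(f"{name}: resolved, but no two-way conversation")
        else:
            out.append(f"{name}: OK via {', '.join(r['resolved'])}")
    return out

if __name__ == "__main__":
    print("\n".join(diagnose(check_backend(SAMPLE, "192.0.2.5"))))
```
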

The "request-appliance-certificate" CLI command on the CAS is expected to succeed once communication with the abrca.bluecoat.com and subscription.es.bluecoat.com backend servers is established. With this, the CAS AV license(s) are also expected to become available on the CAS appliance for activation. From the Broadcom entitlement portal, it should be confirmed that the license is valid and available; it would sync with your asset (the CAS appliance) once communication with the backend is established.

If the required communication with the requisite backend servers has been validated and the "request-appliance-certificate" CLI command on the CAS still fails, the problem is then with the backend licensing server not being able to sync the license to the asset. In this case, a GCA licensing ticket should be created, in line with Support procedure, to have the licensing team investigate further. To get to this point, you should have received all the necessary evidence from the customer, as guided above. See further guidance in the tech article at: https://knowledge.broadcom.com/external/article/170623/troubleshooting-cas-antivirus-licensing.html