Investigating and resolving the "% Failed to connect to subscription.es.bluecoat.com" CRITICAL database download error.
Article ID: 237836
Updated On:
Products
Issue/Introduction
status is critical...
content filter communication status ... download fails...
Error: % Failed to connect to subscription.es.bluecoat.com
Resolution
Cause
Having investigated the reported "% Processing Accumulative" Update" content Filtering message, please be informed that that is caused by potentially corrupt contents in the database.
From the logs, we see the below.
Resolution
To resolve the issue, a purge of the impacted databases and a full download of the same will be required. To proceed with this, the customer has been guided to, please, execute the following CLI commands shown in the snippets below.
Disable Blue Coat as a content providerProxySG#config t
Enter configuration commands, one per line. End with CTRL-Z.
ProxySG#(config)content-filter
ProxySG#(config content-filter)provider bluecoat disable
ok
Disable Application Classification
Disable Application Attribute and click the Apply button. To do this, access the feature from the management console, as shown in the snippet below.
ProxySG#(config)application-classification
ProxySG#(config application-classification)disable
ok
Purge the previous content filtering database and download a new one
ProxySG#(config content-filter)bluecoat
ProxySG#(config bluecoat)purge
ok
ProxySG#(config bluecoat)download get-now
This may take a few minutes. Please wait...
loading database....................................................................
....................................................................................
....................................................................................
....................................................................
Download log:
Blue Coat download at: 2009/05/29 10:42:26 -0600
Downloading from http://list.bluecoat.com/bcwf/activity/download/bcwf.db
Download size: 187584768
Database date: Fri, 29 May 2009 16:05:28 UTC
Database expires: Sun, 28 Jun 2009 16:05:28 UTC
Database version: 291490400
Database format: 1.1
ok
Re-enable content filtering provider
ProxySG#(config bluecoat)exit
ProxySG#(config content-filter)provider bluecoat enable
loading database...
ok
Purge the previous application classification database and download a new oneProxySG#(config application-classification)purge
ok
ProxySG#(config application-classification)download get-now
This may take a few minutes. Please wait...
loading database....................................................................
....................................................................................
Re-enable application classificationProxySG#(config)application-classification
ProxySG#(config application-classification)enable
ok
Re-enable Blue Coat Application Attribute and click the Apply button. See the snippet below, for guidance.
Do the same for the geolocation database. See the snippet below, for guidance.
Do the same for the Threat Risk Communication Database. See the snippet below, for guidance.
Note: As we investigated the logs, we saw that a number of potentially harmful categories are allowed in police, on the Proxy. See the attached spreadsheet. A phishing attack can be perpetrated by a remote attacker via malicious and Phishing sites. You may want to consider denying access to potentially malicious and Phishing sites.
Additionally, for the "% Failed to connect to subscription.es.bluecoat.com" error, please refer to the Tech. Article with URL below, for detailed guidance on the possible causes and resolution.
https://knowledge.broadcom.com/external/article/171662/symantec-intelligence-services-download.html
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Further investigation was done and the following steps were completed.
Renewed the appliance certificate
SG#config t
SG#(config)ssl
SG#(config ssl)request-appliance-certificate
SG#(config ssl)show ssl keyring appliance-key
Repeated the process to purge and download the Content Filtering database and received the output below.
% Failed to connect to subscription.es.bluecoat.com
Investigating the PCAP, we confirmed that while the appliance was able to communicate with subscription.es.bluecoat.com, it was attempting to exchange an expired SSL, appliance certificate. See the snippets below.
Frame 1939 reported an SSL Fatal failure for an expired certificate. Investigating further, we confirmed that this was the appliance certificate that had expired, and even though we had renewed this certificate, in the course of the session, we still had this error. Further checks revealed that the appliance may have kept a cache of the old, expired appliance certificate and would have utilized it for the key exchange with the backend, hence the Fatal failure reported.
To clear the cached appliance certificate information, a restart of the appliance was recommended and done. With the restart, the content filtering, and the other three, database downloads happened successfully and we have received your confirmation also.
Feedback
