Investigating and resolving the "% Failed to connect to subscription.es.bluecoat.com" CRITICAL database download error.


Article ID: 237836


Products

ProxySG Software - SGOS

Issue/Introduction

status is critical...

content filter communication status ... download fails...

Error: % Failed to connect to subscription.es.bluecoat.com

Resolution

Cause

Investigation of the reported "% Processing Accumulative Update" content filtering message shows that it is caused by potentially corrupt contents in the database.

From the logs, we see the below.

Resolution

To resolve the issue, the impacted databases must be purged and then fully downloaded again. To proceed with this, the customer was guided to execute the CLI commands shown in the snippets below.

Disable Blue Coat as a content provider

ProxySG#config t
Enter configuration commands, one per line. End with CTRL-Z.
ProxySG#(config)content-filter
ProxySG#(config content-filter)provider bluecoat disable 
  ok

Disable Application Classification

Disable Application Attribute and click the Apply button. To do this, access the feature from the management console, as shown in the snippet below. 



ProxySG#(config)application-classification
ProxySG#(config application-classification)disable
ok

Purge the previous content filtering database and download a new one

ProxySG#(config content-filter)bluecoat
ProxySG#(config bluecoat)purge
ok

ProxySG#(config bluecoat)download get-now
This may take a few minutes. Please wait...
loading database....................................................................
....................................................................................
....................................................................................
....................................................................

Download log:
  Blue Coat download at: 2009/05/29 10:42:26 -0600
  Downloading from http://list.bluecoat.com/bcwf/activity/download/bcwf.db
  Download size:      187584768
  Database date:      Fri, 29 May 2009 16:05:28 UTC
  Database expires:   Sun, 28 Jun 2009 16:05:28 UTC
  Database version:   291490400
  Database format:    1.1
  ok

Re-enable content filtering provider

ProxySG#(config bluecoat)exit
ProxySG#(config content-filter)provider bluecoat enable
loading database...
ok

Purge the previous application classification database and download a new one

ProxySG#(config application-classification)purge
  ok
ProxySG#(config application-classification)download get-now
This may take a few minutes. Please wait...
loading database....................................................................
....................................................................................

Re-enable application classification

ProxySG#(config)application-classification
ProxySG#(config application-classification)enable
  ok

Re-enable Blue Coat Application Attribute and click the Apply button. See the snippet below, for guidance.

Do the same for the geolocation database. See the snippet below, for guidance.

Do the same for the Threat Risk Communication Database. See the snippet below, for guidance.
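
As a follow-up check once the purge and download steps above are done, the script below classifies captured `download get-now` output as a connection failure, an expired or stale database, or a healthy download. It is an added example, not Broadcom's code; the function names, the status labels and the 7-day staleness threshold are assumptions, and the sample text is constructed from the session output shown on this page.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the "Download log" block from the session above.
SAMPLE_OK = """\
Download log:
  Blue Coat download at: 2009/05/29 10:42:26 -0600
  Downloading from http://list.bluecoat.com/bcwf/activity/download/bcwf.db
  Download size:      187584768
  Database date:      Fri, 29 May 2009 16:05:28 UTC
  Database expires:   Sun, 28 Jun 2009 16:05:28 UTC
  Database version:   291490400
  Database format:    1.1
  ok
"""
SAMPLE_FAIL = "% Failed to connect to subscription.es.bluecoat.com\n"

FIELD = re.compile(r"^\s*(Database (?:date|expires|version)):\s+(.+?)\s*$", re.M)
FAILURE = re.compile(r"^\s*% Failed to connect to (\S+)", re.M)


def parse_utc(text):
    """Parse the 'Fri, 29 May 2009 16:05:28 UTC' form used in the log."""
    return datetime.strptime(text, "%a, %d %b %Y %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def check_download(output, now, max_age_days=7):
    """Return (status, detail) for 'download get-now' output (hypothetical helper)."""
    failure = FAILURE.search(output)
    if failure:  # the error this article is about
        return "CONNECT_FAILED", failure.group(1)
    fields = dict(FIELD.findall(output))
    if "Database date" not in fields or "Database expires" not in fields:
        return "NO_LOG", "no database dates in output"
    built = parse_utc(fields["Database date"])
    expires = parse_utc(fields["Database expires"])
    if now >= expires:
        return "EXPIRED", f"expired {expires.isoformat()}"
    age = (now - built).days
    if age > max_age_days:  # threshold is an assumption, not a vendor value
        return "STALE", f"database is {age} days old"
    return "OK", f"version {fields.get('Database version', '?')}, {age} days old"


if __name__ == "__main__":
    now = datetime(2009, 5, 30, 12, 0, tzinfo=timezone.utc)  # constructed clock
    print(check_download(SAMPLE_OK, now))
    print(check_download(SAMPLE_FAIL, now))
```
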

Note: While investigating the logs, we saw that a number of potentially harmful categories are allowed in policy on the proxy. See the attached spreadsheet. A remote attacker can carry out a phishing attack via malicious and phishing sites. You may want to consider denying access to potentially malicious and phishing sites.

Additionally, for the "% Failed to connect to subscription.es.bluecoat.com" error, please refer to the technical article at the URL below for detailed guidance on the possible causes and resolution.

https://knowledge.broadcom.com/external/article/171662/symantec-intelligence-services-download.html

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Further investigation was done and the following steps were completed.

Renewed the appliance certificate

SG#config t
SG#(config)ssl
SG#(config ssl)request-appliance-certificate
SG#(config ssl)show ssl keyring appliance-key

Repeated the process to purge and download the Content Filtering database and received the output below.

% Failed to connect to subscription.es.bluecoat.com

Investigating the PCAP, we confirmed that while the appliance was able to communicate with subscription.es.bluecoat.com, it was attempting to exchange an expired SSL appliance certificate. See the snippets below.

Frame 1939 reported an SSL Fatal failure for an expired certificate. Investigating further, we confirmed that this was the appliance certificate that had expired; even though we had renewed this certificate in the course of the session, we still had this error. Further checks revealed that the appliance may have kept a cache of the old, expired appliance certificate and used it for the key exchange with the backend, hence the Fatal failure reported.

To clear the cached appliance certificate information, a restart of the appliance was recommended and performed. After the restart, the content filtering database download and the other three database downloads completed successfully, and we have also received your confirmation.