Content Filter communication Status gets warning and critical with disk issue.
search cancel

Content Filter communication Status gets warning and critical with disk issue.

book

Article ID: 245220

calendar_today

Updated On:

Products

SG-VA ProxySG Software - SGOS ISG Proxy

Issue/Introduction

Content Filter communication Status warning and critical at all of sudden. 

Example of Warning in Web Console.

Example of Critical in sysinfo.

Stat: Content Filter Communication Status
Current State                 : CRITICAL
Last Transition               : xxxxxxxxxxx
Current Value                 : Categorization has 553 update errors
Unit of Measurement           : update errors
Warning Threshold             : 10
Warning Interval              : 0
Critical Threshold            : 200
Critical Interval             : 0
Notification Method           : log

In eventlog

"CFS: Categorization database: New update available"  0 0:FF  is_subscription_loader_impl.cpp:425
"CFS: Categorization database: Extracting: 423360300-423370000.cat"  0 0:FF  is_subscription_loader_impl.cpp:291
"CFS: Categorization database: Processing differential"  0 0:FF  is_subscription_loader_impl.cpp:332
"Failed trying to extract and activate the Categorization payload file"  0 AF0000:1  loader_impl.cpp:347

 

Environment

All version of Edge Secure Web Gateway software.

 

Cause

This is caused by disk full and switching to the other disk to be master disk while new content filter database is being installed.

SG founds new database and start installing it.
"CFS: Categorization database: New update available"  0 0:FF  is_subscription_loader_impl.cpp:425
"CFS: Categorization database: Waiting for install"  0 0:FF  is_database_subscription_loader_impl.cpp:48

Dis3 is no more space, and switching Disk2 as master.
"Disk 3 is invalid because there is no more free space IO status is 0x0
"Disk 2 has been chosen as the master."  0 4802C:64 Mailed ceddset.cpp:798

It then fails to install new database.
"Failed trying to extract and activate the Categorization payload file"  0 AF0000:1  loader_impl.cpp:347

continue to errors.

Disk full is usually related to ICAP temporally file. So It is needed to bypass streaming site. For more information, see below.
Bypass Scanning for Large Files with The ICAP Best Practices Policy

Content Analysis Best Practic

 

Resolution

Purge DB. and re-take DB.

Web console, Configuration -> Content filtering -> General, uncheck  Blue coat.
login with ssh to "Edge Secure Web Gateway", and get into config mode.

#conf t
#(config)content-filter
#(config content-filter)bluecoat
#(config bluecoat)purge 
  ok

Web console, Configuration -> Content filtering -> General, check  Blue coat. Database is start downloading.

 

Additional Information

In eventlog, disk has only few spaces messages would have shown up before disk initialization. It can be expected to occur Content Filter DB installing fail.

"Disk 3 has only 4 free space (701439 blocks free out of 15600780) for 216771 objects."  

The message might have seen 1~2 days before disk initialization but this time-lag can not be calculated, and not 100% sure . Monitoring eventlog all day is not realistic as well.  However, it is possible to send entire eventlog to the syslog. 
How to backup proxySG eventlog onto diffrent system or system component

Then, monitoring the message in syslog and application would be possible.

 

---------------------------
Version 7.3 has an ability to automatically clean up temporary objects, which means there would be few chances to get disk full. 

#(config)ce
#(config ce)view
transient-object-cleanup          : enabled 

 

Powered by Wolken Software