Smarts NCM: Cannot pull PacketShaper device, getting errors: Jul 26 04:09:19 -2075227840/ssh#1: RCV-TMEOUT>PacketShaper support contract has expired. Jul 26 04:09:19 -2075227840/ssh#1: RCV-TMEOUT>WebPulse queries stopped
search cancel

Smarts NCM: Cannot pull PacketShaper device, getting errors: Jul 26 04:09:19 -2075227840/ssh#1: RCV-TMEOUT>PacketShaper support contract has expired. Jul 26 04:09:19 -2075227840/ssh#1: RCV-TMEOUT>WebPulse queries stopped

book

Article ID: 331310

calendar_today

Updated On:

Products

VMware Smart Assurance

Issue/Introduction

Symptoms:


Cannot successfully run a pull config for Packetshaper devices

Pull Config of Bluecoat Packetshaper device not completing, errors seen in session logs:
Jul 26 04:09:19 -2075227840/ssh#1: RCV-TMEOUT>PacketShaper support contract has expired.
Jul 26 04:09:19 -2075227840/ssh#1: RCV-TMEOUT>WebPulse queries stopped


Environment

VMware Smart Assurance - NCM

Cause

Log into the device, if you see the errors on the command line :

PacketShaper support contract has expired.
WebPulse queries stopped

as per screeenshot:



Then you know the issue is as detailed on the Bluecoat (device vendor) website:
 
https://kb.bluecoat.com/index?page=content&id=FAQ1193&actp=RSS
 
This error will block NCM from retrieving data from these devices. 
 


Resolution

As per the Bluecoat website:
 
https://kb.bluecoat.com/index?page=content&id=FAQ1193&actp=RSS
 
 
Read through the steps carefully and particularly to point 4 (as outlined below) onwards and contact the vendor, Bluecoat regarding this error. 
 
The following is from the Blucoat website:
 
4. Make sure that the PS has a valid support contract. In the banner message or on the Info page, you may see something like the following:
PacketShaper support contract has expired.
WebPulse queries will stop after 12 days
 
or 
 
No response from Support Server.
WebPulse queries will not work
5. If your support contract has expired, you need to renew the support contract. If you are not getting a response from the support server, then you need to check your network connectivity.
 
a. Make sure that you do not have a firewall or something blocking the HTTP/HTTPS/SSL queries going out from the PS.
 
b. If the PS has to go through an Explicit Proxy Server to go to the Internet, you will have to add the WebProxy settings on the PS and also edit the Proxy rules to allow connections to/from the PS.
In the example below, 10.9.66.12 is the proxy server and 8000 is the port it is listening on.
 
    LAN Switch-->PacketShaper-->Proxy--->Router-->Internet
 
    setup web-proxy server 10.9.66.12:8000
    setup web-proxy on|off
    setup web-proxy show (to check the setting)
PS will do a HTTPS/SSL query to check the support contract status to updates.bluecoat.com. Make sure that you can ping updates.bluecoat.com.
 
Manual way of viewing or updating the support contract status:
 
PacketShaper# setup support update
 
Updating support status for this PacketShaper...DONE!
 
PacketShaper Support Contract Status: *** expired *** <====== means your HTTPS query workedit was able to get the status from the update server as expired. If there is a network connectivity issue, the status will be unknown.
 
Last status update was on Tue Nov 23 13:52:06 2010
Expired on Mon Oct  4 12:48:06 2010
WebPulse queries will stop after 12 days
 
 
PacketShaper# setup support update
 
Updating support status for this PacketShaper...DONE!
PacketShaper Support Contract Status: *** unknown *** <====== means there is network connectivity issue; you will also notice a few seconds delay when you run the above command.
 
Last status update was on Tue Nov 23 14:09:03 2010
Status check failed since Mon Oct  4 12:48:06 2010
WebPulse queries will stop after 12 days
 
If the contract status is unknown, you need to resolve the network connectivity issue. The most common issues are due to firewall or proxy/security devices blocking the contract validation query. (Also see PS security settings.) If the PS has to go through the explicit proxy server to get to the Internet, you need to enable webproxy on the PS and also edit the rules in the proxy to accept connections from PS. 
 
You will have to get the packet capture on the Localhost class while you run the setup support update command and look for SSL/HTTPS packets from the PS IP address.
Note: If you are analyzing the packet trace from a Web proxied network, keep in mind that the DNS queries will go to the DNS servers, but HTTP/HTTPS packets will not go to the end server addresses; they will go to the proxy server. Therefore, you will not see the flows going to the servers IP address that DNS resolved to. Instead, you will see it going to the proxys IP address. Also the request may no longer be using an SSL destination port number; it will be using the port number for the Web proxy. Applications like Wireshark may not show the connection as SSL.
 
6. If you have a valid support contract and still have problems, run the following command and look for any obvious errors.
 
    setup urlcat map-download
    setup urlcat show service
    setup urlcat update <URL>
    setup show
 
If you still have problems, please open a case with Blue Coat Support.