ProxySG & Advanced Secure Gateway


Error peer not authenticated in Content Analysis

Aboonaim Golandaz

Kriangkrai.H


  • 1.  Error peer not authenticated in Content Analysis

    Posted Mar 20, 2019 03:56 AM

    Hi

     

    I have upgraded the software version of the ASG S400-30 from 6.6.5.13 to 6.7.3.14 and found an error in Content Analysis > Services > AV Patterns under the Downloads section. After I click update, the status for Engine and Patterns shows a successful update and then changes to Not modified. But then the status changes to "Error peer not authenticated". I'm not sure what this means and I can't find any article mentioning this error.

    I found entries in clp_service.log with an error like this:

    Mar 20 05:00:42 2019-03-20 05: 00:42,114 [main] ERROR com.bluecoat.clp.auth.LocalRealmAuthenticator- LoginName null does not exist in CDB for the given Realm name local-realm
    Mar 20 05:00:42 2019-03-20 05: 00:42,116 [main] ERROR com.bluecoat.clp.auth.AuthValidator- ClpException raised during CLI login process. : ErrorCode -16106
    Mar 20 05:00:42 localhost.localdomain ErrorCode=-16106: ErrorMessage=Invalid Login.  
    Mar 20 05:00:42 localhost.localdomain     at com.bluecoat.clp.auth.LocalRealmAuthenticator.validateUserInRealm(LocalRealmAuthenticator.java:104)
    Mar 20 05:00:42 localhost.localdomain     at com.bluecoat.clp.auth.LocalRealmAuthenticator.validateLogin(LocalRealmAuthenticator.java:43)
    Mar 20 05:00:42 localhost.localdomain     at com.bluecoat.clp.auth.AuthValidator.main(AuthValidator.java:51)

    Note: I also experienced configuration loss in Content Analysis after upgrading from 6.6.5.13 to 6.7.3.14, but I have reconfigured it all again.

     

    Any help would be appreciated.



  • 2.  RE: Error peer not authenticated in Content Analysis

    Posted Mar 20, 2019 05:43 AM

    Dear Hongthong,

     

    Refer to this KB article.

     

    https://www.symantec.com/docs/TECH251011



  • 3.  RE: Error peer not authenticated in Content Analysis

    Posted Mar 20, 2019 05:45 AM

    Hi,

    Normally this is related to certificate trust. Are your CAS update requests also going through a proxy, or does it have direct access? Try increasing the logging level of "Pattern Updates" and attempt a download. Check the log, which will give more clarity on the error.

     



  • 4.  RE: Error peer not authenticated in Content Analysis

    Posted Mar 21, 2019 04:20 AM

    Hi,

     

    This proxy has 2 interfaces with different gateways. One gateway has direct access to the internet (default gateway) and one gateway is behind a firewall. I tried to packet capture this connection but I still don't know the exact destination.



  • 5.  RE: Error peer not authenticated in Content Analysis

    Posted Mar 21, 2019 07:22 AM
    Dear Hongton, refer to this KB article for the list of URLs: https://www.symantec.com/docs/TECH245065


  • 6.  RE: Error peer not authenticated in Content Analysis

    Posted Mar 22, 2019 02:29 AM

    Hi

     

    I tried a pcap with the filter "host subscription.es.bluecoat.com" while forcing a CAS update. There is an error like "Encrypted Alert" in the pcap file. I'm not sure if this is a problem with SSL or something else.

    I also tried this KB and it still does not work.

    https://support.symantec.com/en_US/article.TECH245964.html
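
The "Encrypted Alert" label discussed in this thread is what a capture tool shows for a TLS alert record sent after the handshake has switched to encryption. The following is an added example, not part of the original posts: it walks the TLS records of one direction of a stream and reports whether each alert is readable or encrypted. It assumes TLS 1.2 or earlier record framing, and both sample streams are constructed.

```python
import struct

# TLS record content types (RFC 5246, section 6.2.1)
CHANGE_CIPHER_SPEC, ALERT = 20, 21
ALERT_NAMES = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
               46: "certificate_unknown", 48: "unknown_ca"}

# Constructed sample: a 2-byte handshake fragment, then a plaintext fatal unknown_ca alert.
PLAINTEXT_STREAM = bytes.fromhex("16030300020100" "15030300020230")
# Constructed sample: ChangeCipherSpec, then a 26-byte alert record (ciphertext stand-in).
ENCRYPTED_STREAM = bytes.fromhex("140303000101" "150303001a") + bytes(26)

def iter_records(stream: bytes):
    """Yield (content_type, payload) for each complete TLS record."""
    pos = 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        payload = stream[pos + 5:pos + 5 + length]
        if len(payload) < length:
            break  # truncated capture: ignore the partial record
        yield ctype, payload
        pos += 5 + length

def classify_alerts(stream: bytes):
    """Describe every alert record sent by one side of the connection."""
    encrypted = False
    findings = []
    for ctype, payload in iter_records(stream):
        if ctype == CHANGE_CIPHER_SPEC:
            encrypted = True  # everything this sender emits afterwards is ciphertext
        elif ctype == ALERT:
            if encrypted or len(payload) != 2:
                findings.append("encrypted alert (%d bytes, reason not visible)" % len(payload))
            else:
                level, desc = payload  # plaintext alert: level byte, description byte
                kind = "fatal" if level == 2 else "warning"
                findings.append("%s alert: %s" % (kind, ALERT_NAMES.get(desc, "code %d" % desc)))
    return findings

if __name__ == "__main__":
    print(classify_alerts(PLAINTEXT_STREAM))
    print(classify_alerts(ENCRYPTED_STREAM))
```

An encrypted alert by itself does not reveal its reason (it can be an ordinary close_notify); a plaintext alert such as unknown_ca or bad_certificate names the certificate problem directly.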



  • 7.  RE: Error peer not authenticated in Content Analysis

    Posted Mar 22, 2019 02:37 AM
    Dear Hongton, yes, it is related to an SSL error. Please disable SSL interception for all the Blue Coat URLs on the firewall. Also share the pcap with me.


  • 8.  RE: Error peer not authenticated in Content Analysis

    Posted Mar 22, 2019 03:01 AM

    Hi

     

    Our firewall does not have SSL interception enabled, and here's the full stream of a connection to subscription.es.bluecoat.com



  • 9.  RE: Error peer not authenticated in Content Analysis

    Posted Mar 22, 2019 04:07 AM
    Dear Hongton, share the full pcap.


  • 10.  RE: Error peer not authenticated in Content Analysis

    Posted Mar 22, 2019 04:16 AM

    Hi

     

    Here it is in the attached file.

    Attachment(s)

    zip
    CAS peer not authen.zip   6 KB 1 version


  • 11.  RE: Error peer not authenticated in Content Analysis

    Posted Mar 22, 2019 06:57 AM

    Dear Hongthon,

     

    Can you check with the F5 team whether they are doing any SSL interception on it?

    I can see an encrypted alert from the F5.



  • 12.  RE: Error peer not authenticated in Content Analysis

    Posted Mar 22, 2019 07:03 AM

    Hi

     

    I also take care of the F5 and there is no SSL interception on it. It just forwards traffic and does load balancing.



  • 13.  RE: Error peer not authenticated in Content Analysis

    Posted Mar 22, 2019 07:55 AM
    Dear Hongton, try to restart the antivirus service from CAS, then try to download the patterns and share the pcap. Also update the ASG default certificate: https://www.symantec.com/docs/TECH244738


  • 14.  RE: Error peer not authenticated in Content Analysis

    Posted Mar 25, 2019 10:50 PM

    Dear Honghton,

     

    Refer to this KB article too:

     

    https://support.symantec.com/en_US/article.TECH251011.html



  • 15.  RE: Error peer not authenticated in Content Analysis

    Posted Mar 26, 2019 03:55 AM

    Hi

     

    I have tried these:

    - CAS > Utilities > Services > Refresh Antivirus Engines and Signatures

    - CAS > Services > AV Patterns > Force Update All Now

    - Proxy > Configuration > SSL > Appliance Certificates > Request appliance certificate

    Ref: https://support.symantec.com/en_US/article.TECH244738.html

    The error still shows "Error peer not authenticated" and the firewall does not have the SSL interception feature enabled.

    I have attached the pcap taken while I forced the antivirus update.

    Attachment(s)

    zip
    CAS peer not authen 2.zip   46.66 MB 1 version


  • 16.  RE: Error peer not authenticated in Content Analysis

    Posted Mar 26, 2019 07:41 AM
    Dear Hongton, I can still see a FIN packet from the F5. Have you checked the real-time logs on the firewall for that IP? Sometimes I have observed that an application-based rule on the firewall also causes the issue. This time I see a certificate from a different ASG S/N.


  • 17.  RE: Error peer not authenticated in Content Analysis

    Posted Mar 26, 2019 10:51 PM

    Hi

     

    I have 2 ASGs (one in the production env. and one in the test env.) which have the same problem. In the pcap file, the one that sent the Encrypted Alert is destination IP 46.235.158.204, which you mentioned may mean that some device between the proxy and the internet causes this problem. So next I'll try to capture packets from the device behind the ISP router and I'll share the pcap with you again.

    In the meantime, could you please tell me what impact this error causes?



  • 18.  RE: Error peer not authenticated in Content Analysis

    Posted Mar 27, 2019 12:09 AM

    Dear Hongthon,

     

    No impact on CAS; just make sure to disable SSL interception to resolve that error.

     

     



  • 19.  RE: Error peer not authenticated in Content Analysis

    Posted Sep 05, 2019 08:08 AM

    What is the solution for this issue? I am also having the same "error peer not authenticated" while updating Symantec Content Analysis Antivirus.

    It is not updating.



  • 20.  RE: Error peer not authenticated in Content Analysis
    Best Answer

    Posted Sep 10, 2019 11:25 PM

    I have reset the proxy to factory defaults and reconfigured it. The problem was resolved after that.



  • 21.  RE: Error peer not authenticated in Content Analysis

    Posted Apr 29, 2020 01:44 PM
    Hi,

    We had the same kind of issue and it was fixed by this article:
    https://knowledge.broadcom.com/external/article?legacyId=TECH245964

    Actually, this command was enough to update the certificate:

    CAS# request-appliance-certificate
      ok

    After that, we were able to activate the AV engine and download patterns.