USG firewall can't connect to URL Category Server

Publication Date:  2016-06-26
Issue Description
The customer's USG6330 cannot connect to the URL category server; the connection status is permanently shown as disconnected.
Alarm Information
none.
Handling Process

1. First, check whether the firewall has an active URL filtering license.

===================================================
  ===============display license===============
===================================================
13:18:29  2016/05/23
Device ESN is: xxxxxxxxxxxxxxxxx
The file activated is: hda1:/LICSecospaceUSG6300V100R001_201604sssssssss.dat
The time when activated is: 2016/04/27  10:24:11
The time when expired is: 2016/07/26

Virtual System: 50

SSL VPN Concurrent User: 500

Content Security Group: Enabled

Encryption Function: Enabled

IPS        : Enabled;   service expire time: 2016/07/26

Anti Virus : Enabled;   service expire time: 2016/07/26

URL Filter : Enabled;   service expire time: 2016/07/26


2. Second, check that the DNS configuration is correct and actually working, by pinging sec.huawei.com from the firewall:

dns resolve
dns transparent-proxy enable
dns server bind interface GigabitEthernet1/0/0 preferred 8.8.8.8

The ping was successful, so the domain name is correctly resolved to an IP address.


3. Ping to the dispatch servers is successful:

54.217.248.140
54.155.38.208


4. The country code is correctly set:

#
country PL
#


5. Check the security policy configuration (with the default action set to permit, the firewall itself is not blocking its own outbound connection):

#
security-policy
default action permit
#

6. Ask the customer to enable debugging while manually reconnecting the firewall to the URL category server.

<R5_U13_USG6650>debugging url-filter all
23:00:38  2016/05/23
<R5_U13_USG6650>
<R5_U13_USG6650>t m
23:00:39  2016/05/23
Info: Current terminal monitor is on

<R5_U13_USG6650>t d

The debugging shows the following data:

*0.73762000 USG6300 URL/7/INFO:Connect to dispatch server(54.217.248.140:12612) expire(1970-01-01 07:07:28)(25648 seconds).
*0.73762000 USG6300 URL/7/EVENT:Try TCP connect [1] time(s).
*0.73762000 USG6300 URL/7/INFO:Connect to remote:
*0.73762000 USG6300 URL/7/INFO:Connect return: -36, EINPROGRESS=-36, EINTR=-4
*0.73762000 USG6300 URL/7/EVENT:Agent -Msg(135)-> NGE(  0) -Msg( 60)- nge-id(  0)
*0.73762000 USG6300 URL/7/EVENT:Recv query state: nge-id(0), state(0), new state(1).
*0.73762000 USG6300 URL/7/EVENT:Current nge-id(0).
*0.73762000 USG6300 URL/7/EVENT:Current agent query-server state: CONNECTING.
*0.73766960 USG6300 URL/7/INFO:Connect select return: 0
*0.73766960 USG6300 URL/7/ERROR:Select error or timeout!
*0.73766960 USG6300 URL/7/ERROR:Connect to remote failed!
*0.73767950 USG6300 URL/7/EVENT:Try TCP connect [2] time(s).
*0.73767950 USG6300 URL/7/INFO:Connect to remote:
*0.73767950 USG6300 URL/7/INFO:Connect return: -37, EINPROGRESS=-36, EINTR=-4
*0.73767950 USG6300 URL/7/ERROR:Connect failed!
*0.73767950 USG6300 URL/7/ERROR:Connect to remote failed!
*0.73768950 USG6300 URL/7/EVENT:Try TCP connect [3] time(s).
*0.73768950 USG6300 URL/7/INFO:Connect to remote:
*0.73768950 USG6300 URL/7/INFO:Connect return: -37, EINPROGRESS=-36, EINTR=-4
*0.73768950 USG6300 URL/7/ERROR:Connect failed!
*0.73768950 USG6300 URL/7/ERROR:Connect to remote failed!
*0.73769980 USG6300 URL/7/ERROR:TCP connect failed, socket(311).
*0.73769980 USG6300 URL/7/ERROR:TCP connect with dispatch server failed.
*0.73769980 USG6300 URL/7/INFO:SSL and SSL-CTX clean.
*0.73769980 USG6300 URL/7/EVENT:Ssl Close socket(311).

*0.73769980 USG6300 URL/7/ERROR:Communicate: create ssl channel failed, dispatch server(54.217.248.140:12612).
*0.73769980 USG6300 URL/7/ERROR:Connecting to the dispatch server failed, return code (1).
*0.73769980 USG6300 URL/7/EVENT:Query server state changed from (CONNECTING) to (DISCONNECTED).

Root Cause

The debugging output shows that the connection to the dispatch server (54.217.248.140:12612) fails at the TCP level, before any SSL channel is created: the non-blocking connect() returns EINPROGRESS, the following select() times out (no SYN-ACK or RST comes back), and the retries fail outright. The "create ssl channel failed" message is only a consequence of the TCP failure, not the cause. Since the license, DNS resolution, ICMP reachability to the dispatch servers and the country code are all fine, the remaining explanation is that the TCP ports required to establish the session with the URL category server are blocked by an upstream device. Note that a successful ping only proves IP reachability; it says nothing about whether the required TCP ports are open.
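As an added example (not from the original case and not a Huawei tool), the following Python script triages a `debugging url-filter all` capture like the one above: it extracts the dispatch server address, counts the TCP attempts, and decides whether the session died at the TCP handshake (port filtered upstream, as in this case) or only at the SSL channel (TCP reachable, TLS problem). It goes slightly beyond the case by handling the SSL-stage variant as well. The two embedded captures are constructed from the message strings shown on this page and are not live device output; the matched message texts, the state names and the verdict wording are assumptions based only on this page.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample 1: trimmed copy of the TCP-blocked capture shown above.
SAMPLE_TCP_BLOCKED = """\
*0.73762000 USG6300 URL/7/INFO:Connect to dispatch server(54.217.248.140:12612) expire(1970-01-01 07:07:28)(25648 seconds).
*0.73762000 USG6300 URL/7/EVENT:Try TCP connect [1] time(s).
*0.73762000 USG6300 URL/7/INFO:Connect return: -36, EINPROGRESS=-36, EINTR=-4
*0.73766960 USG6300 URL/7/ERROR:Select error or timeout!
*0.73766960 USG6300 URL/7/ERROR:Connect to remote failed!
*0.73767950 USG6300 URL/7/EVENT:Try TCP connect [2] time(s).
*0.73767950 USG6300 URL/7/ERROR:Connect failed!
*0.73768950 USG6300 URL/7/EVENT:Try TCP connect [3] time(s).
*0.73768950 USG6300 URL/7/ERROR:Connect failed!
*0.73769980 USG6300 URL/7/ERROR:TCP connect with dispatch server failed.
*0.73769980 USG6300 URL/7/ERROR:Communicate: create ssl channel failed, dispatch server(54.217.248.140:12612).
*0.73769980 USG6300 URL/7/EVENT:Query server state changed from (CONNECTING) to (DISCONNECTED).
"""

# Constructed sample 2 (hypothetical): same message strings, but the TCP
# handshake succeeds and only the SSL channel fails.
SAMPLE_SSL_ONLY = """\
*0.10000000 USG6300 URL/7/INFO:Connect to dispatch server(54.155.38.208:12612) expire(1970-01-01 07:07:28)(25648 seconds).
*0.10000000 USG6300 URL/7/EVENT:Try TCP connect [1] time(s).
*0.10000000 USG6300 URL/7/INFO:Connect return: -36, EINPROGRESS=-36, EINTR=-4
*0.10005000 USG6300 URL/7/INFO:SSL and SSL-CTX clean.
*0.10005000 USG6300 URL/7/EVENT:Ssl Close socket(311).
*0.10005000 USG6300 URL/7/ERROR:Communicate: create ssl channel failed, dispatch server(54.155.38.208:12612).
*0.10005000 USG6300 URL/7/EVENT:Query server state changed from (CONNECTING) to (DISCONNECTED).
"""

DISPATCH_RE = re.compile(r"dispatch server\((\d{1,3}(?:\.\d{1,3}){3}):(\d+)\)")
TRY_RE = re.compile(r"Try TCP connect \[(\d+)\] time\(s\)")
STATE_RE = re.compile(r"state changed from \((\w+)\) to \((\w+)\)")


@dataclass
class UrlFilterTriage:
    server_ip: Optional[str] = None
    server_port: Optional[int] = None
    tcp_attempts: int = 0
    select_timeout: bool = False   # connect() went EINPROGRESS, then select() timed out
    tcp_failed: bool = False       # the agent gave up at the TCP handshake
    ssl_failed: bool = False       # "create ssl channel failed" was logged
    final_state: Optional[str] = None

    @property
    def stage(self) -> str:
        """Where the session died. TCP failure takes precedence: the SSL
        message is also emitted after a TCP failure and must not be
        mistaken for a TLS problem."""
        if self.tcp_failed:
            return "tcp"
        if self.ssl_failed:
            return "ssl"
        return "unknown"


def triage(debug_text: str) -> UrlFilterTriage:
    """Scan a debugging url-filter capture and extract the facts needed
    to decide what to ask the upstream network team for."""
    t = UrlFilterTriage()
    for line in debug_text.splitlines():
        m = DISPATCH_RE.search(line)
        if m and t.server_ip is None:
            t.server_ip, t.server_port = m.group(1), int(m.group(2))
        m = TRY_RE.search(line)
        if m:
            t.tcp_attempts = max(t.tcp_attempts, int(m.group(1)))
        if "Select error or timeout!" in line:
            t.select_timeout = True
        if "TCP connect with dispatch server failed" in line:
            t.tcp_failed = True
        if "create ssl channel failed" in line:
            t.ssl_failed = True
        m = STATE_RE.search(line)
        if m:
            t.final_state = m.group(2)
    return t


def verdict(t: UrlFilterTriage) -> str:
    """Human-readable conclusion, in the terms the case above uses."""
    target = f"{t.server_ip}:{t.server_port}"
    if t.stage == "tcp":
        hint = ("no SYN-ACK or RST came back, which is what a silently dropping "
                "upstream filter looks like; " if t.select_timeout else "")
        return (f"TCP handshake to {target} never completed after {t.tcp_attempts} "
                f"attempt(s): {hint}ICMP reachability does not prove the port is open. "
                f"Ask for TCP {t.server_port} to be allowed upstream.")
    if t.stage == "ssl":
        return (f"TCP to {target} connected but the SSL channel could not be created: "
                "check TLS interception, certificate trust and the device clock, "
                "not port filtering.")
    return "No decisive message found; capture debugging url-filter all during a manual reconnect."


if __name__ == "__main__":
    for sample in (SAMPLE_TCP_BLOCKED, SAMPLE_SSL_ONLY):
        print(verdict(triage(sample)))
```

Run it against a real capture by pasting the capture into `triage()`; the `stage` property is the decision point, and the verdict for the TCP case names the exact port to request on the upstream firewall.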

 

Solution

I asked the customer to allow the following ports on the upstream firewall, and the connection with the URL category server was established.

12600 and 12612 (the debugging output shows the dispatch server connection on TCP port 12612)

Suggestions
none.

END