Symantec/Bluecoat ProxyASG Upgrade to 6.7.3.10 CAS Errors

Had an absolute nightmare of an upgrade, and all this after following the Symantec TAC recommended upgrade path to go to 6.6.5.13 > 6.7.3.2 > 6.7.3.10.

And I also upgraded the ProxyASG BMC to the latest version, 3.1.2.1, as well, following the steps here.

So the BMC upgrade was done first and then the firmware.

Now I was already aware of some known issues with CAS in these upgrades, but since the TAC recommended the upgrade, I was expecting smooth sailing — I had plans and God was laughing.

Right after the upgrade I checked the CAS and saw these hideous errors which have no documentation anywhere.

Under Content Analysis > AV Patterns

"error no such interface tap0"

and I saw “unavailable” for services that should be working:

And any traffic going through this box was blocked with this:

“icap_error” an error occured while perfoming an ICAP operation. Uknown error (16:0x0); nonname; Sub File: ; Vendor: Kaspersky Labs; Engine version: unknown; Pattern version: Unknown; Pattern data: Unknown

The box did not do HTTPS inspection, so it was only the HTTP websites like bbc.com and example.com which were being blocked. The error makes sense now, since it looks like the box could not find any ICAP engine to do the content scanning, and because “block if not able to scan” was enabled, it rightfully did so.

Since there was no information online, opening a TAC case was all there was to do.

And that also was for nothing, since support did not have any idea what was happening.

With time, I think someone from their engineering teams joined the session, and a restart of ICAP services was recommended.

The restart options are in Content Analysis > Utilities.

After that, all the ugly errors were gone and we saw the AV patterns under “Services > AV Patterns” were still downloading. Once they downloaded, the traffic started working through the device.

Later, after Symantec's log analysis for an RCA, it seems we hit a bug in 6.7.2.1, and a better upgrade path would have been 6.6.5.13 > 6.7.3.2 > 6.7.3.10.

However, I thought I would just record this info here, in case someone somewhere in a far away galaxy comes looking for these errors at 1 AM in the early morning, and it will probably save them some time.