02-20-2020 11:52 PM
Dears,
Please note that I have FMC version 6.4.0.4-34 with AMP, IPS and URL filtering license.
I received an error: URL filtering download failure.
Last successful URL filtering update: 4 February 2020.
I tried to download it manually without success.
I tried the steps in this document without success:
I tried the steps in this document without success:
Please can you assist.
Thank you.
02-21-2020 03:44 AM
When you say you tried the steps without success, can you share the output from your FMC? For instance the second link which tells us to use:
sudo openssl s_client -connect support.sourcefire.com:443
should return something like this:
CONNECTED(00000003)
depth=1 C = US, O = "thawte, Inc.", OU = Domain Validated SSL, CN = thawte DV SSL CA - G2
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
0 s:/CN=support.sourcefire.com
i:/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL CA - G2
1 s:/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL CA - G2
i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=/CN=support.sourcefire.com
issuer=/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL CA - G2
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3514 bytes and written 373 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 2A7EF7E603A86D4FDC0F7600F40FECCB8ADF3CD2262C31FFA5A789A5408A7DE9
Session-ID-ctx:
Master-Key: 379495DB0F11A1D8A7BF145EFF04020A565F2AD1D3D547C12BAF278B69D73BFBC17683C3B2BBFA6AC257B46B2DAACC7F
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
Start Time: 1582285319
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
I just verified the above from my FMC so the support site is working.
02-21-2020 05:32 AM
This is the output:
root@FTD-Management:~# sudo openssl s_client -connect support.sourcefire.com:443
CONNECTED(00000003)
depth=1 C = US, O = "thawte, Inc.", OU = Domain Validated SSL, CN = thawte DV SSL CA - G2
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
0 s:/CN=support.sourcefire.com
i:/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL CA - G2
1 s:/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL CA - G2
i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=/CN=support.sourcefire.com
issuer=/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL CA - G2
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3514 bytes and written 373 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 1233BBF7588019294D5EA06929F89D32874C6D75EB968221E7AA75D7A592C819
Session-ID-ctx:
Master-Key: E479B3C5456CC751B4932033F2CC8A112CBAD3B325BF270310673476F9B389484775CC169E1AE1ACC9614D8ED48DA751
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
Start Time: 1582291806
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
02-21-2020 06:54 PM
So all looks good from your troubleshooting steps. I have seen one other less common cause that occurs when the URL filtering data is corrupted on your FMC. There had been a previous bug related to that but it was fixed back in 6.2.2. https://bst.cloudapps.cisco.com/bugsearch/bug/CSCve08525
I'd recommend opening a TAC case to investigate in real time.
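How the `openssl s_client` output in this thread can be read mechanically, as an added example that is not part of the original posts or of Cisco tooling: the function separates "TCP connect failed", "TLS handshake failed" and "reachable, but chain not verified against the local trust store" (the verify code 20 case seen in both outputs above). The function names are illustrative, and the sample text is constructed from the output format shown in the thread, with the certificate and session data left out.

```bash
#!/usr/bin/env bash
# Added example: classify saved `openssl s_client` output read on stdin.
# summarize_s_client and sample_output are illustrative names, not FMC tooling.

summarize_s_client() {
  awk '
    BEGIN                    { code = -1 }                 # -1: no verify line seen
    /^CONNECTED\(/           { connected = 1; next }       # TCP connect succeeded
    /^[ \t]*[0-9]+ s:/       { chain++; next }             # one "N s:" line per cert sent
    /^[ \t]*Protocol[ \t]*:/ { sub(/^[^:]*:[ \t]*/, ""); proto = $0; next }
    /^[ \t]*Cipher[ \t]*:/   { sub(/^[^:]*:[ \t]*/, ""); cipher = $0; next }
    /Verify return code:/    { sub(/^.*Verify return code:[ \t]*/, ""); code = $0 + 0 }
    END {
      # s_client reports "Cipher : 0000" when no cipher was negotiated
      if (!connected)                            status = "tcp_connect_failed"
      else if (cipher == "" || cipher == "0000") status = "tls_handshake_failed"
      else if (code == 0)                        status = "reachable_chain_trusted"
      else                                       status = "reachable_chain_unverified"
      if (proto == "")  proto = "-"
      if (cipher == "") cipher = "-"
      printf "status=%s verify=%d protocol=%s cipher=%s chain_certs=%d\n",
             status, code, proto, cipher, chain
    }'
}

# Constructed sample: trimmed to the lines the parser reads.
sample_output() {
  cat <<'EOF'
CONNECTED(00000003)
depth=1 C = US, O = "thawte, Inc.", OU = Domain Validated SSL, CN = thawte DV SSL CA - G2
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
0 s:/CN=support.sourcefire.com
i:/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL CA - G2
1 s:/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL CA - G2
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Verify return code: 20 (unable to get local issuer certificate)
---
EOF
}

sample_output | summarize_s_client
```

On a live system the same function can be fed from `openssl s_client -connect support.sourcefire.com:443 </dev/null 2>&1`. A `reachable_chain_unverified` result means the handshake completed and only the local issuer lookup failed, so the download failure has to be looked for elsewhere.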