In some configurations, the ICAP health check fails as soon as a Secure ICAP service is enabled.
The CLI shows the following error:
proxySG#(config)external-services
proxySG#(config external-services)edit ProxyAV1
proxySG#(config icap ProxyAV1)health-check perform
Enabled Check failed DOWN
Last status: Certificate validation failed.
Successes (total): 121100 (last): Fri, 06 Nov 2015 16:07:47 GMT (consecutive): 0
Failures (total): 7833 (last): Fri, 06 Nov 2015 17:38:39 GMT (consecutive): 545 (external): 0
Last response time: 14 ms Average response time: 15 ms
Minimum response time: 13 ms Maximum response time: 24 ms
% Health check has failed.
proxySG#(config icap ProxyAV1)exit
proxySG#(config external-services)exit
The possible root cause of the issue could be the following:
Assuming that the proper steps have been taken to generate the certificate on the DLP or on the AV, and later to import it into the proxy, following the steps provided in the Integrating the ProxySG and ProxyAV Appliances Guide (https://bto.bluecoat.com/sites/default/files/tech_pubs/SG_AV_Integration.pdf)
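To solve the issue, disable the "Verify Peer" option in the proxy WebUI: go to Configuration->SSL->Device Profile, select the secure ICAP profile that you created earlier, click Edit, clear "Verify Peer", and then click Apply.
With "Verify Peer" disabled, the proxy no longer validates the certificate presented by the ICAP server, so the connection is still encrypted but the server's identity is not checked.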