
IDP policy push fails with the 'Failed to update device: Failed to load policy' error message being generated


Article ID: KB14717 | KB Last Updated: 29 Jan 2013 | Version: 4.0
Summary:
This article describes an IDP policy push failure in which the error message Failed to update device: Failed to load policy is generated.
Symptoms:

An IDP-200 (or other low-end IDP) device is running 4.1r1 (or any version earlier than 4.1r3) and the policy push fails. The error message Failed to update device: Failed to load policy is generated.

Cause:

Solution:
  1. Check the sciod logs in /usr/idp/device/var/sysinfo/logs during the time of the policy push. Check if similar errors, to the following, are posted to the log files:
    [10:39:21] Error: sc_klib_subs_load_policy: sc_dev_ioctl() failed
    [10:40:21] Error: sc_dev_ioctl: ioctl(8, c0786b20, 0x3fffe800) failed [14, Bad address]
  2. Check the /var/log/kernel log file for memory allocation errors that are similar to this:
    Jun 7 10:39:21 pps-idpsensor kernel: sc_pmanager_policy_load: policy_copyin 10000 ms
    Jun 7 10:39:21 pps-idpsensor kernel: sc_register_dll: load addr '0x81c5f720'; sc_dll_init
    Jun 7 10:39:21 pps-idpsensor kernel: Critical: sc_malloc.c:925 sc_kmalloc: do_malloc(35932) failed, caller ../../sc_vector.c:76
    Jun 7 10:39:21 pps-idpsensor kernel: sc_pmanager_policy_load: policy_copyin 30000 ms
  3. Run the following command:
    scio const -s s0:flow get sc_flow_reset_on_policy
    The value should be 0x1. If the command reports scio: sc_flow_reset_on_policy = 0x0, change the value by running the following set command:
    scio const -s s0:flow set sc_flow_reset_on_policy 1
  4. Confirm that the value is correctly set to 0x1:
    scio const -s s0:flow get sc_flow_reset_on_policy
    scio: sc_flow_reset_on_policy = 0x1

    Changing this value will not interfere with the flow of traffic through the IDP.
  5. Even when sc_flow_reset_on_policy is 0x1, the old policy with active sessions is not reset, which causes the update to fail, probably because of a lack of memory. Run the following command to remove the existing sessions:
    scio policy unload s0
  6. Run the following command to verify that all the old policies with active sessions have been removed:
    scio policy list s0
  7. After all the policies have been removed, the policy push should succeed.
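The checks in steps 1 to 4 can be scripted. The following is an added example, not Juniper's own tooling: the function names are the author's, the log lines are constructed samples that mirror the ones quoted above, and on a real sensor the functions would read /usr/idp/device/var/sysinfo/logs/* and /var/log/kernel instead.

```shell
#!/bin/sh
# Triage helper for the symptoms in this article (added example, not Juniper's
# tooling). The log text below is constructed to mirror the article; on a sensor,
# feed the real files instead, e.g.  policy_load_failed < sciod.log

SCIOD_LOG='[10:39:21] Error: sc_klib_subs_load_policy: sc_dev_ioctl() failed
[10:40:21] Error: sc_dev_ioctl: ioctl(8, c0786b20, 0x3fffe800) failed [14, Bad address]'

KERNEL_LOG='Jun 7 10:39:21 pps-idpsensor kernel: sc_pmanager_policy_load: policy_copyin 10000 ms
Jun 7 10:39:21 pps-idpsensor kernel: Critical: sc_malloc.c:925 sc_kmalloc: do_malloc(35932) failed, caller ../../sc_vector.c:76'

# Step 1: the sciod log (on stdin) shows the ioctl-based policy load failing.
policy_load_failed() {
    grep -q 'sc_klib_subs_load_policy: sc_dev_ioctl() failed'
}

# Step 2: the kernel log (on stdin) shows sc_kmalloc failures, i.e. memory too
# fragmented or exhausted to hold the new policy.
kmalloc_failed() {
    grep -q 'sc_kmalloc: do_malloc([0-9]*) failed'
}

# Steps 3/4: extract the hex value from the output of
# `scio const -s s0:flow get sc_flow_reset_on_policy` (on stdin).
reset_on_policy_value() {
    sed -n 's/^scio: sc_flow_reset_on_policy = \(0x[0-9a-fA-F]*\).*/\1/p'
}

# True when the constant is not confirmed as 0x1 and should be set.
needs_reset_fix() {
    [ "$(reset_on_policy_value)" != "0x1" ]
}

# Verdict: the remedy applies only when both log signatures are present
# (the article notes it only helps when the allocation errors occur).
kb_remedy_applies() {
    printf '%s\n' "$1" | policy_load_failed && printf '%s\n' "$2" | kmalloc_failed
}

if kb_remedy_applies "$SCIOD_LOG" "$KERNEL_LOG"; then
    echo "Symptoms match: verify sc_flow_reset_on_policy is 0x1, then run 'scio policy unload s0'"
else
    echo "Log signatures absent: this remedy probably does not apply"
fi
```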

Explanation:

By default, sc_flow_reset_on_policy should be set to 0x1 on lower-end devices. Releases prior to 4.1r3 had an issue in which it was set to 0x0.

When memory is fragmented, the policy push can fail; this is evident from the memory allocation errors. The solution above is only expected to work if the memory allocation errors described in step 2 are occurring.

Another solution to this issue is to upgrade to IDP OS firmware 5.1r3. If the All Attacks policy is included, upgrading to firmware 5.1r3 may still not resolve it. In that case, fine-tune the policy so that the attack table stays manageable in size by including only the attacks that are relevant.