AV and DI Updates Are Failing on the Backup Device of an NSRP Cluster

Article ID: KB15110
Last Updated: 04 Sep 2009
Version: 1.0
Summary:
AV and DI updates are succeeding on the active device, but the database updates fail on the backup device.
Symptoms:
AV updates on the backup device fail, with the following event log message:
2009-08-31 12:06:46 system notif 00767 Cannot download attack database from 
                                       https://services.netscreen.com/
                                       restricted/sigupdates/6.1/ssg20/
                                       attacks.dat?sn=0164092006000669 (error 
                                       Unable to est. TCP connection).
DI updates on the backup device also fail, with the following event log message:
2009-08-31 12:37:53 system notif 00554 SCAN-MGR: Cannot retrieve AV pattern 
                                       file due to Unknown Host (-10). HTTP 
                                       status code: 0.
Solution:
When implementing AV and DI in an NSRP environment, each device in the cluster must be configured with its own separate, unique manage-ip address for the backup device to be able to update its database. The shared interface IP address is only owned by the active device, so when no manage-ip is configured the backup device has no address from which to send a request to the database server. The recommended configuration is to define a unique manage-ip for each device in the cluster.

For example, if interface ethernet0/0 is bound to the untrust zone, each device should be configured as follows:

Device A:
set interface ethernet0/0 ip 172.19.51.188/23
set interface ethernet0/0 manage-ip 172.19.51.38

Device B:
set interface ethernet0/0 ip 172.19.51.188/23
set interface ethernet0/0 manage-ip 172.19.51.37

In this example, device A communicates with the AV/DI database servers using source IP address 172.19.51.38, while device B communicates with them using source IP address 172.19.51.37. The same rule also applies to Subscription Updates. These manage-ips ensure that each device in the cluster is able to obtain its database updates, or Subscription Updates, regardless of which device is currently active and which is backup.
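The following script is an added example, not part of this article or of any Juniper tool. It parses the two ScreenOS configurations above (embedded as constructed sample input) and reports any device in the cluster whose update traffic cannot be sourced correctly: a missing manage-ip, a manage-ip that duplicates the shared interface address, or a manage-ip shared between devices. The check that the manage-ip lies inside the interface's subnet is an added sanity check of my own, not a requirement the article states.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample input: the two ScreenOS device configurations from the
# article. The interface IP is the shared cluster address; the manage-ip is
# the per-device address each unit uses for its own update traffic.
DEVICE_CONFIGS = {
    "Device A": "set interface ethernet0/0 ip 172.19.51.188/23\n"
                "set interface ethernet0/0 manage-ip 172.19.51.38\n",
    "Device B": "set interface ethernet0/0 ip 172.19.51.188/23\n"
                "set interface ethernet0/0 manage-ip 172.19.51.37\n",
}

IP_RE = re.compile(r"^set interface (\S+) ip (\d+(?:\.\d+){3})/(\d+)$")
MANAGE_RE = re.compile(r"^set interface (\S+) manage-ip (\d+(?:\.\d+){3})$")


def parse_interfaces(config: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Pull interface ip/prefix and manage-ip out of ScreenOS 'set interface' lines.

    Returns {ifname: {"ip": ..., "prefix": ..., "manage_ip": ...}}; values are
    None when the corresponding line is absent. Other config lines are ignored.
    """
    ifaces: Dict[str, Dict[str, Optional[str]]] = {}
    for raw in config.splitlines():
        line = raw.strip()
        m = IP_RE.match(line)
        if m:
            entry = ifaces.setdefault(m.group(1), {"ip": None, "prefix": None, "manage_ip": None})
            entry["ip"], entry["prefix"] = m.group(2), m.group(3)
            continue
        m = MANAGE_RE.match(line)
        if m:
            entry = ifaces.setdefault(m.group(1), {"ip": None, "prefix": None, "manage_ip": None})
            entry["manage_ip"] = m.group(2)
    return ifaces


def check_cluster(configs: Dict[str, str], ifname: str) -> List[str]:
    """Return findings for the cluster; an empty list means every device passes.

    Per device: the interface has an ip, it has a manage-ip, the manage-ip
    differs from the shared interface ip, and (assumed requirement, not stated
    in the article) the manage-ip lies inside the interface's subnet.
    Across devices: no two devices share the same manage-ip.
    """
    findings: List[str] = []
    owners: Dict[str, List[str]] = {}
    for device, config in configs.items():
        iface = parse_interfaces(config).get(ifname)
        if iface is None or iface["ip"] is None:
            findings.append(f"{device}: no ip configured on {ifname}")
            continue
        manage_ip = iface["manage_ip"]
        if manage_ip is None:
            findings.append(
                f"{device}: no manage-ip on {ifname}; as backup it cannot source update requests"
            )
            continue
        if manage_ip == iface["ip"]:
            findings.append(f"{device}: manage-ip {manage_ip} equals the shared interface ip")
        subnet = ipaddress.ip_network(f"{iface['ip']}/{iface['prefix']}", strict=False)
        if ipaddress.ip_address(manage_ip) not in subnet:
            findings.append(f"{device}: manage-ip {manage_ip} is outside {subnet}")
        owners.setdefault(manage_ip, []).append(device)
    for manage_ip, devices in owners.items():
        if len(devices) > 1:
            findings.append(
                f"manage-ip {manage_ip} is shared by {', '.join(devices)}; each device needs its own"
            )
    return findings


if __name__ == "__main__":
    for finding in check_cluster(DEVICE_CONFIGS, "ethernet0/0") or ["cluster OK"]:
        print(finding)
```

Run it against `get config` output saved from each cluster member (one string per device) and pass the name of the interface that faces the update servers; any non-empty result is a device that will fail AV/DI updates while it is the backup.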
