
[SRX] Update IDP in the secondary node of a SRX Chassis Cluster (High Availability)

  [KB21052]


Summary:
Update IDP in the secondary node of a SRX High Availability cluster.
Symptoms:
Symptom/Problem:
  • The Attack Database on the secondary node is not in sync with the primary node
  • How do I sync the Attack Database?

With Junos 11.4 and below, the IDP security package (attack signature database) is not updated on the secondary node (generally node1) when the IDP update command is run from the operational mode. This article will tell you how to update the IDP in the secondary node of a cluster. The secondary node of a Chassis Cluster does not have a running Routing Subsystem, hence the Internet is not reachable from there.

With Junos 12.1, a new feature was added to synchronize the IDP security package (attack signature database) in a Chassis Cluster automatically. (See the Release Notes: New Features - Junos 12.1 Branch SRX and New Features - Junos 12.1 High-end SRX.) With 12.1, the attack database version on each node of a Chassis Cluster should match. However, if it does not (for example, because the nodes were already out of sync before the upgrade), this article provides instructions on how to sync them.

Cause:

Solution:
Important: The IDP license must also be installed on the secondary node for IDP to function. If the Attack database version on the secondary node shows N/A, the IDP license may not be installed there.
For help with the license, refer to the SRX Getting Started - Quick Setup Guide.

Perform the instructions below to sync up the attack signature database on the secondary node: 

Junos 12.1 and above

With Junos 12.1, the attack database version on each node of a Chassis Cluster should match. However, if they are not in sync, re-download and re-install the attack signature database on the primary node, and it will be automatically synced to the secondary node. For instructions, refer to Section II Download and install the Signature Database of KB16489 - Quick Setup Guide for Configuring IDP on a SRX.


Junos 11.4 and below

The secondary node cannot connect to the Internet because its routing subsystem is not running, but it always accepts data from the primary node. This procedure uses that ability to push the IDP update files from the primary node (node0 in this example, which already has the up-to-date IDP package) to the secondary node:
  1. Go to the shell prompt:
    [primary node0]
    >start shell

  2. Login as the super user by typing "su":
    %su
    password:<enter password>

  3. Copy the following from node0 to node1:
    %rcp -r -T /var/db/idpd/sec-download/* node1:/var/db/idpd/sec-download/

    rcp is a slow copy method, and the database is usually 20 MB or more, so the copy will take some time to finish.

    NOTE: If an older version of the Attack Database exists on the secondary node i.e. node1, you may get an error similar to this:

    cp: /var/db/idpd/sec-download/SignatureUpdate.xml and /var/db/idpd/sec-download/SignatureUpdate.xml are identical (not copied)

    If so, remove the attack database from the secondary node (node1), and then run the rcp command again:

    %rm -rf node1:/var/db/idpd/sec-download/*

    %rcp -r -T /var/db/idpd/sec-download/* node1:/var/db/idpd/sec-download/


    Note: The above commands are run from the shell mode, indicated by the "%" sign.

    If the update on the primary node was performed through NSM, the attack database is stored under /var/db/idpd/nsm-download/ instead. In this case, use:

    %rcp -r -T /var/db/idpd/nsm-download/* node1:/var/db/idpd/sec-download/

  4. Once the copy completes, go to the CLI and type this command:
    [primary node0]
    >request security idp security-package install node 1


    If policy-templates are being used, then also run this command:
    >request security idp security-package install policy-templates node 1

  5. Check the installation status using the command:
    [primary node0]
    >request security idp security-package install status

  6. After the completion of the installation, verify the IDP security package in node 1 using the command:
    [primary node0]
    >show security idp security-package-version


    This will give you the complete details about the package installed.

    For example:
    root> show security idp security-package-version
    node0:
    --------------------------------------------------------------------------

    Attack database version:2108(Thu Mar 29 12:47:45 2012)
    Detector version :12.6.160120213
    Policy template version :2108

    node1:
    --------------------------------------------------------------------------

    Attack database version:2108(Thu Mar 29 12:47:45 2012)
    Detector version :12.6.160120213
    Policy template version :2108

Note: The Attack database and Policy template versions are now the same on both the primary and secondary nodes.
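The following script is an added example and is not part of the KB article or of Junos itself. It parses the output of "show security idp security-package-version" in the format shown above (the only format assumed here) and reports whether each node of the cluster carries the same Attack database and Policy template versions as node0, flagging an N/A entry separately since that usually points to a missing IDP license rather than a stale database. The function names and the two embedded sample outputs are this example's own; the samples are constructed to mirror the article's output, with node1 deliberately out of sync in one and unlicensed in the other.

```shell
#!/bin/sh
# Added example (not from the KB article): parse the output of
# "show security idp security-package-version" and report whether every node
# of the chassis cluster carries the same attack database and policy template
# versions as node0. Function names are this example's own.

# Constructed sample mirroring the article's output format, with node1 on an
# older attack database and policy template (the out-of-sync case).
SAMPLE_OUT_OF_SYNC='node0:
--------------------------------------------------------------------------

Attack database version:2108(Thu Mar 29 12:47:45 2012)
Detector version :12.6.160120213
Policy template version :2108

node1:
--------------------------------------------------------------------------

Attack database version:2001(Mon Jan 09 10:00:00 2012)
Detector version :12.6.160120213
Policy template version :2001
'

# Constructed sample where the secondary node reports N/A, which the article
# notes usually means the IDP license is not installed on that node.
SAMPLE_NO_LICENSE='node0:
--------------------------------------------------------------------------

Attack database version:2108(Thu Mar 29 12:47:45 2012)
Detector version :12.6.160120213
Policy template version :2108

node1:
--------------------------------------------------------------------------

Attack database version:N/A
Detector version :N/A
Policy template version :N/A
'

# Read command output on stdin; print one line per node:
#   <node> <attack-db-version> <detector-version> <policy-template-version>
idp_versions() {
  awk '
    { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
    /^node[0-9]+:$/ { node = $0; sub(/:$/, "", node); order[++n] = node; next }
    /^Attack database version/ {
      v = $0; sub(/^Attack database version[ \t]*:[ \t]*/, "", v)
      sub(/\(.*$/, "", v); attack[node] = v          # drop the "(date)" suffix
    }
    /^Detector version/ {
      v = $0; sub(/^Detector version[ \t]*:[ \t]*/, "", v); detector[node] = v
    }
    /^Policy template version/ {
      v = $0; sub(/^Policy template version[ \t]*:[ \t]*/, "", v); template[node] = v
    }
    END {
      for (i = 1; i <= n; i++) {
        k = order[i]
        printf "%s %s %s %s\n", k, attack[k], detector[k], template[k]
      }
    }
  '
}

# Compare every node against the first one listed (node0). Exit status 0 when
# the attack database and policy template versions all match, 1 otherwise.
idp_in_sync() {
  idp_versions | awk '
    NR == 1 { ref_attack = $2; ref_template = $4 }
    $2 == "N/A" {
      printf "%s: attack database N/A (check that the IDP license is installed on this node)\n", $1
      bad = 1; next
    }
    $2 == ref_attack && $4 == ref_template {
      printf "%s: OK (attack db %s, policy template %s)\n", $1, $2, $4; next
    }
    {
      printf "%s: OUT OF SYNC (attack db %s vs %s, policy template %s vs %s)\n", $1, $2, ref_attack, $4, ref_template
      bad = 1
    }
    END { exit (bad ? 1 : 0) }
  '
}

# Demonstration on the constructed samples. On a live cluster, feed the saved
# command output in instead, e.g.:  idp_in_sync < versions.txt
for sample in "$SAMPLE_OUT_OF_SYNC" "$SAMPLE_NO_LICENSE"; do
  if printf '%s' "$sample" | idp_in_sync; then
    echo "cluster in sync"
  else
    echo "cluster needs the sync procedure above"
  fi
done
```

The script compares only the Attack database and Policy template versions, which are the two values the article expects to match after the procedure; the detector version is parsed and printed by idp_versions but not used as a sync criterion.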

Related Links: