Commit confirmed is not supported for Branch SRX with IDP

[KB21334]


Summary:
Commit confirmed is not supported for Branch SRX with IDP.
Symptoms:
When NSM manages a Branch SRX device that is running IDP and the commit confirmed option is selected in NSM, the commit fails with the following error:
Error Text:
Update fails UpdateDevice Results
sanityCheckCmd Success.
lock Success.
GenerateEditConfig Success.
validate Success.
confirmedCommit Success.
commit Failed .
<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply message-id="1" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns:junos="http://xml.juniper.net/junos/10.4R1/junos" xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
<rpc-error>
<error-severity>error</error-severity>
<source-daemon>
idpd
</source-daemon>
<error-path>
[edit security]
</error-path>
<error-info>
<bad-element>
idp
</bad-element>
</error-info>
<error-message>
idpd busy in commit. Please try again later.
</error-message>
</rpc-error>
<rpc-error>
<error-severity>error</error-severity>
<error-message>
configuration check-out failed
</error-message>
</rpc-error>
</rpc-reply>

From the CLI, commit confirmed fails with the same error, as does a subsequent commit:
[edit]
root@SRX-2# commit confirmed
[edit security]
'idp'
idpd busy in commit. Please try again later.
error: configuration check-out failed

[edit]
root@SRX-2# commit
[edit security]
'idp'
idpd busy in commit. Please try again later.
error: configuration check-out failed


Solution:
For Branch SRX, the commit confirmed option is not supported from NSM or from the CLI. To evaluate the configuration, use the following command:
[edit]
root# commit check
configuration check succeeds

[edit]
root# commit
commit complete

To check the compilation status of the IDP policy, use the following CLI command (available from 10.4R1 and 10.3R2 onwards):
test1> show security idp policy-commit-status
IDP policy[/var/db/idpd/bins/Recommended-IDS.bin.gz.v] and detector[/var/db/idpd/sec-repository/installed-detector/libidp-detector.so.tgz.v] loaded successfully.

The workaround for NSM is to disable the confirmed-commit option in the GUI. The path for the option is as follows:
Preferences->device update->Netconf->use confirmed commit

For High End SRX, the commit confirmed option is supported and the issue has been fixed from 10.3R1/10.4R1.
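
For scripts that commit over NETCONF directly, the rpc-reply and the policy-commit-status line shown in this article can be checked programmatically. The Python below is an added example, not Juniper or NSM code; the function names are hypothetical and the sample reply is constructed from the error text above.

```python
import re
import xml.etree.ElementTree as ET

NC = "{urn:ietf:params:xml:ns:netconf:base:1.0}"
# Format of the success line shown in this article (assumed stable across releases).
STATUS_RE = re.compile(
    r"IDP policy\[(?P<policy>[^\]]+)\] and detector\[(?P<detector>[^\]]+)\] loaded successfully")

# Constructed sample: the rpc-reply from this article, condensed.
SAMPLE_REPLY = """<rpc-reply message-id="1" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<rpc-error><error-severity>error</error-severity>
<source-daemon>
idpd
</source-daemon>
<error-message>
idpd busy in commit. Please try again later.
</error-message></rpc-error>
<rpc-error><error-severity>error</error-severity>
<error-message>
configuration check-out failed
</error-message></rpc-error>
</rpc-reply>"""


def parse_rpc_errors(reply_xml):
    """Return one dict per <rpc-error>, keyed by tag name without namespace."""
    root = ET.fromstring(reply_xml.strip().encode("utf-8"))
    return [{c.tag.split("}", 1)[-1]: "".join(c.itertext()).strip() for c in err}
            for err in root.iter(NC + "rpc-error")]


def is_idpd_busy(errors):
    """True when idpd itself rejected the commit as busy (the failure in this article)."""
    return any(e.get("source-daemon") == "idpd"
               and "idpd busy in commit" in e.get("error-message", "")
               for e in errors)


def idp_policy_loaded(status_output):
    """Return policy/detector paths if policy-commit-status reports success, else None."""
    m = STATUS_RE.search(status_output)
    return m.groupdict() if m else None


if __name__ == "__main__":
    errs = parse_rpc_errors(SAMPLE_REPLY)
    print("idpd busy:", is_idpd_busy(errs))
```

Matching on source-daemon as well as the message text keeps the generic "configuration check-out failed" error from being mistaken for the IDP condition.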
