This article describes an IDP security package installation failure in an SRX cluster setup, and the procedure to resolve it.
Two SRX 3600 series devices in a cluster setup fail to install the IDP security package:
> request security idp security-package install status
Done;AI installation failed! exit...!
IDP trace options:
May 31 13:44:49 Waiting for AI result
May 31 13:44:59 Waiting for AI result
May 31 13:45:09 Waiting for AI result
May 31 13:45:19 Waiting for AI result
May 31 13:45:29 Waiting for AI result
May 31 13:45:39 AI installation failed due to xcommit error.
May 31 13:45:39 [set_secupdate_cb_status] state change from 0x108 to 0x110
May 31 13:45:39 [set_secupdate_cb_process_status] state change from 0x110 to 0x310
May 31 13:45:39 [get_secupdate_cb_status] state = 0x310
May 31 13:45:39 Got signal SIGCHLD....
srx-node0> show security idp security-package-version
node0:
--------------------------------------------------------------------------
Attack database version:1732(Mon Jul 19 12:44:15 2010)
Detector version :10.4.140100525
Policy template version :N/A
node1:
--------------------------------------------------------------------------
Attack database version:N/A(N/A)
Detector version :10.4.140100525
Policy template version :N/A
{primary:node0}
srx-node0>
% pwd
/var/db/idpd/sec-download
% ls -ltr
total 40200
drwxr-xr-x 2 root wheel 512 Dec 13 15:56 sub-download
-rw-r----- 1 root wheel 423 May 29 09:01 platforms.xml
-rw-r----- 1 root wheel 1430160 May 29 09:01 libidp-detector.so.tgz.v
-rw-r----- 1 root wheel 4045223 May 29 09:01 groups.xml
-rw-r----- 1 root wheel 678919 May 29 09:01 applications.xml
-rw-r----- 1 root wheel 14333720 May 29 09:01 SignatureUpdate.xml
When the security package installation error "AI installation failed due to xcommit error" is received, check /var/db/appid/sec-download/mgdxcommit.txt for the root cause. It may be one of the following:
- Uncommitted changes in Junos config
- Junos global DB locked in HA
- Same port number being assigned to multiple applications in APPID signatures
Note: In some cases, the file mgdxcommit.txt may not be generated at this location. However, the solution below still applies to the issue.
Solution for the above causes
- Commit the Junos configuration changes first, and then issue the IDP install command.
- Exit from the Junos global DB. To achieve this, after any configuration changes, perform commit and exit the configuration mode. This ensures that users exit the global DB.
- In Junos OS 10.2 or later, issue "request services application-identification uninstall", and then install IDP or APPID. The workaround for Junos OS 10.1 is to issue "delete services application-identification", commit in Junos config mode, and then perform IDP installation with the command "request security idp security-package install".
- For versions 12.1 and later, download application-identification separately by using "request services application-identification download" (hidden command), and then install IDP.
In an SRX cluster setup, there is another reason for the occurrence of "AI installation failed due to xcommit error."
In a cluster setup that is running older versions (earlier than 12.1):
- The entire signature database needs to be downloaded manually from the primary node onto the secondary node.
- Application signatures need to be installed on the primary node, and are synced to the backup node.
- Sigpack needs to be downloaded under /var/db/idpd/sec-download/ on the primary node and not under any other location.
So the IDP signature package gets installed on the backup node, after installing AI on the primary node.
In cluster setups that are running 12.1 and later versions:
- The signature database is downloaded automatically on the master node and synced with the backup node.
- After both devices have a signature database, installation for the signatures takes place separately. This can be seen by using the following command on the primary node:
"request security idp security-package install status"
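An added example, not part of the original article or of any Juniper tooling: a Python check that parses the "show security idp security-package-version" output and the IDP trace lines shown above, and flags a node with no attack database, a version mismatch between nodes, and the xcommit failure. The function names are hypothetical and the sample input is copied from the outputs in this article.

```python
import re

# Constructed sample input: CLI and trace lines copied from the article above.
VERSION_OUTPUT = """\
node0:
--------------------------------------------------------------------------
Attack database version:1732(Mon Jul 19 12:44:15 2010)
Detector version :10.4.140100525
Policy template version :N/A
node1:
--------------------------------------------------------------------------
Attack database version:N/A(N/A)
Detector version :10.4.140100525
Policy template version :N/A
"""
TRACE_OUTPUT = """\
May 31 13:45:29 Waiting for AI result
May 31 13:45:39 AI installation failed due to xcommit error.
"""
FIELD = re.compile(r"^(Attack database|Detector|Policy template) version\s*:\s*(.+)$")

def parse_versions(text):
    """Return {node: {field: version}} from the per-node version output."""
    nodes, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if re.fullmatch(r"node\d+:", line):
            current = nodes.setdefault(line[:-1], {})
        elif current is not None and (m := FIELD.match(line)):
            current[m.group(1)] = m.group(2).split("(")[0].strip()  # drop "(date)"
    return nodes

def find_problems(version_text, trace_text):
    """List findings: missing packages, node mismatches, xcommit failures."""
    problems, nodes = [], parse_versions(version_text)
    for field in ("Attack database", "Detector"):
        values = {n: v.get(field, "N/A") for n, v in nodes.items()}
        problems += [f"{n}: {field} not installed" for n, v in sorted(values.items()) if v == "N/A"]
        if len(set(values.values())) > 1:
            problems.append(f"{field} version differs across nodes: {values}")
    for line in trace_text.splitlines():
        if "AI installation failed due to xcommit error" in line:
            problems.append(f"xcommit failure at {line[:15]}")  # syslog-style timestamp
    return problems

if __name__ == "__main__":
    print("\n".join(find_problems(VERSION_OUTPUT, TRACE_OUTPUT)))
```

Running the same check after applying the solution should return an empty list once both nodes report the same attack database version.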