
[SRX] IDP Attack Database download failure



Article ID: KB23359 KB Last Updated: 28 Sep 2021Version: 3.0

This article lists the common reasons why an IDP attack database download fails on an SRX device.

This article is referenced from the KB23422 - Resolution Guide - SRX - Verify/Troubleshoot IDP attack database on SRX.

When checking the status of the Attack database download with the request security idp security-package download status command, the following error message is reported:

user@srx> request security idp security-package download status

Done;fetching/uncompressing for....failed

Note: If the Attack Database install failed, a common reason is that the Attack Database download also failed.

This error message can have several causes, which can be broadly classified as follows:

  • The SRX device does not have Internet connectivity.
  • The DNS server is not configured on the SRX device.
  • The SRX device does not have access to the SIG DB server.
  • Storage space in the Compact Flash is full.
  • The loopback filter that protects the Routing Engine (RE) does not allow HTTPS.

If the Attack database download fails, perform the following checks (these are the common failure reasons).

Verify if the SRX device has Internet connectivity:

  1. Check if the ISP's next hop router/default gateway can be pinged from the SRX device.

  2. Check if an active route pointing to the ISP's next hop router is present in the SRX device's routing table:
    root> show route <IP address of the SRX's default gateway>
    If an active route is absent, configure a static route to the ISP's router. For example:
    root# set routing-options static route 0/0 next-hop <ISP router's IP address>
    root# commit

  3. Check the state of the SRX device's egress interface to confirm that the link is physically up:
    root> show interfaces <interface name> terse

Verify if the SRX device has a name-server configured:

If the SRX does not have a name-server configured, configure one as follows:
root# set system name-server <Name server's IP address>

Verify if the SRX device's Signature Database server is configured:

The URL for the Signature Database is configured as follows:
root# set security idp security-package url
root# commit

Verify that the storage space on the Compact Flash is not full:

Check the storage space by using the following command:
root> show system storage
If the space is full, perform a cleanup and remove all the non-operational files from the Compact Flash. To view the set of files that would be removed, run the following command:
root> request system storage cleanup dry-run
To remove all such files, run the following command:
root> request system storage cleanup

Verify if a filter is applied to the loopback interface to protect the RE, and whether it allows HTTPS:

root> show configuration interfaces lo0
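
What to look for in the lo0 output and one way to correct a filter that blocks the download, as an added example that is not part of the original article. The filter name PROTECT-RE and the term names ALLOW-HTTPS-REPLY and DENY-ALL are hypothetical; the example assumes an IPv4 input filter on lo0 unit 0 that ends in a discard term.

```junos
# Constructed example. PROTECT-RE, ALLOW-HTTPS-REPLY and DENY-ALL are
# hypothetical names; substitute the names used in your configuration.

# 1. Find the input filter bound to lo0. A bound filter appears as:
#      unit 0 { family inet { filter { input PROTECT-RE; } } }
root> show configuration interfaces lo0

# 2. List the filter's terms and check whether any term accepts TCP
#    replies from port 443 before the final discard term.
root> show configuration firewall family inet filter PROTECT-RE

# 3. If none does, add a term that accepts only return traffic of HTTPS
#    sessions opened by the SRX itself (source port 443, ACK/RST set).
root# set firewall family inet filter PROTECT-RE term ALLOW-HTTPS-REPLY from protocol tcp
root# set firewall family inet filter PROTECT-RE term ALLOW-HTTPS-REPLY from source-port 443
root# set firewall family inet filter PROTECT-RE term ALLOW-HTTPS-REPLY from tcp-established
root# set firewall family inet filter PROTECT-RE term ALLOW-HTTPS-REPLY then accept

# 4. New terms are appended last; move the term ahead of the discard term.
root# insert firewall family inet filter PROTECT-RE term ALLOW-HTTPS-REPLY before term DENY-ALL

# 5. Commit with automatic rollback in case the change cuts off management
#    access, then confirm once the session is still reachable.
root# commit confirmed 5
root# commit

# 6. Retry the download and check its status.
root> request security idp security-package download
root> request security idp security-package download status
```

Matching on tcp-established keeps the RE closed to unsolicited inbound connections while still letting the signature download replies through.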
Modification History:
2021-09-11: Added one more cause of IDP signature failure and command to check it. Also, added vsrx, SRX300, and SRX4000 series in the product list
