This guide helps you verify/troubleshoot the IDP attack database is downloaded and installed on a SRX device in a Chassis Cluster.

If your SRX is not in a Chassis Cluster, refer to KB23422 - Verify/Troubleshoot IDP attack database on SRX.

• Not able to download the Attack Database on node in a Chassis Cluster
• The version of the Attack Database does not match with the current version

Note: In Junos 12.1, a new feature was added to synchronize the IDP security package in a Chassis Cluster automatically, so this will help significantly with the Attack Database being out of sync on the Chassis Cluster nodes in Junos 11.4 and below. See the Release Notes: New Features - Junos 12.1 Branch SRX and New Features - Junos 12.1 High-end SRX.

This guide applies to Junos 12.1 and below.

Perform the following steps:

[Identify which node is primary]

Run the command 'show chassis cluster status', and identify which node is Primary for Redundancy group 0 on your SRX.

user@host> show chassis cluster status
Cluster ID: 1 
   Node name               Priority    Status    Preempt  Manual failover
	Redundancy-group: 0, Failover count: 1
    node0                   254         primary   no       no
    node1                   2           secondary no       no
	Redundancy-group: 1, Failover count: 1    
    node0                   254         primary   no       no
    node1                   1           secondary no       no 

In the above output, node 0 is the primary for Redundancy-group 0 (RG 0 implies the Routing Engine).

[Check Attack database version on Primary node]

  Run the command 'show security idp security-package-version', and observe the 'Attack database version' for the Primary node:

node0:  <------
--------------------------------------------------------------------------
Attack database version:1732(Mon Jul 19 12:44:15 2010)  <------
Detector version :10.4.140100525
Policy template version :N/A

node1:  
--------------------------------------------------------------------------
Attack database version:N/A(N/A) 
Detector version :10.4.140100525
Policy template version :N/A

Does the Primary node have N/A for the 'Attack database version'?

• Yes -  It is best to tackle correcting the Primary node first.  To do this, perform the steps in KB23422 - Resolution Guide - SRX - Verify/Troubleshoot IDP attack database on SRX to get an attack database version on the Primary node. Then restart at the top of this article.


• No -
  • It has a version:  Continue to Step 3 to check the secondary node.
  
  
  • I get the message: Warning IDP disabled:
    Run the following command from configuration mode to enable IDP:
    delete system processes idp-policy disable
  
  
  • The option to run the command is not there:
    The IDP functionality is supported on High Memory SRX Branch and High-End devices.

[Check Attack database version on Secondary node]

  Now observe the 'Attack database version' for the Secondary node:

node0:
--------------------------------------------------------------------------
Attack database version:1732(Mon Jul 19 12:44:15 2010)  
Detector version :10.4.140100525
Policy template version :N/A

node1:
--------------------------------------------------------------------------
Attack database version:N/A(N/A)  <------
Detector version :10.4.140100525
Policy template version :N/A

Does the secondary node have N/A for the 'Attack database version'?

• Yes - Continue to Step 4 


• No -  A version is specified.
  If the Attack database versions are the same on each node, go to KB23424 - Resolution Guide - SRX - Troubleshooting IDP for a list of SRX/IDP issues.
  
  If the Attack database versions are different on each node, jump to Step 5.

[Version is N/A]

On the secondary node, run the command 'show system license'. (Both nodes in a Chassis Cluster must have the IDP license.)

Do you see the feature 'idp-sig' (which is the IDP license)?

• No - Follow the 'manual' instructions to install the license in Section I of KB16489 - Quick Setup Guide for Configuring IDP on a SRX.
  When the 'idp-sig' license exists, continue to Step 5


• Yes - Continue to Step 5 

[Update database version on Secondary]

  Do the Chassis Cluster nodes have connectivity to the Internet?

• One node has Internet Connectivity; One node does not (typical setup):
  Update the attack database on the secondary by performing the steps in the following:
  KB21052 - Update IPD in the secondary node of a High Availability Cluster without failover


• Both nodes are off-line (and do not have Internet Connectivity): 
  Refer to the following instructions:
  TN83 - How to perform offline IDP signature update in SRX
  
  KB21051 - How to install IDP update/database manually when internet is not at your reach [Transfer of IDP database from SRX to SRX]

After performing the steps to update the Attack database, continue to Step 6.

 Run the command 'show security idp security-package-version' again.

node0:
--------------------------------------------------------------------------
Attack database version:1732(Mon Jul 19 12:44:15 2010) <------
Detector version :10.4.140100525
Policy template version :N/A

node1:
--------------------------------------------------------------------------
Attack database version:1732(Mon Jul 19 12:44:15 2010) <------
Detector version :10.4.140100525
Policy template version :N/A 

Are the Attack database versions the same?

• Yes - Done. For a list of other SRX/IPD isues, go to KB23424 - Resolution Guide - SRX - Troubleshooting IDP.

• No - Collect the IDP information in KB21781 - [SRX] Data Collection Checklist, and open a case with your technical support representative.

2020-02-08: Article reviewed for accuracy. Article is correct and complete.