
Resolution Guide - SRX - Verify/Troubleshoot IDP attack database on SRX in Chassis Cluster


Article ID: KB23423 | KB Last Updated: 09 Feb 2020 | Version: 6.0
Summary:

This guide helps you verify that the IDP attack database is downloaded and installed on an SRX device in a Chassis Cluster, and troubleshoot it if it is not.

If your SRX is not in a Chassis Cluster, refer to KB23422 - Verify/Troubleshoot IDP attack database on SRX.

Symptoms:
  • Not able to download the Attack Database on node in a Chassis Cluster
  • The version of the Attack Database does not match the current version

Note: Junos 12.1 added a feature that automatically synchronizes the IDP security package in a Chassis Cluster. This helps significantly with the problem, seen in Junos 11.4 and below, of the Attack Database being out of sync on the Chassis Cluster nodes. See the Release Notes: New Features - Junos 12.1 Branch SRX and New Features - Junos 12.1 High-end SRX.

This guide applies to Junos 12.1 and below.

Solution:

Perform the following steps:

[Identify which node is primary]

Step 1. Run the command 'show chassis cluster status', and identify which node is Primary for Redundancy group 0 on your SRX.

user@host> show chassis cluster status
Cluster ID: 1 
   Node name               Priority    Status    Preempt  Manual failover
	Redundancy-group: 0, Failover count: 1
    node0                   254         primary   no       no
    node1                   2           secondary no       no
	Redundancy-group: 1, Failover count: 1    
    node0                   254         primary   no       no
    node1                   1           secondary no       no 

In the above output, node 0 is the primary for Redundancy-group 0 (RG 0 implies the Routing Engine).

[Check Attack database version on Primary node]

Step 2.  Run the command 'show security idp security-package-version', and observe the 'Attack database version' for the Primary node:

node0:  <------
--------------------------------------------------------------------------
Attack database version:1732(Mon Jul 19 12:44:15 2010)  <------
Detector version :10.4.140100525
Policy template version :N/A

node1:  
--------------------------------------------------------------------------
Attack database version:N/A(N/A) 
Detector version :10.4.140100525
Policy template version :N/A

Does the Primary node have N/A for the 'Attack database version'?

  • Yes -  It is best to tackle correcting the Primary node first.  To do this, perform the steps in KB23422 - Resolution Guide - SRX - Verify/Troubleshoot IDP attack database on SRX to get an attack database version on the Primary node. Then restart at the top of this article.

  • No -
    • It has a version:  Continue to Step 3 to check the secondary node.

    • I get the message: Warning IDP disabled:
      Run the following command from configuration mode to enable IDP:
      delete system processes idp-policy disable

    • The option to run the command is not there:
      The IDP functionality is supported on High Memory SRX Branch and High-End devices.

[Check Attack database version on Secondary node]

Step 3.  Now observe the 'Attack database version' for the Secondary node:

node0:
--------------------------------------------------------------------------
Attack database version:1732(Mon Jul 19 12:44:15 2010)  
Detector version :10.4.140100525
Policy template version :N/A

node1:
--------------------------------------------------------------------------
Attack database version:N/A(N/A)  <------
Detector version :10.4.140100525
Policy template version :N/A

Does the secondary node have N/A for the 'Attack database version'?

  • Yes - Continue to Step 4 

  • No -  A version is specified.
    If the Attack database versions are the same on each node, go to KB23424 - Resolution Guide - SRX - Troubleshooting IDP for a list of SRX/IDP issues.

    If the Attack database versions are different on each node, jump to Step 5.

[Version is N/A]

Step 4. On the secondary node, run the command 'show system license'. (Both nodes in a Chassis Cluster must have the IDP license.)

Do you see the feature 'idp-sig' (which is the IDP license)?


[Update database version on Secondary]

Step 5.   Do the Chassis Cluster nodes have connectivity to the Internet?

After performing the steps to update the Attack database, continue to Step 6.

Step 6. Run the command 'show security idp security-package-version' again.

node0:
--------------------------------------------------------------------------
Attack database version:1732(Mon Jul 19 12:44:15 2010) <------
Detector version :10.4.140100525
Policy template version :N/A

node1:
--------------------------------------------------------------------------
Attack database version:1732(Mon Jul 19 12:44:15 2010) <------
Detector version :10.4.140100525
Policy template version :N/A 

Are the Attack database versions the same?
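
The decision points in Steps 1 to 3 and Step 6 can be checked automatically from saved command output. The following is an added example, not Juniper's code: the function names are hypothetical, and the sample text is constructed from the output format shown in this article.

```python
import re

# Constructed sample output (trimmed; RG 1 roles swapped so only RG 0 should count).
STATUS = """\
Redundancy-group: 0, Failover count: 1
    node0                   254         primary   no       no
    node1                   2           secondary no       no
Redundancy-group: 1, Failover count: 1
    node0                   1           secondary no       no
    node1                   254         primary   no       no
"""
PKG = """\
node0:
Attack database version:1732(Mon Jul 19 12:44:15 2010)
node1:
Attack database version:N/A(N/A)
"""

def rg0_roles(status_text):  # hypothetical helper: node -> status for RG 0 only
    roles, group = {}, None
    for line in status_text.splitlines():
        if m := re.match(r"\s*Redundancy-group:\s*(\d+)", line):
            group = m.group(1)
        elif group == "0" and (m := re.match(r"\s*(node\d+)\s+\d+\s+(\S+)", line)):
            roles[m.group(1)] = m.group(2)
    return roles

def attack_db_versions(pkg_text):  # hypothetical helper: node -> version, None for N/A
    versions, node = {}, None
    for line in pkg_text.splitlines():
        if m := re.match(r"\s*(node\d+):", line):
            node = m.group(1)
        elif node and (m := re.match(r"\s*Attack database version\s*:\s*([^(\s]+)", line)):
            versions[node] = None if m.group(1) == "N/A" else m.group(1)
    return versions

def next_step(status_text, pkg_text):  # decision points of Steps 1-3 and 6
    roles, vers = rg0_roles(status_text), attack_db_versions(pkg_text)
    primary = [n for n, s in roles.items() if s == "primary"]
    if len(primary) != 1:
        return "RG 0 primary not identified: recheck Step 1"
    pv = vers.get(primary[0])
    sv = [vers.get(n) for n in roles if n != primary[0]]
    if pv is None:
        return "Primary has N/A: follow KB23422, then restart this guide"
    if None in sv:
        return "Secondary has N/A: Step 4 (check for the idp-sig license)"
    if any(v != pv for v in sv):
        return "Versions differ: Step 5 (update the attack database)"
    return "Versions match: see KB23424"
```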

Modification History:

2020-02-08: Article reviewed for accuracy. Article is correct and complete.
