When checking the status of a security package download, the SRX administrator receives the following error message:
root> request security idp security-package download status
Done;Fetching SignatureUpdate_tmp.xml.gz failed, error: 256
The issue is due to the SRX device being unable to communicate with the server to download the security package. The security server is
services.netscreen.com. You will be unable to ping
services.netscreen.com from the SRX CLI:
root> ping services.netscreen.com
ping: cannot resolve services.netscreen.com: Host name lookup failure
Note: Normally, DNS name lookup is the issue; but it could be any other issue between the SRX and the NetScreen host. Check parameters, such as DNS, routes, and so on.
The most common solution for this issue is to configure the DNS, in such a way that name resolution allows to contact
services.netscreen.com to download the security update. To configure DNS name servers, edit the
system name-server configuration and add name servers:
root>edit
root#edit system name-server
[edit system name-server]
root#set 123.123.123.123
[edit system name-server]
root#set 112.113.114.115
root#commit
Naturally, you will place the real name server IP addresses in the configuration. If DNS resolution is not the issue, look elsewhere to see what is preventing the pinging of the server and open a JTAC ticket; if required.
This behavior is the same in a chassis cluster. This error can be seen in the chassis cluster scenario when the name resolution is not happening for the security server i.e. services.netscreen.com due to the the inactive node's routing engine not having an active route to the internet.