This article explains why an IDP security package download fails on a single node configured for HA.
Suppose, for example, that an administrator wants to download the IDP security package on a node in an HA cluster while the other node is unavailable (it may be out on an RMA, or there may be a network or cabling issue). The download fails on the single remaining node. The example below shows this scenario with node 0 lost. (This example uses Junos OS 12.1X44-D30.)
//Node0 is lost
{primary:node1}
lab@srx3600b.hk> show chassis cluster status
Cluster ID: 1
Node       Priority   Status     Preempt   Manual failover

Redundancy group: 0 , Failover count: 1
    node0  0          lost       n/a       n/a
    node1  200        primary    no        no

Redundancy group: 1 , Failover count: 1
    node0  0          lost       n/a       n/a
    node1  200        primary    no        no
{primary:node1}
lab@srx3600b.hk> request security idp security-package download check-server
node1:
--------------------------------------------------------------------------
Successfully retrieved from(https://services.netscreen.com/cgi-bin/index.cgi).
Version info:2375(Detector=12.6.140140207, Templates=2375)
{primary:node1}
lab@srx3600b.hk> request security idp security-package download
node1:
--------------------------------------------------------------------------
Will be processed in async mode. Check the status using the status checking CLI
{primary:node1}
lab@srx3600b.hk> request security idp security-package download status
node1:
--------------------------------------------------------------------------
Done;Failed to copy result file to backup RE, errno: 1
{primary:node1}
lab@srx3600b.hk> show log idp-trace
May 22 16:25:18 srx3600b.hk clear-log[65737]: logfile cleared
May 22 16:25:23 jnx_idp_secpack_download: [New request] secpack_download .arg(empty)
May 22 16:25:23 [get_secupdate_cb_status] state = 0x1
May 22 16:25:23 [idpd_child_comm_start]: Disabled comm timer
May 22 16:25:23 Monitoring pid 65741 for SIGDB DOWNLOAD
May 22 16:25:23 jnx_idp_secpack_download: secpack_download result(Will be processed in async mode. Check the status using the status checking CLI)
May 22 16:25:23 idpd_dev_add_ipc_connection called...
May 22 16:25:23 idpd_dev_add_ipc_connection: done.
May 22 16:25:23 idpd_comm_server_get_event:553: evGetNext got event.
May 22 16:25:23 idpd_comm_server_get_event:561: evDispatch OK
May 22 16:25:23 idpd_comm_server_get_event:553: evGetNext got event.
May 22 16:25:23 idpd_comm_server_get_event:561: evDispatch OK
May 22 16:25:23 idpd_comm_server_get_event:553: evGetNext got event.
May 22 16:25:23 idpd_comm_server_get_event:561: evDispatch OK
May 22 16:25:23 [get_detector_ver]ioctl for GET_VERSION_INFO failed.Trying to read from detector file
May 22 16:25:23 [get_secupdate_cb_status] state = 0x1
May 22 16:25:23 Got signal SIGCHLD....
May 22 16:25:23 waitpid returned 65741
May 22 16:25:23 [idpd_child_comm_finish]: Re-enabled comm timer
May 22 16:25:23 Reset the pid 65741 for process 0
When the download command is executed in clustering mode, the primary node tries to open an RCP session to the secondary node. If it cannot open that session, the command fails with the error below:
"Done;Failed to copy result file to backup RE, errno: 1"
To download an IDP security package on a single node with a lost cluster member, you must first remove the cluster configuration and leave it removed until the other node is online. When the other node is back online, the cluster configuration can be re-added.
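The check described above, as an added example (not Juniper code): a Python sketch that parses the "show chassis cluster status" and download status output captured in this article and reports whether a failed copy to the backup RE coincides with a lost cluster node. The function names and result labels are hypothetical; the sample text is copied from the session above.

```python
import re

# Sample CLI output copied from the session in this article.
CLUSTER_STATUS = """\
Cluster ID: 1
Node Priority Status Preempt Manual failover
Redundancy group: 0 , Failover count: 1
node0 0 lost n/a n/a
node1 200 primary no no
Redundancy group: 1 , Failover count: 1
node0 0 lost n/a n/a
node1 200 primary no no
"""
DOWNLOAD_STATUS = "Done;Failed to copy result file to backup RE, errno: 1"

GROUP_ROW = re.compile(r"^Redundancy group:\s*(\d+)")
NODE_ROW = re.compile(r"^(node\d+)\s+\d+\s+(\S+)")  # node, priority, status
COPY_FAIL = re.compile(r"Failed to copy result file to backup RE")


def parse_cluster_status(text):
    """Return {redundancy_group: {node: status}} from the status output."""
    groups, current = {}, None
    for line in text.splitlines():
        line = line.strip()  # tolerate indented or column-aligned rows
        if (m := GROUP_ROW.match(line)):
            current = groups.setdefault(int(m.group(1)), {})
        elif current is not None and (m := NODE_ROW.match(line)):
            current[m.group(1)] = m.group(2)
    return groups


def lost_nodes(groups):
    """Sorted names of nodes reported 'lost' in any redundancy group."""
    return sorted({n for g in groups.values() for n, s in g.items() if s == "lost"})


def diagnose(cluster_text, status_text):
    """Return a hypothetical label relating download status to cluster state."""
    lost = lost_nodes(parse_cluster_status(cluster_text))
    failed = bool(COPY_FAIL.search(status_text))
    if failed and lost:
        return "peer-unreachable"  # the case this article describes
    if failed:
        return "copy-failed"       # copy failed although no node is lost
    return "expect-failure" if lost else "ok"


if __name__ == "__main__":
    print(lost_nodes(parse_cluster_status(CLUSTER_STATUS)), diagnose(CLUSTER_STATUS, DOWNLOAD_STATUS))
```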