Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[SRX-IDP] Configuration commit fails with error: “Please install the latest detector”

0

0

Article ID: KB29469 KB Last Updated: 08 Jan 2015Version: 1.0
Summary:

This article specifies the troubleshooting steps involved in addressing commit failures due to IDP. 

Symptoms:

Commit fails with the error:

[edit security idp]
"Please install the latest detector"


Commit might fail with an error similar to the following:

/var/db/idpd/sec-download/detector-capabilities.xml:4637: parser error : Premature end of data in tag Contexts line 382
<Parent>N ^
/var/db/idpd/sec-download/detector-capabilities.xml:4637: parser error : Premature end of data in tag DetectorCapabilities line 2
<Parent>N ^
<xnm:error xmlns="http://xml.juniper.net/xnm/1.1/xnm" xmlns:xnm="http://xml.juni per.net/xnm/1.1/xnm">
<source-daemon>idpd</source-daemon>
<edit-path>[edit security]</edit-path>
<statement>idp</statement>
<message>Please install the latest detector
</message>
</xnm:error>
error: configuration check-out failed

The steps below indicate symptoms as well as the resolution for such issues.
Cause:

The problem occurs when the IDP database is missing or the detector-capabilities.xml file is corrupt.

Solution:

Do the following:
  1. Note the current attack database version and detector engine version that are loaded on the device:

    > show security idp security-package-version
    Attack database version:2453(Mon Dec 22 19:12:59 2014 UTC)
    Detector version :12.6.160140822
    Policy template version :2453

  2. Download and install the latest attack database version:

    > request security idp security-package download full-update
    Note: The full-update flag is needed to eliminate any possible database corruption issues
    > request security idp security-package install

  3. If the IDP already has the latest IDP detector engine loaded, the second command in Step 2 will fail. In this case, check for the presence of the detector-capabilities.xml file under /var/db/idpd/sec-download/It is recommended to never delete this file as it is consulted during commit for IDP detector definitions.
-- If the file is already present, do not delete it. A normal download (full-update) or install will resolve the issue.
-- If the file was deleted or is missing, you need to copy it from a working firewall. However, you need to make sure that the attack database on the working firewall and this firewall is same, and that the devices are both either Branch or High-End.
-- If you face this issue on a cluster, you can copy this file from the node that already contains this file.

Note: If you do not have a working firewall with this file, then you will have to reinitialize the IDPD directory contents which involves deleting some directories, followed by a system reboot. Contact your technical support representative in such cases, who can provide you the same file without a need for reboot.

Related Links

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search