[SRX] Anti-virus update failure due to routing issue

Article ID: KB30912
KB Last Updated: 08 Jun 2016
Version: 1.0

Summary:

One cause of anti-virus update failure is a missing route to the internet in the inet (default) routing table.

An SRX device downloads anti-virus signatures from the update server (for example, http://update.juniper-updates.net/AV/SRX550/) and looks for a route to it in the inet (default) routing table. Both the name server and the update server must therefore be reachable from the inet routing table.

Symptoms:

Anti-virus signature update failed:

root@LAB_SRX> show security utm anti-virus status
UTM anti-virus status:

Anti-virus key expire date: 2017-02-01 00:00:00
Update server: http://update.juniper-updates.net/SAV/
Interval: 1440 minutes
Pattern update status: next update in 1433 minutes
Last result: download version file failed <<<<<<<<<< Anti-virus signatures update failed
Anti-virus signature version: Not loaded      
Scan engine type: sophos-engine
Scan engine information: Load failure (general error)

Cause:

There can be many different causes. This article covers a routing issue that caused the anti-virus signature update to fail.

Check the reachability of the name server and the update server (for example, http://update.juniper-updates.net/AV/SRX550/).

When checking these destinations, make sure they are reachable from the default routing instance (inet).

In this case, there is no internet reachability from the inet table:

root@LAB_SRX> ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
ping: sendto: No route to host
ping: sendto: No route to host
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss


root@LAB_SRX# run show route

inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.0.0.0/8         *[Direct/0] 00:01:11
                    > via lo0.0
10.0.0.1/32        *[Local/0] 00:01:11
                      Local via lo0.0

R1.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

80.10.111.0/24     *[Direct/0] 00:12:31
                    > via ge-0/0/4.0
80.10.111.1/32     *[Local/0] 00:12:31
                      Local via ge-0/0/4.0
192.168.11.0/24    *[Direct/0] 00:12:31
                    > via ge-0/0/3.0
192.168.11.1/32    *[Local/0] 00:12:31
                      Local via ge-0/0/3.0
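
The manual check above (is the destination covered by a route in inet.0, or only in another routing instance?) written as an added Python example; it is not Juniper's code and the function names are illustrative. The sample text is constructed from the article's outputs and assumes R1.inet.0 already holds the default route shown in the post-fix listing.

```python
import ipaddress
import re

# Constructed sample: the article's pre-fix tables, trimmed. Assumption: R1.inet.0
# already holds the default route that appears in the article's post-fix listing.
ROUTES_BEFORE = """\
inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
10.0.0.0/8         *[Direct/0] 00:01:11
                    > via lo0.0
10.0.0.1/32        *[Local/0] 00:01:11
                      Local via lo0.0
R1.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
0.0.0.0/0          *[Static/5] 00:12:41
                    > to 80.10.111.254 via ge-0/0/4.0
80.10.111.0/24     *[Direct/0] 00:12:31
                    > via ge-0/0/4.0
"""
STATUS_BEFORE = "Last result: download version file failed\n"

TABLE_RE = re.compile(r"^((?:\S+\.)?inet\.0): \d+ destinations")
ROUTE_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+/\d+)\s+\*\[(\w+)/\d+\]")

def parse_tables(text):
    """Return {table_name: [(network, protocol), ...]} for active IPv4 routes."""
    tables, current = {}, None
    for line in text.splitlines():
        if m := TABLE_RE.match(line):
            current = tables.setdefault(m.group(1), [])
        elif current is not None and (m := ROUTE_RE.match(line)):
            current.append((ipaddress.ip_network(m.group(1)), m.group(2)))
    return tables

def best_route(tables, table, dest):
    """Longest-prefix match for dest in one table; None means no route to host."""
    addr = ipaddress.ip_address(dest)
    hits = [r for r in tables.get(table, []) if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen, default=None)

def diagnose(status, routes, dest):
    """Explain a failed update when only a non-default instance can reach dest."""
    m = re.search(r"^Last result: (.+)$", status, re.M)
    if not m or "failed" not in m.group(1):
        return "no failed update reported"
    tables = parse_tables(routes)
    if best_route(tables, "inet.0", dest):
        return "inet.0 has a route; look for another cause"
    via = [t for t in tables if t != "inet.0" and best_route(tables, t, dest)]
    return f"no route in inet.0; reachable via {', '.join(via) or 'no table'}"
```

On a live device the two strings would be the captured output of `show route` and `show security utm anti-virus status`.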

Solution:

Import routes from the routing table that has internet connectivity.

Here, the routing table R1.inet.0 has a route to the internet. Be sure to also import the directly connected routes from inet into R1, so that return traffic can be routed.

Import the R1 interface routes into inet:

root@LAB_SRX# set policy-options policy-statement INET-R1 term 1 from instance R1
root@LAB_SRX# set policy-options policy-statement INET-R1 term 1 from protocol direct
root@LAB_SRX# set policy-options policy-statement INET-R1 term 1 from protocol local
root@LAB_SRX# set policy-options policy-statement INET-R1 term 1 then accept
root@LAB_SRX# set policy-options policy-statement INET-R1 term default then reject

root@LAB_SRX# set routing-options instance-import INET-R1

Inject a default route into the inet table that points to the R1 table:

root@LAB_SRX# set routing-options static route 0.0.0.0/0 next-table R1.inet.0

Import the inet interface routes into R1:

root@LAB_SRX# set policy-options policy-statement R1-INET term 1 from instance master
root@LAB_SRX# set policy-options policy-statement R1-INET term 1 from protocol direct
root@LAB_SRX# set policy-options policy-statement R1-INET term 1 from protocol local
root@LAB_SRX# set policy-options policy-statement R1-INET term 1 then accept
root@LAB_SRX# set policy-options policy-statement R1-INET term default then reject

root@LAB_SRX# set routing-instances R1 routing-options instance-import R1-INET


Once the above configuration is done, check the routing table for the route:

root@LAB_SRX# run show route

inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:15:14
                      to table R1.inet.0
10.0.0.0/8         *[Direct/0] 00:24:16
                    > via lo0.0
10.0.0.1/32        *[Local/0] 00:24:16
                      Local via lo0.0
80.10.111.0/24     *[Direct/0] 00:20:40
                    > via ge-0/0/4.0
80.10.111.1/32     *[Local/0] 00:20:40
                      Local via ge-0/0/4.0
192.168.11.0/24    *[Direct/0] 00:20:40
                    > via ge-0/0/3.0
192.168.11.1/32    *[Local/0] 00:20:40
                      Local via ge-0/0/3.0

R1.inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:12:41
                    > to 80.10.111.254 via ge-0/0/4.0
10.0.0.0/8         *[Direct/0] 00:16:06
                    > via lo0.0
10.0.0.1/32        *[Local/0] 00:16:06
                      Local via lo0.0
80.10.111.0/24     *[Direct/0] 00:35:36
                    > via ge-0/0/4.0
80.10.111.1/32     *[Local/0] 00:35:36
                      Local via ge-0/0/4.0
192.168.11.0/24    *[Direct/0] 00:35:36
                    > via ge-0/0/3.0
192.168.11.1/32    *[Local/0] 00:35:36
                      Local via ge-0/0/3.0


Now that we have the route, we should be able to reach the name server:

root@LAB_SRX> ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=54 time=24.202 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=54 time=24.637 ms
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 24.202/24.419/24.637/0.218 ms

Now that the name server is reachable, the anti-virus database should be updated. Check the AV database:
 
root@LAB_SRX> show security utm anti-virus status
UTM anti-virus status:

Anti-virus key expire date: 2017-02-01 00:00:00
Update server: http://update.juniper-updates.net/SAV/
Interval: 1440 minutes
Pattern update status: next update in 1439 minutes
Last result: new database downloaded  <<<<<<<<<< shows Anti-virus signatures are updated
Anti-virus signature version: 1.13 (1.02)
Scan engine type: sophos-engine
Scan engine information: last action result: No error
