[SRX] Why "configuration check-out failed" error is seen after executing "commit check"?

[KB34102]


Summary:

On SRX devices, users may encounter the "error: configuration check-out failed" error while executing commit check. The error is seen after security package 3062 is downloaded and installed on SRX devices.

Note: This error was seen on an SRX 550 running Junos OS 12.3X48 D50. However, it can occur irrespective of the SRX hardware and Junos version.

This article gives the reason commit check fails, a workaround, and the security package version in which the error has been resolved.

 

Symptoms:

A configuration check-out failed error is reported as shown below when a commit check is executed.

[edit]
user@host# commit check
[edit security idp idp-policy Space-IPS-Policy rulebase-ips rule Untrust-IPS-BITTORRENT match attacks]
'predefined-attacks P2P:AUDIT:SE-HUB-LOOK'
Unknown attack:P2P:AUDIT:SE-HUB-LOOK
error: configuration check-out failed

Note: Removing IDP and reinstalling it from scratch or rebooting the device does not resolve the issue.

 

Cause:

The following signatures were removed from security package 3062, which causes commit check to fail:

P2P:AUDIT:SOFTETHER-SSH
P2P:BITTORRENT:BT-TRACKER-DOS
P2P:BITTORRENT:CONTENT-TYPE
P2P:BITTORRENT:DHT
P2P:BITTORRENT:DOT-TORRENT
P2P:EDONKEY:FILE-SEARCH-REQ
P2P:EDONKEY:FILE-SHARES

 

Solution:

This issue has been fixed in signature pack 3065, in which the seven missing signatures have been added again.

Meanwhile, the workarounds are to remove the missing signatures manually, to disable IDP, or to disable the IDP security policy.
  1. Remove the seven missing signatures from the predefined attack groups as shown below:
user@host# delete security idp idp-policy Space-IPS-Policy rulebase-ips rule Untrust-IPS-BITTORRENT match attacks predefined-attacks P2P:AUDIT:SE-HUB-LOOK

[edit]
user@host# commit check
[edit security idp idp-policy Space-IPS-Policy rulebase-ips rule Untrust-IPS-BITTORRENT match attacks]
  'predefined-attacks P2P:AUDIT:SOFTETHER-SSH'
    Unknown attack:P2P:AUDIT:SOFTETHER-SSH
error: configuration check-out failed

[edit]
user@host# delete security idp idp-policy Space-IPS-Policy rulebase-ips rule Untrust-IPS-BITTORRENT match attacks predefined-attacks P2P:AUDIT:SOFTETHER-SSH 

[edit]
user@host# commit check
[edit security idp idp-policy Space-IPS-Policy rulebase-ips rule Untrust-IPS-BITTORRENT match attacks]
  'predefined-attacks P2P:BITTORRENT:BT-TRACKER-DOS'
    Unknown attack:P2P:BITTORRENT:BT-TRACKER-DOS
error: configuration check-out failed

[edit]
user@host# delete security idp idp-policy Space-IPS-Policy rulebase-ips rule Untrust-IPS-BITTORRENT match attacks predefined-attacks P2P:BITTORRENT:BT-TRACKER-DOS

[edit]
user@host# commit check
[edit security idp idp-policy Space-IPS-Policy rulebase-ips rule Untrust-IPS-BITTORRENT match attacks]
  'predefined-attacks P2P:BITTORRENT:CONTENT-TYPE'
    Unknown attack:P2P:BITTORRENT:CONTENT-TYPE
error: configuration check-out failed

[edit]
user@host# delete security idp idp-policy Space-IPS-Policy rulebase-ips rule Untrust-IPS-BITTORRENT match attacks predefined-attacks P2P:BITTORRENT:CONTENT-TYPE              

[edit]
user@host# commit check
[edit security idp idp-policy Space-IPS-Policy rulebase-ips rule Untrust-IPS-BITTORRENT match attacks]
  'predefined-attacks P2P:BITTORRENT:DHT'
    Unknown attack:P2P:BITTORRENT:DHT
error: configuration check-out failed

[edit]
user@host# delete security idp idp-policy Space-IPS-Policy rulebase-ips rule Untrust-IPS-BITTORRENT match attacks predefined-attacks P2P:BITTORRENT:DHT            

[edit]
user@host# commit check
[edit security idp idp-policy Space-IPS-Policy rulebase-ips rule Untrust-IPS-BITTORRENT match attacks]
  'predefined-attacks P2P:BITTORRENT:DOT-TORRENT'
    Unknown attack:P2P:BITTORRENT:DOT-TORRENT
error: configuration check-out failed

[edit]
user@host# delete security idp idp-policy Space-IPS-Policy rulebase-ips rule Untrust-IPS-BITTORRENT match attacks predefined-attacks P2P:BITTORRENT:DOT-TORRENT

[edit]
user@host# commit check
[edit security idp idp-policy Space-IPS-Policy rulebase-ips rule Untrust-IPS-BITTORRENT match attacks]
  'predefined-attacks P2P:EDONKEY:FILE-SEARCH-REQ'
    Unknown attack:P2P:EDONKEY:FILE-SEARCH-REQ
error: configuration check-out failed

[edit]
user@host# delete security idp idp-policy Space-IPS-Policy rulebase-ips rule Untrust-IPS-BITTORRENT match attacks predefined-attacks P2P:EDONKEY:FILE-SEARCH-REQ  

[edit]
user@host# commit check
[edit security idp idp-policy Space-IPS-Policy rulebase-ips rule Untrust-IPS-BITTORRENT match attacks]
  'predefined-attacks P2P:EDONKEY:FILE-SHARES'
    Unknown attack:P2P:EDONKEY:FILE-SHARES
error: configuration check-out failed

[edit]
user@host# delete security idp idp-policy Space-IPS-Policy rulebase-ips rule Untrust-IPS-BITTORRENT match attacks predefined-attacks P2P:EDONKEY:FILE-SHARES                       

[edit]
user@host# commit check
configuration check succeeds 
  2. Disable IDP or the IDP security policy as follows:

  • deactivate security idp
  • deactivate security policies from-zone untrust to-zone external policy untrust-out-permit then permit application-services idp
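
The delete-and-recheck loop in workaround 1, collapsed into one pass, as an added example (not part of the original article or Juniper tooling): it scans "show configuration security idp | display set" output for references to the removed signatures and builds every delete command at once. The sample configuration, the Branch-IPS-Policy and Block-P2P names, and EXAMPLE:STILL-PRESENT are constructed; policy and rule names are assumed to contain no spaces.

```python
import re

# Signatures the article lists as removed in security package 3062, plus
# P2P:AUDIT:SE-HUB-LOOK, which the article's commit check output reports first.
REMOVED = {
    "P2P:AUDIT:SE-HUB-LOOK", "P2P:AUDIT:SOFTETHER-SSH",
    "P2P:BITTORRENT:BT-TRACKER-DOS", "P2P:BITTORRENT:CONTENT-TYPE",
    "P2P:BITTORRENT:DHT", "P2P:BITTORRENT:DOT-TORRENT",
    "P2P:EDONKEY:FILE-SEARCH-REQ", "P2P:EDONKEY:FILE-SHARES",
}

# Constructed sample of "show configuration security idp | display set" output.
# Branch-IPS-Policy, Block-P2P and EXAMPLE:STILL-PRESENT are made-up names.
SAMPLE_CONFIG = """\
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Untrust-IPS-BITTORRENT match attacks predefined-attacks P2P:AUDIT:SE-HUB-LOOK
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Untrust-IPS-BITTORRENT match attacks predefined-attacks P2P:BITTORRENT:DHT
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Untrust-IPS-BITTORRENT match attacks predefined-attacks EXAMPLE:STILL-PRESENT
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Untrust-IPS-BITTORRENT then action drop-connection
set security idp idp-policy Branch-IPS-Policy rulebase-ips rule Block-P2P match attacks predefined-attacks "P2P:EDONKEY:FILE-SHARES"
"""

# Commit check output as shown in the article's Symptoms section.
SAMPLE_COMMIT_CHECK = """\
[edit security idp idp-policy Space-IPS-Policy rulebase-ips rule Untrust-IPS-BITTORRENT match attacks]
  'predefined-attacks P2P:AUDIT:SE-HUB-LOOK'
    Unknown attack:P2P:AUDIT:SE-HUB-LOOK
error: configuration check-out failed
"""

SET_LINE = re.compile(
    r"^set (security idp idp-policy \S+ rulebase-\S+ rule \S+ "
    r"match attacks predefined-attacks) (\S+)$"
)

def delete_commands(config_text, removed=frozenset(REMOVED)):
    """Return one delete command per reference to a removed signature."""
    commands = []
    for line in config_text.splitlines():
        m = SET_LINE.match(line.strip())
        # Quotes around the name are tolerated in case the CLI emits them.
        if m and m.group(2).strip('"') in removed:
            commands.append(f"delete {m.group(1)} {m.group(2)}")
    return commands

def unknown_attacks(commit_check_output):
    """Extract attack names from 'Unknown attack:NAME' lines."""
    return re.findall(r"Unknown attack:\s*(\S+)", commit_check_output)

if __name__ == "__main__":
    print("\n".join(delete_commands(SAMPLE_CONFIG)))
```

Review the generated commands before pasting them in configuration mode, then run commit check as in the article.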

 
