[SRX] Why "configuration check-out failed" error is seen after executing "commit check"?


Article ID: KB34102 KB Last Updated: 31 Mar 2020 Version: 3.0

Summary:

On SRX devices, users may encounter the "error: configuration check-out failed" error while executing commit check. The error is seen after the download and installation of security package 3062 on SRX devices.

Note: This error was seen on an SRX 550 running Junos OS 12.3X48 D50. However, it can occur irrespective of the SRX hardware and Junos version.

This article identifies the security package version in which this error has been resolved, provides a workaround, and explains why commit check fails.

 

Symptoms:

A configuration check-out failed error is reported as shown below when a commit check is executed.

[edit]
user@host# commit check
[edit security idp idp-policy Space-IPS-Policy rulebase-ips rule Untrust-IPS-BITTORRENT match attacks]
'predefined-attacks P2P:AUDIT:SE-HUB-LOOK'
Unknown attack:P2P:AUDIT:SE-HUB-LOOK
error: configuration check-out failed

Note: Removing IDP and reinstalling it from scratch or rebooting the device does not resolve the issue.

 

Cause:

The following signatures were removed from security package 3062. Because the IDP policy still references them, commit check fails.

P2P:AUDIT:SOFTETHER-SSH
P2P:BITTORRENT:BT-TRACKER-DOS
P2P:BITTORRENT:CONTENT-TYPE
P2P:BITTORRENT:DHT
P2P:BITTORRENT:DOT-TORRENT
P2P:EDONKEY:FILE-SEARCH-REQ
P2P:EDONKEY:FILE-SHARES

 

Solution:

This issue has been fixed in signature pack 3065, in which the seven missing signatures have been added again.

Meanwhile, the workarounds are to remove the missing signatures manually, disable IDP, or disable the IDP security policy.

  1. Remove the seven missing signatures from the predefined attack groups as shown below:

user@host# delete security idp idp-policy Space-IPS-Policy rulebase-ips rule Untrust-IPS-BITTORRENT match attacks predefined-attacks P2P:AUDIT:SE-HUB-LOOK

[edit]
user@host# commit check
[edit security idp idp-policy Space-IPS-Policy rulebase-ips rule Untrust-IPS-BITTORRENT match attacks]
  'predefined-attacks P2P:AUDIT:SOFTETHER-SSH'
    Unknown attack:P2P:AUDIT:SOFTETHER-SSH
error: configuration check-out failed

[edit]
user@host# delete security idp idp-policy Space-IPS-Policy rulebase-ips rule Untrust-IPS-BITTORRENT match attacks predefined-attacks P2P:AUDIT:SOFTETHER-SSH 

[edit]
user@host# commit check
[edit security idp idp-policy Space-IPS-Policy rulebase-ips rule Untrust-IPS-BITTORRENT match attacks]
  'predefined-attacks P2P:BITTORRENT:BT-TRACKER-DOS'
    Unknown attack:P2P:BITTORRENT:BT-TRACKER-DOS
error: configuration check-out failed

[edit]
user@host# delete security idp idp-policy Space-IPS-Policy rulebase-ips rule Untrust-IPS-BITTORRENT match attacks predefined-attacks P2P:BITTORRENT:BT-TRACKER-DOS

[edit]
user@host# commit check
[edit security idp idp-policy Space-IPS-Policy rulebase-ips rule Untrust-IPS-BITTORRENT match attacks]
  'predefined-attacks P2P:BITTORRENT:CONTENT-TYPE'
    Unknown attack:P2P:BITTORRENT:CONTENT-TYPE
error: configuration check-out failed

[edit]
user@host# delete security idp idp-policy Space-IPS-Policy rulebase-ips rule Untrust-IPS-BITTORRENT match attacks predefined-attacks P2P:BITTORRENT:CONTENT-TYPE              

[edit]
user@host# commit check
[edit security idp idp-policy Space-IPS-Policy rulebase-ips rule Untrust-IPS-BITTORRENT match attacks]
  'predefined-attacks P2P:BITTORRENT:DHT'
    Unknown attack:P2P:BITTORRENT:DHT
error: configuration check-out failed

[edit]
user@host# delete security idp idp-policy Space-IPS-Policy rulebase-ips rule Untrust-IPS-BITTORRENT match attacks predefined-attacks P2P:BITTORRENT:DHT            

[edit]
user@host# commit check
[edit security idp idp-policy Space-IPS-Policy rulebase-ips rule Untrust-IPS-BITTORRENT match attacks]
  'predefined-attacks P2P:BITTORRENT:DOT-TORRENT'
    Unknown attack:P2P:BITTORRENT:DOT-TORRENT
error: configuration check-out failed

[edit]
user@host# delete security idp idp-policy Space-IPS-Policy rulebase-ips rule Untrust-IPS-BITTORRENT match attacks predefined-attacks P2P:BITTORRENT:DOT-TORRENT

[edit]
user@host# commit check
[edit security idp idp-policy Space-IPS-Policy rulebase-ips rule Untrust-IPS-BITTORRENT match attacks]
  'predefined-attacks P2P:EDONKEY:FILE-SEARCH-REQ'
    Unknown attack:P2P:EDONKEY:FILE-SEARCH-REQ
error: configuration check-out failed

[edit]
user@host# delete security idp idp-policy Space-IPS-Policy rulebase-ips rule Untrust-IPS-BITTORRENT match attacks predefined-attacks P2P:EDONKEY:FILE-SEARCH-REQ  

[edit]
user@host# commit check
[edit security idp idp-policy Space-IPS-Policy rulebase-ips rule Untrust-IPS-BITTORRENT match attacks]
  'predefined-attacks P2P:EDONKEY:FILE-SHARES'
    Unknown attack:P2P:EDONKEY:FILE-SHARES
error: configuration check-out failed

[edit]
user@host# delete security idp idp-policy Space-IPS-Policy rulebase-ips rule Untrust-IPS-BITTORRENT match attacks predefined-attacks P2P:EDONKEY:FILE-SHARES                       

[edit]
user@host# commit check
configuration check succeeds

  2. Disable IDP or the IDP security policy as follows:

  • deactivate security idp
  • deactivate security policies from-zone untrust to-zone external policy untrust-out-permit then permit application-services idp
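
The first workaround above finds the stale references one commit check at a time. As an added example (not Juniper's code), the Python script below scans "show configuration security idp | display set" output for references to the signatures this article reports as unknown and produces all the delete commands in one pass, plus the matching set commands for restoring them later. The sample configuration text, the plan_deletes function name and the EXAMPLE:STILL-PRESENT signature are constructed for illustration.

```python
import re

# Signatures the article reports as unknown after security package 3062:
# the seven listed under "Cause" plus SE-HUB-LOOK from the commit check output.
REMOVED = {
    "P2P:AUDIT:SE-HUB-LOOK",
    "P2P:AUDIT:SOFTETHER-SSH",
    "P2P:BITTORRENT:BT-TRACKER-DOS",
    "P2P:BITTORRENT:CONTENT-TYPE",
    "P2P:BITTORRENT:DHT",
    "P2P:BITTORRENT:DOT-TORRENT",
    "P2P:EDONKEY:FILE-SEARCH-REQ",
    "P2P:EDONKEY:FILE-SHARES",
}

# One predefined-attacks reference in "display set" form (value may be quoted).
REF = re.compile(
    r'^set (security idp idp-policy \S+ rulebase-\S+ rule \S+ '
    r'match attacks predefined-attacks) "?([^"\s]+)"?\s*$'
)

def plan_deletes(display_set_text, removed=REMOVED):
    """Return (delete_cmds, restore_cmds) for every stale reference found."""
    deletes, restores = [], []
    for line in display_set_text.splitlines():
        m = REF.match(line.strip())
        if m and m.group(2) in removed:
            path, attack = m.groups()
            deletes.append(f"delete {path} {attack}")
            restores.append(f"set {path} {attack}")
    return deletes, restores

# Constructed sample input; policy and rule names follow the article's transcript.
_RULE = "security idp idp-policy Space-IPS-Policy rulebase-ips rule Untrust-IPS-BITTORRENT"
SAMPLE = "\n".join([
    f"set {_RULE} match attacks predefined-attacks P2P:AUDIT:SE-HUB-LOOK",
    f'set {_RULE} match attacks predefined-attacks "P2P:BITTORRENT:DHT"',
    f"set {_RULE} match attacks predefined-attacks EXAMPLE:STILL-PRESENT",
    f"set {_RULE} then action drop-connection",
])

if __name__ == "__main__":
    deletes, restores = plan_deletes(SAMPLE)
    print("\n".join(deletes))
    print("# restore after updating the signature pack:")
    print("\n".join(restores))
```

Keep the restore list so the references can be put back once signature pack 3065 is installed.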

 
