Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[JSA] CRE processor threads can die when the MAXMIND database is updated via Auto update



Article ID: KB34719 KB Last Updated: 06 Jul 2019Version: 1.0

CRE processor threads can die when the MAXMIND database is updated via Auto update. As a result, the JSA server would stop processing Offenses.

This could be verified by checking the event details where the "Custom Rule" and "Custom Rules Partially Matched" tables' content would be empty.


Offenses and Rules stop working.


It has been identified that CRE thread dies when the Maxmind database (used for geolocation updates) is updated via Auto Update. JSA  processing issues with the Custom Rule Engine (CRE), including Offense generation can occur due to an un-caught thread exception.

Messages similar to the following might be visible in /var/log/qradar.error on affected appliances when this issue is occurs after the Auto Update is performed:

com.q1labs.frameworks.core.ThreadExceptionHandler: [ERROR]
[NOT:0000003000][/- -] [-/- -]Exception was uncaught in thread: Preprocessor(events)_9 java.lang.InternalError: SIGBUS
    at com.maxmind.db.Reader.readNode(
    at com.maxmind.db.Reader.findAddressInTree(
    at com.maxmind.db.Reader.get(
    at com.maxmind.geoip2.DatabaseReader.get(
    at com.q1labs.core.shared.location.LocationUtils.lookup(
    at com.q1labs.core.shared.location.LocationUtils.lookup(
    at com.q1labs.core.shared.location.LocationUtils.lookup(
    at com.q1labs.core.types.event.NormalizedEventProperties$SourceGeographicLocation.createKey(
    at com.q1labs.core.types.event.NormalizedEventProperties$SourceGeographicLocation.createKey(
    at com.q1labs.cve.accumulation.ObjectArrayAccessors$ObjectArrayAccessor.getKey(
    at com.q1labs.cve.accumulation.ObjectArrayAccessors.getKey(
    at com.q1labs.cve.accumulation.ObjectArrayAccessors.buildRecord(
    at com.q1labs.cve.accumulation.Preprocessor$
    at java.util.concurrent.ThreadPoolExecutor.runWorker(
    at java.util.concurrent.ThreadPoolExecutor$

When you have verified that a JSA server is experiencing the CRE issue as defined above, a restart of the ecs-ep service via the command line (SSH) on the affected appliance(s) can be used to correct the issue:

# systemctl restart ecs-ep

To prevent this from reoccurring until a patch fix is applied, you can disable updates of the maxmind/geographic data file using the following steps:

  1. Go to Admin tab > System Settings / Geographic Settings

  2. Set 'Disable Automatic content Updates' to 'True' (default is False)

Note: This issue is fixed in JSA 7.3.1 patch 9 (mentioned under resolved issues in release notes)


Related Links

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search