Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[Security Director] Update firewall policy job fails with error message "cannot insert statement before itself"

0

0

Article ID: KB34767 KB Last Updated: 29 Aug 2019Version: 1.0
Summary:

This article provides a solution and work-around for correcting the error condition.

Symptoms:

Under certain conditions, the update firewall policy job fails in Security Director with the following error:

[Error] Configuration Update failed.
Severity : Error
Message : cannot insert statement before itself

 

The preview configuration output shows the rule name inserted before the rule itself, as follows:

##Security Firewall Policy : trust - untrust##
insert security policies from-zone trust to-zone untrust policy Test before policy Test


 
Cause:

The root cause is due to an incomplete, failed, or canceled publish or unpublish job, for any policy for the selected device.

Solution:

Upgrade to Junos Space 19.2 to prevent this from happening. However, it will not correct any bad entries at the time of the upgrade. To correct the bad entries, perform the work-around below.
 

Work-around:

Run the attached script to clean up stuck jobs. Contact JTAC with any questions or assistance using this script.

Before running this script, ensure all policies assigned to the firewall are in a published state.  Check the Assigned, Published columns on the Device view.

Note: This script is designed for use with Security Director 17.1 - 19.1. This script should not be needed with Security Director 19.2+.

  1. Make a backup of the Space database by following the steps in Backing Up the Junos Space Network Management Platform Database. (The process is the same for all Space versions.)
  2. Download script file depending on the Security Director version from the following links:
    17.1RX
    17.2RX and above

  3. SCP the script file to the server and unzip.  (Unzip the script on the server to ensure file integrity.)
           Example:
           17.1RX:  unzip CleanupJobStruck_2_sh.zip
           17.2RX and above:  unzip CleanupJobStruck_sh.zip
 
        4. Run Script:
            17.1RX:  sh CleanupJobStruck_2.sh
            
17.2RX and above:  sh CleanupJobStruck.sh


Related KBs:
KB33777 - Device found in Security Director but not in Junos Space Platform
KB34765 - Stale entries for shared objects in Security Director
KB34766 - Stale entries for deleted VPN objects in Security Director
 

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search