Knowledge Search


×
 

[Security Director] Update firewall policy job fails with error message "cannot insert statement before itself"

  [KB34767] Show Article Properties


Summary:

This article provides a solution and work-around for correcting the error condition.

Symptoms:

Under certain conditions, the update firewall policy job fails in Security Director with the following error:

[Error] Configuration Update failed.
Severity : Error
Message : cannot insert statement before itself

 

The preview configuration output shows the rule name inserted before the rule itself, as follows:

##Security Firewall Policy : trust - untrust##
insert security policies from-zone trust to-zone untrust policy Test before policy Test


 
Cause:

The root cause is due to an incomplete, failed, or canceled publish or unpublish job, for any policy for the selected device.

Solution:

Upgrade to Junos Space 19.2 to prevent this from happening. However, it will not correct any bad entries at the time of the upgrade. To correct the bad entries, perform the work-around below.
 

Work-around:

Run the attached script to clean up stuck jobs. Contact JTAC with any questions or assistance using this script.

Before running this script, ensure all policies assigned to the firewall are in a published state.  Check the Assigned, Published columns on the Device view.

Note: This script is designed for use with Security Director 17.1 - 19.1. This script should not be needed with Security Director 19.2+.

  1. Make a backup of the Space database by following the steps in Backing Up the Junos Space Network Management Platform Database. (The process is the same for all Space versions.)
  2. Download script file depending on the Security Director version from the following links:
    17.1RX
    17.2RX and above

  3. SCP the script file to the server and unzip.  (Unzip the script on the server to ensure file integrity.)
           Example:
           17.1RX:  unzip CleanupJobStruck_2_sh.zip
           17.2RX and above:  unzip CleanupJobStruck_sh.zip
 
        4. Run Script:
            17.1RX:  sh CleanupJobStruck_2.sh
            
17.2RX and above:  sh CleanupJobStruck.sh


Related KBs:
KB33777 - Device found in Security Director but not in Junos Space Platform
KB34765 - Stale entries for shared objects in Security Director
KB34766 - Stale entries for deleted VPN objects in Security Director
 

Related Links: