1. Situation:

In my environment, there are a couple of SRX Clusters managed by NSM. NSM downloads IDP signature updates from Internet then push those updates to each SRX clusters. Most of SRX cluster members will get IDP signature updates except one pair managed by NSM through Virtual Chassis.

2. Symptoms:

For this pair SRX cluster which is managed by NSM through Virtual Chassis, always only primary cluster member get the signature update, not the secondary one. Even after failover, the secondary becomes primary, the NSM will think this pair SRX cluster has been updated to latest signature database then stop to push.

3. Solutions:

Juniper has a KB to manually sync the database between two cluster members. As long as you have one member got the signature database, the second one can be manually copied in and install it.

Step 1: Copy the signature from Primary folder to Secondary

root@fw-srx-2% rlogin -T node0
— JUNOS 11.4R10.3 built 2013-11-15 06:56:20 UTC

root@fw-srx-2% ls -l /var/db/idpd/nsm-download/
total 75784
-rwxr-xr-x  1 root  wheel  23406109 Apr 20 15:04 SignatureUpdate.xml
-rwxr-xr-x  1 root  wheel    223243 Apr 20 15:04 application_groups.xml
-rwxr-xr-x  1 root  wheel     31953 Apr 20 15:05 application_groups2.xml.gz
-rwxr-xr-x  1 root  wheel   1678841 Apr 20 15:04 applications.xml
-rwxr-xr-x  1 root  wheel     11823 Apr 20 15:07 applications.xsd
-rwxr-xr-x  1 root  wheel    232937 Apr 20 15:06 applications2.xml.gz
-rwxr-xr-x  1 root  wheel   4413629 Apr 20 15:06 compiled_ai.bin2
-rwxr-xr-x  1 root  wheel     18360 Apr 20 15:06 contexts.xml.gz
-rwxr-xr-x  1 root  wheel       851 Apr 20 15:06 filters.xml.gz
-rwxr-xr-x  1 root  wheel   4067651 Apr 20 15:07 groups.xml
-rwxr-xr-x  1 root  wheel       753 Apr 20 15:07 heuristics.bin.gz
-rwxr-xr-x  1 root  wheel   1349960 Apr 20 15:07 libidp-detector.so.tgz.v
-rwxr-xr-x  1 root  wheel   3093356 Apr 20 15:04 libqmprotocols.tgz
-rwxr-xr-x  1 root  wheel       472 Apr 20 15:07 platforms.xml
-rwxr-xr-x  1 root  wheel     59327 Apr 20 15:05 products.xml.gz
-rwxr-xr-x  1 root  wheel       921 Apr 20 15:06 services.xml.gz
-rwxr-xr-x  1 root  wheel      2832 Apr 20 15:06 templates.xml.gz


root@fw-srx-2% rcp -r -T  /var/db/idpd/nsm-download/* node0:/var/db/idpd/nsm-download/
root@fw-srx-2% cli

root@fw-srx-1% cd /var/db/idpd/nsm-download/
root@fw-srx-1% ls -l
total 75784
-rwxr-xr-x  1 root  wheel  23406109 Apr 21 14:55 SignatureUpdate.xml
-rwxr-xr-x  1 root  wheel    223243 Apr 21 14:55 application_groups.xml
-rwxr-xr-x  1 root  wheel     31953 Apr 21 14:55 application_groups2.xml.gz
-rwxr-xr-x  1 root  wheel   1678841 Apr 21 14:56 applications.xml
-rwxr-xr-x  1 root  wheel     11823 Apr 21 14:56 applications.xsd
-rwxr-xr-x  1 root  wheel    232937 Apr 21 14:56 applications2.xml.gz
-rwxr-xr-x  1 root  wheel   4413629 Apr 21 14:56 compiled_ai.bin2
-rwxr-xr-x  1 root  wheel     18360 Apr 21 14:56 contexts.xml.gz
-rwxr-xr-x  1 root  wheel       851 Apr 21 14:56 filters.xml.gz
-rwxr-xr-x  1 root  wheel   4067651 Apr 21 14:57 groups.xml
-rwxr-xr-x  1 root  wheel       753 Apr 21 14:57 heuristics.bin.gz
-rwxr-xr-x  1 root  wheel   1349960 Apr 21 14:57 libidp-detector.so.tgz.v
-rwxr-xr-x  1 root  wheel   3093356 Apr 21 14:58 libqmprotocols.tgz
-rwxr-xr-x  1 root  wheel       472 Apr 21 14:58 platforms.xml
-rwxr-xr-x  1 root  wheel     59327 Apr 21 14:58 products.xml.gz
-rwxr-xr-x  1 root  wheel       921 Apr 21 14:58 services.xml.gz
-rwxr-xr-x  1 root  wheel      2832 Apr 21 14:58 templates.xml.gz
root@fw-srx-1% cp * /var/db/idpd/sec-download/

Step 2: Install the copied signature database

{primary:node1}
root@fw-srx-2> request security idp security-package install node 0 
node0:
root@fw-srx-1% clear——————————————–
Will be processed in async mode. Check the status using the status checking CLI

{primary:node1}
root@fw-srx-2> request security idp security-package install status    
node0:
————————————————————————–
Done;AI installation failed! Attack DB update failed!

node1:
————————————————————————–
Ready to accept a new request

{primary:node1}
root@fw-srx-2> request security idp security-package install status    
node0:
————————————————————————–
Done;Attack DB update : not performed
      due to the same version between downloaded one and installed one.
     Updating control and data-plane with new detector : not performed
      due to the same detector version between downloaded  and installed one.

node1:
————————————————————————–
Done;Attack DB update : successful – [UpdateNumber=2373,ExportDate=Tue May 13 16:22:18 2014 UTC,Detector=12.6.160140207]
     Updating control-plane with new detector : successful

     Updating data-plane with new attack or detector : successful


{secondary:node0}
root@fw-twinsburg-srx-1> …security idp security-package install status    
node0:
————————————————————————–
In progress:Installing AI …

node1:
————————————————————————–
Done;Attack DB update : not performed
      due to the same version between downloaded one and installed one.
     Updating control and data-plane with new detector : not performed

      due to the same detector version between downloaded  and installed one.


{primary:node1}
root@fw-srx-2> show security idp policy-commit-status 
node0:
————————————————————————–
 IDP policy[/var/db/idpd/bins/fw-tw-20140109.bin.gz.v] and detector[/var/db/idpd/sec-repository/installed-detector/libidp-detector.so.tgz.v] loaded successfully.
 The loaded policy size is:350641 Bytes

node1:
————————————————————————–
 IDP policy[/var/db/idpd/bins/fw-tw-20140109.bin.gz.v] and detector[/var/db/idpd/sec-repository/installed-detector/libidp-detector.so.tgz.v] loaded successfully.
 The loaded policy size is:415603 Bytes


Step 3: verify the installation status

root@fw-srx-2% rlogin -T node0
— JUNOS 11.4R10.3 built 2013-11-15 06:56:20 UTC

{secondary:node0}
root@fw-srx-1> …security idp security-package install status    
node0:
————————————————————————–
In progress:performing DB update for an xml (SignatureUpdate.xml)

node1:
————————————————————————–
Ready to accept a new request



{secondary:node0}
root@fw-srx-1> …security idp security-package install status    
node0:
————————————————————————–
Done;Attack DB update : successful – [UpdateNumber=2365,ExportDate=Wed Apr 16 19:07:52 2014 UTC,Detector=12.6.160140207]
     Updating control-plane with new detector : successful
     Updating data-plane with new attack or detector : successful

node1:
————————————————————————–
Ready to accept a new request

{secondary:node0}
root@fw-srx-1> show security idp security-package-version 
node0:
————————————————————————–

  Attack database version:2365(Wed Apr 16 19:07:52 2014 UTC)
  Detector version :12.6.160140207
  Policy template version :N/A

node1:
————————————————————————–

  Attack database version:2365(Wed Apr 16 19:07:52 2014 UTC)
  Detector version :12.6.160140207
  Policy template version :N/A

By Jon

Leave a Reply