1. Situation:
In my environment, there are a couple of SRX clusters managed by NSM. NSM downloads IDP signature updates from the Internet and then pushes them to each SRX cluster. Most SRX cluster members receive the IDP signature updates, except one pair that is managed by NSM through a Virtual Chassis.
2. Symptoms:
For this SRX cluster pair, which is managed by NSM through a Virtual Chassis, only the primary cluster member ever receives the signature update; the secondary never does. Even after a failover, when the secondary becomes primary, NSM considers this cluster already updated to the latest signature database and stops pushing it.
3. Solutions:
Juniper has a KB article describing how to manually sync the database between the two cluster members. As long as one member has received the signature database, it can be copied to the second member and installed there manually.
Step 1: Copy the signature files from the primary's download folder to the secondary
root@fw-srx-2% ls -l /var/db/idpd/nsm-download/
total 75784
-rwxr-xr-x 1 root wheel 23406109 Apr 20 15:04 SignatureUpdate.xml
-rwxr-xr-x 1 root wheel 223243 Apr 20 15:04 application_groups.xml
-rwxr-xr-x 1 root wheel 31953 Apr 20 15:05 application_groups2.xml.gz
-rwxr-xr-x 1 root wheel 1678841 Apr 20 15:04 applications.xml
-rwxr-xr-x 1 root wheel 11823 Apr 20 15:07 applications.xsd
-rwxr-xr-x 1 root wheel 232937 Apr 20 15:06 applications2.xml.gz
-rwxr-xr-x 1 root wheel 4413629 Apr 20 15:06 compiled_ai.bin2
-rwxr-xr-x 1 root wheel 18360 Apr 20 15:06 contexts.xml.gz
-rwxr-xr-x 1 root wheel 851 Apr 20 15:06 filters.xml.gz
-rwxr-xr-x 1 root wheel 4067651 Apr 20 15:07 groups.xml
-rwxr-xr-x 1 root wheel 753 Apr 20 15:07 heuristics.bin.gz
-rwxr-xr-x 1 root wheel 1349960 Apr 20 15:07 libidp-detector.so.tgz.v
-rwxr-xr-x 1 root wheel 3093356 Apr 20 15:04 libqmprotocols.tgz
-rwxr-xr-x 1 root wheel 472 Apr 20 15:07 platforms.xml
-rwxr-xr-x 1 root wheel 59327 Apr 20 15:05 products.xml.gz
-rwxr-xr-x 1 root wheel 921 Apr 20 15:06 services.xml.gz
-rwxr-xr-x 1 root wheel 2832 Apr 20 15:06 templates.xml.gz
root@fw-srx-2% rcp -r -T /var/db/idpd/nsm-download/* node0:/var/db/idpd/nsm-download/
root@fw-srx-2% cli
root@fw-srx-1% cd /var/db/idpd/nsm-download/
root@fw-srx-1% ls -l
total 75784
-rwxr-xr-x 1 root wheel 23406109 Apr 21 14:55 SignatureUpdate.xml
-rwxr-xr-x 1 root wheel 223243 Apr 21 14:55 application_groups.xml
-rwxr-xr-x 1 root wheel 31953 Apr 21 14:55 application_groups2.xml.gz
-rwxr-xr-x 1 root wheel 1678841 Apr 21 14:56 applications.xml
-rwxr-xr-x 1 root wheel 11823 Apr 21 14:56 applications.xsd
-rwxr-xr-x 1 root wheel 232937 Apr 21 14:56 applications2.xml.gz
-rwxr-xr-x 1 root wheel 4413629 Apr 21 14:56 compiled_ai.bin2
-rwxr-xr-x 1 root wheel 18360 Apr 21 14:56 contexts.xml.gz
-rwxr-xr-x 1 root wheel 851 Apr 21 14:56 filters.xml.gz
-rwxr-xr-x 1 root wheel 4067651 Apr 21 14:57 groups.xml
-rwxr-xr-x 1 root wheel 753 Apr 21 14:57 heuristics.bin.gz
-rwxr-xr-x 1 root wheel 1349960 Apr 21 14:57 libidp-detector.so.tgz.v
-rwxr-xr-x 1 root wheel 3093356 Apr 21 14:58 libqmprotocols.tgz
-rwxr-xr-x 1 root wheel 472 Apr 21 14:58 platforms.xml
-rwxr-xr-x 1 root wheel 59327 Apr 21 14:58 products.xml.gz
-rwxr-xr-x 1 root wheel 921 Apr 21 14:58 services.xml.gz
-rwxr-xr-x 1 root wheel 2832 Apr 21 14:58 templates.xml.gz
root@fw-srx-1% cp * /var/db/idpd/sec-download/
Step 2: Install the copied signature database
{primary:node1}
root@fw-srx-2> request security idp security-package install node 0
node0:
--------------------------------------------------------------------------
Will be processed in async mode. Check the status using the status checking CLI
{primary:node1}
root@fw-srx-2> request security idp security-package install status
node0:
--------------------------------------------------------------------------
Done;AI installation failed! Attack DB update failed!
node1:
--------------------------------------------------------------------------
Ready to accept a new request
{primary:node1}
root@fw-srx-2> request security idp security-package install status
node0:
--------------------------------------------------------------------------
Done;Attack DB update : not performed
due to the same version between downloaded one and installed one.
Updating control and data-plane with new detector : not performed
due to the same detector version between downloaded and installed one.
node1:
--------------------------------------------------------------------------
Done;Attack DB update : successful - [UpdateNumber=2373,ExportDate=Tue May 13 16:22:18 2014 UTC,Detector=12.6.160140207]
Updating control-plane with new detector : successful
Updating data-plane with new attack or detector : successful
{secondary:node0}
root@fw-twinsburg-srx-1> …security idp security-package install status
node0:
--------------------------------------------------------------------------
In progress:Installing AI …
node1:
--------------------------------------------------------------------------
Done;Attack DB update : not performed
due to the same version between downloaded one and installed one.
Updating control and data-plane with new detector : not performed
due to the same detector version between downloaded and installed one.
{primary:node1}
root@fw-srx-2> show security idp policy-commit-status
node0:
--------------------------------------------------------------------------
IDP policy[/var/db/idpd/bins/fw-tw-20140109.bin.gz.v] and detector[/var/db/idpd/sec-repository/installed-detector/libidp-detector.so.tgz.v] loaded successfully.
The loaded policy size is:350641 Bytes
node1:
--------------------------------------------------------------------------
IDP policy[/var/db/idpd/bins/fw-tw-20140109.bin.gz.v] and detector[/var/db/idpd/sec-repository/installed-detector/libidp-detector.so.tgz.v] loaded successfully.
The loaded policy size is:415603 Bytes
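Before running the install in Step 2, it is worth confirming that the secondary really holds the same signature files as the primary. The POSIX shell check below is an added example, not part of the post or of the Juniper KB: it compares two saved "ls -l" listings of /var/db/idpd/nsm-download/ (one from each node) by file name and size only, because rcp without -p rewrites the timestamps, as the Apr 20 / Apr 21 listings above show. The sample listings are constructed, modelled on the output above.

```shell
#!/bin/sh
# Reduce an "ls -l" listing to sorted "size name" lines; the "total N"
# line has fewer fields and is dropped. Timestamps are deliberately ignored.
sig_manifest() {
    awk 'NF >= 9 { print $5, $9 }' | sort
}

# check_sig_sync PRIMARY_LISTING SECONDARY_LISTING
# Returns 0 when every file exists with the same size on both nodes,
# 1 otherwise; differing entries are printed ("<" primary, ">" secondary).
check_sig_sync() {
    p=$(mktemp "${TMPDIR:-/tmp}/sigsync.XXXXXX") || return 2
    s=$(mktemp "${TMPDIR:-/tmp}/sigsync.XXXXXX") || { rm -f "$p"; return 2; }
    sig_manifest <"$1" >"$p"
    sig_manifest <"$2" >"$s"
    if diff "$p" "$s"; then rc=0; else rc=1; fi
    rm -f "$p" "$s"
    return "$rc"
}

# Constructed sample: a few entries from the primary's nsm-download folder.
sample_primary_listing() {
cat <<'EOF'
total 75784
-rwxr-xr-x 1 root wheel 23406109 Apr 20 15:04 SignatureUpdate.xml
-rwxr-xr-x 1 root wheel 223243 Apr 20 15:04 application_groups.xml
-rwxr-xr-x 1 root wheel 1349960 Apr 20 15:07 libidp-detector.so.tgz.v
EOF
}
# Constructed sample: same files after rcp, newer timestamps, same sizes.
sample_secondary_synced_listing() {
cat <<'EOF'
total 75784
-rwxr-xr-x 1 root wheel 23406109 Apr 21 14:55 SignatureUpdate.xml
-rwxr-xr-x 1 root wheel 223243 Apr 21 14:55 application_groups.xml
-rwxr-xr-x 1 root wheel 1349960 Apr 21 14:57 libidp-detector.so.tgz.v
EOF
}
# Constructed sample: a stale secondary, older SignatureUpdate.xml and one
# file missing, which the check must report.
sample_secondary_stale_listing() {
cat <<'EOF'
total 73100
-rwxr-xr-x 1 root wheel 23100000 Mar 02 09:11 SignatureUpdate.xml
-rwxr-xr-x 1 root wheel 1349960 Mar 02 09:12 libidp-detector.so.tgz.v
EOF
}
```

Save "ls -l /var/db/idpd/nsm-download/" from each node to a file and run check_sig_sync on the pair; a non-zero exit means the copy in Step 1 should be repeated before installing.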