It appeared this was an easy fix (I also tried 12.1R6.5 and 12.1X44-D11.5, to no avail).
First, I looked at the version of the signature DB that it's trying to download (2263):
netops> request security idp security-package download check-server
Successfully retrieved from(https://services.netscreen.com/cgi-bin/index.cgi).
Version info:2263(Detector=12.6.160130325, Templates=2263)
Then, I decided that this is possibly an actual bad md5 checksum (per what Junos expects), and I downloaded the previous version, 2262:
netops> request security idp security-package download version full-update 2262
Will be processed in async mode. Check the status using the status checking CLI
It worked! I've had to do something similar on Netscreen, but it's been a while. I turned off automated updates, and I can get back to studying.
netops> request security idp security-package download status
Done;Successfully downloaded from(https://services.netscreen.com/cgi-bin/index.cgi).
Version info:2262(Tue May 14 16:27:00 2013 UTC, Detector=12.6.160130325)
Now that the download is finished, everything is installing properly:
netops> request security idp security-package install
Will be processed in async mode. Check the status using the status checking CLI
netops> request security idp security-package install status
In progress:performing DB update...
netops> request security idp security-package install status
In progress:performing DB update for an xml (groups.xml)
netops> request security idp security-package install status
In progress:performing DB update for an xml (applications.xml)
etc.
netops> request security idp security-package install status
Done;Attack DB update : successful - [UpdateNumber=2262,ExportDate=Tue May 14 16:27:00 2013 UTC,Detector=12.6.160130325]
Updating control-plane with new detector : successful
Updating data-plane with new attack or detector : not performed
due to no active policy configured.
I'm thinking that this is either a bug in SRX110H-VA, a combination of hardware/software release, or bad signature updates on services.netscreen.com. I'm pretty sure that I could just look through the XML, and figure out where the bad md5sum is (and fix it by hand), but I'll follow up once I hear back from Juniper.
Newest edit: I also had to manually download the policy template from Juniper, extract it with gzip -d templates.xml.gz, and place it in /var/db/idpd/sec-download/sub-download/. Once that was done, I was able to install it. The issue here is that the request security idp security-package install policy-templates command does not take a 'version', like the other idp commands. This will always be an issue when the head IDP policy has md5 errors, although I would hope that this isn't a frequent occurrence at Juniper.
netops> request security idp security-package install policy-templates
Will be processed in async mode. Check the status using the status checking CLI
netops> request security idp security-package install status
Done;policy-templates has been successfully updated into internal repository
(=>/var/db/scripts/commit/templates.xsl)!
Best Answer
X indicates that it is an aggressive feature train per KB27144 and TSB16034. The NN is a normal incremental version number.