Contributor
Chuck
Posts: 32
Registered: ‎02-03-2009

DI Update of Devices not working

Hi,

We have an NSM device which manages around 100 SSG-140s. The problem we are facing is with the offline update of DI (Attack Database). We run the below script to get this to work:

cd /usr/netscreen/GuiSvr/utils/

./guiSvrCli.sh --attack-update --post-action --update-devices  --skip

This script is downloading the new DI update packs and updating the NSM server, but it is not pushing this to the firewalls, i.e. the post action is not working properly. If I run the command manually, it says the command completed successfully. If I go to the GUI and check the Job Manager (in the global domain), I can see that the "Scheduled Attack Database Update" is 100% Success. Along with this, 2 firewalls are also getting updates. But the rest of the firewalls will not be updated.


The strange thing is that if I do an Attack DB push from the GUI, all the firewalls take the update smoothly. Why is this script not pushing the update to the firewalls?

NSM version: 2008.2 r2

Recognized Expert
Daniele
Posts: 164
Registered: ‎11-06-2007

Re: DI Update of Devices not working

Hi Chuck,

From the guiSvrCli.sh --help:

   --post-action          This parameter specifies what action the system
                          should perform after attack have been updated.
      --update-devices    This parameter directs the system to attempt
                          to update affected devices, though devices having
                          other changes pending willbe skipped so as to
                          avoid accidentally pushing unexpected changes
         --retry          THIS PARAMETER IS DEPRECATED. Offline device
                          will always be skipped for updating.
            --override    THIS PARAMETER IS DEPRECATED. Setting it will
                          have no effect.
            --abort       THIS PARAMETER IS DEPRECATED. Setting it will
                          have no effect.
         --skip           This parameter directs the system to skip updating
                          the device if device is not connected to the
                          system 
So I can see 2 different situations:

1) the devices are not connected to NSM when the operation is executed

2) the devices have pending changes (check the status; it should be "Managed, In Sync" on the device manager list!)

Btw, the right command syntax for 2008.2r2 is:

/usr/netscreen/GuiSvr/utils/guiSvrCli.sh --update-attacks --post-action --update-devices --skip

Check this KB for more info:

http://kb.juniper.net/KB7863

Ciao!

Daniele

***Contributor at Router Freak blog***
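The two skip conditions quoted from the help text above (device not connected, or device with pending changes) are easy to check before running the post-action, so that a "command completed successfully" result does not hide 98 silently skipped firewalls. The following is an added example, not code from the thread or from Juniper: it reads a constructed tab-separated inventory (device name, connection state, configuration state; this is not real NSM export output) and reports which devices --post-action --update-devices --skip would push to and which it would skip, and why.

```shell
#!/bin/sh
# Added example (not from the thread or from Juniper's tooling).
# Given a device inventory, predict which devices the NSM attack-database
# post-action (--post-action --update-devices --skip) will push to and
# which it will skip, following the two conditions in guiSvrCli.sh --help:
#   1) device not connected to NSM  -> skipped because of --skip
#   2) device has pending changes    -> skipped to avoid pushing unexpected changes
# The inventory format (name<TAB>conn<TAB>state) is a constructed format,
# not real NSM output.

TAB=$(printf '\t')

# Constructed sample inventory: six devices, three of them with the
# "Changed" states discussed in the thread and one disconnected.
SAMPLE_INVENTORY="fw-dc1-a${TAB}Up${TAB}Managed, In Sync
fw-dc1-b${TAB}Up${TAB}Managed, Device Changed
fw-branch-07${TAB}Down${TAB}Managed, In Sync
fw-branch-08${TAB}Up${TAB}Managed, NSM Changed
fw-branch-09${TAB}Up${TAB}Managed, Device and NSM Changed
fw-dc2-a${TAB}Up${TAB}Managed, In Sync"

# classify_device NAME CONN STATE -> prints "NAME<TAB>VERDICT"
classify_device() {
  name=$1; conn=$2; state=$3
  if [ "$conn" != "Up" ]; then
    printf '%s\t%s\n' "$name" "SKIP: not connected (--skip)"
  elif [ "$state" != "Managed, In Sync" ]; then
    printf '%s\t%s\n' "$name" "SKIP: pending changes ($state)"
  else
    printf '%s\t%s\n' "$name" "UPDATE"
  fi
}

# classify_inventory < inventory -> one verdict line per device
classify_inventory() {
  # IFS is the tab only, so the comma-and-space state strings stay intact.
  while IFS="$TAB" read -r name conn state; do
    [ -n "$name" ] || continue
    classify_device "$name" "$conn" "$state"
  done
}

# count_updatable < inventory -> number of devices the post-action will push to
count_updatable() {
  classify_inventory | grep -c "${TAB}UPDATE\$"
}

# list_skipped < inventory -> names of devices that will be silently skipped
list_skipped() {
  classify_inventory | grep 'SKIP' | cut -f1
}

main() {
  printf '%s\n' "$SAMPLE_INVENTORY" | classify_inventory
  total=$(printf '%s\n' "$SAMPLE_INVENTORY" | wc -l | tr -d ' ')
  ok=$(printf '%s\n' "$SAMPLE_INVENTORY" | count_updatable)
  echo "Will receive the DI update: $ok of $total devices"
}

main
```

On the constructed inventory only the two "Managed, In Sync" devices that are up are reported as UPDATE, which mirrors the symptom in the original post (job 100% success, two firewalls updated, the rest untouched). Run against a real device list, the SKIP lines are the ones to chase down before re-running the post-action.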
Contributor
Chuck
Posts: 32
Registered: ‎02-03-2009

Re: DI Update of Devices not working

Hi Daniele, Thanks for replying.

All the devices have connectivity to the NSM; I have double-checked that. But for the "Managed, In Sync" status, we have a problem there. Even if there is no change to be pushed, this column will say "Managed, Device and NSM Changed" or "Managed, Device Changed" or "Managed, NSM Changed". Is this a known issue with NSM?

We were on 2007.3r3 and had this "changed" issue. So we consulted with Juniper and they suggested upgrading the device to 2008.2r2. We did, but the problem still persists. I had a word with Juniper again and they are now suggesting a fresh installation of 2008.2r2 and an upgrade to 2008.2r2a. Do you have anything on this issue?

Recognized Expert
Daniele
Posts: 164
Registered: ‎11-06-2007

Re: DI Update of Devices not working

Hi Chuck,

It may be because of the NTP sync between the 2 cluster members!

Check this KB:

http://kb.juniper.net/KB13145

Root cause: The Master firewall is sending a NTP sync command through the NSRP link after syncing with the NTP server. When the Backup firewall receives the NSRP sync message, it takes the command as a manual change in itself, and it sends out a 'device change' flag to NSM.

The solution is to configure each NSRP cluster member to sync with the NTP server individually, then apply the command 'set ntp no-ha-sync' to block the NTP sync from the Master.

Let us know if this solves it.

Ciao

Daniele

***Contributor at Router Freak blog***
Contributor
Chuck
Posts: 32
Registered: ‎02-03-2009

Re: DI Update of Devices not working

Hi,

A part of it was solved by this. A BIG thanks to you.

In some clusters I have made the change (no sync of NTP between members) and did a re-import of the firewall config, and after that the firewalls started showing "Managed, In Sync". Then I tried to run the script and the DI update got pushed to the firewall.

I have noticed one thing: in the previous setup, where we had 2007.3r3, this update was working fine even if there was a "Changed" status. Is it something they introduced in 2008.2r2 which is blocking this? Can we override this setting in any way, so that the firewall is updated even if there is a "Changed" status?
