SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  IDP Policy Templates Commit Script Error

    Posted 08-21-2013 08:35

    Hi,

     

    I have downloaded and installed IDP and associated Signatures onto a box running JUNOS [11.4R5.5]

     

    After applying the template to the config I get the below. I have never really run into this before and am thinking it may be a bug?

     

    Any ideas?

     

    user@srx# set system scripts commit file templates.xsl
    
    user@srx# commit check
    
    
    /dev/null:60:(36) Opening and ending tag mismatch: login line 36 and commit-script-input
    /dev/null:61:(4) Premature end of data in tag system line 4
    /dev/null:61:(2) Premature end of data in tag configuration line 2
    /dev/null:61:(1) Premature end of data in tag commit-script-input line 1
    error: error reading configuration: /dev/stdin
    error: 5 errors reported by commit scripts
    error: commit script failure



    user@srx# run show security idp security-package-version
      Attack database version:2291(Mon Aug 19 18:34:44 2013 UTC)
      Detector version :12.6.160130715
      Policy template version :2291

     





  • 2.  RE: IDP Policy Templates Commit Script Error

    Posted 08-22-2013 04:25

    I upgraded to 11.4R7.5 Recommended Release also and it's the same.

     

    Anyone? 😮



  • 3.  RE: IDP Policy Templates Commit Script Error

     
    Posted 08-22-2013 07:18

    This sounds like an issue with the parsing of the template file.

    Was there any change made to templates.xsl or any of the xml files?

     

    I would try deleting all the configuration or cleanup of config directory like below:

    http://kb.juniper.net/InfoCenter/index?cmid=no&page=content&id=KB24684

     

    Regards,

    Raveen



  • 4.  RE: IDP Policy Templates Commit Script Error

    Posted 08-22-2013 08:17

    Hi,

     

    The templates.xsl has not been modified in any way.  It does look like a parsing issue.

     

    I have tried clearing the config directory and also I have removed IDP as below.

     

    I removed the following, redownloaded everything and the same error!  :-s

     

    rm -rf /cf/var/db/scripts/commit/*
    rm -rf /cf/var/db/idpd/db/*
    rm -rf /cf/var/db/idpd/sec-download/*
    rm -rf /cf/var/db/idpd/nsm-download/*
    rm -rf /cf/var/db/idpd/sec-repository/*

     



  • 5.  RE: IDP Policy Templates Commit Script Error
    Best Answer

    Posted 11-19-2013 03:55

    Hi, just following up on this in case it ever helps anyone. Basically, the system message banner had characters causing the IDP commit script to fail upon parsing the config.

     

    The exact message is below. The ▒▒▒ characters were somehow put in place during an upgrade (I can't see a user actually putting these in!), replacing blank spaces in the config.

     

    A second SRX has the exact same banner message but does not display the oddball characters.

     

    *********************************** Warning ************************************
    *▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒*
    * You are about to access a protected resource. Unauthorized Persons will be   *
    * prosecuted to the fullest extent of the law. This will be your only warning. *
    *▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒*
    ********************************************************************************

     

    Hope it helps!



  • 6.  RE: IDP Policy Templates Commit Script Error

    Posted 11-20-2013 16:46

    You can also use \n to perform a carriage return as well:

     

    set system login message "\nUNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.\n\nYou must have explicit permission to access or configure this device.\nAll activities performed on this device may be logged, and violations\nof this policy may result in disciplinary action,and may be reported to\nlaw enforcement. There is no right to privacy on this device.\n\n"

     Which will produce:

     

    UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.
    
    You must have explicit permission to access or configure this device.
    All activities performed on this device may be logged, and violations
    of this policy may result in disciplinary action,and may be reported to
    law enforcement.  There is no right to privacy on this device.
    

     Unless I'm missing something else.



  • 7.  RE: IDP Policy Templates Commit Script Error

    Posted 11-21-2013 04:33

    Hi Clay,

     

    Of course that is a much cleaner method of creating a banner!  When the IDP commit script was parsing the back end XML, it couldn't handle this character, which I now know to be Unicode Character 'Medium Shade' (U+2592).  I assume there is quite a lot more it can't handle.

     

    How they got there instead of spaces, I don't know. I'm told they were copied from an old unit.

     

    What exact characters are valid in the banner (and other places) I am not sure, haven't looked into it.
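A check for the failure described in this thread, added here as an example and not part of any poster's message or of Juniper's tooling: it scans configuration text saved in set format for characters outside printable ASCII, such as the U+2592 found in the banner, and can put spaces back in their place. The sample config, the function names and the ASCII-only policy are assumptions; the thread does not establish which characters the commit script accepts.

```python
import unicodedata

# Constructed sample in "set" format: line 2 carries U+2592 where spaces
# were intended, the situation described in the thread.
SAMPLE_CONFIG = (
    'set system host-name srx\n'
    'set system login message "* Warning *\\n*\u2592\u2592\u2592*\\n"\n'
    'set system scripts commit file templates.xsl\n'
)

def find_suspect_chars(config_text):
    """Return (line_no, column, codepoint, name) for every character outside
    printable ASCII. Tab is allowed. The ASCII-only policy is an assumption,
    not a documented Junos limit."""
    findings = []
    for line_no, line in enumerate(config_text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            if ch == "\t" or 0x20 <= ord(ch) <= 0x7E:
                continue
            name = unicodedata.name(ch, "UNNAMED")
            findings.append((line_no, col, "U+%04X" % ord(ch), name))
    return findings

def summarize(findings):
    """Collapse findings to {line_no: {codepoint: count}} for a short report."""
    summary = {}
    for line_no, _col, cp, _name in findings:
        per_line = summary.setdefault(line_no, {})
        per_line[cp] = per_line.get(cp, 0) + 1
    return summary

def replace_with_spaces(config_text, chars=("\u2592",)):
    """Put spaces back where the listed characters appear."""
    for ch in chars:
        config_text = config_text.replace(ch, " ")
    return config_text

if __name__ == "__main__":
    hits = find_suspect_chars(SAMPLE_CONFIG)
    for line_no, col, cp, name in hits:
        print("line %d col %d: %s %s" % (line_no, col, cp, name))
    print(summarize(hits))
```

Running it over a saved copy of the configuration before adding the commit script points at the offending statement directly, instead of the `/dev/null:60` positions in the parser errors.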

     

     

     



  • 8.  RE: IDP Policy Templates Commit Script Error

    Posted 11-21-2013 04:37

    We will try to document this in a Juniper KB article for other Juniper product users to use.

     

    --Cheers

    Dipanshu