After upgrading a Juniper SRX (branch series) from Junos 11.x to 12.x, IDP can get stuck in a very odd state: it starts reporting false positives and also fails when updating.
To fix (for clusters):
configure
set system processes idp-policy disable
deactivate security idp
commit and-quit
Then remove the IDP directories (running "request security idp storage-cleanup" will NOT fix the issue; you need to force-remove the old files and stuck policies in there):
start shell
cd /var/db/idpd
rm -r *
exit
Repeat the commands on the secondary node:
request routing-engine login node 1
cd /var/db/idpd
rm -r *
exit
Check cluster status to make sure the redundancy groups are all on one node:
> show chassis cluster status
Cluster ID: 1
Node   Priority   Status      Preempt   Manual failover
Redundancy group: 0 , Failover count: 1
node0  100        primary     no        no
node1  1          secondary   no        no
Redundancy group: 1 , Failover count: 1
node0  100        primary     no        no
node1  1          secondary   no        no
Reboot the secondary node:
request system reboot node 1
Go get coffee while it comes back up... (keep checking the cluster status until node 1 shows "secondary" and not "lost").
After it's back, fail over to the secondary node:
request chassis cluster failover redundancy-group 1 node 1
request chassis cluster failover redundancy-group 0 node 1
Reconnect if you are SSH'ing into the device for management and check cluster status.
Once node 1 shows primary on both redundancy groups, reboot node 0.
request system reboot node 0
Go to the restroom while you wait for it to come back online... (keep checking the cluster status until node 0 shows "secondary" and not "lost").
Once they are both up and in their primary/secondary states, reset the failover.
request chassis cluster failover reset redundancy-group 1
request chassis cluster failover reset redundancy-group 0
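The "keep checking the cluster status until the node shows secondary and not lost" step above is easy to get wrong by eye during a long maintenance window. The following is an added example (not part of the original post) that parses the "show chassis cluster status" output shown earlier and tells you whether every redundancy group is in the expected state; the sample text is constructed from that output, and how you fetch the live text (e.g. over NETCONF or a CLI session) is left to you.

```python
import re
from typing import Dict

# Constructed sample, shaped like the "show chassis cluster status" output
# shown earlier in this post (node0 primary, node1 secondary on both RGs).
SAMPLE_STATUS = """\
Cluster ID: 1
Node   Priority   Status      Preempt   Manual failover
Redundancy group: 0 , Failover count: 1
node0  100        primary     no        no
node1  1          secondary   no        no
Redundancy group: 1 , Failover count: 1
node0  100        primary     no        no
node1  1          secondary   no        no
"""

RG_RE = re.compile(r"^Redundancy group:\s*(\d+)")
# node name, priority, status, preempt, manual failover (whitespace separated)
NODE_RE = re.compile(r"^(node\d)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_cluster_status(text: str) -> Dict[int, Dict[str, str]]:
    """Return {redundancy_group_id: {node_name: status}} from the CLI text."""
    groups: Dict[int, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        m = RG_RE.match(line)
        if m:
            current = int(m.group(1))
            groups[current] = {}
            continue
        m = NODE_RE.match(line)
        if m and current is not None:
            groups[current][m.group(1)] = m.group(3)
    return groups


def ready_to_proceed(text: str, expect_primary: str, expect_secondary: str) -> bool:
    """True only when every RG shows expect_primary as 'primary' and
    expect_secondary as 'secondary'.  A node reported as 'lost' (or
    missing from a group) therefore makes this return False."""
    groups = parse_cluster_status(text)
    if not groups:
        return False  # nothing parsed: do not treat unknown state as OK
    for members in groups.values():
        if members.get(expect_primary) != "primary":
            return False
        if members.get(expect_secondary) != "secondary":
            return False
    return True
```

Poll the device with this check in a loop before the failover and before the second reboot; ready_to_proceed(text, "node0", "node1") is the condition to wait for after rebooting node 1, and ready_to_proceed(text, "node1", "node0") after rebooting node 0.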
Re-enable the idp-policy process (security idp itself stays deactivated for now):
configure
delete system processes idp-policy disable
commit and-quit
At this point, sometimes the update will fail. You can either reboot the nodes AGAIN (doing another failover) or try issuing "request security idp storage-cleanup downloaded-files".
Download the full IDP update: request security idp security-package download full-update
Check the status when it's finished.
If it DID NOT sync OK, you will have to manually copy the files over to the secondary node and move them to the right directory:
start shell
rcp -T -r /var/tmp/sec-download/* node1:/var/db/idpd/sec-download/
mv /var/tmp/sec-download/* /var/db/idpd/sec-download
Install/update IDP: request security idp security-package install
Check the status. When it's done, it should look something like:
request security idp security-package install status
node0:
--------------------------------------------------------------------------
Done;Attack DB update : successful - [UpdateNumber=2415,ExportDate=Wed Sep 3 18:26:00 2014 UTC,Detector=12.6.160140626]
Updating control-plane with new detector : successful
Updating data-plane with new attack or detector : not performed
due to no active policy configured.
node1:
--------------------------------------------------------------------------
Done;Attack DB update : successful - [UpdateNumber=2415,ExportDate=Wed Sep 3 18:26:00 2014 UTC,Detector=12.6.160140626]
Updating control-plane with new detector : successful
Updating data-plane with new attack or detector : not performed
due to no active policy configured.
If you use policy templates, then make sure to rerun the download and install the templates: request security idp security-package install policy-templates
Re-enable IDP:
configure
activate security idp
commit and-quit
And verify it's running:
show security idp policy-commit-status
show security idp status