Troubleshooting Configuration Push Errors (NSM Procedure)

Problem

Table 58 provides tips for troubleshooting errors related to NSM configuration push jobs.

Table 58: Troubleshooting: Configuration Push Errors

Error

Description

Timeout

The default timeout for IDP policy is 2400000 milliseconds (40 minutes).

When you first push a policy to a newly deployed IDP device, NSM must send a large amount of data (mostly attack definitions). In some cases, the update job times out before it completes.

To modify the timeout setting:

  1. On the NSM Device Server, open the following file in a text editor:
    /usr/netscreen/DevSvr/var/devSvr.cfg
  2. Modify the following setting:
    devSvrDirectiveHandler.idpPolicyPush.timeout 2400000

The following attacks/groups cannot be updated. Not supported for version.

Different versions of IDP use different detector engines. Not all attack objects are valid for all versions of the detector engine. IDP indicates which attack objects in the security policy were not valid for the loaded detector engine and, therefore, not loaded.

This message is for information purposes only and does not indicate a problem with the IDP device or the policy.

No firewall rules can be updated for device in assigned policy policyName.

This message appears when you try to load a policy that contains a firewall rulebase onto a standalone IDP device.

It means only that IDP cannot process the firewall rulebase. The IDP rulebases are still processed normally, assuming no other errors.

Rule #: Packet logging with any/any rule has serious performance implications.

Setting the rule to log packets causes IDP to save packets until it is sure that they will not be needed for a log entry. A rule that has any in the Source IP column and any in the Destination IP column examines all traffic, so IDP has to save a large number of packets all the time, which degrades performance.

Policy has not changed and hence will not be updated.

For performance reasons, IDP does not spend resources recompiling a security policy that has not changed.

Failed to update device. Failed to compile policy.

Something has gone wrong with the policy compilation. Other error messages may indicate why.

No license for idp.

The device does not have a valid license. Unlicensed devices do not accept policy uploads.
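
The timeout change from the Timeout entry of Table 58, scripted so that the value is validated and the file is backed up before it is edited. This is an added example, not part of the NSM documentation; it assumes devSvr.cfg holds one whitespace-separated key/value pair per line, as the setting is shown above, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: set the IDP policy push timeout in devSvr.cfg.
# Assumption: one "key value" pair per line, as the setting appears on this page.
# Usage: set_idp_push_timeout /usr/netscreen/DevSvr/var/devSvr.cfg 60

KEY='devSvrDirectiveHandler.idpPolicyPush.timeout'

# Print the current timeout in milliseconds (prints nothing if the key is absent).
get_idp_push_timeout() {
    awk -v k="$KEY" '$1 == k { v = $2 } END { if (v != "") print v }' "$1"
}

# set_idp_push_timeout FILE MINUTES
# Converts MINUTES to milliseconds and writes it, keeping a timestamped backup.
set_idp_push_timeout() {
    cfg=$1
    minutes=$2
    # Reject empty, non-numeric, zero and leading-zero input before touching the file.
    case $minutes in
        ''|*[!0-9]*|0*) echo "minutes must be a positive integer" >&2; return 2 ;;
    esac
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }
    ms=$((minutes * 60000))
    old=$(get_idp_push_timeout "$cfg")
    backup="$cfg.$(date +%Y%m%d%H%M%S).bak"
    cp -p "$cfg" "$backup" || return 1
    tmp="$cfg.tmp.$$"
    # Rewrite only the matching key; append it if the file does not contain it.
    awk -v k="$KEY" -v v="$ms" '
        $1 == k { print k " " v; done = 1; next }
        { print }
        END { if (!done) print k " " v }
    ' "$backup" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Overwrite in place so the file keeps its existing owner and mode.
    cat "$tmp" > "$cfg" && rm -f "$tmp" || return 1
    echo "$KEY: ${old:-unset} -> $ms (backup: $backup)"
}
```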
