USG5530 UTM online upgrade failure case

Publication Date:  2014-03-24
Issue Description
The USG5530 is deployed on an internal network. The customer wants to upgrade the UTM signature files and has used the command "update host source LoopBack0" to set the update source interface to LoopBack0, which is configured with a public IP address. The upgrade nevertheless fails.

Topology shown:
Alarm Information
Handling Process
Let's check the likely causes one by one.
(1) Check the license on the firewall with the command "display license". The license contains the UTM control items (IPS, AV, and so on) and the services do not expire until 2023, so the license is fine.

HRP_M[USG5500]disp license
08:50:07  2014/03/14
Device ESN is: 210235G6HRxxxxxxxxxx
The file activated is: hda1:/lic2013157-a9ca5d2c7b9d9f_usg5530.dat
The time when activated is: 2014/03/13  17:09:07
Content Filtering: Enabled
IPS        : Enabled;   service expire time: 2023/03/11
Anti Virus : Enabled;   service expire time: 2023/03/11
Anti Spam  : Enabled;   service expire time: 2023/03/11
Pre-defined URL category query : Enabled;   service expire time: 2023/03/11

(2) With the license confirmed, check whether the device can reach the Internet. A ping sourced from the public IP address succeeds, so Internet connectivity is fine.

HRP_M[USG5500]ping -a xxx.y.94.89
08:45:15  2014/03/14
  PING 56  data bytes, press CTRL_C to break
    Reply from bytes=56 Sequence=1 ttl=44 time=70 ms
    Reply from bytes=56 Sequence=2 ttl=44 time=70 ms
    Reply from bytes=56 Sequence=3 ttl=44 time=70 ms

But a ping to a domain name fails. The firewall session table at that moment shows a DNS session with no reply packets, and the source IP address of that session is the private address of the outbound interface, not the public address that was specified. So the failed ping is caused by a failed DNS resolution.

HRP_M[USG5500]ping -a
08:46:05  2014/03/14
Trying DNS server (
Trying DNS server (
Error:  Ping: unknown host
Session information:
HRP_M[USG5500]disp firewall  session table verbose
08:51:05  2014/03/14
Current Total Sessions : 4
  dns  VPN:public --> public
  Zone: local--> untrust  TTL: 00:00:30  Left: 00:00:22
  Output-interface: GigabitEthernet0/0/7  NextHop:  MAC: 00-00-5e-00-01-6e
  <--packets:0 bytes:0   -->packets:1 bytes:76>         //the source IP is private IP address

Upgrading UTM files (for example the AV signature database) first requires resolving the update server's domain name. When the AV upgrade is tested, the DNS session again uses the interface IP address as its source. The AV upgrade therefore fails for the same reason as the ping test above: DNS resolution fails.

HRP_M[USG5500]update online av
08:47:33  2014/03/14
Info: The operation may last for several minutes. Please wait.
HRP_M[USG5500]display firewall session table
08:47:41  2014/03/14
Current Total Sessions : 4
  telnet  VPN:public --> public>
  dns  VPN:public --> public>
  http  VPN:public --> public>
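The diagnostic used above is simple to automate: parse the verbose session table and flag sessions that leave towards the untrust zone with a private (RFC 1918) source address and zero reply packets. The following Python script is an added example, not part of this case or of Huawei's tooling; the session table it parses is a constructed sample whose layout follows the USG5500 verbose output shown on this page, with documentation and private addresses filled in where the case masks them.

```python
import ipaddress
import re

# Constructed sample of "display firewall session table verbose" output.
# Addresses are made up for this example (RFC 1918 and documentation ranges);
# the layout follows the USG5500 verbose session format shown on this page.
SAMPLE_SESSION_TABLE = """\
Current Total Sessions : 3
  dns  VPN:public --> public 192.168.1.1:1025-->203.0.113.53:53
  Zone: local--> untrust  TTL: 00:00:30  Left: 00:00:22
  Output-interface: GigabitEthernet0/0/7  NextHop: 203.0.113.1  MAC: 00-00-5e-00-01-6e
  <--packets:0 bytes:0   -->packets:1 bytes:76
  icmp  VPN:public --> public 198.51.100.89:512-->203.0.113.10:2048
  Zone: local--> untrust  TTL: 00:00:20  Left: 00:00:18
  Output-interface: GigabitEthernet0/0/7  NextHop: 203.0.113.1  MAC: 00-00-5e-00-01-6e
  <--packets:3 bytes:252   -->packets:3 bytes:252
  telnet  VPN:public --> public 192.168.1.100:54001-->192.168.1.1:23
  Zone: trust--> local  TTL: 00:10:00  Left: 00:09:45
  Output-interface: InLoopBack0  NextHop: 127.0.0.1  MAC: 00-00-00-00-00-00
  <--packets:40 bytes:3200   -->packets:55 bytes:4100
"""

# First line of each session: protocol, VPN instances, then the 5-tuple.
HEADER_RE = re.compile(
    r"^\s*(?P<proto>\S+)\s+VPN:(?P<vpn>\S+)\s+-->\s+\S+\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)-->(?P<dst>[\d.]+):(?P<dport>\d+)"
)
ZONE_RE = re.compile(r"^\s*Zone:\s*(?P<src_zone>\w+)\s*-->\s*(?P<dst_zone>\w+)")
PKT_RE = re.compile(r"<--packets:(?P<reply>\d+)\s+bytes:\d+\s+-->packets:(?P<fwd>\d+)")

# Only the RFC 1918 ranges count as "private" here; Python's
# ip_address().is_private would also flag the documentation ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True if addr falls inside one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_sessions(text):
    """Parse the verbose session table into a list of dicts, one per session."""
    sessions = []
    cur = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = {"proto": m["proto"], "src": m["src"], "dst": m["dst"],
                   "dport": int(m["dport"]), "reply": None, "fwd": None}
            sessions.append(cur)
            continue
        if cur is None:
            continue  # header lines such as "Current Total Sessions"
        m = ZONE_RE.match(line)
        if m:
            cur["src_zone"], cur["dst_zone"] = m["src_zone"], m["dst_zone"]
            continue
        m = PKT_RE.search(line)
        if m:
            cur["reply"], cur["fwd"] = int(m["reply"]), int(m["fwd"])
    return sessions


def unnatted_outbound(sessions):
    """Sessions heading for the untrust zone with an RFC 1918 source address
    and no reply packets: the signature of the DNS failure in this case."""
    return [s for s in sessions
            if s.get("dst_zone") == "untrust"
            and is_rfc1918(s["src"])
            and s["reply"] == 0]


if __name__ == "__main__":
    for s in unnatted_outbound(parse_sessions(SAMPLE_SESSION_TABLE)):
        print(f"{s['proto']} from private source {s['src']} to {s['dst']}:{s['dport']} "
              f"sent {s['fwd']} packet(s), got no reply: missing source NAT?")
```

Run against the sample, only the DNS session is reported; the ICMP session sourced from the public address has replies, and the telnet session is internal. Paste real "display firewall session table verbose" output into SAMPLE_SESSION_TABLE to use it on a live device.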
Root Cause
Based on the symptoms, the likely causes are:
(1) The license does not contain the UTM control items, or has expired;
(2) The firewall cannot reach the Internet;
(3) The UTM update server is unreachable or faulty.
The checks above rule out (1) and (2). The actual cause is that the USG5530 sits on an internal network and sends its DNS queries with the private address of the outbound interface as the source, even though "update host source LoopBack0" is configured; those queries get no reply, so resolution fails. Because the UTM upgrade must resolve the update server's domain name before it can download anything, the upgrade fails as well.
The solution is to configure source NAT for DNS traffic from the local zone to the untrust zone, using the loopback (public) address as the NAT address pool. After that, DNS resolution succeeds and the UTM upgrade completes. The configuration is as follows:
nat address-group 1 xx.y.21.225 xx.y.21.225   //Use the loopback IP address as the NAT address pool
nat-policy interzone local untrust outbound
 policy 0
  action source-nat
  policy service service-set dns   //Only NAT the DNS traffic
  address-group 1