USG5530 UTM online upgrade failure case

Publication Date:  2014-03-24
Issue Description
The USG5530 is deployed in an internal network. The customer wants to upgrade the UTM files and uses the command “update host source LoopBack0” to set the source interface for the upgrade. The source interface, LoopBack0, is configured with a public IP address, but the upgrade fails.

Topology shown:
Alarm Information
None
Handling Process
Let's analyze and check the likely reasons one by one.
(1) Check the license information on the firewall with the command “display license”. The license file contains the UTM control items, such as the IPS and AV functions, and the expiry date is in 2023, so the license is OK.

HRP_M[USG5500]disp license
08:50:07  2014/03/14
Device ESN is: 210235G6HRxxxxxxxxxx
The file activated is: hda1:/lic2013157-a9ca5d2c7b9d9f_usg5530.dat
The time when activated is: 2014/03/13  17:09:07
Content Filtering: Enabled
IPS        : Enabled;   service expire time: 2023/03/11
Anti Virus : Enabled;   service expire time: 2023/03/11
Anti Spam  : Enabled;   service expire time: 2023/03/11
Pre-defined URL category query : Enabled;   service expire time: 2023/03/11

(2) After checking the license, check whether the device can reach the Internet. A ping to 8.8.8.8 sourced from the public IP address succeeds, which shows that the Internet is reachable.

HRP_M[USG5500]ping -a xxx.y.94.89 8.8.8.8
08:45:15  2014/03/14
  PING 8.8.8.8: 56  data bytes, press CTRL_C to break
    Reply from 8.8.8.8: bytes=56 Sequence=1 ttl=44 time=70 ms
    Reply from 8.8.8.8: bytes=56 Sequence=2 ttl=44 time=70 ms
    Reply from 8.8.8.8: bytes=56 Sequence=3 ttl=44 time=70 ms

But a ping to the domain sec.huawei.com fails. Checking the session table on the firewall at the same time shows that the DNS session has no reply packets, and that the source IP address of the DNS session is the interface IP address, which is a private address, rather than the public IP address that was specified. So the ping test fails because DNS resolution fails.

HRP_M[USG5500]ping -a 196.1.94.89 www.google.com
08:46:05  2014/03/14
Trying DNS server (213.154.64.13)
Trying DNS server (213.154.64.13)
Error:  Ping: unknown host sec.huawei.com
Session information:
HRP_M[USG5500]disp firewall  session table verbose
08:51:05  2014/03/14
Current Total Sessions : 4
  dns  VPN:public --> public
  Zone: local--> untrust  TTL: 00:00:30  Left: 00:00:22
  Output-interface: GigabitEthernet0/0/7  NextHop: 10.33.1.20  MAC: 00-00-5e-00-01-6e
  <--packets:0 bytes:0   -->packets:1 bytes:76
  10.33.1.18:49912-->213.154.64.13:53         //the source IP is private IP address

Upgrading the UTM files (such as AV) requires resolving the domain sec.huawei.com. When testing the AV upgrade, the DNS session again uses the interface IP address as its source IP address, so the AV upgrade has the same problem as the ping test above: it fails because DNS resolution fails.

HRP_M[USG5500]update online av
08:47:33  2014/03/14
Info: The operation may last for several minutes. Please wait.
HRP_M[USG5500]display firewall session table
08:47:41  2014/03/14
Current Total Sessions : 4
  telnet  VPN:public --> public 41.219.31.6:45392-->41.214.21.225:23
  dns  VPN:public --> public 10.33.1.18:49651-->213.154.64.13:53
  http  VPN:public --> public 196.1.94.89:51788-->58.251.153.51:80
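As an added check (not part of the original case or any Huawei tool), the following Python script parses the verbose session table output shown above and flags the failure signature from this case: a DNS session from the local zone with a private (RFC 1918) source address and zero reply packets. The sample text is constructed from the output in this case.

```python
import ipaddress
import re

# Constructed sample modelled on the 'display firewall session table verbose'
# output in this case: one unanswered DNS session and one healthy HTTP session.
SAMPLE = """Current Total Sessions : 2
  dns  VPN:public --> public
  Zone: local--> untrust  TTL: 00:00:30  Left: 00:00:22
  <--packets:0 bytes:0   -->packets:1 bytes:76
  10.33.1.18:49912-->213.154.64.13:53
  http  VPN:public --> public
  Zone: local--> untrust  TTL: 00:00:30  Left: 00:00:22
  <--packets:3 bytes:412   -->packets:2 bytes:180
  196.1.94.89:51788-->58.251.153.51:80
"""

PROTO_RE = re.compile(r"^\s*(\w+)\s+VPN:")  # first line of each session record
ZONE_RE = re.compile(r"Zone:\s*(\S+?)-->\s*(\S+)")
PKT_RE = re.compile(r"<--packets:(\d+).*-->packets:(\d+)")
FLOW_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+):(\d+)-->(\d+\.\d+\.\d+\.\d+):(\d+)")

def parse_sessions(text):
    """Turn verbose session-table text into a list of dicts, one per session."""
    sessions, cur = [], {}
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:  # a new session starts; the following lines describe it
            cur = {"proto": m.group(1)}
            sessions.append(cur)
            continue
        z = ZONE_RE.search(line)
        if z:
            cur["src_zone"], cur["dst_zone"] = z.groups()
        p = PKT_RE.search(line)
        if p:  # '<--' is the reply direction, '-->' the forward direction
            cur["reply_pkts"], cur["fwd_pkts"] = int(p.group(1)), int(p.group(2))
        f = FLOW_RE.search(line)
        if f:
            cur["src_ip"], cur["dst_ip"], cur["dst_port"] = f.group(1), f.group(3), int(f.group(4))
    return sessions


def find_unanswered_private_dns(sessions):
    """Flag the signature from this case: DNS from the local zone, sourced from a
    private (RFC 1918) address, with zero reply packets."""
    return [s for s in sessions
            if s.get("proto") == "dns" and s.get("src_zone") == "local"
            and s.get("reply_pkts") == 0
            and ipaddress.ip_address(s["src_ip"]).is_private]
```

Run `find_unanswered_private_dns(parse_sessions(text))` on captured output; a non-empty result points at the source-address problem this case describes rather than at the license or Internet reachability.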
Root Cause
Based on the issue details, the likely causes are as follows:
(1) The license does not include the UTM control items, or the license has expired;
(2) The firewall cannot access the Internet;
(3) The UTM file download server has a problem and cannot be reached.
Suggestions
Because the USG5530 is in an internal network, the device uses a private IP address as the source address for DNS queries, so resolution fails. Because the UTM upgrade needs to resolve the domain sec.huawei.com, the failed DNS resolution causes the UTM upgrade to fail.
Solution:
Apply source NAT between the local zone and the untrust zone. After that, DNS is resolved and the UTM upgrade succeeds. The configuration is as follows:
nat address-group 1 xx.y.21.225 xx.y.21.225   //Use the loopback IP address as the NAT address pool
nat-policy interzone local untrust outbound
 policy 0
  action source-nat
  policy service service-set dns               //Only NAT the DNS protocol
  address-group 1
