The Online Upgrade of the USG2100 (UTM) Fails Due to the Network Environment

Publication Date: 2012-07-24
Issue Description
The configurations for the product upgrade are complete. The following information is displayed during the upgrade:
2010-11-01 10:51:09 USG2100 %%01UPDATE/4/UPDATE(l):  module=IPS version=0.0 status=manual-update result=failed details="Exception error"
The debugging information is as follows:
*0.1390340 USG2100 UPDATE/7/DBG:[event] 9090 HTTP server responsed: incr-featurelist( num=0 max-ver=0.0 ) major-feature( ver= ) ftp-info( url=sec-downloadserver1.huaweisymantec.com port=21 ) others( msg-code=100 active-code=0WcQwYe61KEXRCYILOHhb7i5EGrLgsI/pZCRczEzeVETPlEAkVMc34YAvZdpNs0lmXa0TDsoJVcvXZCGG24k4IhCNGvIue2aYsENZE1q8SEMn6FugTNjzBBGbfGO4DqoLTI4DgYRk5pqr4yd/nKm5RGWjepCvoe4V32rzj6TUTm6m+p15VE8Hv0EHO4KHGH3 ).
 
*0.1398520 USG2100 UPDATE/7/DBG:[data] 2768 HTTP server responsed: incr-featurelist( num=0 max-ver=0.0 ) major-feature( ver= ) ftp-info( url=sec-downloadserver1.huaweisymantec.com port=21 ) others( msg-code=100 active-code=0WcQwYe61KEXRCYILOHhb7i5EGrLgsI/pZCRczEzeVETPlEAkVMc34YAvZdpNs0lmXa0TDsoJVcvXZCGG24k4IhCNGvIue2aYsENZE1q8SEMn6FugTNjzBBGbfGO4DqoLTI4DgYRk5pqr4yd
Alarm Information
None.
Handling Process
1. Confirm that the UTM device is connected to the public network through the USG2110 in NAT mode. Check the configuration of the USG2110: ASPF is not configured.
2. Configure the detect ftp command in the interzone used for NAT. Configure the nat alg enable ftp command in the system view.
3. Complete the configuration. The upgrade succeeds.
Root Cause
1. Initially, the cause was assumed to be the upgrade of the background Web site. However, according to the O&M engineer, the message code (msg-code=100) indicates that the UTM device successfully connected to the upgrade server. The configurations of the upgrade Web site are correct.
2. According to the discussion with R&D engineers and the debugging information, the UTM device successfully connects to the upgrade server, and the server notifies the UTM device of the signature file to be downloaded. However, the UTM device fails to download the signature database.
3. During the upgrade, the UTM uses FTP passive mode, so the data port is a random one announced on the control connection. Because the ASPF function is disabled at the egress, the egress device does not open a path for that data connection, and the download fails.
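
The failure in item 3, modeled as an added example (not part of the original case and not Huawei's ASPF implementation): a toy egress filter that permits only the FTP control port unless it inspects the control channel and opens a pinhole for the announced passive data port. The replies, addresses, the allow-only-tcp/21 rule and the names data_endpoint, Egress and download_succeeds are constructed assumptions; EPSV handling goes beyond the PASV case described above.

```python
import re

# Constructed FTP control-channel replies (RFC 959 PASV, RFC 2428 EPSV);
# the addresses and ports are sample values, not taken from the case.
PASV_REPLY = "227 Entering Passive Mode (203,0,113,10,195,80)"
EPSV_REPLY = "229 Entering Extended Passive Mode (|||50000|)"

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


def data_endpoint(reply, server_ip):
    """Return (ip, port) the client will connect to for data, or None."""
    m = PASV_RE.match(reply)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        if max(h1, h2, h3, h4, p1, p2) > 255:
            return None  # malformed reply: every field is one octet
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    m = EPSV_RE.match(reply)
    if m and 0 < int(m.group(1)) < 65536:
        return server_ip, int(m.group(1))  # EPSV reuses the control-channel IP
    return None


class Egress:
    """Toy egress filter: static rule for tcp/21 plus optional ALG pinholes."""

    def __init__(self, inspect_ftp):
        self.inspect_ftp = inspect_ftp
        self.pinholes = set()

    def see_control_reply(self, reply, server_ip):
        # With inspection on, learn the announced data endpoint from the reply.
        ep = data_endpoint(reply, server_ip)
        if self.inspect_ftp and ep:
            self.pinholes.add(ep)

    def permits(self, dst_ip, dst_port):
        return dst_port == 21 or (dst_ip, dst_port) in self.pinholes


def download_succeeds(inspect_ftp, reply, server_ip="203.0.113.10"):
    fw = Egress(inspect_ftp)
    if not fw.permits(server_ip, 21):
        return False
    fw.see_control_reply(reply, server_ip)
    ep = data_endpoint(reply, server_ip)
    return ep is not None and fw.permits(*ep)
```

With inspection off, the control connection still succeeds, which matches the msg-code=100 response seen in the debugging output while the signature download itself fails.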
Suggestions
Before upgrading the UTM, you need to check the network environment. If you access the Internet through NAT, make sure that the ASPF function is enabled.
