Quantcast
Channel: All ScreenOS Firewalls (NOT SRX) posts
Viewing all 2577 articles
Browse latest View live

When upgrading screenOS, I encounter something problem...

August 11, 2016, 5:51 pm
$
0
0

Hello all,
I have 5 SSG-5.
Among them, only 2 SSG-5 can operate properly about upgrading screenOS


Others cannot operate when I upgrade ScreenOS...


The steps I progress are below.
1. Deleting crypto imagekey(old one)
2. Upgrading boot loader
3. Upgrading screenOS
4. Upgrading crypto imagekey(new one)


And
the issues on devices are below.

Issue 1)
ssg5-isdn-> save software from tftp 192.168.10.99 Loadssg5ssg20v132.d to flash
software major version is not same, accept this firmware? y/[n] y
cksum :a69dbc size :407692
Incorrect firmware data, please check it.
Done

software major version is not same, accept this firmware? y/[n] n
Wrong software, ignore it.
Done

 

Issue 2)
ssg5-isdn-> save software from tftp 192.168.10.99 Loadssg5ssg20v132.d to flash

Load software from TFTP 192.168.10.99 (file: Loadssg5ssg20v132.d).
!rcv tftp error(1)tftp wait error, instance was freed!
TFTP read file failed

 

I think the steps I progress are correct.
Why this issues are coming and how can I deal with it?

Please tell me advice experts!!

Regards,
SK.

Search

Re: When upgrading screenOS, I encounter something problem...

August 11, 2016, 9:36 pm
$
0
0

Issue 1 :

               What is the output of 'get sys' and the name size & hash of the software you are trying to load to the device?

 

Issue 2: 

            It looks to be more relates to TFTP issue. can you take a packet capture on the TFTP server and check where device is sending the tftp packets to the server and tftp response etc.

 

Thanks,

Vikas

Re: When upgrading screenOS, I encounter something problem...

August 12, 2016, 4:42 pm
$
0
0

I"ve seen #2 when the tftp default interface does not match where you actually reach the tftp server on.  Use this command to explicitly set the source interface that you need for the tftp request.  Substitute the correct bgroup or eth interface where the tftp server will face.

 

set tftp source-interface bgroup0

Re: When upgrading screenOS, I encounter something problem...

August 15, 2016, 7:21 pm
$
0
0

hi! 

i'm jogilsang! The companies such as questioner. sorry to late reply.

Write the information you requested.

 

(The current patch status is conducted.)

 

Product Name: SSG5-ISDN

Software Version: 6.3.0r22.0, Type: Firewall+VPN
Feature: AV-K
BOOT Loader Version: 1.3.2
Compiled by build_master at: Wed Mar 9 07:57:20 PST 2016

 

There you need more information?

To resolve this issue needs your help. 

Thanks for reading.

Re: When upgrading screenOS, I encounter something problem...

August 15, 2016, 9:43 pm
$
0
0

 Additionally, I'll put information 

 

1) ssg5-isdn-> save software from tftp 192.168.XX.XX ssg5ssg20.6.3.0r22.0 to flash // screenOS upgrade

2) ssg5-isdn -> save software from tftp 192.168.XX.XX Loadssg5ssg20v132.d to flash // bootloader upgrade

 

1)

 

TFTP Succeeded
Save to flash. It may take a few minutes ...platform = 25, cpu = 12, version = 1 8
update new flash image (026fdd20,13381258)
platform = 25, cpu = 12, version = 18
offset = 20, address = 5800000, size = 13381180
date = 2669, sw_version = 31808000, cksum = 59d01749
Program flash (13381258 bytes) ...

 

2)

 

TFTP Succeeded
Save to flash. It may take a few minutes ...platform = 25, cpu = 12, version = 16
update new flash image (026fdd20,407771)
platform = 25, cpu = 12, version = 16
offset = 20, address = 900000, size = 407692
date = 0, sw_version = 0, cksum = 5e2f1681
software major version is not same, accept this firmware? y/[n] n
Wrong software, ignore it.
Done

 

They have different values.( sw_version )

Maybe it should not ever due to this problem?

I hopeit comesquicklytoupdatethe bootloader Smiley Happy

 

 

 

ssg140 vpn throughtput.

August 15, 2016, 10:59 pm
$
0
0

ssg140 vpn is 100Mb. Is this shared between tunnels. So if I have 4 tunnels and 1 is doing high traffic it will affect other tunnels

as 100mb is shared ?

Re: SC-CPA on SSG5 not function

August 15, 2016, 11:00 pm
$
0
0

HI STEVE

Was the url filtering license previously installed and lost?. NO

is this a new setup that needs the license applied?. YES

The portal Support->find license key and search by seral number: FEATURE: Extended Mode: Extended Mode Key

 

This is the serial number of the device: 0162112010004886 (SSG5)

Tell me what could I do?

THANKS

RAFAEL

Re: When upgrading screenOS, I encounter something problem...

August 16, 2016, 2:10 am
$
0
0

1: Product Name: SSG5-ISDN

    Software Version: 6.3.0r22.0   <-- this means device is already on the latest version.

 

2 :ssg5-isdn -> save software from tftp 192.168.XX.XX Loadssg5ssg20v132.d to flash // bootloader upgrade

 

If you are getting software error during the bootloader upgrade then it looks to be fine because this is not how you should upgrade the bootloader.
Please follow KB https://kb.juniper.net/InfoCenter/index?page=content&id=KB10949&smlogin=true&actp=search to upgrade the bootloader.

 

 

Thanks,

Vikas

Search

Re: SC-CPA on SSG5 not function

August 16, 2016, 8:22 am
$
0
0
Based on the serial number 0162112010004886 , it only has Extended mode license, and does not include WF. Was this device recently RMA'd? If so, then the license would need to be transferred. Otherwise, if you know you have purchased the WF license, then you will have to call into Customer Care, to resolve that issue.

Re: ssg140 vpn throughtput.

August 16, 2016, 3:11 pm
$
0
0

That is total device capacity.  If you have one tunnel that is doing 60Mbps, then the other 4 would only be able to get up to 40Mbps

Re: When upgrading screenOS, I encounter something problem...

August 16, 2016, 3:13 pm
$
0
0

Bootloader upgrade have to be done via the loader prompt (console via reboot).

 

Also, SSGs do not require bootloader upgrades.  This is optional.

 

 

Re: When upgrading screenOS, I encounter something problem...

August 17, 2016, 6:02 am
$
0
0

Thank you your accuracy and kindness!

I work out, thanks!!!

 

I hope you have a pleasant business and all your things are well

see you later Smiley Happy

 

Re: SC-CPA on SSG5 not function

August 18, 2016, 6:00 pm
$
0
0

Web filtering is an optional additional license that gets applied then to the SSG5.  You should get an email with a code to use to generate the license from your reseller when they are purchased.  The code gets used along with your serial number on the support site to create the key you then add to the SSG in the web interface to activate the license period.

Protection on the number of connection

August 19, 2016, 8:03 am
$
0
0

Is there any way to put limitation on the number of the connection on netscreen coming from internet on the single destination IP.

I am aware of one feature Scree option where i can put screening on the packet coming from any specific zone and limit the number of session on the dst or source. But can i do it on some specific Ip as well?

Re: Protection on the number of connection

August 19, 2016, 8:32 am
Search

Re: Protection on the number of connection

August 20, 2016, 6:13 am
$
0
0

You select your desired protections for the zone level here:

 

Security > Screening > Screen

Select your untrust zone from the pick list

 

For source address based attacks, in addition to the syn flood settings noted above, also look at what you would want in the scan section.

 

Screen Shot 2016-08-20 at 9.09.37 AM.png

Re: Protection on the number of connection

August 20, 2016, 9:25 am
$
0
0

Hello,

 

Screening for only a single destination IP is not possible. Options given so far are applicable to all the source or destination IPs.

 

Per policy screening is application to source IPs only.

 

Regards,

 

Rushi

Re: Disable Interface? (Reposted in right topic)

August 22, 2016, 8:20 am
$
0
0
rseibert wrote:

Disable monitor/rekey on the Hub2.  Unfortunatly, you will have to wait for the hub2 IKE to time out before it will show down.  If both sides are set with the floating routes, then when hub1 comes back up, all sessions should change to that route.

Thanks! That seems to work.

 

Any downside to setting a really low IKE timeout? (Like 30 minutes)

Policy ID's

August 23, 2016, 8:23 pm
$
0
0

Hi friends,

 

If i have deleted a rule from the policy, is it possible that the same policy ID could be assigned to a new rule in the future? We are hoping the same policy ID will never get re-used, is this the case?

Re: Policy ID's

August 23, 2016, 10:38 pm
$
0
0

Hello,

 

If you have a policy with id 20 & if you delete it, this number can be reused later on for different policy.

 

Regards,

 

Rushi

Viewing all 2577 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>