Sounds like a known issue. Download the following version of firmware, interrupt the boot process, load the image via TFTP, let it boot, then upgrade to 6.3r23.
https://download.juniper.net/software/firewall/ssg5ssg20.6.2.0r4-ef2.0
Hi Swati,
You can download the 6.3 MIB file from the below mentioned link:
# https://www.juniper.net/techpubs/software/screenos/mibs.html
You will find the temperature in NS-Chassis MIB file and session in NS-RES MIB file.
Regards,
Rishi
How to see the value for OID?
I have seen the file but I don't find the OID for session and temperature with which server should poll to fetch the data.
Also confirm by which command we see that mib file is already present on the node?
Hi Swati,
You can load the MIB file in any MIB browser, e.g. iReasoning. Once you do this you just need to click on SNMP MIB, and the OID will be shown on the OID bar at the top of the browser. I have attached a sample snapshot for the same.
I am not able to understand your query "which command we see that mib file is already present on the node?"
Can you just explain in detail what you are looking for?
Regards,
Rishi
Hi SPULUKA, thanks for your advice.
Juniper won't renew support for this device since it's too old (EOL).
Yes, I get to the loader prompt and I can upload versions using TFTP. That's how I uploaded and tried various versions of ScreenOS.
I would like to get the older version of the ScreenOS to try, but it looks like Juniper doesn't support it any more.
I was hoping someone would have an old saved version they could provide to me.
These devices are still supported until 2020. You should be able to download the file from the link I provided above as long as you have an account on the Juniper site.
Hi RSEIBERT. Thank you for your post. That fixed it!!!!
The link you provided worked. I was able to download the "error fix" version of ScreenOS and flash it into my unit.
It booted up without the crash, dump, reboot loop. It got to a point where it just kept saying "check_for_flash_write: Num_to_be_flashed 0" over and over, but I hit enter and logged on fine.
Then I was able to upload and flash the latest and greatest version of the firmware and it is working now.
THANK YOU. THANK YOU. THANK YOU!!!
Not a problem. Please mark this as solved, and kudos are appreciated.
I only have CLI access to the NetScreen firewall.
I would like to know if the MIB file is present in the firewall or not. Is there any command to check the same?
Also I need the OID for session and temperature so that I can check if that OID is present on the server or not.
Hi Swati,
The MIB file does not reside on the FW. The SNMP server will have the MIB file. You need to enable SNMPv2 or SNMPv3 on the FW and perform an SNMP walk from the server to fetch the required information. I think you did not refer to the attached snapshot in the last update.
OID for temperature:
# nsTempreatureID: .1.3.6.1.4.1.3224.21.4.1.1
# nsTempreatureSlotID: .1.3.6.1.4.1.3224.21.4.1.2
# nsTempreatureCur: .1.3.6.1.4.1.3224.21.4.1.3
# nsTempreatureDesc: .1.3.6.1.4.1.3224.21.4.1.4
OID Session:
# 1.3.6.1.4.1.3224.16.3
# 1.3.6.1.4.1.3224.16.3.2
# 1.3.6.1.4.1.3224.16.3.3
# 1.3.6.1.4.1.3224.16.3.4
Regards,
Rishi
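As an added example (not part of the original posts): a small Python parser for numeric walk output that groups the temperature OIDs listed above into one row per sensor. The walk text is a constructed sample, the row indexes and descriptions are assumptions, and the limit passed to `sensors_over` is a hypothetical threshold.

```python
import re
from collections import defaultdict

# Table entry and column numbers exactly as listed in the post above
# (object names kept as spelled there).
TEMP_ENTRY = "1.3.6.1.4.1.3224.21.4.1"
COLUMNS = {1: "nsTempreatureID", 2: "nsTempreatureSlotID",
           3: "nsTempreatureCur", 4: "nsTempreatureDesc"}

# Constructed sample in numeric walk format (as printed by `snmpwalk -On`);
# indexes, values and descriptions are made up, not real device data.
SAMPLE_WALK = """\
.1.3.6.1.4.1.3224.21.4.1.1.0 = INTEGER: 0
.1.3.6.1.4.1.3224.21.4.1.1.1 = INTEGER: 1
.1.3.6.1.4.1.3224.21.4.1.2.0 = INTEGER: 0
.1.3.6.1.4.1.3224.21.4.1.2.1 = INTEGER: 0
.1.3.6.1.4.1.3224.21.4.1.3.0 = INTEGER: 41
.1.3.6.1.4.1.3224.21.4.1.3.1 = INTEGER: 67
.1.3.6.1.4.1.3224.21.4.1.4.0 = STRING: "CPU"
.1.3.6.1.4.1.3224.21.4.1.4.1 = STRING: "Board"
.1.3.6.1.2.1.1.5.0 = STRING: "fw-lab"
"""

LINE_RE = re.compile(r'^\.?([\d.]+) = (\w+): (.*)$')

def parse_temperature_table(walk_text):
    """Return {row_index: {column_name: value}} for the temperature table."""
    rows = defaultdict(dict)
    for line in walk_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        oid, vtype, value = m.groups()
        if not oid.startswith(TEMP_ENTRY + "."):
            continue                      # some other subtree, e.g. sysName
        suffix = oid[len(TEMP_ENTRY) + 1:].split(".")
        if len(suffix) < 2:
            continue                      # column OID without a row index
        name = COLUMNS.get(int(suffix[0]))
        if name is None:
            continue                      # column not listed in the post
        index = ".".join(suffix[1:])
        rows[index][name] = int(value) if vtype == "INTEGER" else value.strip('"')
    return dict(rows)

def sensors_over(rows, limit):
    """Row indexes whose current temperature exceeds `limit`."""
    return sorted(i for i, r in rows.items() if r.get("nsTempreatureCur", 0) > limit)

if __name__ == "__main__":
    table = parse_temperature_table(SAMPLE_WALK)
    print(table, sensors_over(table, 60))
```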
Hi everyone.
Recently I have a strange problem in updating my ISG 2000 IDP signatures with NSM. Last week I updated my IDP modules with the latest signatures via the offline method, which is downloading two files:
1-NSM-SecurityUpdateInfo.dat
2-NSMFP14-DI-IDP.zip
Generally I place these two files in NSM and then go through the update wizard to update the IDP signatures.
Recently I have downloaded these two files and this time I faced an error message that prevented the wizard from completing the update. I have attached an error screenshot.
After this error message, which is a general Java error that it seems could appear for several reasons, I investigated the NSM-SecurityUpdateInfo.dat file and I saw a strange thing.
In older versions of this .dat file there is lots of text about different versions of signature update files, for example (NSMFP14-DI-IDP.zip, NSMFP15-DI-IDP.zip, NSMFP17-DI-IDP.zip, ...).
In this new .dat file there is nothing except about the NSMFP17-DI-IDP.zip file. (You can open the .dat file via Word or any text editor.)
The problem is my NSM is ver 2010.3 and for this version I'm using the NSMFP14-DI-IDP.zip file. Also I think NSMFP17-DI-IDP.zip is for a newer NSM version! (I don't know if anyone can tell me the difference.)
This is the download link for those two files:
https://services.netscreen.com/restricted/sigupdates/nsm-updates/NSM-SecurityUpdateInfo.dat
https://services.netscreen.com/restricted/sigupdates/nsm-updates/NSMFP14-DI-IDP.zip
I also tried to update the IDP sig with this new .dat file and sig update NSMFP17-DI-IDP.zip but I get the same error message in the attachment. I think this error has to be something with this new .dat file format, and I don't understand why Juniper changed this file content. I also attached an older version of NSM-SecurityUpdateInfo.dat in the attachments, which you can see is much richer than this new .dat file that you can download from the above URL. (I also tried to alter the old .dat file and use it with the new sig update file with no luck!)
Please help me to resolve this strange problem. Thanks
Hi Sevan,
I think you are using a very old version of NSM: 2010.3. As per TSB17019, signature update is EOL for the below product versions.
PRODUCT AFFECTED:
For more information please refer to the below mentioned link:
# https://kb.juniper.net/InfoCenter/index?page=content&id=TSB17019&smlogin=true&actp=search
I would recommend you to upgrade the NSM to latest version and then test.
[KUDOS PLEASE! If you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]
Regards,
Rishi
Hi Rishi ,
Thanks for your reply. You are right about my NSM version, but the fact is that despite my old NSM version I was able to update my IDP till last week, just before the change of the 'NSM-SecurityUpdateInfo.dat' file that I mentioned in my earlier post.
Hi Sevan,
I do understand that but there are some changes which have been made as per the EOL which might be causing this issue.
I would recommend you to upgrade the version and then let me know if the issue is still persistent; I will take it further.
Regards,
Rishi
Juniper has a MIB explorer application on the support site.
https://contentapps.juniper.net/mib-explorer/
Using this you can either search for terms in the MIB to find the OID of interest or just navigate the hierarchy online to find what is of interest.
Thanks Rishi
According to your guidance and the documentation I'm convinced to upgrade my NSM and I think it's the right thing to do. But I have questions about this upgrade.
1- My NSM is 2010.3 and if I upgrade from the current release what will happen to my installed license files? (I have a 25 device license installed on my NSM.)
2- How can I export my license files from the current NSM if I need to do a clean install?
3- According to the NSM 2012.2 release note I should go to 2010.3S first and then I can go to 2012.2. My Linux is Red Hat Enterprise 5.4, so which one of these files do I have to download and execute on my server to go to 2010.3S1?
Central Manager upgrade | MD5 SHA1 | 2010.3s1 | zip | 1,022,355,754 | 01 Dec 2011 |
Linux Server | MD5 SHA1 | 2010.3s1 | zip | 1,176,388,021 | 01 Dec 2011 |
Linux System Update utilities | MD5 SHA1 | 2010.3s1 | zip | 77,973,357 | 01 Dec 2011 |
Linux UI client | MD5 SHA1 | 2010.3s1 | zip | 156,077,423 | 01 Dec 2011 |
Offline Server upgrade | MD5 SHA1 | 2010.3s1 | zip | 201,833,135 | 01 Dec 2011 |
Regional Server upgrade | MD5 SHA1 | 2010.3s1 | zip | 1,191,639,748 | 01 Dec 2011 |
Solaris Server | MD5 SHA1 | 2010.3s1 | zip | 1,269,869,762 | 01 Dec 2011 |
Solaris System Update utilities | MD5 SHA1 | 2010.3s1 | zip | 19,042,157 | 01 Dec 2011 |
Windows UI client |
4- After the upgrade to 2010.3S1, which of the files stated in the table "Tools - CentOS5.7" on the 2012.2 download page do I need to download and execute?
* What are the V1, V2, V3 and V4 differences? Do I need both?
5- And my final question: in the above table it says NSM Appliance generic offline. My NSM server is an ordinary HP server and not an Appliance, so is it OK, or do I need to download some other files?
I can just say a big thank you for the time you spend answering my questions. Thank you
Hi Sevan,
Generally if the number of devices managed by NSM is less than 25 then it is the base license used on that server. When you need to manage more than 25 devices you need to purchase an additional license.
On your NSM CLI you can navigate to /var/netscreen/GuiSvr/License and check if you see license.txt there. If yes, move it to your PC using WinSCP. If no, you can assume that it is the base license and proceed with the upgrade.
You need to use the below mentioned file for the linux server:
Linux Server | MD5 SHA1 | 2010.3s1 | zip | 1,176,388,021 | 01 Dec 2011 |
Linux System Update utilities | MD5 SHA1 | 2010.3s1 | zip | 77,973,357 | 01 Dec 2011 |
The files you have mentioned in question #4 are for the hardware appliance; for the Linux server you need to download the same above files from the 2012.2 section.
Regards,
Rishi
Hi Rishi
I want to say thank you for all your effort in helping me through this. You helped me so much. For a final question, as I read the documents I assume these things are correct. Can you verify:
1- Because I have no appliance and I'm on a Linux server, I can go straight to 2012.2 from 2010.3 using 'Linux System Update utilities' and 'Linux Server' with no need to go to 2010.3S1 (if I had an appliance I should, but I don't)?
And as you said, I checked my NSM and the path you mentioned and I'm sure that I'm using the base license, so everything is OK for the upgrade. Thanks
Hi Sevan ,
I request you to please refer to Page-16 for the recommended upgrade paths to 2012.2, following the below mentioned link:
Documentation:
Please let me know if you have further queries.
Regards,
Rishi
Hi,
I have followed this document to establish VPN connection between Juniper SSG140 and iOS device:
But I am stuck on:
2017-01-25 09:09:45 info Rejected an IKE packet on ethernet0/9 from a.b.c.d:500 to w.x.y.z:500 with cookies 1328d54ec3a99964 and 54bd7563665d5c93 because The peer sent a TS that did not match the one in the SA config.
2017-01-25 09:09:45 info IKE V2 w.x.y.z: Received a notification message for 16395 NOTIFY_MSG_NON_FIRST_FRAGMENTS_ALSO.
2017-01-25 09:09:45 info IKE V2 w.x.y.z: Received a notification message for 16394 NOTIFY_MSG_ESP_TFC_PADDING_NOT_SUPPORTED.
2017-01-25 09:09:45 info IKE w.x.y.z IKESA : Completed IKESA negotiations with IKE SA AUTH.
2017-01-25 09:09:45 info IKE w.x.y.z IKESA: Completed for user swissmom-ios-user.
2017-01-25 09:09:45 info IKE V2 w.x.y.z: Received a notification message for 16396 RESERVED TO IANA.
2017-01-25 09:09:45 info IKE V2 w.x.y.z: Received a notification message for 16384 NOTIFY_MSG_INITIAL_CONTACT.
2017-01-25 09:09:45 info IKE w.x.y.z CHILD SA with IKE SA INIT: Initiated negotiations.
2017-01-25 09:09:45 info IKE V2 w.x.y.z: Received a notification message for 16430 RESERVED TO IANA.
2017-01-25 09:09:45 info IKE V2 w.x.y.z: Received a notification message for 16389 NOTIFY_MSG_NAT_DETECTION_DESTINATION_IP.
2017-01-25 09:09:45 info IKE V2 w.x.y.z: Received a notification message for 16388 NOTIFY_MSG_NAT_DETECTION_SOURCE_IP.
2017-01-25 09:09:45 info IKE V2 w.x.y.z: Received a notification message for 16406 RESERVED TO IANA.
2017-01-25 09:09:45 info IKE w.x.y.z IKESA: Responder starts negotiations.
Can someone please explain to me what this message (The peer sent a TS that did not match the one in the SA config) means and how I can potentially fix it? From the log reference guide:
https://www.juniper.net/techpubs/software/screenos/screenos6.3.0/630_messages.pdf
on page 287 I can only see this explanation:
"The Traffic Sector (TS) payload (local and remote subnets protected by this tunnel) within the message was not consistent with the TS setting for this VPN configuration."
But what does it mean exactly for me? How can I check the local and remote subnets protected by my tunnel? Which settings?
Thanks,
Matthias