Channel: All ScreenOS Firewalls (NOT SRX) posts

Re: Bogus image message

Hello Reload, Greetings!! From the problem I can see there is a problem while installing ScreenOS firmware and you are getting the error mentioned. Kindly follow the below steps: 1. Upload an image on the...

View Article



Re: Bogus image message

Hi Reload, I believe this is where you are getting stuck at: SSG550-> save software from tftp 172.22.152.251 new/ssg500.6.3.0r17.0 to flash Load software from TFTP 172.22.152.251 (file:...

View Article



Re: Bogus image message

Hi Reload,  Greetings, I believe these logs, i.e. bogus image not authenticated are observed because the ScreenOS firmware is not successfully authenticated by the new image key during...

View Article

Re: Bogus image message

The issue comes from the change in signing key from Juniper in 2017. When you get this error follow these instructions. More information is in this blog....

View Article

Re: Bogus image message

Hi Reload, Good day!! Can you use following link to downgrade the OS? http://kb.juniper.net/InfoCenter/index?page=content&id=KB5519&actp=search Note:- While device boots up, you have to take...

View Article


Re: SSG to SRX conversion tool

Thanks for the reply. Our fantastic JTAC is still trying to figure out the access issue, it has been 3 days escalated. Are you referring to Juniper Firewall Migration Cloud tool in...

View Article

Filter only incoming ssh

Moved to SRX Forum

View Article

SSG to srx conversion Juniper Firewall Migration Cloud is down

Both the SSG to SRX conversion tools have been decommissioned this year. https://migrationtools.juniper.net/s2j/index.jsp JTAC confirmed below tool is also down & going to be...

View Article


Re: SSG to srx conversion Juniper Firewall Migration Cloud is down

Hello, At the moment, the only conversion tool available for the public is https://migrationtools.juniper.net/i2j/ and I think it is decommissioned already. The second tool which you have mentioned -...

View Article


Creating 2 IPSec tunnels as primary and secondary to a remote office on a...

I have a Juniper SSG-320 FW. I would like to create two IPSec tunnels to another office. One is primary and the other one is secondary. The remote destination subnet is the same because its an office....

View Article

Re: Creating 2 IPSec tunnels as primary and secondary to a remote office on a...

Hello Gilles, I don't understand this part - The remote destination subnet is the same because its an office.  I can see that the destination network is 192.168.1.0/24 and the source network is...

View Article

Re: Creating 2 IPSec tunnels as primary and secondary to a remote office on a...

Sorry. Disregard that sentence. There is no overlap. You can just refer to the diagram I posted. Is it possible to have this setup?

View Article

Re: Creating 2 IPSec tunnels as primary and secondary to a remote office on a...

From your SSG if you have two external interfaces (say eth0 and eth1) connecting Cisco Router-1 and Cisco Router-2 then it is pretty straightforward. Create 2 Route-based VPN. If you have only one...

View Article


Re: Creating 2 IPSec tunnels as primary and secondary to a remote office on a...

Thanks. That document helps. My setup would be a multi point. Also, for both the metric and preference, which is preferred? Higher or lower?

View Article

Re: Creating 2 IPSec tunnels as primary and secondary to a remote office on a...

For a straight up primary and backup vpn as in your diagram you can use the ScreenOS group feature.  I have a configuration outline posted on my blog....

View Article


Re: Creating 2 IPSec tunnels as primary and secondary to a remote office on a...

Hi Gilles, When you have two routes towards the same destination in your routing table given by two different protocols, e.g. static route and BGP route, and if you want to choose one route as Active,...

View Article

Re: Creating 2 IPSec tunnels as primary and secondary to a remote office on a...

Thank you very much! Does this configuration also work on the Juniper SRX? If so, do you have documentation on the SRX configuration, or is it the same as the SSG? Is there also a way to import/export an...

View Article


Re: Creating 2 IPSec tunnels as primary and secondary to a remote office on a...

This configuration example is only applicable on ScreenOS.  This feature uses policy based vpn with active/passive failover. The feature was never migrated to the SRX/Junos platform. 

View Article

Re: Creating 2 IPSec tunnels as primary and secondary to a remote office on a...

But can the SRX do some kind of IPsec tunnel failover? Sent from Samsung Note

View Article

Re: Creating 2 IPSec tunnels as primary and secondary to a remote office on a...

Hello Gilles, Yes, we can configure primary/backup VPN in SRX and route failover is supported with IP monitoring feature. [J/SRX] Example – Configuring a primary and backup VPN with route failover...

View Article

VPN Creating Between Cisco RV340 and Juniper Netscreen Firewall

Dear Team, I have created VPN as per standard procedure in Juniper and Cisco side both. I'm getting an error which I have attached on this article, please check and let us know. I want to know in this case...

View Article


Re: VPN Creating Between Cisco RV340 and Juniper Netscreen Firewall

The issue seems to be a mismatch with the ScreenOS proxy-id configuration versus the Cisco ACL setup.  This kb walks through how to identify where to look based on the details of the message....

View Article


SSG-140, Route based VPN: How to deny incoming IKE from specific IP?

Hi Community, My SSG-140 is receiving IKE packets (Initial Phase 1 packet) every 10 seconds from an unrecognized peer gateway; I see its source IP in the event log. I've tried to implement deny policy...

View Article

Re: SSG-140, Route based VPN: How to deny incoming IKE from specific IP?

Traffic processed by the firewall itself is NOT covered by policies which apply to transit traffic that cross the firewall.  So you cannot apply a policy in this fashion to block the vpn requests. The...

View Article

Re: SSG-140, Route based VPN: How to deny incoming IKE from specific IP?

Thank you for the reply, Steve. So, if I understand correctly, there is no way to block the VPN requests from specific IP(s)? In the Settings/Admin I've not found anything suitable for that. Dmitry

View Article


Re: SSG-140, Route based VPN: How to deny incoming IKE from specific IP?

Yes, this is not an option to block on ScreenOS. There is an option for these policies with Junos on the SRX. 

View Article


SSG140 Interface 0/9 traffic Bandwidth issue

Hi, I'm trying to connect a 500mb internet link to replace the current 100mb link. When I check the interface bandwidth report, it's still showing Ethernet 0/9 100Mbps as in the snapshot attached. However, when I...

View Article

Re: SSG140 Interface 0/9 traffic Bandwidth issue

That column in the report is the physical link limit. This looks like the port might be connected to a fast-ethernet switch port.  As long as the gig port is coming up at physical 100 you won't be able...

View Article

Netscreen ScreenOS 6.3.0r26 - How to enable openSSH CTR Ciphers to be...

I am having trouble finding how to prefer CTR ciphers for SSH over the weaker CBC Mode ciphers.  Currently I only see AES-128, AES-192 and AES-256 available in ScreenOS.  Are CTR ciphers available with...

View Article



Re: Netscreen ScreenOS 6.3.0r26 - How to enable openSSH CTR Ciphers to be...

For the ScreenOS 6.3 EOL milestones this is the document.  This was pushed again to May 2021 https://support.juniper.net/support/eol/software/screenos/ The hardware listing is on this document also May...

View Article

Re: Netscreen ScreenOS 6.3.0r26 - How to enable openSSH CTR Ciphers to be...

Steve, Thanks for your response but can I get more detail on the download you were speaking to? Is it the software download? I need to provide information to our auditors so I could benefit if you...

View Article

Re: Netscreen ScreenOS 6.3.0r26 - How to enable openSSH CTR Ciphers to be...

Sorry for the confusion, by download I just meant the ScreenOS software itself.  I saw the same as you looking on my SSG line device. 

View Article

Re: Netscreen ScreenOS 6.3.0r26 - How to enable openSSH CTR Ciphers to be...

Oh so you basically just went into your device to verify what you see in the software.  Can you share the command you used to bring those up?

View Article


Re: SSG140 Interface 0/9 traffic Bandwidth issue

Thanks for the reply. It means this gig port on SSG140 is not compatible with switch/router installed by ISP? I did test the speed from direct connect to my laptop and it can reach 490/490. Will...

View Article

SRX340 Issue to Ping interfaces

Moved to SRX Forum

View Article

DST Nat without VIP

Hello, Am trying to setup destination NAT on a SSG 350m. Internet -> SSG 350m -> Internal machine 24.12.0.2 -> 192.168.1.1 -> 192.168.1.111 UDP/30200 -> -> UDP/30200 Policy: set...

View Article


Re: Netscreen ScreenOS 6.3.0r26 - How to enable openSSH CTR Ciphers to be...

What I see is that even after upgrade to the latest version I still have OSX complaining about ScreenOS using weak ciphers.  I can override this warning and connect anyway.   The admin > management...

View Article


Re: SSG140 Interface 0/9 traffic Bandwidth issue

This is not a firmware issue but a negotiation between the SSG and the connected switch.   Since your laptop works connecting GE to the port that side is likely configured at GE auto-neg. Check the...

View Article

Re: SSG140 Interface 0/9 traffic Bandwidth issue

Thanks Steve, Any docs or CLI commands you could provide to reset GE? Am I able to reset/reconfigure it from GUI or CLI only? Please advise, Thanks again. Felix

View Article

Re: SSG140 Interface 0/9 traffic Bandwidth issue

I don't have an SSG with gig interfaces to test but I think this is the command format: set interface eth0/9 phy 1000mb

View Article


Re: SSG140 Interface 0/9 traffic Bandwidth issue

Thanks for the reply. Would these changes impact the current existing 100M link connected once it is implemented? Are we able to see these changes from GUI without connecting to the new 500M link? Or CLI...

View Article


Re: SSG140 Interface 0/9 traffic Bandwidth issue

When you apply these commands it overrides auto-neg and forces the specified speed. This will bounce the interface and reconnect if manual connection is accepted by the partner. If the switch port does...

View Article

Re: SSG140 Interface 0/9 traffic Bandwidth issue

Thanks Steve, Could you please advise what the command is for changing back to auto, in case set interface eth0/9 phy full 1000mb didn't overwrite well, so I can roll back? Thanks

View Article


Re: SSG140 Interface 0/9 traffic Bandwidth issue

Reverting the interface to the default auto-neg would be: set interface eth0/9 phy auto

View Article

How to Migrate SSG140 to SRX?

SSG config.
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth-server "SSG" id 1
set auth-server "SSG" server-name "10.10.10.10"
set auth-server "SSG" account-type admin set...

View Article


Re: How to Migrate SSG140 to SRX?

This assumes the radius accounting is on your tac-plus server. And you will need to substitute the local ip address for the interface in the original configuration. set system authentication-order...

View Article

SSG-550M Random ARP Drops Log - packet dropped pakQ full 201

Seem to be hitting strange problem - ARP packets being randomly dropped. Logs from SSG showing the following: packet dropped pakQ full 201 Any ideas, perhaps reaching maximum allowed ARP entries? 

View Article

Re: SSG-550M Random ARP Drops Log - packet dropped pakQ full 201

I've not seen that error log before. But you can confirm your max arp limits by running: get sys-cfg And see the current usage along with the max on the device at any moment with: get arp So if you can...

View Article


Re: SSG140 Interface 0/9 traffic Bandwidth issue

Thanks Steve, Confirmed with ISP. They configured NTU port as auto negotiate. When I change 0/9 to auto, we can achieve the expected speed which firewall can handle. I also have an issue regards of VPN....

View Article



SSG140 VPN access failed with A Phases 2 packet arrived while XAuth was still...

Hi Team, We recently upgraded the internet link. The SSG140 was working fine with old link and VPN access via VPN access Manager. But since we upgraded the link with WAN info (didn't touch any other...

View Article


