New User
SOCKMD
Posts: 3
Registered: ‎01-22-2009

Making a new authentication server deletes a random older one!

We have a clustered environment of two SA6000 boxes, in active/passive.

Our own company uses it, as well as a number of customers, on overall 16 IVSes so far.

We finally took the plunge and upgraded from 5.5R7 to 6.2R3.1. Release notes indicated this was an okay upgrade path to take, and I also called JTAC and had them confirm that this was the recommended release to upgrade to from ours.

After the upgrade though, we are seeing quite a few bugs!

The most serious one is regarding authentication server. If we try and make a new authentication server, of any kind, on any of the IVSes, the system will automatically delete one of the older ones! On one of the IVSes it even deleted the authentication server called "Administrators", which normally can't be deleted. Realms and roles and so forth just map to the newly created one, if they mapped to the deleted one.

Anyone else seen anything like this? The odd thing, it's only a problem on IVSes made before the upgrade. If we make an IVS and create new authentication servers, it works as intended. Problem is, we have a lot of local authentication databases, and have no way of exporting and importing all the users in these.

Have a JTAC case open on this, but so far they haven't come up with anything at all. So thought I'd post here too, in case anyone has seen anything similar.

Thanks in advance for any feedback you can provide on this.

Trusted Contributor
Mrkool
Posts: 249
Registered: ‎02-28-2008

Re: Making a new authentication server deletes a random older one!

Well, from 5 to 6 was a major code change. I only have a handful of Auth servers and we rarely create new ones so I cannot help you with that, but if you have a lab box, have you tried upgrading to the 6.4beta and see if the problem exists?
SA-6500 (7.3R3) Production
MAG 4610 (7.4) Lab
Recognized Expert
kenlars
Posts: 420
Registered: ‎03-24-2008

Re: Making a new authentication server deletes a random older one!

If you have a lab box or can break your cluster and persuade Juniper to give you licenses to run the passive device as a primary, I'd recommend using the function to duplicate an IVS to create a "new" IVS with the same authorization settings as an "old" IVS. This might give you a way to recreate your IVSs without having to reconfigure like crazy.

Ken

New User
SOCKMD
Posts: 3
Registered: ‎01-22-2009

Re: Making a new authentication server deletes a random older one!

I'm afraid the only lab box we have is a SA 700, and not much I can do with that on this particular issue.

Breaking the cluster is also not an option, as this cluster is in production and our customers paid good money to get redundancy, so we can't just take that away and hope nothing goes wrong while we've done this.

I actually tried making a new IVS on the production system, and chose to make it a copy of an existing one. The copy had the same error, so that doesn't solve anything, apparently.

Seems the case has just been escalated, so I'm hoping Juniper will take a more serious look at the problem now...

Thanks for your answers though guys.
