Screen OS

  • 1.  Can´t flash beyond 6.2.0r3 (NS-5GT)

    Posted 10-15-2013 13:46
    Hi there, I bought an old NS-5GT with FW 6.2.0r2 and wanted to upgrade to the latest r18. I did that via the GUI. This resulted in a boot loop :( So I decided to try some versions between r2 and r18, of course via TFTP. I found out that any version higher than r3 puts the device into the boot loop... So, how do I bring my device up to date? What did I do wrong? Maybe I need a different loader? The current loader is 2.1.0. Any help would be nice, thank you in advance. Cheers Voivod


  • 2.  RE: Can´t flash beyond 6.2.0r3 (NS-5GT)

     
    Posted 10-15-2013 14:01

    Hello.

     

    What outputs do you get?

     

    - get mem

    - get file info

    - get system | inc memory

     

     

    Also, after you load, say 6.2.0r14, and reboot, what do you see in the console output?

     

    Regards,

    Sam



  • 3.  RE: Can´t flash beyond 6.2.0r3 (NS-5GT)

    Posted 10-15-2013 22:06

    Hi Sam,

     

    thanks for your fast answer. Here are the results you requested:

     

    ns5gt-> get mem
    Memory: allocated 32375120, left 53092592, frag 10, fail 0
    
    ns5gt-> get file info
    There are 8906752 bytes free (31262720 total) on disk "flash:"
    
    ns5gt-> get system | inc memory <--- leads to a blank output
    
    ns5gt-> get system
    Product Name: NetScreen-NS5GT
    Serial Number: xxxxxxxxxxxxxxx, Control Number: 00000000
    Hardware Version: 1010(0)-(00), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
    Software Version: 6.2.0r3.0, Type: Firewall+VPN
    Compiled by build_master at: Mon Jul 6 15:58:41 PDT 2009
    Base Mac: yyyyyyyyyyyyyyy
    File Name: ns5gt.6.2.0r3.0, Checksum: e86b456e
    
    
    Date 10/16/2013 06:41:33, Daylight Saving Time enabled
    The Network Time Protocol is Enabled
    Up 0 hours 2 minutes 46 seconds Since 16Oct2013:06:38:47
    Total Device Resets: 1, Last Device Reset at: 01/01/1997 00:39:28
    
    Box in trust-untrust mode
    
    System in NAT/route mode.
    
    Use interface IP, Config Port: 80
    Manager IP enforced: False
    Manager IPs: 0
    
    Address                                  Mask                                     Vsys
    ---------------------------------------- ---------------------------------------- --------------------
    User Name: admin
    
    Interface trust:
      description trust
      number 2, if_info 176, if_index 0, mode nat
      link up, phy-link up/full-duplex
      status change:1, last change:10/16/2013 06:39:13
      vsys Root, zone Trust, vr trust-vr
      dhcp client disabled
      PPPoE disabled
      admin mtu 0, operating mtu 1500, default mtu 1500
        route-deny disable
      bandwidth: physical 100000kbps, configured egress [gbw 0kbps mbw 0kbps]
                 configured ingress mbw 0kbps, current bw 0kbps
                 total allocated gbw 0kbps
    Interface untrust:
      description untrust
      number 1, if_info 88, if_index 0, mode route
      link down, phy-link down
      status change:0
      vsys Root, zone Untrust, vr trust-vr
      dhcp client enabled
      PPPoE disabled
      admin mtu 0, operating mtu 1500, default mtu 1500
      route-deny disable
      bandwidth: physical 0kbps, configured egress [gbw 0kbps mbw 0kbps]
                 configured ingress mbw 0kbps, current bw 0kbps
                 total allocated gbw 0kbps
    Interface serial:
      description serial
      number 6, if_info 528, if_index 0
      link down, phy-link down
      status change:0
      vsys Root, zone Null, vr untrust-vr
      admin mtu 0, operating mtu 1500, default mtu 1500
      bandwidth: physical 92kbps, configured egress [gbw 0kbps mbw 0kbps]
                 configured ingress mbw 0kbps, current bw 0kbps
                 total allocated gbw 0kbps
    
    
    
    Done.
    
    
    
    Juniper Networks, Inc
    NS-5GT System Software
    Copyright, 1997-2008
    
    Version 6.2.0r4.0
    Load Manufacture Information ... Done
    
    Initialize FBTL 0.... Done
    Load NVRAM Information ... (6.2.0)Done
    SYIMAGE
    Install module init vectors
    build and grow heap:system, order:13
    The device is storing the firmware into reserved flash sectors.
    Please do not power off the device during this operation. Doing so could result in loss of firmware.
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    The device successfully completed the operation.
    
    Initial port mode trust-untrust(1)
    Install modules (00ff4800,01bf73f8) ...
    PPP IP-POOL initiated, 256 pools
    System config (1793 bytes) loaded
    
    Done.
    Load System Configuration ...............................................................................................................................Disabled licensekey auto update
    ....................Done
    system init done..
    login: trust interface change physical state to Up
    System change state to Active(1)
    ###Crash Time: 16Oct2013:06:52:09###
    System Level:
    Image In Task Level
    Current Task Is:sys up id = 77
    
    *********************************************************
                      Exception Dump
    *********************************************************
    System up time: 0 hours 0 minutes 48 seconds
    Version 6.2.0r4.0
    Exception(Data Abort Exception code(1002))
    Exception address: 00496c3c
    Registers of Main Processor:
    R0:      00000000   R1:      00000001  R2:      0000008d
    R3:      0199ad74   R4:      8606e298  R5:      8c6eaa64
    R6:      79f91dc0   R7:      05f22730  R8:      00000024
    R9:      00000000   R10(sl): 8bffff80  R11(fp): 8bfffee8
    R12(ip): 79f91d9c   R13(sp): 8bfffec8  r14:     00496c44
    lr:      00807524   SPSR:    20000010  CPSR:    20000097
    The registers of control processor 15:
    CR1ARM:  000031FF   CR1XSCALE:  00000000   CR2:     04fdc000
    CR3:     000000E4   CR4:        Reserved   CR5:     000000f5
    CR6:     8C6EAA84   CR7:        N/A        CR8:     N/A
    CR9:     00000000   CR10:       N/A        CR11:    Reserve
    CR12:    Reserve    CR13:       00000000
    Stack dump:
    8bfffe48: 05 f2 27 30 00 00 00 24 00 00 00 00 8b ff ff 80
    8bfffe58: 8b ff fe 88 8b ff fe 68 00 80 87 b8 00 fb d0 ac
    8bfffe68: 00 a7 77 38 00 00 00 00 00 00 00 00 86 06 e2 98
    8bfffe78: 06 67 c7 cc 8b ff fe c4 8b ff fe 9c 00 49 6b f0
    8bfffe88: 00 80 87 40 01 03 90 b8 05 f2 27 30 ff ff ff ff
    8bfffe98: 01 99 ad 74 00 00 00 00 86 06 e2 98 06 67 c7 cc
    8bfffea8: 00 00 00 58 05 f2 27 30 00 00 00 24 8b ff ff 80
    8bfffeb8: 8b ff fe e8 8b ff fe c8 00 49 6c b4 00 49 6a 98
    8bfffec8: 00 00 00 84 02 30 d3 d0 06 67 c7 a0 00 00 00 00
    8bfffed8: 01 c0 73 1c 8b ff fe f8 8b ff fe ec 00 49 6d 2c
    8bfffee8: 00 49 6c 24 8b ff ff 14 8b ff fe fc 00 49 6d bc
    8bfffef8: 00 49 6c e4 00 00 00 01 00 00 00 02 00 00 00 01
    8bffff08: 8b ff ff 30 8b ff ff 18 00 49 f4 a4 00 49 6d 4c
    8bffff18: 8b ff ff 80 00 49 f3 4c 00 00 00 00 8b ff ff 4c
    8bffff28: 8b ff ff 34 00 a6 ca 88 00 49 f3 58 00 00 00 04
    8bffff38: 01 fd 34 78 03 10 59 4c 8b ff ff 7c 8b ff ff 50
    8bffff48: 00 a6 cb f0 00 a6 ca 08 00 00 00 01 00 00 00 01
    8bffff58: 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00
    8bffff68: 00 00 00 00 00 00 00 00 8b ff ff ac 8b ff ff 80
    8bffff78: 00 a6 d2 b4 00 a6 cb 50 00 00 00 02 00 00 00 02
    8bffff88: 00 00 00 01 8b ff ff bc 8b ff ff 9c 00 e6 32 48
    8bffff98: 00 3a 58 1c 00 a6 d1 0c 8b ff ff bc 8b ff ff b0
    8bffffa8: 00 a6 d1 28 00 a6 d2 2c 00 00 00 00 8b ff ff c0
    8bffffb8: 00 3a 58 1c 00 a6 d1 18 00 00 00 00
    Trace Dump:
    00496c3c 00807524 00496d2c 00496dbc 0049f4a4 00a6ca88 00a6cbf0 00a6d2b4
    00a6d128 003a581c
    FP Trace Dump:
    00000000 00000000 8bfffee8 8bfffef8 8bffff14 8bffff30 8bffff4c 8bffff7c
    8bffffac 8bffffbc
    Crash dump, the system will reboot...
    Crash dump is done.
    

     Everything runs fine, until the reboot...

     

    Thanks a lot for any help

     

    Cheers

    Voivod



  • 4.  RE: Can´t flash beyond 6.2.0r3 (NS-5GT)

     
    Posted 10-17-2013 07:10

    Hello.

     

    How long before the firewall experiences the crash upon reboot?

     

    From the console output, the firewall crashes after loading the config and status changes to 'active'... there also may be something in the config causing an issue.

     

    Unfortunately, I don't have the tools to break down the trace output.

     

    for potential config conflict:

    ===================

    * while running 6.2.0r3, set the box to factory defaults -- enter serial# as both login/password.

    * try loading later version of 6.2.x and see if that works.

     

     

    To clean up the flash (optional):

    ================

    Also, recommend freeing space on the flash.  I have a feeling that there were a lot of leftover files left on the flash -- most likely AV related files.

     

    I recommend the following --

     

    1. remove any license not being used.-- especially anti-spam, AV, web-filtering licenses. These are not supported in 6.2 anyway.

    "get license" to see what's installed

    "exec license delete <key name>" (i.e. "exec license delete av_v2_key")

    reboot

     

    2. format the flash. I think this is the best way to start from a clean slate, but I can't find the KB on formatting 5GT flash... used to be there. Perhaps someone from JTAC can find it for us?

     

    In the meantime, you can do: "exec vfs ls flash:" to list the files

    And we can "exec vfs unlink flash:<filename>" to delete the files

     

     

     

    Regards,

    Sam
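
Added example (not part of the original posts and not a Juniper tool): a small parser that pulls the triage fields out of a console capture like the one in post 3, including the last boot stage printed before the crash marker, so that dumps from repeated reboots can be compared. The sample input is abridged from that capture; the field names and function name are this example's own.

```python
import re

# Abridged from the console capture posted in this thread (stack dump omitted).
SAMPLE = """\
System change state to Active(1)
###Crash Time: 16Oct2013:06:52:09###
Current Task Is:sys up id = 77
Version 6.2.0r4.0
Exception(Data Abort Exception code(1002))
Exception address: 00496c3c
Trace Dump:
00496c3c 00807524 00496d2c 00496dbc 0049f4a4 00a6ca88 00a6cbf0 00a6d2b4
00a6d128 003a581c
FP Trace Dump:
Crash dump, the system will reboot...
"""

FIELDS = {
    "crash_time": r"###Crash Time: (\S+?)###",
    "task": r"Current Task Is:(.+)",
    "version": r"^Version (\S+)",
    "exception": r"Exception\((.+)\)\s*$",
    "address": r"Exception address: ([0-9a-fA-F]{8})",
}
HEX_ROW = re.compile(r"^(?:[0-9a-fA-F]{8}\s*)+$")

def parse_crashes(console: str) -> list[dict]:
    """Split a console capture on crash markers and summarise each dump."""
    crashes = []
    parts = console.split("###Crash Time:")
    for before, chunk in zip(parts, parts[1:]):
        text = "###Crash Time:" + chunk
        rec = {k: (m.group(1).strip() if (m := re.search(p, text, re.M)) else None)
               for k, p in FIELDS.items()}
        # Last non-empty console line before the marker = boot stage reached.
        prior = [l.strip() for l in before.splitlines() if l.strip()]
        rec["last_stage"] = prior[-1] if prior else None
        # Trace addresses: hex rows after "Trace Dump:" up to the next label.
        trace, collecting = [], False
        for line in text.splitlines():
            if line.strip() == "Trace Dump:":
                collecting = True
            elif collecting and HEX_ROW.match(line.strip()):
                trace += line.split()
            elif collecting:
                break
        rec["trace"] = trace
        crashes.append(rec)
    return crashes
```

Two dumps with the same exception address and trace point at the same fault recurring on each boot, which is the comparison to make after each cleanup step.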



  • 5.  RE: Can´t flash beyond 6.2.0r3 (NS-5GT)

    Posted 10-19-2013 08:23

    Hi Sam, sorry for the late answer, gotta lot of work...

     

    So, what happened...

    The firewall is coming up, reachable for 5 pings or so and then reboots...

     

    Factory Reset

    I already did a factory reset via pinhole when the item arrived here. Do you think I must redo the factory reset then?

     

    What I did now:

    ns5gt-> get license
    capacity_key        : *not interesting*
    
    Sessions:           2064 sessions
    Capacity:           unlimited number of users
    NSRP:               Disable
    VPN tunnels:        10 tunnels
    Vsys:               None
    Vrouters:           3 virtual routers
    Zones:              8 zones
    VLANs:              10 vlans
    Drp:                Enable
    Deep Inspection:    Disable
    Deep Inspection Database Expire Date: Disable
    Signature pack:     N/A
    IDP:                Disable
    AV:                 Disable(0)
    Anti-Spam:          Disable(0)
    Url Filtering:      Disable
    
    Update server url: nextwave.netscreen.com/key_retrieval
    License key auto update : Disabled
    Auto update interval : 0 days

     

    So what can I delete?

     

    On the flash, I see something like that:

    ns5gt-> exec vfs ls flash:
        $NSBOOT$.BIN              11,157,504
        envar.rec                 100
        node_secret.ace           0
        golerd.rec                1,220
        dnstb.rec                 63
        dhcpservl.txt             132
        burnin_log1               10,240
        burnin_log0               10,240
        syscert.cfg               1,167
        certfile.cfg              3,208
        certfile.dsc              504
        license.key               364
        ns_sys_config             1,793
        pkidatabase.digest        20
        ns_sys_cfg.sig            20
        NS5GT620.0                11,151,918
      8,906,752 bytes free (31,262,720 total) on disk

     

    Shall I scrub anything?

     

    Thanks for your patience and help.

     

    Cheers

    Voivod

     

     



  • 6.  RE: Can´t flash beyond 6.2.0r3 (NS-5GT)
    Best Answer

     
    Posted 10-21-2013 06:53

    Hi.

     

    I recommend first trying this:

     

       exec vfs unlink flash:/dnstb.rec
       exec vfs unlink flash:/dhcpservl.txt

       reset

     

    Then try to upgrade to a later version of 6.2.

     

    If the reboot continues and if you don't mind starting from scratch -- suggest the following... have a tftp server handy, as well as a copy of the 6.2.x image

     

    1. save your config

          save config to tftp x.x.x.x backup.config

     

    2. Note the files stored in the flash root directory:

     

         exec vfs ls flash:

     

    3. Unmount flash:

     

        exec vfs unmount flash 0x80000

     

    4. Format the flash:

     

        exec vfs format device flash

     

    5. Mount flash disk back:

     

        exec vfs mount flash flash fat

     

    6. load latest 6.2 image via tftp:

     

       save software from tftp x.x.x.x ssg5ssg20.6.2.0rXX.0 to flash

     

    7. reset

     

    8. once the device reboots, everything will be at factory defaults. If no more reboot loop, then upload the saved config (or copy/paste).

     

     

     

    Hope this helps.

     

    Regards,

    Sam



  • 7.  RE: Can´t flash beyond 6.2.0r3 (NS-5GT)

    Posted 10-21-2013 10:54

    Yes! Sam, you are the man!

     

    Just did the first part

    exec vfs unlink flash:/dnstb.rec
    exec vfs unlink flash:/dhcpservl.txt
    reset

     and it comes up with no pain @6.2.0r18!

     

    Thanks a lot!

     

    Cheers

    Voivod

     

    When you are in Germany, come and visit me for a beer or two 😉



  • 8.  RE: Can´t flash beyond 6.2.0r3 (NS-5GT)

     
    Posted 10-21-2013 11:30

    Nice!

     

    So this confirms that the main issue was the crash related to dns and/or dhcp service on the firewall.  The firewall saves the allocated ip info on the flash in case the firewall reboots.

     

    I don't recall the specifics, but there was an issue when upgrading to a later version of 6.2, and the firewall crashes... JTAC has a special intermediary ScreenOS to upgrade to before upgrading to 6.2.rX.

     

    Glad you got it working! 

     

     

    Regards,

    Sam