Screen OS

  • 1.  HTTPS/SSL management Access to NS25 not working

    Posted 08-11-2009 07:17

    Was wondering if someone could help.

    I have a number of NetScreen/SSG boxes I am working on and all have been straightforward to configure for management via HTTPS.  I have two boxes however that I cannot get this to work on and I'm not sure why.  I have set the interface manage option to allow SSL, and the SSL enable tick box is ticked.  I'm not sure what else to check.  Any ideas?  I ran a debug flow basic and can see the 443 packets hit the firewall but I don't get the admin login page.  Is there anything simple I missed?

    FW 1 Screen OS 5.3.0R2

    FW 2 Screen OS 5.0.0 R8

    ns25-> get int eth3
    Interface ethernet3:
      number 6, if_info 1248, if_index 0, mode nat
      link up, phy-link up/full-duplex
      vsys Root, zone Untrust, vr trust-vr
      dhcp client disabled
      PPPoE disabled
      admin mtu 0, operating mtu 1500, default mtu 1500

      route-deny disable
      pmtu-v4 disabled
      ping disabled, telnet enabled, SSH disabled, SNMP disabled
      web enabled, ident-reset disabled, SSL enabled
      DNS Proxy disabled, webauth disabled, webauth-ip 0.0.0.0
      OSPF disabled  BGP disabled  RIP disabled  RIPng disabled  mtrace disabled
      PIM: not configured  IGMP not configured
      bandwidth: physical 100000kbps, configured egress [gbw 0kbps mbw 0kbps]
                 configured ingress mbw 0kbps, current bw 0kbps
                  total allocated gbw 0kbps
      DHCP-Relay disabled
      DHCP-server disabled

     

    Any help would be much appreciated.

     

     

     



  • 2.  RE: HTTPS/SSL management Access to NS25 not working

    Posted 08-11-2009 09:03

    Just to add, I Wiresharked the session and I get the following error from the firewall before I send back a FIN and the session closes:

    SSLv3 Record Layer: Alert (Level: Fatal, Description: Bad Record MAC)



  • 3.  RE: HTTPS/SSL management Access to NS25 not working

    Posted 08-11-2009 09:26

    Did you enable SSL management for admin? Through the GUI it is Admin/Management - then check the SSL box. Can't remember the CLI command off the top of my head right now



  • 4.  RE: HTTPS/SSL management Access to NS25 not working

    Posted 08-11-2009 15:07
    The option is already selected and I can see this from CLI with a get ssl.


  • 5.  RE: HTTPS/SSL management Access to NS25 not working

    Posted 08-11-2009 21:47
    Are you using the default self-signed cert, or one of your own?  Since it is failing at the SSL level, it appears it is passing simple 3-way TCP connection.  Try running a debug ssl all, and see if it complains about a bad cert or something to that effect.  Also, confirm if other management is possible (e.g.  telnet, ssh, webui).


  • 6.  RE: HTTPS/SSL management Access to NS25 not working

    Posted 08-12-2009 04:09

    Hello Oldtimer,

    Good pointer, a bit daft of me to start Wiresharking and forget about debug on the FW.  Anyway the debug showed me the following:

    ssl server new socket. queue count(0)
    SSL master_socket(143)
    SSL accept_socket(39)
    free ssl_ctx
    MSG:PKI_CID_FAKE_CERT_REQ send to PKI. mail count(1).
    SSL get system generated self signed cert.
    ## 2009-08-12 19:50:18 : self cert bad key <0184c3cc><0184c740><01833ce8>.
    extra_certs num = 0
    SSL context init succeed
    ssl_state: sslStateCertVerified
    SSL Connection Init
    SSL set server mode
    SSL_accept:before SSL initalisation
    SSL_accept:SSLv3 read client hello A
    SSL_accept:SSLv3 write server hello A
    SSL_accept:SSLv3 write certificate A
    SSL_accept:SSLv3 write server done A
    SSL_accept:SSLv3 flush data
    SSL: HDSK break for(;;)
    SSL: HDSK ssl3_accept end
    SSL: do handshake_func
    SSL_accept:SSLv3 read client certificate A
    SSL: HDSK SSL3_ST_SR_CERT_A|SSL3_ST_SR_CERT_B ret(-1)
    SSL_accept:SSLv3 read client certificate A
    SSL: HDSK SSL3_ST_SR_KEY_EXCH_A|SSL3_ST_SR_KEY_EXCH_B
    SSL_accept:SSLv3 read client key exchange A
    SSL3 alert write:fatal:bad record mac
    SSL: HDSK ssl3_accept end
    SSL_accept:error in SSLv3 read certificate verify A
    ssl state sslStateFailedssl close socket(39)
    ssl closing accept socket(39)
        free ssl sock(39)
    ConnectionsActive: --

    As you can see the same error I saw in the packet trace comes up (bad record mac).  I found a similar forum entry from 2006 where someone had the same issue when using Internet Explorer 6.  They were advised to set up IE for SSL v3 only, which I am already set to!  I downloaded Firefox and all is OK from that!  I don't fully understand why it's not working from IE (I am running IE version 7) but am happy to use Firefox for now.  The other solution mentioned was a ScreenOS upgrade, which I need to do anyway, so hopefully that will sort it.  Thanks for your pointer.

    RK



  • 7.  RE: HTTPS/SSL management Access to NS25 not working
    Best Answer

    Posted 08-12-2009 04:12
    I managed to get it working from Internet Explorer by unselecting the Use TLS 1.0 box.
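    Reading the Wireshark alert in post 2, the debug output in post 6 and the TLS 1.0 fix in post 7 together, the useful thing to have on hand is a way to read the record layer of such a session from raw bytes. The following Python is an added example, not code from the thread or from Juniper: it parses SSL/TLS records, reports the version a client offers in its ClientHello and decodes alert records (the fatal "bad record MAC" alert is level 2, description 20 in the SSLv3/TLS alert numbering). The helper names (parse_records, build_client_hello, explain, SAMPLE_CAPTURE) and the sample bytes are this example's own constructions; the code only decodes what is on the wire and does not determine why the firewall failed the MAC check.

```python
# Added example (not from the thread or from Juniper): decode the SSL/TLS record
# layer of a captured management-port session so the version the browser offered
# and the alert the firewall answered with can be read from raw bytes.
# Helper names and the sample bytes below are constructed for this example.
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0",
            0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Alert descriptions from the SSLv3/TLS alert protocol; 20 is the one in the thread.
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message",
                      20: "bad_record_mac", 40: "handshake_failure",
                      42: "bad_certificate", 70: "protocol_version"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   14: "server_hello_done", 16: "client_key_exchange"}


def parse_records(data: bytes) -> list:
    """Split raw bytes into TLS records and decode the fields that matter when
    diagnosing a failed handshake: record version, alert level/description,
    handshake message type and, for a ClientHello, the client's offered version."""
    records = []
    offset = 0
    while offset + 5 <= len(data):
        # Every record starts with a 5-byte header: type, version, body length.
        ctype, version, length = struct.unpack("!BHH", data[offset:offset + 5])
        body = data[offset + 5:offset + 5 + length]
        if len(body) < length:
            raise ValueError(f"truncated record at offset {offset}")
        rec = {"type": CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
               "version": VERSIONS.get(version, f"0x{version:04x}"),
               "length": length}
        if ctype == 21 and length == 2:
            level, desc = body[0], body[1]
            rec["alert"] = (ALERT_LEVELS.get(level, str(level)),
                            ALERT_DESCRIPTIONS.get(desc, str(desc)))
        elif ctype == 22 and length >= 4:
            rec["handshake_type"] = HANDSHAKE_TYPES.get(body[0], f"unknown({body[0]})")
            if body[0] == 1 and length >= 6:
                # ClientHello body begins with the highest version the client supports.
                client_version = struct.unpack("!H", body[4:6])[0]
                rec["client_version"] = VERSIONS.get(client_version,
                                                     f"0x{client_version:04x}")
        records.append(rec)
        offset += 5 + length
    if offset != len(data):
        raise ValueError("trailing bytes that do not form a record header")
    return records


def build_client_hello(client_version: int) -> bytes:
    """Construct a minimal ClientHello record as sample input (zero random,
    empty session id, one cipher suite, null compression)."""
    hello = (struct.pack("!H", client_version) + bytes(32) + b"\x00"
             + b"\x00\x02\x00\x2f" + b"\x01\x00")
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, client_version, len(handshake)) + handshake


# Constructed sample: a client offering TLS 1.0, answered by an SSLv3-version
# fatal alert with description 20 (bad_record_mac), the alert named in the thread.
SAMPLE_CAPTURE = build_client_hello(0x0301) + bytes.fromhex("15030000020214")


def explain(data: bytes) -> list:
    """One human-readable line per record, for a quick triage script."""
    lines = []
    for rec in parse_records(data):
        if "alert" in rec:
            detail = "alert %s/%s" % rec["alert"]
        elif "client_version" in rec:
            detail = f"client_hello offering {rec['client_version']}"
        else:
            detail = rec.get("handshake_type", "")
        lines.append(f"{rec['type']:16} record version {rec['version']:8} {detail}")
    return lines


if __name__ == "__main__":
    for line in explain(SAMPLE_CAPTURE):
        print(line)
```

    On a real capture, feed the TCP payload bytes of the port 443 stream, in order, to parse_records; the first handshake record shows the version the browser offered, and an alert record immediately after the client key exchange (as in the debug output) shows which side gave up and why.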


  • 8.  RE: HTTPS/SSL management Access to NS25 not working

    Posted 08-12-2009 08:23

    RK,

    Glad to see you got it working.  I forgot all about the TLS 1.0 option.  I remember running into that, but it had been a long time since I ran into that.