ScreenOS Firewalls (NOT SRX)

Contributor
Arzo
Posts: 171
Registered: 11-12-2007

ISG2000 failure after 5.0 to 5.4

I upgraded my firewall from 5.0 to 5.4 and loaded the configuration file. Comparing the old one with the new one, I noticed some minor changes but nothing major. The problem is that the firewall is not passing traffic from trust to any other zone. I can't configure it from zero; I have about 400 policies and a lot of VLAN interfaces on it. Can anyone please help me resolve this issue?
Tariq Morad
Contributor
Arzo
Posts: 171
Registered: ‎11-12-2007
0

Re: ISG2000 failure after 5.0 to 5.4

Just to clarify this issue: I noticed a major problem, that I was unable to ping my default route, which resides on the untrust side. I was unable to test from the other side to the firewall since the responsible guy was not available.

set route 0.0.0.0/0 interface ethernet2/1.2 gateway 211.X.X.77

I was unable to ping 211.X.X.77.

The interface is up.

Tariq Morad
Super Contributor
Moerkholt
Posts: 169
Registered: 11-05-2007

Re: ISG2000 failure after 5.0 to 5.4

Hi

Just a few questions.

1. Have you upgraded your bootloader before upgrading the ScreenOS version?

2. Which version of 5.4 have you upgraded to?

Regards

Hans
JNCIS-FWV

If this worked for you then please flag my post as an "Accepted Solution" so others can benefit from it. A kudo would be nice if you think I earned it.
Arzo (Contributor)

Re: ISG2000 failure after 5.0 to 5.4

Thank you so much for replying. Actually, I didn't upgrade the bootloader! I didn't know that I needed to do that. Here is the version I upgraded to:

nsISG2000.5.4.0-IDP1.r8a.0.zip

Can you please guide me through this issue? I will also check it myself.

And another question: if the bootloader is not upgraded, what is the effect on the firewall, taking into consideration that I can boot and log in to it successfully?

Tariq Morad
Moerkholt (Super Contributor)

Re: ISG2000 failure after 5.0 to 5.4

Hi Arzo

The first thing to do is issue the following command from the CLI: "get envar". Here you should be able to see your bootloader version. It should be 1.1.5; otherwise you have to upgrade the bootloader.

You can find the release notes at the link below:

http://www.juniper.net/techpubs/software/screenos/screenos5.4.0/index.html

I have attached the release notes from 5.4.0r9; they describe the upgrade sequence of the bootloader.

Regards

Hans
JNCIS-FWV
Moerkholt (Super Contributor)

Re: ISG2000 failure after 5.0 to 5.4

Hi Arzo

For some reason I am not able to attach the release notes.

Hope you can find them through the link I sent you.

Regards

Hans
JNCIS-FWV
Moerkholt (Super Contributor)

Re: ISG2000 failure after 5.0 to 5.4

Hi Arzo

To answer your question:

"And another question: if the bootloader is not upgraded, what is the effect on the firewall, taking into consideration that I can boot and log in to it successfully?"

You can normally boot even though the bootloader is the wrong version, but it can make the firewall unstable.

Regards

Hans
JNCIS-FWV
Arzo (Contributor)

Re: ISG2000 failure after 5.0 to 5.4

Thanks a lot for your kind help. Well, I have 2 firewalls there. I checked the active one, which is still on 5.0; it had the 1.1.5 bootloader, which is the recommended one. Now we are checking the backup one with 5.4 and the problem; most likely it's the same, hopefully not.
Active Firewall

get envar
default_image=nsISG2000.5.0.0-IDP1.r10a.4
run_image=default (nsISG2000.5.0.0-IDP1.r10a.4)
loader_version=1.1.5
last_reset=2007-10-05 10:19:48 by root
sme= 

Tariq Morad
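The check Hans describes (read "get envar", confirm loader_version is at least 1.1.5, note which image is running) is easy to get wrong when done by eye or with a plain string comparison, since "1.1.10" sorts before "1.1.9" as text. The script below is an added example, not code from the thread or from Juniper: it parses the output Arzo posted (reproduced here as a constructed sample) and compares the bootloader version numerically. The 1.1.5 minimum is the one Hans states for an ISG2000 running ScreenOS 5.4; the assumption that image file names follow the nsISG2000.<major>.<minor>.<patch>- pattern is taken from the two names seen in this thread and is not a documented format.

```python
import re

# Minimum ISG2000 bootloader version Hans cites for ScreenOS 5.4.
MIN_LOADER = (1, 1, 5)

# Constructed sample: the `get envar` output Arzo posted for the active firewall.
SAMPLE_ENVAR = """\
default_image=nsISG2000.5.0.0-IDP1.r10a.4
run_image=default (nsISG2000.5.0.0-IDP1.r10a.4)
loader_version=1.1.5
last_reset=2007-10-05 10:19:48 by root
sme=
"""


def parse_envar(text):
    """Turn `get envar` output into a dict. Values may be empty (e.g. 'sme=')."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip()
    return env


def parse_version(s):
    """'1.1.5' -> (1, 1, 5).

    Compared as integer tuples so 1.1.10 > 1.1.9; a plain string
    comparison gets that wrong ('1.1.10' < '1.1.9').
    """
    parts = re.findall(r"\d+", s)
    if not parts:
        raise ValueError(f"no version number in {s!r}")
    return tuple(int(p) for p in parts)


def image_name(run_image):
    """'default (nsISG2000.5.0.0-IDP1.r10a.4)' -> 'nsISG2000.5.0.0-IDP1.r10a.4'."""
    m = re.search(r"\(([^)]+)\)", run_image)
    return m.group(1) if m else run_image.strip()


def screenos_release(image):
    """'nsISG2000.5.0.0-IDP1.r10a.4' -> '5.0.0'.

    Assumption (from the two file names in this thread, not a documented
    format): images are named nsISG2000.<major>.<minor>.<patch>-...
    """
    m = re.search(r"nsISG2000\.(\d+\.\d+\.\d+)", image)
    return m.group(1) if m else None


def check_bootloader(envar_text, minimum=MIN_LOADER):
    """Report the loader version, the running image, and whether the
    loader meets the required minimum. Raises if loader_version is absent
    rather than silently passing."""
    env = parse_envar(envar_text)
    if "loader_version" not in env:
        raise KeyError("loader_version missing from get envar output")
    loader = parse_version(env["loader_version"])
    image = image_name(env.get("run_image", ""))
    return {
        "loader_version": env["loader_version"],
        "loader_ok": loader >= minimum,
        "run_image": image,
        "screenos": screenos_release(image),
    }


if __name__ == "__main__":
    print(check_bootloader(SAMPLE_ENVAR))
```

Paste the real "get envar" output into SAMPLE_ENVAR (or read it from a file) and run the script on each unit before and after the upgrade; a loader_ok of False on the 5.4 box is the case Hans's first question was aimed at.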
Arzo (Contributor)

Re: ISG2000 failure after 5.0 to 5.4

Thanks a lot for your help. I found out that the other one is also 1.1.5. I have 1.1.6; do you agree with me to upgrade it just in case?
Tariq Morad
Moerkholt (Super Contributor)

Re: ISG2000 failure after 5.0 to 5.4

Hi

I haven't heard of any problems upgrading to bootloader 1.1.6 in this case, but I doubt that it will solve your problems.

If you choose to upgrade the bootloader, then why not take the step to ScreenOS 6.1.0? It should give a considerable performance boost and a lot of new features.

Of course there can be issues that make you choose to stay on ScreenOS 5.4.

As it seems that you have the right bootloader installed, I would maybe choose to investigate the issue more thoroughly and try to do some debugging.

Make a flow filter with the source in the trust zone and the destination in another zone, and then do a "debug flow basic" to see what happens when you try to initiate traffic across the zones. This might give you a hint as to what the problem is.

If you can't find the cause of the problem, I think the best path would be to open a case with JTAC. A good thing to have when you start a JTAC case is the output from the following commands:

get tech
get log sys
get log sys saved
get session info
get perf cpu all detail
get perf session detail
get mem
get mem chunk
get os task
get net-pak s
get socket
get pport
get gate
get sess frag
get gbic
get tcp
get int
get event (last few pages)

It's a lot of output, but my experience is that it makes the time to solve the cases shorter.

Regards

Hans
JNCIS-FWV
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.