ScreenOS Firewalls (NOT SRX)
Contributor
StuartHare
Posts: 11
Registered: ‎07-09-2009

SSH Hash MAC failure with ISG 2000 passive device

Hi

I have a pair of ISG 2000 firewalls in active/passive mode, and have an issue with SSH on the passive device.

All SSH works perfectly to the active device, and I can connect and authenticate successfully to the passive device.

But... as soon as I connect, responsiveness is extremely slow, and when I run a get conf, for example, I get partial output and it closes the SSH session with a Message Authentication Code Data Integrity failure error message.

'Message Authentication Code did not verify (packet #51). Data Integrity has been comprimised.'

I have tried this from different client machines using both PuTTY and SecureCRT and have the same result, so I'm pretty convinced this is a problem with the device.

SSH is configured correctly on both devices, and I have tried to remove/recreate the host keys and this has not resolved the issue.

FW(M)-> get ssh
SSH V2 is active
SSH is enabled
SSH is ready for connections
Maximum sessions: 24

Any ideas???

Cheers

S

Super Contributor
Cesar
Posts: 141
Registered: ‎11-18-2008

Re: SSH Hash MAC failure with ISG 2000 passive device

Can you issue

debug ssh all

cl db

<Start SSH session>

get db str

Contributor
StuartHare
Posts: 11
Registered: ‎07-09-2009

Re: SSH Hash MAC failure with ISG 2000 passive device

Thanks Cesar

I had already run the debug and from the output didn't find anything out of the ordinary.

Turns out this is not just an SSH issue though; during testing we failed over to the passive device to prove redundancy is working as expected, and as soon as it becomes the active device we are seeing more than 50% packet loss.

Looks like faulty hardware, will update when clarified.

Stu
