Screen OS

This is a legacy community with limited Juniper monitoring.
  • 1.  Still SSG550 Infranet Auth issues

    Posted 05-20-2015 23:42

    Hi all,

     

    Our company has an SSG550 firewall and a Junos Pulse Access Control at a remote site, and we want to connect the IC for unified access control.

     

    Configuration at my site is like:

     

    set infranet controller name "UAC-1"
    set infranet controller name "UAC-1" host-name 10.10.2.3 port 11122
    set infranet controller name "UAC-1" src-interface ethernet0/0
    set infranet controller name "UAC-1" password "3uTMg+iUNQEGzcsiQwC6NtwsKgnlHWI55w=="
    set infranet controller name "UAC-1" ca-hash "90EE54F60750B4A5AB3111044AED754024E6E4DF"
    set infranet controller name "UAC-1" cert-subject "CN=A,OU=B ,O=C,L=D,ST=E,C=F"

     

     

    When we configure both sides, the SSG550 keeps logging the following messages.

     

    2015-05-21 14:39:05 notif Infranet Enforcer could not connect to Infranet Controller UAC-1 (ip 10.10.2.3).
    2015-05-21 14:39:05 notif Infranet Enforcer could not connect to the Infranet Controller because the Controller could not be reached on the network.
    2015-05-21 14:39:05 notif PKI: Cannot build certificate chain for cert with subject name CN=A,OU=B ,O=C,L=D,ST=E,C=F,.

     

    What could be the problem? Thanks.



  • 2.  RE: Still SSG550 Infranet Auth issues

    Posted 05-21-2015 00:58

    It looks like a connectivity issue. Please refer to the KB below:

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB11119



  • 3.  RE: Still SSG550 Infranet Auth issues

    Posted 05-21-2015 22:59

    Hi,

     

    I don't think it would be a connectivity issue; ping from each side to the other is OK.

    I can also capture the TCP packets from the firewall to the IC.



  • 4.  RE: Still SSG550 Infranet Auth issues

    Posted 05-22-2015 03:38

    Check the kb link that Malik posted.

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB11119

     

    Your event message is Scenario 1 with a listed solution.

     

    Scenario 1: CRL Checking Causing the Failure



  • 5.  RE: Still SSG550 Infranet Auth issues

    Posted 05-26-2015 23:18

    Hi,

     

    We made the change as Scenario 1 shows. The log changed, but it is still not working. The new log is below:

     

    2015-05-27 13:50:33 system notif 00535 PKI: No revocation check, per config, for cert with subject name CN=A,OU=B,O=C,L=D,ST=E,C=F,.
    2015-05-27 13:50:33 system notif 00015 Infranet Enforcer did not receive a keepalive from the Infranet Controller(10.1.12.3) in the past 66 seconds. Cleaning up internal state.

     

    It seems there must be other mistakes.

     

    Br

     

    Frank



  • 6.  RE: Still SSG550 Infranet Auth issues
    Best Answer

    Posted 05-27-2015 03:05

    Yes, this is a new issue.  Try this kb setting.

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB8351

     

    SOLUTION:

    These messages indicate that SSH Password Authentication is not enabled in the Infranet Enforcer (IE). To enable it, go to Configuration > Admin > Administrators > SSH Password Auth in the Infranet Enforcer and enable SSH Password Authentication. The communication between Infranet Controller and Infranet Enforcer should come up.



  • 7.  RE: Still SSG550 Infranet Auth issues

    Posted 06-11-2015 02:45

    Thanks, it works
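
A triage sketch for the log messages in this thread, added here as an example and not part of any post or of Juniper's tooling: it groups ScreenOS event lines by timestamp and reports the most specific cause, so the generic "could not be reached" message does not mask a PKI error logged in the same second. The rule table, the tags and the level abbreviations other than `notif` are assumptions; the KB mappings are the ones given in replies 4 and 6.

```python
import re

# Timestamp, optional module column, level, optional 5-digit message id, message.
# \s* tolerates columns that were run together when the log was pasted.
# Level names other than "notif" are assumed abbreviations, not taken from the thread.
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s*(?:system\s+)?"
    r"(?:emer|alert|crit|error|warn|notif|info|debug)\s*(?:\d{5}\s+)?(?P<msg>.+)$")

# (priority, pattern, tag, advice); lower priority = more specific root cause.
RULES = [
    (1, re.compile(r"PKI: Cannot build certificate chain"), "cert-chain",
     "KB11119 Scenario 1: CRL checking causing the failure"),
    (2, re.compile(r"did not receive a keepalive from the Infranet Controller"),
     "keepalive-lost", "KB8351: enable SSH Password Auth on the Infranet Enforcer"),
    (3, re.compile(r"could not (?:connect to|be reached)"), "connect-failed",
     "generic symptom: look for a PKI event at the same timestamp first"),
    (9, re.compile(r"PKI: No revocation check, per config"), "crl-check-off",
     "informational: revocation checking is disabled by configuration"),
]

def classify(msg):
    """Return (priority, tag, advice) for the first matching rule, else None."""
    for prio, pattern, tag, advice in RULES:
        if pattern.search(msg):
            return prio, tag, advice
    return None

def triage(lines):
    """One (timestamp, tag, advice) per timestamp, keeping the most specific cause."""
    best = {}
    for line in lines:
        m = LINE.match(line.strip())
        hit = classify(m["msg"]) if m else None
        if hit and (m["ts"] not in best or hit < best[m["ts"]]):
            best[m["ts"]] = hit
    return [(ts, tag, advice) for ts, (_, tag, advice) in sorted(best.items())]

# Sample input: log lines from the thread; the first has its columns run together.
SAMPLE = [
    "2015-05-21 14:39:05notifInfranet Enforcer could not connect to Infranet Controller UAC-1 (ip 10.10.2.3).",
    "2015-05-21 14:39:05 notif PKI: Cannot build certificate chain for cert with subject name CN=A,OU=B ,O=C,L=D,ST=E,C=F,.",
    "2015-05-27 13:50:33 system notif 00535 PKI: No revocation check, per config, for cert with subject name CN=A,OU=B,O=C,L=D,ST=E,C=F,.",
    "2015-05-27 13:50:33 system notif 00015 Infranet Enforcer did not receive a keepalive from the Infranet Controller(10.1.12.3) in the past 66 seconds. Cleaning up internal state.",
]

if __name__ == "__main__":
    for ts, tag, advice in triage(SAMPLE):
        print(ts, tag, "->", advice)
```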