Screen OS


This is a legacy community with limited Juniper monitoring.
  • 1.  The device was unable to reach the entitlement server to retrieve license keys

    Posted 03-10-2011 09:26

     

    Hi,
    I'm running an NS5GT. The device is able to ping nextwave.netscreen.com, it is time-synced and entitled. How can I fix this?
    fw-> debug httpfx all
    fw-> clear db
    fw-> exec license-key update
    The device was unable to reach the entitlement server to retrieve license keys
    
    Failed command - exec license-key update
    fw-> get db stream
    ## 2011-03-10 09:03:07 : http-fx: wakes up...request(ctx=0x0262c4f4)
    ## 2011-03-10 09:03:07 : http-fx: GET request processing starts...ctx=<0x0262c4f4>, url=<https://nextwave.netscreen.com/key_retrieval?serial=0129032005000214&version=6.2.0r8.0>
    ## 2011-03-10 09:03:07 : parse_http_url: host=<nextwave.netscreen.com>
    ## 2011-03-10 09:03:07 : parse_http_url: urlPath=</key_retrieval?serial=0129032005000214&version=6.2.0r8.0>
    ## 2011-03-10 09:03:07 : parse_http_url: input url=<https://nextwave.netscreen.com/key_retrieval?serial=0129032005000214&version=6.2.0r8.0>
    ## 2011-03-10 09:03:07 : http-fx/proc-get: parsed url results...host=<nextwave.netscreen.com>, port=<443>, path=</key_retrieval?serial=0129032005000214&version=6.2.0r8.0>.
    ## 2011-03-10 09:03:07 : http-fx: will connect to host <nextwave.netscreen.com> at <207.17.137.226>
    ## 2011-03-10 09:03:07 : http-fx: SSL connect param setup ... 
    Done. CA-Cert=<>, Subj-name=<>.
    ## 2011-03-10 09:03:07 : http-fx: conn setup/SSL bind ... Complete.
    ## 2011-03-10 09:03:07 : http-fx: conn setup/connecting ...
    ## 2011-03-10 09:03:10 : http-fx: conn setup/FAIL <207.17.137.226:443>.
    ## 2011-03-10 09:03:10 : http-fx: closed connection to 207.17.137.226 ...

     



  • 2.  RE: The device was unable to reach the entitlement server to retrieve license keys

    Posted 03-14-2011 07:57

    Hi,

     

    You can start troubleshooting as follows:

     

    1) From the device CLI, check whether you can ping the entitlement server:

     ping nextwave.netscreen.com

     

    If that fails you may have a DNS problem.

    If the ping is successful, you have IP connectivity to the server.

     

    2) Run the following debug to find out why the retrieval fails:

     

    debug httpfx all

    clear db

    exec license-key update (to trigger the key update)

    ... wait a few seconds to let it fail...

     get db stream

     

    Also check this:

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB13368

     

     

    Gavrilo



  • 3.  RE: The device was unable to reach the entitlement server to retrieve license keys
    Best Answer

    Posted 03-23-2011 23:04

    For the record, I ended up fixing the issue. The problem was due to an excess of zeal on my part, where I may have been doing too much cleanup in the first place and removed a useful CA cert.

    To help diagnose the issue, I used the CLI commands below:

     

    debug pki detail
    clear db
    exec license-key update
    get db stream

    Those commands showed which certificate was missing from the chain of trust. All I had to do was import the offending CA cert, from http://crl.verisign.com/SVRSecureG3.cer in my case.
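
Added example, not part of the original posts and not Juniper code: a small Python parser for the `get db stream` http-fx output pasted in the first post, which reports how far the HTTPS request got and which of the thread's troubleshooting steps applies next. The function name `triage`, the stage labels and the mapping from stage to next step are assumptions made for this illustration.

```python
import re

# Lines copied from the http-fx debug output in the first post of this thread.
SAMPLE = """\
## 2011-03-10 09:03:07 : http-fx/proc-get: parsed url results...host=<nextwave.netscreen.com>, port=<443>, path=</key_retrieval?serial=0129032005000214&version=6.2.0r8.0>.
## 2011-03-10 09:03:07 : http-fx: will connect to host <nextwave.netscreen.com> at <207.17.137.226>
## 2011-03-10 09:03:07 : http-fx: SSL connect param setup ...
Done. CA-Cert=<>, Subj-name=<>.
## 2011-03-10 09:03:07 : http-fx: conn setup/SSL bind ... Complete.
## 2011-03-10 09:03:07 : http-fx: conn setup/connecting ...
## 2011-03-10 09:03:10 : http-fx: conn setup/FAIL <207.17.137.226:443>.
"""

LINE = re.compile(r"^## (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) : (.*)$")

def triage(stream):
    """Summarise one http-fx request: target, stages reached, suggested next step."""
    r = {"host": None, "ip": None, "port": None, "ca_cert": None,
         "failed_at": None, "stages": []}
    for raw in stream.splitlines():
        m = LINE.match(raw)
        # Continuation lines such as "Done. CA-Cert=<>..." carry no timestamp.
        msg = m.group(2) if m else raw.strip()
        if (p := re.search(r"host=<([^>]*)>, port=<(\d+)>", msg)):
            r["host"], r["port"] = p.group(1), int(p.group(2))
        elif (p := re.search(r"will connect to host <[^>]*> at <([^>]*)>", msg)):
            r["ip"] = p.group(1)
            r["stages"].append("resolved")
        elif (p := re.search(r"CA-Cert=<([^>]*)>", msg)):
            r["ca_cert"] = p.group(1)
        elif "SSL bind ... Complete" in msg:
            r["stages"].append("ssl_bind")
        elif "conn setup/connecting" in msg:
            r["stages"].append("connecting")
        elif (p := re.search(r"conn setup/FAIL <([^>]*)>", msg)):
            r["failed_at"] = p.group(1)
    # Assumption: no "will connect" line means the name never resolved (step 1 of reply 2).
    if "resolved" not in r["stages"]:
        r["next"] = "check DNS: ping the entitlement server by name"
    elif r["failed_at"]:
        # Name resolved but the HTTPS connection failed: use the PKI debug from reply 3.
        r["next"] = "rerun with 'debug pki detail' to inspect the certificate chain"
    else:
        r["next"] = "no connection failure logged"
    return r
```

Running `triage(SAMPLE)` on the posted output shows the name resolved and the failure happened during connection setup to port 443, which is the case the accepted answer traced to a missing CA certificate.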