Screen OS

Firewall is in a pair. The Master failed over. I then was unable to access the backup at all. Not even console in. I rebooted and the boot stoppes at Uncompressing Kernel. Are there any troubleshooting steps I can take. Or should the firewall be set to the facorey defaults and if so should this resolve the issue? Thanks.

Hi

 

Could you show us the message? You can also try the reset config button on the front panel.

 

But if the firewall could not boot at all, there could be an issue with the hardware or something else.

I recommend applying the latest boot loader.

 

Can you make sure the boot loader is at version 1.0.5?

 

 Trying to boot from Primary Compact Flash ...                                   boot1...
w lba                                                                           
boot2........                                                                   
                                                                                
ScreenOS Saipanloader V1.0.5        

 

 

If not, https://softserv.juniper.net/download/6.1---01222008/SSG-500/

 

Regards,

My guess would be that either the internal flash is corrupted or the memory is broken.

You could try reapplying the firmware from the bootloader.

 

Juniper KB5519

 

I'm not sure if there is a flash format option or memory check option in the bootloader menu.

The old series had a jumper (JP4) which you could use to enable Functional Test Mode. But I think it is missing in the newer (SSG) series.

kruger,

 

i faced i simillar issue with ssg520 and i reloaded the firmware with the boot loader and it works fine with me.

Thank you. So when I upgrade the bootloader. Will that affect the current config?

no.  config is saved on the internal flash (.i.e., "hard drive") as a separate file.

Thanks for all the responses. Here is the message received. Also, when hitting the reset conf. button on the front will that reset to the factory defaults and Ill loose all my configurations?

 

 

boot_drive = 80
start1 = 2160, start2 = 10800

Hit 'X' and 'A' to upgrade bootloadermounting FAT16 partition
file size = 112
size = 112, sizeof(nvram_rec) = 112

Hit any key to load new firmware
Hit any key to load new firmware
Hit any key to load new firmware
Hit any key to load new firmware/$nsboot$.bin
file size = 9502720

hdr->magic_number = 81ba16ee, hdr->platform_type = 1700, hdr->cpu_type = 11

Ignore image authentication!
loading elf format....
<0x4000000:0x48f5:0x0>
move image from 1001020 -> 4000000, size = 18677
<0x4005000:0x908000:0x50d8>
move image from 1006020 -> 4005000, size = 9490648
real_entry_addr = 4000000, entry_addr = 4000000
Uncompressing Kernel...

Hi there

The "reset config" button should not erase the config.

There is a hardware doc you can ref to (Pg 11):

 http://www.juniper.net/techpubs/hardware/netscreen-systems/netscreen-systems60/HW_SSG500M_600.pdf

 

It looks like there is some issue for the kernel to boot. In a normal sequence of boot events, you should see the next msg to be the kernel booting up. Here is a sample:

 ScreenOS Saipanloader V1.0.2                                                   
Built Apr  4 2006/13:47:05                                                     
watchdog_probe, 1046 bus/dev/fn = 0/248 ich = 2640                             
boot_drive = 80                                                                
start1 = 2160, start2 = 10800                                                  
                                                                               
Hit 'X' and 'A' to upgrade bootloadermounting FAT16 partition                  
file size = 112                                                                
size = 112, sizeof(nvram_rec) = 112                                            
                                                                               
Hit any key to load new firmware                                               
Hit any key to load new firmware                                               
Hit any key to load new firmware                                               
Hit any key to load new firmware/$nsboot$.bin                                  
file size = 10993664                                                           
                                                                               
hdr->magic_number = 81ba16ee, hdr->platform_type = 1700, hdr->cpu_type = 11    
                                                                               
Ignore image authentication!                                                   
loading elf format....                                                        
<0x4000000:0x48f5:0x0>
move image from 1001020 -> 4000000, size = 18677
<0x4005000:0xa72000:0x50d8>
move image from 1006020 -> 4005000, size = 10973400
real_entry_addr = 4000000, entry_addr = 4000000
Uncompressing Kernel...               <<<<<-------------------------------------------------------------------See next step to be kernel booting!
Now booting the kernel
the system has been up for 0 second(s)
the system has been up for 0 second(s)
CPU:GenuineIntel
Version Information:
Extended Family ID = 0
Extended Model ID  = 0
Family ID          = f
Model              = 4
Stepping ID        = 9
Processor Type     = 0
Brand String       = 0
Additional Information:
Brand Index        = 0
CLFLUSH Line Size  = 64
Initial APIC ID    = 0
Feature Information:
FPU VME DE PSE TSC MSR PAE MCE CX8 APIC SEP MTRR PGE MCA CMOV
PAT PSE-36 CLFSH DS ACPI MMX FXSR SSE SSE2 SS
HTT TM PBE
Extended Feature Information:
SSE3 MONITOR/MWAIT DS-CPL CNXT-ID
TLB/Cache Information:
1st-level data cache: 16 KByte, 8-way set associative, 64 byte line size
Data TLB: 4 KByte and 4 MByte pages, 64 entries
Instruction TLB: 4 KByte and 2-MByte or 4-MByte pages, 128 entries
Instruction TLB: 4 KByte Pages, 4-way set associative, 32 entries
2nd-level cache: 1 MByte, 8-way set associative, 64 byte line size, 2 lines per sector
Trace cache: 12 K-ooooop, 8-way set associative
No 2nd-level cache or, if processor contains a valid 2nd-level cache, no 3rd-level cache

3: eax = 0, ebx = 0, ecx = 0, edx = 0
4: eax = 121, ebx = 1c0003f, ecx = 1f, edx = 0
eax = 40, ebx = 40, ecx = 0, edx = 0
count = 80000008
Brand String:              Intel(R) Pentium(R) 4 CPU 3.40GHz
L1 I Cache: 0K (0 bytes/line), D cache 0K (0 bytes/line)
L2 Cache: 1024K (64 bytes/line)
total DRAM size is 1048576 KB
init 0(+100000)
heap 100000(+2bf00000)
iocard 2c000000(+1400000)
packet 2d400000(+800000)
CTRL 2dc00000(+400000)
TASK 2e000000(+12000000)
heap_start = 21a3010, heap_size = 29e5cff0

RCBA = fed1c001
FD = e8ef1
MAP = 1
MAP = 1

 bootmap_size = 8000
zone_table[ZONE_TASK].free_pages = 71670, zone_table[ZONE_TASK].num_pages = 73728
_fbss = 1ae5000, _end = 21a3000
data_start = 1058000, data_end = 1ae4000

 

Juniper Networks, Inc
SSG520/SSG550 System Software
Copyright, 1997-2008

Version 6.2.0r1.0
set_ecb_dcr: not implemented
scan pci 0 devices....
Device found on PCI bus 0:dev_num is 0,vendor id is 0x25888086
Device found on PCI bus 0:dev_num is 1,vendor id is 0x25898086
Device found on PCI bus 0:dev_num is 28,vendor id is 0x26608086
Device found on PCI bus 0:dev_num is 29,vendor id is 0x26588086
Device found on PCI bus 0:dev_num is 30,vendor id is 0x244e8086
Device found on PCI bus 0:dev_num is 31,vendor id is 0x26408086
scan pci 1 devices....
Device found on PCI bus 1:dev_num is 0,vendor id is 0x03298086
scan pci 2 devices....
Device found on PCI bus 2:dev_num is 2,vendor id is 0x90001148
Device found on PCI bus 2:dev_num is 3,vendor id is 0x90001148
cav_bar_init: called. Dump BARs PCI conf regs --
cav_bar_init: called. orig reg setting: PCI 10 = 0000c801, 18 = 0000c401
Load Manufacture Information ... init manufacture info Done
cfcard ready.
Install module init vectors
Get card id: slot 3, bus 4, dev 0, cid 0733
IO_CARD_BUF_START: 0x2c000000
ssg Searching GbE devices...
On-board GbE device found, VID = 0x1148, DID = 0x9000 Bus 2, Slot 2
On-board GbE device found, VID = 0x1148, DID = 0x9000 Bus 2, Slot 3
GbE adapter found at bus 4, dev 0 slot 3
        VID = 0x11ab, DID = 0x4342
GbE adapter found at bus 6, dev 14 slot 3
        VID = 0x11ab, DID = 0x4341
Total on-board GbE devices found 2
Total adapter GbE devices found 2
Install modules (01058000,01ae4000) ...
PPP IP-POOL initiated, 256 pools

Initializing DI 1.1.0-ns

System config (1037 bytes) loaded

Done.
Load System Configuration ...................................................................................Disabled licensekey auto update
............Done
system init done..
Load NVRAM Information ... (6.2.0)Done
login:

 

 

I think you should try to see if you can reload the bootloader and the screen OS. If that still fails, it may be better to have a JTAC case open for someone to look into this.

ok Thanks.

 

Here is the bootloader version.

 

Trying to boot from Primary Compact Flash ...
boot1...
w lba
boot2......

ScreenOS Saipanloader V1.0.2
Built Apr  4 2006/13:47:05
watchdog_probe, 1046 bus/dev/fn = 0/248 ich = 2640
boot_drive = 80
start1 = 2160, start2 = 10800

 

Also, is there any documentation on the steps for reloading the bootloader?

 

Thanks.

 

you'll need a tftp server connected to same IP subnet as eth0/0 or eth0/1. (This tftp server works well: http://support.3com.com/software/utilities_for_windows_32_bit.htm)

 

During bootup, break into the bootloader prompt when you see:

 

          Hit 'X' and 'A' to upgrade bootloader

 

Then:

 

                                                                               
Hit 'X' and 'A' to upgrade bootloader                                          
Loader File Name:loadssg500v105.d                                              
Self IP Address :10.1.1.1                                                      
TFTP IP Address :10.1.1.2                                                      
                                                                               
Saipan motherboard proto 3 or later detected                                   
Probing...[Ethernet0/0 and Ethernet0/1]                                        
                                                                               
Initiating hardware and waiting for link up ...                                
[Ethernet0/2 and Ethernet0/3]                                                  
                                                                               
Initiating hardware and waiting for link up ...       

 

The file will be downloaded to the firewall, installed, then will reset.      

Thank you. Where would I find the file used to upload the bootloader? The firewall is in a pair. When I update the bootloader on the one how will this affect the other firewall that is in the pair. Do the versions have to be the same or does it not matter?

 

 

Thanks.

In a NSRP cluster, it doesn't matter that the bootloader between the pair is running different versions.  There is no such check that takes place.

 

do you have access to support site?  http://support.juniper.net

 

- click on ScreenOS under "Download Software"

- Look under ScreenOS software download for 6.1.  One of the downloads is the bootloader.

 

Regards,

 

What about using the usb on the firewall. Can I load it that way?

 

For updating ScreenOS firmware, yes.

 

But for upgrading the Bootloader, tftp is the only way.

Thanks. I am thinking of connecting directly to the firewall with a crossover cable. Should the IP of the connected server be the same as the trusted interface or the untrust?

 

Thanks

Hi.

 

It can be crossover or straight-thru.  The ethernet on the SSG has auto-sense for this.

 

In any case, the PC running the tftp server will need to be on same subnet as eth0/0 or eth0/1.   You'll have no problems as long as the IP of the PC and the "self IP" you assign to the firewall is in the same subnet...   i.e., 10.1.1.1 for your PC and 10.1.1.2 on the firewall.

 

Regards,

ok. I tried two different tftp server applications. I connected my laptop to firewall ethe0 and used IPs on the same subnet. With both tftp server apps I receive ALERT: got a fragmented packet - reconfigure your server. This was displayed on the firewall.

 

Any ideas what could cause this error?

 

Thanks

 

Hi.  Can you tell us which tftp server you've tried?

 

Our firewall cannot deal with fragmented IP packets when tftp files.

 

What are the packet size sent/received between the SSG and your PC?   (you may need to sniff your PC with wireshark).

 

 In my tests, I typically see 512 byte packets.

 

Regards,

 

Thanks for the reply. I actually used a third tftp server app. and it worked. The bootloader is at version 1.0.5 now. But on reboot it gets past the uncompressing kernel and stops right after that.

 

:16] Tony: Hit 'X' and 'A' to upgrade bootloadermounting FAT16 partition
 file size = 112
 size = 112, sizeof(nvram_rec) = 112
 
 Hit any key to load new firmware
 Hit any key to load new firmware
 Hit any key to load new firmware
 Hit any key to load new firmware/$nsboot$.bin                                   file size = 9502720
 
 hdr->magic_number = 81ba16ee, hdr->platform_type = 1700, hdr->cpu_type = 11
 
 Ignore image authentication!
 loading elf format....
 <0x4000000:0x48f5:0x0>
 move image from 1001020 -> 4000000, size = 18677
 <0x4005000:0x908000:0x50d8>
 move image from 1006020 -> 4005000, size = 9490648
 real_entry_addr = 4000000, entry_addr = 4000000
 Uncompressing Kernel...
 inflate returned
 exit

Hi Kruger,

 

I think at this point, the last thing to try is to re-load ScreenOS image....

 

break into "Hit any key to load new firmware", and load ScreenOS image.

 

If this doesn't work, then sounds as if you'll need to RMA the unit.

 

Regards,

 

Hi kruger,

 

I have the same problem with the uploading the bootloader version 1.0.5. Reciveing 'ALERT: got a fragmented packet - reconfigure your server' on the firewall SSG520

 

I have tried solarwinds tftp and Tftpd32, both gave me the same problem. Which tftp server work for you? or what is tftp server can people recommend.

 

Thanks

 

 

Hmm, it does not look like its the same error. Looks like you are sending fragmented packets?

Is there any special configuration for the interface on your PC?

I think you can also try 3CDaemon. But if the issue is more of the PC sending frag packets, then changing the application may not really help.

Found the problem, I was using cisco vpn client, which had changed the mtu size on my network card. All sorted now. Thanks

 

 

Hi Collyf

 

TKS!!!

 

 

Ok. when I hit any key at the load new firmware, It asked for a filename. What would I use at that point. Also, when reloading the screen OS will this over write the cfg?

 

Thanks

 

Not sure what version of screenOS this box was running.  Recommend you load the same version.

 

you'll need the file such as:

 

     ssg500.6.0.0r7.0

 

you'll need to download and unzip this file.

 

This will not delete your config as long as you do not load a different version of screenos than was running previously

I realoaded the screenOS to the same version that was on there - ssg500.5.4.0r2.0. Still receiveing the same error message.

 

etwork_ready = 1
ssg500.5.4.0r2.0
buf_read = 27375, fp->maxposition = 9497327
offset = 0, maxposition = 9497327
9497327 bytes downloaded from tftp server

hdr->magic_number = 81ba16ee, hdr->platform_type = 1700, hdr->cpu_type = 11

Ignore image authentication!

Save to on-board flash disk? (y/[n]/m) No

Run downloaded system image? ([y]/n) Yes
SkGe_reset
loading elf format....
<0x4000000:0x48f5:0x0>
move image from 1001020 -> 4000000, size = 18677
<0x4005000:0x908000:0x50d8>
move image from 1006020 -> 4005000, size = 9490648
real_entry_addr = 4000000, entry_addr = 4000000
Uncompressing Kernel...
inflate returned
exit

Thanks for trying.  I believe an RMA is in order.

 

bummer

Ok thats what I thought.. I did want to try one last thing but unable to get it to work. I was trying to set to factory defaults but un able to do so with the reset conf. button on front of firewall. Or is the SSG handled differently?

 

So I just need to call to have the RMA setup?

I haven't tried the reset on the SSG500's.  Even if it did work, it would only affect the config, and would not help in the actual bootup process.  And for the reset button to work, you already need to be booted up in ScreenOS...

 

 

Yes, please, and you can reference this thread as reference.

Thanks for all the help. Having the device RMA'd.

 

Thanks