SRX Services Gateway
Highlighted
SRX Services Gateway

Account Works in SSH but not HTTP after Firmware Upgrade

‎05-20-2019 11:29 AM

This morning I upgraded our SRX100 firmware to the latest version available to us (12.1X46-D86).  The upgrade completed successfully, though afterward I could no longer sign into the GUI (the GUI loads, and when I input credentials, I get "Invalid username or password specified").  I can confirm that this username and password are accurate as I can still log in via serial and SSH connections.  I tried rebooting the system, and the behavior remains.  I also tried removing HTTP access then reinstating it, again with no improvement.  Lastly, I tried creating a new username and password via CLI (with super-user status) and that isn't working either.  Since the SRX100 passed into EOL 10 days ago, Juniper is unable to provide support.  Does anybody have recommendations on how to bring the SRX100 web interface back online?  Thanks in advance!

9 REPLIES 9
SRX Services Gateway

Re: Account Works in SSH but not HTTP after Firmware Upgrade

‎05-20-2019 10:12 PM

Hi,

Its same as this , already reported .
 
https://forums.juniper.net/t5/SRX-Services-Gateway/Jweb-Incorrect-user-password-after-Junos-upgrade-...

 

I see the same issue on an SRX running 12.1X46-D86. After upgrade, J-web login fails,while SSH works fine. J-Web shows the following message- Invalid username or password specified - both for root as well as non-root user login attempts.

 

May 18 10:21:19 SRX checklogin[1806]: warning: can't get client address: Bad file descriptor
May 18 10:21:19 SRX checklogin[1806]: WEB_AUTH_FAIL: Unable to authenticate httpd client (username root)
May 18 10:21:35 SRX checklogin[1810]: warning: can't get client address: Bad file descriptor
May 18 10:21:35 SRX checklogin[1810]: WEB_AUTH_FAIL: Unable to authenticate httpd client (username pradeep)
May 18 10:22:08 SRX sshd[1813]: unlink(): failed to delete .perm file: No such file or directory
May 18 10:22:08 SRX sshd[1811]: Accepted keyboard-interactive/pam for pradeep from 10.10.10.1 port 54074 ssh2
May 18 10:22:11 SRX mgd[1816]: UI_AUTH_EVENT: Authenticated user 'pradeep' at permission level 'j-operator'

Seems to be an issue with this particular Junos version. Will update this thread later, if there is any fix.

 

Regards,
Pradeep 2xJNCIE(SEC/ENT)
SRX Services Gateway

Re: Account Works in SSH but not HTTP after Firmware Upgrade

[ Edited ]
‎05-20-2019 11:50 PM

Hi pcamis,

 

I believe this is a bug so if you are able to open a JTAC case it will be great. For testing purposes can you confirm if you have the following line in your configuration. If not, please add it and try again.

 

set system syslog file messages any any

 

Also in the meantime you could downgrade the junos version so you dont run in to this issue. As stated you are not the only one seeing the problem so I guess it will be fixed soon. Please let us know.

 

SRX Services Gateway

Re: Account Works in SSH but not HTTP after Firmware Upgrade

‎05-20-2019 11:56 PM

Hi.

 

We see the same on a couple of SRX210 devices, both SRX210H and SRX210HE.

 

Is there only way to wait for a new firmware or is there some other way to solve this ?

 

 


Best Regards

Tom Roholm
JNCIS-ENT, FWV, SEC, SA, WLAN
SRX Services Gateway

Re: Account Works in SSH but not HTTP after Firmware Upgrade

‎05-21-2019 12:06 AM

TRK,

 

The issue also started when upgraded to 12.1X46-D86? Can you confirm the information I requested in my previous comment?

 

As of now it looks like downgrading to previous junos version is the only option that has been mentioned. It will be great if someone can confirm if the issue gets fixed when downgraded to previous version.

 

SRX Services Gateway

Re: Account Works in SSH but not HTTP after Firmware Upgrade

‎05-21-2019 05:10 AM

Thanks all, and sorry for the slow reply - didn't realize that J-Net didn't automatically subscribe you to threads you initiate.


lpaniagua - I've set my logging per your suggestion and found no other relevant messages than those that Pradeep posted earlier:

May 21 06:44:25  SRX100JS checklogin[3446]: warning: can't get client address: Bad file descriptor
May 21 06:44:25  SRX100JS checklogin[3446]: WEB_AUTH_FAIL: Unable to authenticate httpd client (username juniper)

 

I would love to open a JTAC case, but don't believe that I can since the SRX100 is EOL.  Additionally, because of that fact, will future SRX firmware updates even support the SRX100?

 

I will be back onsite with this device Thursday and will be able to test downgrading the firmware then.  Do we know if this issue was present on version 12.1X46-D82?  We skipped a few versions, so cannot confirm.

SRX Services Gateway
Solution
Accepted by topic author pcamis
‎05-28-2019 03:35 AM

Re: Account Works in SSH but not HTTP after Firmware Upgrade

‎05-21-2019 11:40 PM
Hi , This is confirmed to be an issue with Software, for now no workarounds other than Software fix. I just checked by downgrade to 12.1X46-D82 and can confirm that we do not have this issue (not able to login to J-web) in D82. With 12.1X46-D82, J-web works.
Regards,
Pradeep 2xJNCIE(SEC/ENT)
SRX Services Gateway

Re: Account Works in SSH but not HTTP after Firmware Upgrade

‎05-21-2019 11:58 PM

pcamis,

 

You are right, that junos version is EoL and the SRX model as well, so I dont expect Engineering to work on this, or at least we could not demand it. As confirmed you can move to the previous version where the problem is not showing.

 

Regarding the syslog file commands I shared previously, it wasnt for logging purposes. I saw one case (in a high end SRX) where they were facing the same problem and the workaround was to upgrade to the faulty version again, then configure the messages log file in the way I specified and commit the configuration. After this they were able to access via J-Web. I know it doesnt make sense but thats what a bug is all about. Maybe you can try luck with these steps.

 

I hope this gets resolved.

 

SRX Services Gateway

Re: Account Works in SSH but not HTTP after Firmware Upgrade

‎05-22-2019 07:26 AM

Had the same issue after upgrading to junos-srxsme-12.1X46-D86-domestic.tgz on a SRX210BE. Downgraded to junos-srxsme-12.1X46-D82-domestic.tgz problem fixed. I can now access the web interface.

SRX Services Gateway

Re: Account Works in SSH but not HTTP after Firmware Upgrade

‎05-22-2019 10:53 AM

Hi.

 

Information about the SR releases for low memory devices can be found here:

https://kb.juniper.net/InfoCenter/index?page=content&id=TSB17084

 

I hope we will see an updated D86 or a fixeb WebUI in a later release.


Best Regards

Tom Roholm
JNCIS-ENT, FWV, SEC, SA, WLAN