SRX Services Gateway

SRX enrol with JATP problem

03-29-2019 02:56 AM

Hi,
I think this is the first post on this forum about an SRX enrolled with JATP.


I followed the documentation here: https://www.juniper.net/documentation/en_US/release-independent/jatp/topics/concept/jatp-srx-integra...

The op script seems to work perfectly; in fact, in the SRX settings on JATP I see my SRX enabled, but NOT online.

And here is the problem.

Checking "show services advanced-threat-detection status" shows "disconnect due to HTTP error".

Too generic a message, and I can't find a solution anywhere.

Here is the extract of the op script:

root@vSRX-HQ> op url "https://10.20.20.166:443/cyadmin/cgi-bin/srx_enrollment?operation=enroll&api_key=d315e3ceea71sssssccbc28a9aa&config=.slax" 
Platform is supported by JATP: VSRX.
[WARNING] More than 1 license found with name: Sky ATP. Invalid licenses might cause enrolling/disenrolling failure. Please remove invalid licenses.
Enrolling with Sky ATP license serial number: 91730sss217.
Version JUNOS Software Release [15.1X49-D140.3] is valid for bootstrapping.
Going to enroll single device for VSRX: 2514Csss7C@91730D0ss17 with hostname vSRX-HQ.
Clear CA profile aamw-ca...
Clear CA profile aamw-cloud-ca...
Clear CA profile aamw-secintel-ca...
Start downloading Application Signature DB update...
Configure CA...
Request aamw-secintel-ca CA...
Load aamw-secintel-ca CA...
Retrieve CA profile aamw-ca...
CA certificate ready: aamw-ca...
CA certificate ready: aamw-secintel-ca...
Clear local certificate aamw-srx-cert with CA server...
Clear key pair: aamw-srx-cert...
Generate key pair: aamw-srx-cert...
Enroll local certificate aamw-srx-cert with CA server #1...
Configure advanced-anti-malware services...
Configuration added successfully for advanced-anti-malware services.
Checking configuration on SRX...
SSL profile:                          [OK]
SecIntel CA:                          [OK]
Client cert found:                    [OK]
SSL profile action:                   [OK]
URL for advanced-anti-malware:        [OK]
Profile for advanced-anti-malware:    [OK]
URL for security-intelligence:        [OK]
Profile for security-intelligence:    [OK]
All SRX configurations are correct for enrollment.
Communicate with JATP server...
SRX status changed to Registered successfully...
Checking Application Signature DB download status...
Wait for Application Signature DB signature download status #1...
Start installing Application Signature DB update...
Wait for Application Signature DB signature install status #1...
Wait for Application Signature DB signature install status #2...
Wait for Application Signature DB signature install status #3...
Wait for Application Signature DB signature install status #4...
Wait for Application Signature DB signature install status #5...
Wait for aamw connection status #1...
Wait for aamw connection status #2...
Wait for aamw connection status #3...
Wait for aamw connection status #4...
Wait for aamw connection status #5...
Enroll SRX is finished. However aamw connection status is incorrect: Disconnected because of HTTP error (expecting 'Connected'). 
Please check your network connection and other configuration. Running diagnostics process is recommended.
Please run diagnostic process with the following cli command:
request services advanced-anti-malware diagnostics 10.20.20.166/ detail pre-detection
[WARNING] Failed to update Application Identification Signature package.
This package is necessary for latest Sky ATP features. Please update it manually.
For more information, please see: https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/services-application-package-manually-updating.html

Interesting here is the last line about "expecting Connected" on the HTTP error.

If I start the diagnostic test:

root@vSRX-HQ> request services advanced-anti-malware diagnostics jatpdfdfdfb.italy.local detail pre-detection    
    [INFO]    Try to get IP address for hostname jatpdfdfdfb.italy.local
DNS check                                            : [OK]
    [INFO]    Try to test SKYATP server connectivity
    [INFO]    Successfully connected to jatpdfdfdfb.italy.local443
    [INFO]    Successfully connected to ca.junipersecurity.net:8080
    [INFO]    Successfully connected to va.junipersecurity.net:80
SKYATP reachability check                            : [OK]
    [INFO]    Time difference between SKYATP server and this device: 19 second(s)
Time check                                           : [OK]
    [INFO]    Configuration checking passed: PKI
    [INFO]    Configuration checking passed: SSL
    [INFO]    Configuration checking passed: AAMW Connection
    [INFO]    Configuration checking passed: SecIntel URL
    [INFO]    Configuration checking passed: SecIntel Authentication
Configuration activation check                       : [OK]
    [INFO]    Try ICMP service in SKYATP
SKYATP ICMP service check                            : [OK]
    [INFO]    To-SKYATP connection is using ge-0/0/2.0, according to route
Interface configuration check                        : [OK]
Outgoing interface MTU is default value
    [INFO]    Check IP MTU with length 1472
IP Path MTU is 1472
    [INFO]    VSRX detected. Checking system licenses
VSRX License check                                   : [OK]

Everything seems correct!

But from services advanced-anti-malware status:

root@vSRX-HQ> show services advanced-anti-malware status    
Server connection status:
  Server hostname: 10.20.20.166
  Server port: 443
    Control Plane:
      Connection time: 2019-03-29 10:52:39 CET
      Connection status: Requesting client certificate
    Service Plane:
      fpc0
        Connection active number: 0
        Connection retry statistics: 0

root@vSRX-HQ> show services advanced-anti-malware status    
Server connection status:
  Server hostname: 10.20.20.166
  Server port: 443
    Control Plane:
      Connection time: 2019-03-29 10:52:40 CET
      Connection status: Disconnected because of HTTP error
    Service Plane:
      fpc0
        Connection active number: 0
        Connection retry statistics: 0

NOPE.

 

From the JATP enrol page:

[screenshot attached to the original post: Screenshot_20190329_105617.png]

Any suggestions?

Many regards
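
The op-script transcript and the status output above carry the information needed to see why the device is not "Connected", but they are long and the key lines are easy to miss. The following Python script is an added example, not part of the original post and not Juniper's code: it parses the two output formats shown in this thread, collects the `[WARNING]` lines, the per-item `[OK]` checks (both the op-script style and the `check : [OK]` style of the diagnostics command) and the final aamw status, and reduces them to a short list of findings. The sample inputs are abbreviated copies of the outputs posted above; the `is_connected` rule (control plane reporting `Connected` and at least one active service-plane connection) is my assumption of what a healthy device looks like, not something the post confirms.

```python
"""Parse SRX/JATP enrolment output and list why a device is not 'Connected'."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: abbreviated from the op-script transcript in the post
# above (serial numbers were already masked by the poster).
ENROLL_LOG = """\
Platform is supported by JATP: VSRX.
[WARNING] More than 1 license found with name: Sky ATP. Invalid licenses might cause enrolling/disenrolling failure. Please remove invalid licenses.
Enrolling with Sky ATP license serial number: 91730sss217.
Checking configuration on SRX...
SSL profile:                          [OK]
SecIntel CA:                          [OK]
Client cert found:                    [OK]
URL for advanced-anti-malware:        [OK]
All SRX configurations are correct for enrollment.
Wait for aamw connection status #5...
Enroll SRX is finished. However aamw connection status is incorrect: Disconnected because of HTTP error (expecting 'Connected').
[WARNING] Failed to update Application Identification Signature package.
"""

# Constructed sample of 'show services advanced-anti-malware status' (from the post).
STATUS_OUTPUT = """\
Server connection status:
  Server hostname: 10.20.20.166
  Server port: 443
    Control Plane:
      Connection time: 2019-03-29 10:52:40 CET
      Connection status: Disconnected because of HTTP error
    Service Plane:
      fpc0
        Connection active number: 0
        Connection retry statistics: 0
"""

WARN_RE = re.compile(r"^\[WARNING\]\s*(.*\S)\s*$")
# Matches 'SSL profile:   [OK]' (op script) as well as 'DNS check   : [OK]' (diagnostics).
CHECK_RE = re.compile(r"^\s*(\S.*?)\s*:\s*\[(\w+)\]\s*$")
AAMW_RE = re.compile(r"aamw connection status is incorrect:\s*(.+?)\s*\(expecting")
STATUS_RE = re.compile(r"Connection status:\s*(.+?)\s*$")
ACTIVE_RE = re.compile(r"Connection active number:\s*(\d+)")


@dataclass
class EnrollReport:
    warnings: List[str] = field(default_factory=list)
    checks: Dict[str, str] = field(default_factory=dict)
    aamw_status: Optional[str] = None  # None when the transcript reports no mismatch

    @property
    def license_conflict(self) -> bool:
        """True when the op script printed its duplicate-licence warning."""
        return any("More than 1 license" in w for w in self.warnings)

    @property
    def failed_checks(self) -> List[str]:
        return [name for name, result in self.checks.items() if result != "OK"]

    @property
    def healthy(self) -> bool:
        return self.aamw_status is None and not self.failed_checks


def parse_enroll_log(text: str) -> EnrollReport:
    """Collect warnings, per-item check results and the final aamw status."""
    report = EnrollReport()
    for line in text.splitlines():
        if m := WARN_RE.match(line):
            report.warnings.append(m.group(1))
        elif m := CHECK_RE.match(line):
            report.checks[m.group(1)] = m.group(2)
        elif m := AAMW_RE.search(line):
            report.aamw_status = m.group(1)
    return report


def parse_status(text: str) -> Dict[str, object]:
    """Extract the control-plane state and the number of active service-plane sessions."""
    control_plane: Optional[str] = None
    active = 0
    for line in text.splitlines():
        if m := STATUS_RE.search(line):
            control_plane = m.group(1)
        elif m := ACTIVE_RE.search(line):
            active += int(m.group(1))
    return {"control_plane": control_plane, "active_connections": active}


def is_connected(status: Dict[str, object]) -> bool:
    """Assumed health rule: control plane 'Connected' and at least one active session."""
    return status["control_plane"] == "Connected" and int(status["active_connections"]) > 0


def diagnose(enroll: EnrollReport, status: Dict[str, object]) -> List[str]:
    """Reduce both outputs to the short list of findings an operator wants to read."""
    findings: List[str] = []
    if enroll.license_conflict:
        findings.append("multiple Sky ATP licences installed; remove invalid/expired ones")
    for name in enroll.failed_checks:
        findings.append(f"enrolment check failed: {name}")
    if enroll.aamw_status:
        findings.append(f"aamw status after enrolment: {enroll.aamw_status}")
    if not is_connected(status):
        findings.append(f"control plane: {status['control_plane']} "
                        f"({status['active_connections']} active service-plane connections)")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_enroll_log(ENROLL_LOG), parse_status(STATUS_OUTPUT)):
        print("-", finding)
```

Run against the outputs posted above it reports three findings: the duplicate-licence warning, the aamw status mismatch, and the control plane sitting in "Disconnected because of HTTP error" with no active service-plane connection. Feeding it the output of later `show services advanced-anti-malware status` runs makes the transient "Requesting client certificate" state and the final failure easy to tell apart without reading the whole block each time.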
Re: SRX enrol with JATP problem

03-29-2019 10:28 AM

Hi,

This issue is generally seen when there is some kind of validation failure.

Please check the licenses on the vSRX. Sometimes the presence of more than one license for JATP, or of an expired license, may lead to it too.

Besides, what is the version of your vSRX and JATP?

Thanks!

Solution (accepted by topic author alfaromeo)

Re: SRX enrol with JATP problem

04-01-2019 03:17 AM

Hi, problem solved.

Usually with a freshly installed JATP, you need to wait some hours in order to give JATP the possibility to download the images and software for the SRX connection.

On top of that, if it's still not working, I did:

1) disenroll from JATP the SRX

2) reload SRX

3) enroll SRX once again

4) reload the JATP

5) wait until the next day

....

then I found JATP and SRX connected!!!

Hope that this helps someone else.

regards