Screen OS


This is a legacy community with limited Juniper monitoring.
  • 1.  Bogus image message

    Posted 06-07-2020 07:25
    I am trying to install Screen OS firmware and am seeing a 'bogus image not authenticated' message.
    This is the third time I am facing an error while doing this process. Is there a step-by-step process guide or procedure guide to help me with the process? Does this cause harm to my activity?


  • 2.  RE: Bogus image message

    Posted 06-07-2020 08:11

    Hello Reload,

    Greetings !!

    From the problem, I can see there is a problem while installing Screen OS firmware and you are getting the error mentioned.

    Kindly follow the below steps:

     

    1. Upload an image on the firewall signed by the old key.
    2. Once that is done the firewall will boot without throwing the same error.
    3. Once booted, run the command “delete crypto auth-key”
    4. Run the command “exec pki test skey” to verify. (Output should be all zeros)
    5. Then you can load latest version.

    For more clarification, kindly find the below docs:
    https://kb.juniper.net/InfoCenter/index?page=content&id=TSB16495&actp=METADATA

     

     

    The below docs will help to upgrade/load ScreenOS software via the Boot/Diag mode.
    You do need a TFTP server on your laptop, connected to the device, with the files for the process installed; then follow the steps in the below KB:

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB5519&actp=search

     

    If this solves your problem, please mark this post as "Accepted Solution".
    If you think that my answer was helpful, please spend some Kudos.

     



  • 3.  RE: Bogus image message

    Posted 06-07-2020 08:32

    Hi Reload,

     

    I believe this is where you are getting stuck at:

     

    SSG550-> save software from tftp 172.22.152.251 new/ssg500.6.3.0r17.0 to flash 
    Load software from TFTP 172.22.152.251 (file: new/ssg500.6.3.0r17.0).
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    (snip)
    tftp received octets = 11627247
    tftp success!
    
    TFTP Succeeded
    Save to flash. It may take a few minutes ...platform = 23, cpu = 11, version = 2
     update new flash image (02572fd0,11627247)
    platform = 23, cpu = 11, version = 2
    offset = 20, address = 0, size = 11627169
    date = 9422, sw_version = 808031, cksum = 954806c3
    ********Invalid image!!! ********Bogus image - not authenticated!!!
    
    (snip)
    

     

    If you would like to update the boot loader that is signed with the new image key on SSG Series, you must have a console connection and a TFTP server that is reachable through the pre-assigned interface(s) in boot loader mode (mostly the ‘eth0/0’ interface), and manually interrupt the boot sequence by holding the ‘Shift’ key and hitting 'X' and ‘A’ sequentially when the “Hit 'X' and 'A' to upgrade bootloader” message is shown on the console.

    After installing the new image key, type the CLI reset command to reboot the device. Then keep the ‘Shift’ key down and hit 'X' and ‘A’ sequentially.
    SSG550-> reset
    System reset, are you sure? y/[n] y
    In reset ...
    
    (snip)
    
    ScreenOS Saipanloader V1.0.7
    Built Mar 19 2009/15:54:12
    watchdog_probe, 1132 bus/dev/fn = 0/248 ich = 2640
    boot_drive = 80
    start1 = 0768, start2 = 3840
    
    Hit 'X' and 'A' to upgrade bootloader   <- Hold ‘Shift key’ and hit ‘X’ and ‘A’ in sequence
    Loader File Name:new/Loadssg500v107.d   <- Bootloader filename signed with the new image key
    Self IP Address :172.22.152.35          <- TFTP client IP address
    TFTP IP Address :172.22.152.251         <- TFTP server IP address
    IP MASK :255.255.255.0
    Gateway IP Address :172.22.152.1
    
    
    Saipan motherboard proto 3 or later detected
    Probing...[Ethernet0/0 and Ethernet0/1]
    
    Initiating hardware and waiting for link up ...
    
    
    Initiating hardware and waiting for link up ...
    self_ip = 172.22.152.35, tftp_server_ip = 172.22.152.251
    ip = 172.22.152.35 mask = 255.255.255.0 gw = 172.22.152.1 svr = 172.22.152.251
    network_ready = 1
    new/Loadssg500v107.d
    
    
    121078 bytes downloaded from tftp server
    old img size = 121032, new img size = 121032, load = 121078, sig = 46
    S
    Image authenticated!    <- Bootloader is authenticated using the new image key 

     <snip>

    write boot2's start sector back at sector 1051
    write mbr back at sector 0
    mounting FAT16 partition
    file size = 112
    size = 112, sizeof(nvram_rec) = 112
    system rebooting...  <- After successful bootloader installation, the device will automatically try to reboot

    <snip> 

     

    The below document should help you:

    https://www.juniper.net/documentation/software/screenos/screenos6.3.0/630_upgrade.pdf

     

    Hope this helps 🙂

     

    Please mark "Accepted Solution" so that it can help others.

    Kudos are always appreciated!



  • 4.  RE: Bogus image message

    Posted 06-07-2020 12:17

    Hi Reload, 

     

    Greetings, 

    I believe these logs, i.e. "bogus image not authenticated", are observed because the ScreenOS firmware is not successfully authenticated by the new image key during installation.

    ********Invalid DSA signature <- The installed boot loader (OS Loader) cannot be authenticated using the new image key
    ********Bogus image - not authenticated

    date = 9422, sw_version = 808031, cksum = 954806c3
    ********Invalid image!!! ********Bogus image - not authenticated!!!

    These logs have been reported through TSB.
    Link: How to Update the New Image Authentication Key and Upgrade Boot Loader/ScreenOS Firmware 

     

    Hope this helps. 

     

    Please mark "Accept as solution" if this answers your query. 

    Kudos are appreciated too! 

     

    Regards, 

    Sharat Ainapur



  • 5.  RE: Bogus image message
    Best Answer

    Posted 06-07-2020 17:24

    The issue comes from the change in signing key from Juniper in 2017.

    When you get this error, follow these instructions.

    More information is in this blog. http://puluka.com/home/networking/screenos/critical-screenos-security-flaw/

    Once recovered by deleting the key, upload the new key version from the download links posted on the Juniper web site.

    Error: Bogus image – not authenticated!!!

    This error will occur if you upgrade to the new ScreenOS image and still have the OLD signing key on your device.  The boot screen on the console port will show this message:

    ********Invalid image!!!
    ********Bogus image – not authenticated!!!

    Fips check failed
    Done

    To recover from this error and allow the device to boot you need to delete the signing key.

    delete crypto auth-key

    Then reboot the device and the new ScreenOS should load.
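
A triage helper for the console messages quoted in this thread, added here as an example (not code from any poster or from Juniper): it separates an incomplete TFTP transfer from an image the device refused to authenticate. The function name, verdict labels and sample text are constructed for illustration; the field names and messages are those shown in the posts above.

```python
import re

# Constructed samples, shaped like the console output quoted in the thread.
SAMPLE_FAIL = """\
tftp received octets = 11627247
tftp success!
 update new flash image (02572fd0,11627247)
platform = 23, cpu = 11, version = 2
offset = 20, address = 0, size = 11627169
date = 9422, sw_version = 808031, cksum = 954806c3
********Invalid image!!! ********Bogus image - not authenticated!!!
"""
SAMPLE_OK = "121078 bytes downloaded from tftp server\nS\nImage authenticated!\n"

FIELD = re.compile(r"\b(platform|cpu|version|offset|size|sw_version|cksum)\s*=\s*(\w+)")
RECEIVED = re.compile(r"tftp received octets\s*=\s*(\d+)")
FLASHED = re.compile(r"update new flash image \(\w+,(\d+)\)")
# The posts show the rejection line with both a hyphen and an en dash.
REJECTED = re.compile(r"Invalid DSA signature|Bogus image\s*[-\u2013]\s*not authenticated")


def triage(console_text):
    """Summarise one image-load attempt from captured console text."""
    header = dict(FIELD.findall(console_text))  # later duplicates overwrite
    received = RECEIVED.search(console_text)
    flashed = FLASHED.search(console_text)
    # None means the capture lacks one of the two byte counts.
    complete = None
    if received and flashed:
        complete = received.group(1) == flashed.group(1)

    if REJECTED.search(console_text):
        # Rule out a short transfer first; a full-length image that is
        # still refused failed the check against the stored signing key.
        verdict = "transfer-incomplete" if complete is False else "signature-rejected"
    elif "Image authenticated!" in console_text:
        verdict = "authenticated"
    else:
        verdict = "unknown"
    return {"verdict": verdict, "transfer_complete": complete, "header": header}


if __name__ == "__main__":
    for name, text in (("fail", SAMPLE_FAIL), ("ok", SAMPLE_OK)):
        print(name, triage(text))
```

A "signature-rejected" verdict is also what a modified image produces, so compare the file's hash with the one published alongside the vendor download before removing the stored key.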

     

     



  • 6.  RE: Bogus image message

     
    Posted 06-08-2020 00:22

    Hi Reload,

     

    Good day!!

     

    Can you use the following link to downgrade the OS?

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB5519&actp=search

     

    Note: While the device boots up, you have to take action as per the KB when the following message appears.

    You hit the Enter key during this prompt:

    Hit any key to run loader
    Hit any key to run loader
    Hit any key to run loader < Press the 'Enter' key at this point

     

    Then follow the steps in the KB from there. You do need a TFTP server on your laptop, connected to the device, with the files for the process installed.

     

    Please mark "Accepted Solution" if this helps.

    Kudos are always appreciated

     

    Thanks 

    Suraj