ScreenOS Firewalls (NOT SRX)

Bogus image message

‎06-07-2020 07:24 AM
I am trying to install ScreenOS firmware and am seeing a 'bogus image not authenticated' message.
This is the third time I am facing an error while doing this process. Is there a step-by-step process guide or procedure guide to help me with the process? Does this cause harm to my activity?

Re: Bogus image message

‎06-07-2020 08:10 AM

Hello Reload,

Greetings !!

From the description I can see there is a problem while installing the ScreenOS firmware and you are getting the error mentioned.

Kindly follow the steps below:

 

1. Upload an image on the firewall signed by the old key.
2. Once that is done the firewall will boot without throwing the same error.
3. Once booted run the command “delete crypto auth key”
4. Run the command “exec pki test skey” to verify. (Output should be all zeros)
5. Then you can load latest version.

For more clarification, kindly see the document below:
https://kb.juniper.net/InfoCenter/index?page=content&id=TSB16495&actp=METADATA

 

 

The document below will help to upgrade/load ScreenOS software via the Boot/Diag mode.
You do need a TFTP server on your laptop, connected to the device, with the files for the process installed. Then follow the steps in the KB below:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB5519&actp=search

 

If this solves your problem, please mark this post as "Accepted Solution".
If you think that my answer was helpful, please spend some Kudos.

 

deeksha

Re: Bogus image message

‎06-07-2020 08:31 AM

Hi Reload,

 

I believe this is where you are getting stuck at:

 

SSG550-> save software from tftp 172.22.152.251 new/ssg500.6.3.0r17.0 to flash 
Load software from TFTP 172.22.152.251 (file: new/ssg500.6.3.0r17.0).
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(snip)
tftp received octets = 11627247
tftp success!

TFTP Succeeded
Save to flash. It may take a few minutes ...platform = 23, cpu = 11, version = 2
 update new flash image (02572fd0,11627247)
platform = 23, cpu = 11, version = 2
offset = 20, address = 0, size = 11627169
date = 9422, sw_version = 808031, cksum = 954806c3
********Invalid image!!! ********Bogus image - not authenticated!!!

(snip)

 

If you would like to update the boot loader that is signed with the new image key on SSG Series, you must have a console connection and a TFTP server that can be reachable through the pre-assigned interface(s) in the boot loader mode (mostly ‘eth0/0’ interface) and manually interrupt the boot sequence by holding ‘Shift key’ and hit 'X' and ‘A’ sequentially when the “Hit 'X' and 'A' to upgrade bootloader” message is shown on the console.

After installing the new image key, type CLI reset command to reboot the device. Then keep the ‘Shift key’ down and hit 'X' and ‘A’ sequentially.
SSG550-> reset
System reset, are you sure? y/[n] y
In reset ...

(snip)

ScreenOS Saipanloader V1.0.7
Built Mar 19 2009/15:54:12
watchdog_probe, 1132 bus/dev/fn = 0/248 ich = 2640
boot_drive = 80
start1 = 0768, start2 = 3840

Hit 'X' and 'A' to upgrade bootloader   <- Hold ‘Shift key’ and hit ‘X’ and ‘A’ in sequence
Loader File Name:new/Loadssg500v107.d   <- Bootloader filename signed with the new image key
Self IP Address :172.22.152.35          <- TFTP client IP address
TFTP IP Address :172.22.152.251         <- TFTP server IP address
IP MASK :255.255.255.0
Gateway IP Address :172.22.152.1


Saipan motherboard proto 3 or later detected
Probing...[Ethernet0/0 and Ethernet0/1]

Initiating hardware and waiting for link up ...


Initiating hardware and waiting for link up ...
self_ip = 172.22.152.35, tftp_server_ip = 172.22.152.251
ip = 172.22.152.35 mask = 255.255.255.0 gw = 172.22.152.1 svr = 172.22.152.251
network_ready = 1
new/Loadssg500v107.d


121078 bytes downloaded from tftp server
old img size = 121032, new img size = 121032, load = 121078, sig = 46
S
Image authenticated!    <- Bootloader is authenticated using the new image key 

 <snip>

write boot2's start sector back at sector 1051
write mbr back at sector 0
mounting FAT16 partition
file size = 112
size = 112, sizeof(nvram_rec) = 112
system rebooting...  <- After successful bootloader installation, the device will automatically try to reboot

<snip> 

 

The below document should help you:

https://www.juniper.net/documentation/software/screenos/screenos6.3.0/630_upgrade.pdf

 

Hope this helps 🙂

 

Please mark "Accepted Solution" so that it can help others.

Kudos are always appreciated!
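
The console transcript in the post above can be triaged mechanically. The following is an added example, not part of any post in this thread and not Juniper code: it reads a captured `save software` console log, confirms the TFTP byte count matches the length handed to flash, and only then attributes the rejection to signature verification. The function name, the verdict strings and the reading of the second number in `update new flash image (...)` as a byte count are assumptions.

```python
import re

# Constructed sample: console lines taken from the transcript quoted in this thread.
SAMPLE = """\
tftp received octets = 11627247
tftp success!
Save to flash. It may take a few minutes ...platform = 23, cpu = 11, version = 2
 update new flash image (02572fd0,11627247)
offset = 20, address = 0, size = 11627169
date = 9422, sw_version = 808031, cksum = 954806c3
********Invalid image!!! ********Bogus image - not authenticated!!!
"""

# Fields worth recording in a change ticket before touching the signing key.
FIELDS = {
    "received": r"tftp received octets = (\d+)",
    "flash_len": r"update new flash image \([0-9a-fA-F]+,(\d+)\)",
    "cksum": r"cksum = ([0-9a-fA-F]+)",
}

def triage(console_text):
    """Return (verdict, details) for a captured ScreenOS image-load console log."""
    text = console_text.replace("\u2013", "-")  # some captures carry an en dash
    details = {}
    for name, pattern in FIELDS.items():
        match = re.search(pattern, text)
        if match:
            details[name] = match.group(1)
    # Assumption: the second value in 'update new flash image' is the byte count
    # written to flash; if it differs from the TFTP count, suspect the transfer.
    complete = ("received" in details
                and details["received"] == details.get("flash_len"))
    if "Image authenticated!" in text:
        return "authenticated", details
    if re.search(r"Bogus image - not authenticated|Invalid DSA signature", text):
        if complete:
            # Full image arrived and was still rejected: a signature/key mismatch.
            return "signature-rejected", details
        return "rejected-transfer-unverified", details
    return "no-verdict", details

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A `signature-rejected` verdict matches the situation this thread describes; `rejected-transfer-unverified` means the transfer should be repeated and re-checked before any key is changed.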


Re: Bogus image message

‎06-07-2020 12:17 PM

Hi Reload, 

 

Greetings, 

I believe these logs, i.e. bogus image not authenticated, are observed because the ScreenOS firmware is not successfully authenticated by the new image key during installation.

********Invalid DSA signature <- The installed boot loader (OS Loader) cannot be authenticated using the new image key
********Bogus image - not authenticated

date = 9422, sw_version = 808031, cksum = 954806c3 ********Invalid image!!! ********Bogus image - not authenticated!!!

These logs have been reported through TSB.
Link: How to Update the New Image Authentication Key and Upgrade Boot Loader/ScreenOS Firmware 

 

Hope this helps.

 

Please mark "Accept as solution" if this answers your query. 

Kudos are appreciated too! 

 

Regards, 

Sharat Ainapur

Solution
Accepted by topic author Reload
‎06-08-2020 01:52 AM

Re: Bogus image message

‎06-07-2020 05:24 PM

The issue comes from the change in signing key from Juniper in 2017.

When you get this error, follow these instructions.

More information is in this blog. http://puluka.com/home/networking/screenos/critical-screenos-security-flaw/

Once recovered by deleting the key, upload the new key version from the download links posted on the Juniper web site.

Error: Bogus image – not authenticated!!!

This error will occur if you upgrade to the new ScreenOS image and still have the OLD signing key on your device.  The boot screen on the console port will show this message:

********Invalid image!!!
********Bogus image – not authenticated!!!

Fips check failed
Done

To recover from this error and allow the device to boot you need to delete the signing key.

delete crypto auth-key

Then reboot the device and the new ScreenOS should load.

 

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Bogus image message

‎06-08-2020 12:21 AM

Hi Reload,

 

Good day!!

 

Can you use the following link to downgrade the OS?

 

http://kb.juniper.net/InfoCenter/index?page=content&id=KB5519&actp=search

 

Note: While the device boots up, you have to take action as per the KB when the following message appears.

 

You hit the Enter key during this prompt:

Hit any key to run loader
Hit any key to run loader
Hit any key to run loader < Press the 'Enter' key at this point

 

Then follow the steps in the KB from there. You do need a TFTP server on your laptop, connected to the device, with the files for the process installed.

 

Please mark "Accepted Solution" if this helps.

Kudos are always appreciated

 

Thanks 

Suraj 

 
