ScreenOS Firewalls (NOT SRX)

Can't Up or Downgrade ssg20 from r20

‎12-20-2015 11:52 PM

Hi All,

I have a pair of SSG20s which I can't up or downgrade from r20.

I have tried upgrading to r21 and also downgrading to r19b.

Even upon updating the imagekey (which was already upgraded) the devices reboot.

When I perform the upgrade, through web interface, TFTP or scp doesn't matter, the devices simply reboot to r20.

Bootloader has previously been upgraded.

Given the severity of the VPN malicious code, not upgrading is unacceptable.

1 ACCEPTED SOLUTION

Accepted by topic author licensebox@arseus.com
‎12-21-2015 09:23 AM

Re: Can't Up or Downgrade ssg20 from r20

‎12-21-2015 08:28 AM

I had the same issue with r20.

I found the following worked.

1) Delete Auth Key

delete crypto auth-key

2) Perform upgrade

3) Reinstall Auth Key

Good luck.

5 REPLIES

Re: Can't Up or Downgrade ssg20 from r20

‎12-21-2015 03:22 AM

I've heard of this behaviour when the internal flash drive has problems and requires a replacement. On some devices this is removable and others it will require an RMA of the whole firewall.

Other things to confirm:

Have you confirmed that the new signing key is actually on the device?

The new and correct signing key for ScreenOS 6.3R21 begins with 308201ad as shown below.

The old key begins with 308201ac.

 

ssg5-serial-> exec pki test skey

exec pki test <skey>.

Flash base = 0x51000000, Flash end = 0x0, sector size= 0x4000

KEY1  N/A len =433

 308201ad02010002818100fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f80b651magic1 = f7e9294b magic2=0

KEY2  N/A len =433

 308201ad02010002818100fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f80b651magic1 = f7e9294b magic2=0

KEY3  N/A len =433

 308201ad02010002818100fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f80b651magic1 = f7e9294b magic2=0

 

 

You could try the "B" version of the 6.3R20 code that removes the exploit to see if your device accepts this one.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
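
The signing-key check described in the reply above, as an added example that is not part of the original post: a Python sketch that parses captured `exec pki test skey` output, classifies each key slot by the two prefixes the reply gives, and cross-checks the reported len against the DER header (30 82 01 ad encodes a 429-byte body, 433 bytes in total). The sample input is constructed from the output quoted above with KEY2 altered to the old prefix; the function names are assumptions.

```python
import re

NEW_PREFIX = "308201ad"  # per the post: ScreenOS 6.3R21 signing key
OLD_PREFIX = "308201ac"  # per the post: old signing key

# Constructed sample: the output quoted in the post, with KEY2 altered to
# carry the old prefix (and matching len) so both outcomes are exercised.
SAMPLE = """\
KEY1  N/A len =433
 308201ad02010002818100fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f80b651magic1 = f7e9294b magic2=0
KEY2  N/A len =432
 308201ac02010002818100fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f80b651magic1 = f7e9294b magic2=0
"""

SLOT_RE = re.compile(r"^(KEY\d+)\s+\S+\s+len\s*=\s*(\d+)\s*$")
HEX_RE = re.compile(r"^\s*([0-9a-fA-F]{8,})")  # stops before the fused "magic1"


def der_total_len(hex_prefix):
    """Total encoded size implied by a DER SEQUENCE header, or None."""
    raw = bytes.fromhex(hex_prefix[:8])
    if raw[0] != 0x30 or raw[1] != 0x82:   # expect SEQUENCE, 2-byte length
        return None
    return 4 + int.from_bytes(raw[2:4], "big")


def check_keys(output):
    """Return {slot: (status, length_consistent)} for each KEYn slot."""
    results, slot, reported = {}, None, None
    for line in output.splitlines():
        m = SLOT_RE.match(line)
        if m:
            slot, reported = m.group(1), int(m.group(2))
            continue
        h = HEX_RE.match(line)
        if slot and h:
            key = h.group(1).lower()
            status = ("new" if key.startswith(NEW_PREFIX)
                      else "old" if key.startswith(OLD_PREFIX) else "unknown")
            results[slot] = (status, der_total_len(key) == reported)
            slot = None
    return results
```

Any slot reported as "old" or "unknown", or with a length that does not match its header, means the new signing key is not fully installed on the device.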


Re: Can't Up or Downgrade ssg20 from r20

‎12-21-2015 09:04 AM

This is a known issue. It is part of the reason r20 was removed, as the crash happens due to the image authentication. You can either remove the image authentication key before upgrading or upgrade from the bootloader (interrupt the boot process). The bootloader uses a different authentication than the OS does, so it is not affected by this issue.


Re: Can't Up or Downgrade ssg20 from r20

‎12-21-2015 09:23 AM

Works like a charm...

Thanks!


Re: Can't Up or Downgrade ssg20 from r20

‎12-23-2015 07:21 AM

Thank you, it works!

To reinject the key with USB:

save image-key usb imagekey.cer