Screen OS


This is a legacy community with limited Juniper monitoring.
  • 1.  Can't Up or Downgrade ssg20 from r20

    Posted 12-20-2015 23:52

    Hi All,

     

    I have a pair of SSG20s which I can't up or downgrade from r20.

    I have tried upgrading to r21 and also downgrading to r19b

     

    Even upon updating the imagekey (which was already upgraded) the devices reboot.

    When I perform the upgrade, whether through the web interface, TFTP or scp doesn't matter, the devices simply reboot to r20.

     

    Bootloader has previously been upgraded

     

    Given the severity of the VPN malicious code, not upgrading is unacceptable.



  • 2.  RE: Can't Up or Downgrade ssg20 from r20

    Posted 12-21-2015 03:22

    I've heard of this behaviour when the internal flash drive has problems and requires a replacement. On some devices this is removable and on others it will require an RMA of the whole firewall.

     

    Other things to confirm:

     

    Have you confirmed that the new signing key is actually on the device?

     

    The new and correct signing key for ScreenOS 6.3R21 begins with 308201ad as shown below.

    The old key begins with 308201ac.

     

    ssg5-serial-> exec pki test skey

    exec pki test <skey>.

    Flash base = 0x51000000, Flash end = 0x0, sector size= 0x4000

    KEY1  N/A len =433

     308201ad02010002818100fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f80b651magic1 = f7e9294b magic2=0

    KEY2  N/A len =433

     308201ad02010002818100fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f80b651magic1 = f7e9294b magic2=0

    KEY3  N/A len =433

     308201ad02010002818100fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f80b651magic1 = f7e9294b magic2=0

     

     

    You could try the "B" version of the 6.3R20 code that removes the exploit to see if your device accepts this one.
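
The signing-key check described in the reply above can be scripted when console captures from several firewalls need reviewing. This is an added example, not part of the original post or any Juniper tooling; it assumes the `exec pki test skey` output layout shown above, uses the two prefixes quoted in the post, and treats a device as good only when every listed slot carries the new prefix (an assumption). The sample capture is constructed.

```python
import re

NEW_PREFIX = "308201ad"  # per the post: key for ScreenOS 6.3R21
OLD_PREFIX = "308201ac"  # per the post: previous signing key

SLOT_RE = re.compile(r"^\s*KEY(\d+)\b")          # "KEY1  N/A len =433"
HEX_RE = re.compile(r"^\s*([0-9a-fA-F]{8,})")    # hex run; stops before "magic1"

def classify_slots(console_text):
    """Map each KEYn slot to 'new', 'old', 'unknown' or 'missing'."""
    results, pending = {}, None
    for line in console_text.splitlines():
        slot = SLOT_RE.match(line)
        if slot:
            if pending is not None:      # header with no key data after it
                results[pending] = "missing"
            pending = int(slot.group(1))
            continue
        key = HEX_RE.match(line)
        if key and pending is not None:
            value = key.group(1).lower()
            if value.startswith(NEW_PREFIX):
                results[pending] = "new"
            elif value.startswith(OLD_PREFIX):
                results[pending] = "old"
            else:
                results[pending] = "unknown"
            pending = None
    if pending is not None:
        results[pending] = "missing"
    return results

def device_ok(console_text):
    """True only if at least one slot is listed and all hold the new key."""
    slots = classify_slots(console_text)
    return bool(slots) and all(state == "new" for state in slots.values())

# Constructed capture (shortened hex, hypothetical hostname): slot 2 still
# holds the old key and slot 3 has no key data.
SAMPLE = """fw-a-> exec pki test skey
Flash base = 0x51000000, Flash end = 0x0, sector size= 0x4000
KEY1  N/A len =433
 308201ad0201000281magic1 = f7e9294b magic2=0
KEY2  N/A len =433
 308201ac0201000281magic1 = f7e9294b magic2=0
KEY3  N/A len =433
"""

if __name__ == "__main__":
    print(classify_slots(SAMPLE), device_ok(SAMPLE))
```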



  • 3.  RE: Can't Up or Downgrade ssg20 from r20
    Best Answer

    Posted 12-21-2015 08:28

    I had the same issue with r20. 

     

    I found the following worked.

     

    1) Delete Auth Key

     

    delete crypto auth-key 

     

    2) Perform upgrade

    3) Reinstall Auth Key

     

    Good luck.



  • 4.  RE: Can't Up or Downgrade ssg20 from r20

    Posted 12-21-2015 09:05

    This is a known issue.  It is part of the reason r20 was removed, as the crash happens due to the image authentication.  You can either remove the image authentication key before upgrading or upgrade from the bootloader (interrupt the boot process).  The bootloader uses a different authentication than the OS does, so it is not affected by this issue.



  • 5.  RE: Can't Up or Downgrade ssg20 from r20

    Posted 12-21-2015 09:24

    works like a charm...

     

     

    thanks !



  • 6.  RE: Can't Up or Downgrade ssg20 from r20

    Posted 12-23-2015 07:22

    Thank you, it works!

     

    To reinject the key with USB:

    save image-key usb imagekey.cer