Troubleshooting a system failure on a Juniper SSG140

Run tftpd32 on Windows and put the firmware image in its TFTP root directory.
Then, at the loader's "Boot File Name" prompt, enter the new image filename directly.

The console capture below shows why this was needed: both the primary system image and the default image on the on-board flash fail the loader's checksum comparison (the computed cksum differs from the p_hdr->cksum stored in the image header), so the loader reports ### image corrupted ### and drops to its configuration prompts, where a TFTP boot file can be specified.

Juniper Networks SSG-140 Boot Loader Version 3.2.3 (Checksum: ECD688CB)
Copyright (c) 1997-2006 Juniper Networks, Inc.
    Total physical memory: 512MB
    Test -  Pass 
    Initialization - Done

Hit any key to run loader
Hit any key to run loader
Hit any key to run loader
Hit any key to run loader

Loading system image "$BABOOT$.BIN" from on-board flash disk...
Done! (size = 12,582,912 bytes)
cksum = 18852bb0, p_hdr->cksum = 729e802
### image corrupted ###

Loading default system image from on-board flash disk...
Done! (size = 12,582,912 bytes)
cksum = d01dc97f, p_hdr->cksum = f8e14337
### image corrupted ###

Serial Number [0185092007001229]: READ ONLY
HW Version Number [1010]: READ ONLY
Self MAC Address [001b-c055-a280]: READ ONLY
Boot File Name [ssg140.6.3.0r19.0]: 

The username and password are both the serial number printed on the back of the firewall. On ScreenOS, logging in with the serial number as both username and password is the asset-recovery login: it erases the configuration and returns the device to factory defaults (unless an administrator has disabled device reset), so use it only when the configuration is already lost or backed up.

After that reset, the login name and password are both netscreen (the factory default account).


Validating the Image Authentication Certificate

It is important to verify the integrity of the image key itself before loading it on the Juniper Networks security device. Compare the checksum of the imagekey.cer certificate file with the values below, using a tool such as md5sum, sha1sum or sha256sum on Unix/Linux. Check all three digests rather than only MD5: MD5 and SHA-1 are no longer collision resistant, and the SHA-256 match is the one that carries weight. A checksum published next to the download only tells you that the file arrived intact and is the file the vendor published; it is not a substitute for fetching the file from the vendor's site over HTTPS.

New Image Key (download)
Note: the key is distributed as a .zip archive; decompress it and run the checksum over the extracted imagekey.cer, not over the archive.

$ md5sum imagekey.cer 
99def4b80b75ed65aad52a5fc3ed1131  imagekey.cer

$ sha1sum imagekey.cer 
06c3c15b88de548b18814d4389d18a20f65a5845  imagekey.cer

$ sha256sum imagekey.cer 
02b107f0679bc5d5aa0ab49be52043bb31f2a010a980573c53dc3fc815e1d7f3  imagekey.cer

Old Image Key (download)
Note: the key is distributed as a .zip archive; decompress it and run the checksum over the extracted imagekey.cer, not over the archive.

$ md5sum imagekey.cer 
ccfcd027e20c9cc38b5d8dac17c7199f  imagekey.cer

$ sha1sum imagekey.cer 
2af0d97abbb58821650445cd517050fd0cfa2684  imagekey.cer

$ sha256sum imagekey.cer 
bab2f722cbba13a73d9af4c17af9c34d62ac71b4c9e8bbb9bac5df1fdceb0261  imagekey.cer

Validating the Boot Loader and the ScreenOS Firmware

The newly released boot loaders and ScreenOS firmware images contain no code or content changes; they are the same builds re-signed with the new image key, so their version numbers are unchanged.

To tell whether the device is running ScreenOS firmware signed with the old image key, inspect the installed key's (non-zero) values with the hidden CLI command exec pki test skey; see 2. Checking the Installed Image Key below. KB29296 (ScreenOS and Boot Loader Checksum Values Signed by Old and New Image Key) lists the checksums of the images signed with each key, so the installed firmware can also be identified by its checksum.

Once you are confident of the integrity of the new image key and have confirmed that the running ScreenOS firmware is signed with the old image key, follow the steps below to install the new image key and then the boot loader and ScreenOS firmware signed with it.

NOTE: If you manage ScreenOS devices with NSM, see KB29456, which includes the application note Upgrading ScreenOS through NSM (supplement to TSB16495).

1. Saving the Configuration
Before proceeding with the following steps, back up the configuration; you can do this through either the WebUI or the CLI.

On the WebUI, navigate to Configuration > Update > Config File > click "Save to File"

On the CLI, type save config to tftp <IP address of TFTP server> <config filename>

For example,

SSG550-> save config to tftp ssg550_config_backup 
Read the current config.
 Save configurations (3064 bytes) to ssg550_config_backup on TFTP server
tftp transferred records = 6
tftp success!

TFTP Succeeded

2. Checking the Installed Image Key
If an image key is already installed, you will see output similar to the following (non-zero values). If the output is all zeros, no image key is installed.

NOTE: The device stores only one image key; installing the new key overwrites the previous one. The installation status of the image key can be checked only with the hidden CLI command exec pki test skey.

SSG550-> exec pki test skey


KEY1  N/A len =432
 308201ac02010002818100fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f80b651     magic1 = f7e9294b magic2=0
KEY2  N/A len =432
 308201ac02010002818100fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f80b651     magic1 = f7e9294b magic2=0
KEY3  N/A len =432
 308201ac02010002818100fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f80b651     magic1 = f7e9294b magic2=0

NOTE: The non-zero values above indicate the old image key (starting 308201ac...). To update to the new key, continue with step 3. Updating the Image Key. The new image key's values start with 308201ad.... The leading bytes are the DER header of the key: 30 82 01 ac encodes a SEQUENCE of 0x01ac = 428 bytes, which plus the 4 header bytes gives the len =432 shown above, and the new key's 30 82 01 ad gives 429 + 4 = 433, the len shown in step 3. If the new image key is already installed, go to step 4. Upgrading ScreenOS.

The following example shows that an image key is not installed (all zero values).

SSG550-> exec pki test skey 


KEY1  N/A len =0
 0000000000000000000000000000000000000000000000000000000000000000000000000000000000     magic1 = f7e9294b magic2=dead1234
KEY2  N/A len =0
 0000000000000000000000000000000000000000000000000000000000000000000000000000000000     magic1 = f7e9294b magic2=dead1234
KEY3  N/A len =0
 0000000000000000000000000000000000000000000000000000000000000000000000000000000000     magic1 = f7e9294b magic2=dead1234

NOTE: If no image key is installed and you do not want the boot loader (ISG Series and NetScreen Series only) and ScreenOS to be authenticated in future, skip step 3. Updating the Image Key. Be aware that this leaves the device with no signature check on the firmware it boots.
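The following shell function is an added example, not part of the Juniper KB or of the blog post. It classifies the output of exec pki test skey the way the notes above describe it: all-zero slots with len =0 mean no key, a key whose bytes begin 308201ac with len =432 is the old key, and 308201ad with len =433 is the new key. As an extra sanity check it confirms that the len field equals the DER SEQUENCE length in the header plus 4 header bytes (0x01ac = 428 + 4 = 432 for the old key, 0x01ad = 429 + 4 = 433 for the new one), which is an observation from the outputs on this page, and it reports "inconsistent" if the three key slots disagree. The sample outputs embedded in the script are constructed from the captures on this page; the function name is my own.

```shell
#!/bin/sh
# Added example (not from the Juniper KB or the blog post): classify the
# installed ScreenOS image key from the output of `exec pki test skey`.
# Prints one word: none | old | new | unknown | inconsistent

classify_skey() {
    awk '
    # Parse a lower-case hex string into a number (POSIX awk has no strtonum).
    function hexval(s,    i, v) {
        v = 0
        for (i = 1; i <= length(s); i++)
            v = v * 16 + index("0123456789abcdef", substr(s, i, 1)) - 1
        return v
    }
    # "KEY1  N/A len =432": remember the length; the key bytes follow on the next line.
    /^KEY[0-9]+/ {
        len = $0; sub(/.*len *= */, "", len); len = len + 0
        expect = 1
        next
    }
    expect && $1 ~ /^[0-9a-fA-F]+$/ {
        hex = tolower($1); expect = 0
        state = "unknown"
        if (len == 0 && hex ~ /^0+$/) {
            state = "none"
        } else if (substr(hex, 1, 4) == "3082" && hexval(substr(hex, 5, 4)) + 4 == len) {
            # 30 82 LL LL = DER SEQUENCE with a two-byte length; the reported
            # len is that length plus the 4 header bytes (432 and 433 on this page).
            if (substr(hex, 5, 4) == "01ac") state = "old"
            else if (substr(hex, 5, 4) == "01ad") state = "new"
        }
        nkeys++; seen[state]++
    }
    END {
        if (nkeys == 0) { print "unknown"; exit }
        n = 0
        for (s in seen) { n++; last = s }
        result = (n == 1) ? last : "inconsistent"
        print result
    }'
}

# Sample outputs, constructed from the three captures on this page.
SAMPLE_OLD=$(cat <<'EOF'
KEY1  N/A len =432
 308201ac02010002818100fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f80b651     magic1 = f7e9294b magic2=0
KEY2  N/A len =432
 308201ac02010002818100fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f80b651     magic1 = f7e9294b magic2=0
KEY3  N/A len =432
 308201ac02010002818100fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f80b651     magic1 = f7e9294b magic2=0
EOF
)
SAMPLE_NEW=$(cat <<'EOF'
KEY1  N/A len =433
 308201ad02010002818100fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f80b651     magic1 = f7e9294b magic2=0
KEY2  N/A len =433
 308201ad02010002818100fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f80b651     magic1 = f7e9294b magic2=0
KEY3  N/A len =433
 308201ad02010002818100fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f80b651     magic1 = f7e9294b magic2=0
EOF
)
SAMPLE_NONE=$(cat <<'EOF'
KEY1  N/A len =0
 0000000000000000000000000000000000000000000000000000000000000000000000000000000000     magic1 = f7e9294b magic2=dead1234
KEY2  N/A len =0
 0000000000000000000000000000000000000000000000000000000000000000000000000000000000     magic1 = f7e9294b magic2=dead1234
KEY3  N/A len =0
 0000000000000000000000000000000000000000000000000000000000000000000000000000000000     magic1 = f7e9294b magic2=dead1234
EOF
)

# Usage: sh classify_skey.sh saved_capture.txt
# With no argument, classify the three constructed samples (old, new, none).
case "${1-}" in
    "") for s in "$SAMPLE_OLD" "$SAMPLE_NEW" "$SAMPLE_NONE"; do
            printf '%s\n' "$s" | classify_skey
        done ;;
    *)  classify_skey < "$1" ;;
esac
```

Save the CLI output to a file and pass it as the argument. "old" means step 3 is still needed, "new" means you can go straight to step 4, and "none" means the device will boot without authenticating its firmware; "unknown" or "inconsistent" output deserves a second look at the raw capture, since the len field and the DER header no longer agree or the three slots differ.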

3. Updating the Image Key
If WebUI access or a TFTP server is available, you can install the new image key through the WebUI or the CLI respectively.

On the WebUI :

    Download the new image key (imagekey.zip); see New Image Key above
    Save it to accessible local storage
    Decompress downloaded .zip file
    Login to the device.
    Navigate to ''Configuration > Update > ScreenOS/Keys'' using the navigation tree on the left side of the screen
    Select the ''Image Signature Key Update'' radio button and click Browse
    Navigate to the location where the saved decompressed imagekey.cer and click Open
    Click Apply

On the CLI :

    Download the new image key (imagekey.zip); see New Image Key above
    Decompress downloaded .zip file
    Save decompressed imagekey.cer to TFTP server
    Make a console, Telnet, or SSH connection to the Juniper Networks security device
    Login to the device
    Type save image-key tftp (IP address of tftp server) imagekey.cer command

For example,

SSG550-> save image-key tftp new/imagekey.cer
Load file  from TFTP (file: new/imagekey.cer).
tftp received octets = 863
tftp success!

TFTP Succeeded

If the image key is installed successfully, you will see output similar to the below (non-zero values). If the output shows all zero (0), then the image key is not installed.

SSG550-> exec pki test skey


KEY1  N/A len =433
 308201ad02010002818100fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f80b651     magic1 = f7e9294b magic2=0
KEY2  N/A len =433
 308201ad02010002818100fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f80b651     magic1 = f7e9294b magic2=0
KEY3  N/A len =433
 308201ad02010002818100fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f80b651     magic1 = f7e9294b magic2=0

If you have only CLI access and no TFTP server, you cannot install the new image key. In that case delete the installed old image key with the CLI command delete crypto auth-key and go to step 4. Upgrading ScreenOS. Be aware that with no key installed the device boots without authenticating its boot loader or firmware (see the notes in step 4), so install the new image key as soon as a TFTP server is reachable.
The following example shows that no image key is present after deleting it.

SSG550-> delete crypto auth-key 
SSG550-> exec pki test skey 


KEY1  N/A len =0
 0000000000000000000000000000000000000000000000000000000000000000000000000000000000     magic1 = f7e9294b magic2=0
KEY2  N/A len =0
 0000000000000000000000000000000000000000000000000000000000000000000000000000000000     magic1 = f7e9294b magic2=0
KEY3  N/A len =0
 0000000000000000000000000000000000000000000000000000000000000000000000000000000000     magic1 = f7e9294b magic2=0

NOTE: Do not run the CLI command delete crypto file. It deletes all crypto files on the device, some of which may be in use by other services.

NOTE: The image key cannot be deleted through the WebUI.

4. Upgrading ScreenOS

On ISG1000/2000, NS5200/NS5400 (boot loader upgrade is required) :

In general you need a console connection and a TFTP server reachable through the 'mgt' interface, because the device prompts you to install a boot loader if it cannot authenticate the installed boot loader with the new image key. While booting, the device checks the integrity of both the installed boot loader and the ScreenOS firmware. The special ScreenOS builds 6.3.0r17-dht1.0 and 6.2.0r18-crq1.0, however, include a new CLI command that updates the boot loader from a TFTP server without a console connection.

For more information on these special ScreenOS builds, see KB29456 - How to Upgrade Bootloader (OS Loader) Without a Console Connection on ISG1000/2000 and NS5200/5400.

NOTE: If the old image key was deleted with the CLI command delete crypto auth-key, the device skips the integrity check of the boot loader and ScreenOS firmware at boot and prints Ignore image authentication! on the console.

On the CLI :

1. Download the ScreenOS firmware signed with the new image key from the ScreenOS Download site
2. Download the new boot loader signed with the new image key for your platform: NetScreen 5200/5400, ISG 2000, or ISG 1000
3. Save both files to the TFTP server
4. Log in to the device through the console port
5. Type the save software from tftp (IP address of TFTP server) (ScreenOS image filename) to flash command

For example,

ns5200-> save software from tftp new/ns5000.6.3.0-M2A.r17.0 to flash 
Load software from TFTP (file: new/ns5000.6.3.0-M2A.r17.0).
tftp received octets = 13541072
tftp success!

TFTP Succeeded
Save to flash. It may take a few minutes ...platform = 15, cpu = 16, version = 18
 update new flash image (04243150,13541072)
platform = 15, cpu = 16, version = 18
offset = 20, address = 4000000, size = 13540994
date = 71c0efb8, sw_version = 71c0efbc, cksum = c491f61c
Image authenticated!
Program flash (13541072 bytes) ...

6. Reboot the device with the reset command and install the boot loader signed with the new image key

NOTE: While the device boots up, it will generate the following messages on the console to guide you to install the boot loader that is signed by the new image key.

OS Loader File Name []: (type boot loader file name)
Self IP Address []: (TFTP client (device) IP address)
TFTP IP Address []: (TFTP server IP address)
For example,

ns5200-> reset
System reset, are you sure? y/[n] y
In reset ...

Juniper Networks NS-5000-II BootROM Version 1.0.0 (Checksum: FE499CCD)
Copyright (c) 1998-2004 Juniper Networks, Inc.

Total physical memory: 2048MB
    Test - Pass
    Initialization................ Done

Hit key 'X' and 'A' sequentially to update OS Loader....

Loading OS Loader from on-board flash memory... ++++

********Invalid DSA signature <- The installed boot loader (OS Loader) cannot be authenticated using the new image key

********Bogus image - not authenticated

OS Loader File Name [new/ns5000.6.3.0-M2A.r17.0]: new/Load5000v104.d  <- Boot loader file signed with the new image key
Self IP Address []:
TFTP IP Address []:

Save loader config (56 bytes)... Done

Loading file "new/Load5000v104.d"...
Loaded successfully! (size = 447,576 bytes)

Image authenticated!  <- Boot loader is authenticated using the new image key

Program OS Loader to on-board flash memory... ++++

Start loading...

Juniper Networks NS-5000-II OS Loader Version 1.0.4

Initialize FBTL 0.. Done

Hit any key to load new firmware
Hit any key to load new firmware
Hit any key to load new firmware
Hit any key to load new firmware

Loading default system image from on-board flash disk...
Done! (size = 13,631,488 bytes)

Image authenticated! <- ScreenOS firmware is authenticated using the new image key

Start loading...
Configuring Imperial FPGA... Done

Juniper Networks, Inc
NS-5000 System Software
Copyright, 1997-2008

Version 6.3.0r17.0

NOTE: After the device boots up successfully, you can check the version of the installed boot loader through the CLI get system command, look for the value of “OS Loader Version”.

ns5200-> get system
Product Name: NetScreen-5200-II
Serial Number: 0040012001000011, Control Number: 00000000
Hardware Version: 3010(0)-(04), FPGA checksum: 00000000, VLAN1 IP (
Software Version: 6.3.0r17.0, Type: Firewall+VPN
BOOT ROM Version: 1.0.0
OS Loader Version: 1.0.4


On SSG 20/140/320M/350M/520/520M/550/550M :

The boot loader does not need to be updated, because its integrity is checked only when a boot loader is installed; during boot-up the SSG does not verify the boot loader against the image key. The existing boot loader therefore keeps working after the image key is updated. Note the consequence: on SSG Series the image key protects the ScreenOS firmware at boot, not the loader itself.

NOTE: If the old image key was deleted with the CLI command delete crypto auth-key, the device also skips the integrity check of the ScreenOS firmware at boot and prints Ignore image authentication! on the console.

On the WebUI :

    Download the ScreenOS firmware signed with the new image key from the ScreenOS Download site
    Save it to accessible local storage.
    Login to the device.
    Navigate to ''Configuration > Update > ScreenOS/Keys'' using the navigation tree on the left side of the screen.
    Select the ''Firmware Update (ScreenOS)'' radio button and click Browse.
    Navigate to the location where you saved the ScreenOS image and click Open.
    Click Apply.

NOTE: If the device has the old image key and you try to install ScreenOS firmware signed with the new image key, the installation stops because the firmware cannot be authenticated with the old key; a pop-up window shows "Firmware update failed". In this case either install the new image key before installing the new ScreenOS firmware, or delete the image key (see step 3. Updating the Image Key above).

On the CLI :

1. Download the ScreenOS firmware signed with the new image key from the ScreenOS Download site
2. Save it to the TFTP server.
3. Login to the device
4. Type save software from tftp (IP address of TFTP server) (ScreenOS image filename) to flash command

SSG550-> save software from tftp new/ssg500.6.3.0r17.0 to flash 
Load software from TFTP (file: new/ssg500.6.3.0r17.0).

tftp received octets = 11627247
tftp success!

TFTP Succeeded
Save to flash. It may take a few minutes ...platform = 23, cpu = 11, version = 2
 update new flash image (02572fd0,11627247)
platform = 23, cpu = 11, version = 2
offset = 20, address = 0, size = 11627169
date = 9422, sw_version = 808031, cksum = 954806c3
Program flash (11627247 bytes) ...


5. After successful ScreenOS firmware installation, type reset command to reboot the device

NOTE: If the ScreenOS firmware is not authenticated by the new image key during installation, the error messages "Invalid image!!!" and "Bogus image - not authenticated!!!" are displayed. When the upgrade has succeeded, the device shows ''Image authenticated!'' on the console at the next reboot.

SSG550-> reset
System reset, are you sure? y/[n] y
In reset ...


ScreenOS Saipanloader V1.0.7
Built Mar 19 2009/15:54:12
watchdog_probe, 1132 bus/dev/fn = 0/248 ich = 2640
boot_drive = 80
start1 = 0768, start2 = 3840

Hit 'X' and 'A' to upgrade bootloadermounting FAT16 partition
file size = 112
size = 112, sizeof(nvram_rec) = 112

Hit any key to load new firmware
Hit any key to load new firmware
Hit any key to load new firmware
Hit any key to load new firmware/$nsboot$.bin 
file size = 11627247

hdr->magic_number = 81ba16ee, hdr->platform_type = 1700, hdr->cpu_type = 11

Image authenticated! 


NOTE: If the device has the old image key and you try to install ScreenOS firmware that is signed with the new image key, the installation process will stop because the ScreenOS firmware cannot be authenticated using the old image key. You will see output similar to the below. In this case, you need to either install the new image key prior to installing the ScreenOS firmware or delete the image key (refer to the above step 3. Updating the Image Key).

SSG550-> save software from tftp new/ssg500.6.3.0r17.0 to flash 
Load software from TFTP (file: new/ssg500.6.3.0r17.0).
tftp received octets = 11627247
tftp success!

TFTP Succeeded
Save to flash. It may take a few minutes ...platform = 23, cpu = 11, version = 2
 update new flash image (02572fd0,11627247)
platform = 23, cpu = 11, version = 2
offset = 20, address = 0, size = 11627169
date = 9422, sw_version = 808031, cksum = 954806c3
********Invalid image!!! ********Bogus image - not authenticated!!!


NOTE: To update the boot loader on SSG Series to one signed with the new image key, you need a console connection and a TFTP server reachable through the interface(s) the boot loader uses in loader mode (usually 'eth0/0'), and you must interrupt the boot sequence manually: hold the Shift key and press 'X' then 'A' when the message "Hit 'X' and 'A' to upgrade bootloader" appears on the console.

After installing the new image key, run the CLI command reset to reboot the device, then hold the Shift key down and press 'X' then 'A'.

SSG550-> reset
System reset, are you sure? y/[n] y
In reset ...


ScreenOS Saipanloader V1.0.7
Built Mar 19 2009/15:54:12
watchdog_probe, 1132 bus/dev/fn = 0/248 ich = 2640
boot_drive = 80
start1 = 0768, start2 = 3840

Hit 'X' and 'A' to upgrade bootloader   <- Hold ‘Shift key’ and hit ‘X’ and ‘A’ in sequence
Loader File Name:new/Loadssg500v107.d   <- Bootloader filename signed with the new image key
Self IP Address :          <- TFTP client IP address
TFTP IP Address :         <- TFTP server IP address
Gateway IP Address :

Saipan motherboard proto 3 or later detected
Probing...[Ethernet0/0 and Ethernet0/1]

Initiating hardware and waiting for link up ...

Initiating hardware and waiting for link up ...
self_ip =, tftp_server_ip =
ip = mask = gw = svr =
network_ready = 1

121078 bytes downloaded from tftp server
old img size = 121032, new img size = 121032, load = 121078, sig = 46
Image authenticated!    <- Bootloader is authenticated using the new image key
mounting FAT12 partition
file /boot2 size was 121079, new size is 121078
getting sector information
boot1 size = 512
boot2 size = 512
boot1_sector = 807, boot2_sector = 1051
offset = 512
write boot2's start sector back at sector 1051
write mbr back at sector 0
mounting FAT16 partition
file size = 112
size = 112, sizeof(nvram_rec) = 112
system rebooting...  <- After successful bootloader installation, the device will automatically try to reboot


********Invalid DSA signature  <- If the previously installed ScreenOS firmware is signed with the old image key, the new image key cannot authenticate it, and the device prompts you to install ScreenOS firmware signed with the new image key

********Bogus image - not authenticated
mounting FAT16 partition
file size = 112
Serial Number []: READ ONLYc) = 112
BOM Version Number []: READ ONLY
Self MAC Address [0000-0000-0000]: READ ONLYip = svr =
self_ip_buf =, tftp_ip_buf =

Firmware File Name [old/ssg500.6.3.0r17.0]: new/ssg500.6.3.0r17.0  <- Type the ScreenOS firmware filename signed with the new image key
Self IP Address []:   <- TFTP client IP address
TFTP IP Address []:  <- TFTP server IP address
Gateway IP Address []:

Save loader config (112 bytes)... Done

Saipan motherboard proto 3 or later detected
Probing...[Ethernet0/0 and Ethernet0/1]

Initiating hardware and waiting for link up ...
self_ip =, tftp_server_ip =
ip = mask = gw = svr =
network_ready = 1
offset = 0, maxposition = 11627247
11627247 bytes downloaded from tftp server

hdr->magic_number = 81ba16ee, hdr->platform_type = 1700, hdr->cpu_type = 11

Image authenticated!  ← ScreenOS is authenticated

Save to on-board flash disk? (y/[n]/m) No  <- You should press ‘n’ key 
Run downloaded system image? ([y]/n) Yes   <- You should press ‘y’ key


System change state to Active(1)


For additional information of image key, boot loader, and ScreenOS installation, please refer to the following References.

posted @ 2020-04-29 03:13  lvusyy