Screen OS

 View Only
last person joined: 11 months ago 

This is a legacy community with limited Juniper monitoring.
  • 1.  SSG140 flash corrupted

    Posted 09-08-2023 10:59

    Hi

    First i now that this firewall is EOL 

     ("### image corrupted ###"  shown on the console)

    I tried the TFTP procedure to reinstall the OS(ssg140.6.3.0r27) but after the image is loaded successfully i got:

    > ********Invalid DSA signature
    > 
    > ********Bogus image - not authenticated

    I could be a problem of signature so I would like to try with an old firmware signed prior 2014 to see if i can resurrect the beast unfortunately Juniper does not offer these old firmware on  download area. Could someone provide an old version?

    Thanks

    Michael



    ------------------------------
    Michael Girard
    ------------------------------



  • 2.  RE: SSG140 flash corrupted

    Posted 09-08-2023 20:15

    To recover from this error and allow the device to boot you need to delete the signing key.

    delete crypto auth-key

    Then reboot the device and the new ScreenOS should load.

    kb is here:

    https://supportportal.juniper.net/s/article/How-to-Update-the-New-Image-Authentication-Key-and-Upgrade-Boot-Loader-ScreenOS-Firmware



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: SSG140 flash corrupted

    Posted 09-11-2023 05:54

    Thanks Steve

    The problem of deleting the signing key is i that the firewall is only showing the loader with TFTP parameters.  I cannot issue any command via CLI, unless you know the way to access CLI via loader?  This is the reason why i was asking for an old signed firmware as an intermediate recovery step.



    ------------------------------
    Michael Girard
    ------------------------------



  • 4.  RE: SSG140 flash corrupted

    Posted 09-11-2023 15:59

    As I recall the command is issued at the bootloader and not the cli so you should be able to run this after the bogus image response then reboot again to bypass the check.

    Once this is up you can then follow the instructions to install the new signing key.



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------