Juniper SSG5 關於imagekey的問題及移除與載入imagekey

-
關於image key新舊版的問題及移除與載入image key

關於image keyScreenOS的檢查請參考下列的網路連結:
檢查下載的JUNOSScreenOS檔案的Checksum來判斷檔案是否遭到竄改或損毀

自從ScreenOS 6.3.0r19版本開始,Juniper SSG5級韌體就要先載入imagekey.cer後,才能更新版本,之前則不需要,也導致我們在更新BootLoaderScreenOS時遭遇到不少的困難,嚴重的甚至需要回原廠維修才行,故我們在此探討此問題。
根據Juniper官方文件(如下連結所示)image key有新舊版本的差異,而其下載連結如下所示:
How to Update the New Image Authentication Key and Upgrade Boot Loader/ScreenOS Firmware

New Image Key (download) --- 適用於6.3.0r19()以後之版本
Old Image Key (download) --- 適用於6.3.0r18()以前之版本

在此我們只探討SSG5(本人所擁有的設備)的部分,根據個人實驗的結果,新版的Image Key適用於6.3.0r19()以後之版本,而舊版的Image Key則適用於6.3.0r18()以前之版本,記住千萬不要用錯版本,否則會發生嚴重的問題!

而我們又要如何分辨手上的Image Key 版本為何呢?
雖然官方連結文件中有說明,但是太複雜了,本人在此提供一個簡單辨別的方式如下:

開啟檔案總管,直接點擊imagekey.cer檔案兩下,就會跳出如下畫面。


不清楚作用嗎?可以再點擊imagekey-new.cerimagekey-old.cer兩個檔案(這是個人為了方便辨識給檔案加上的-new-old)





原來是有效期限不一樣,新的Image Key有效期限自2014/7/192022/7/19,而舊的Image Key有效期限自2008/10/12025/11/17

因為新版與舊版imagekey不同所衍生的問題!
自從6.3.0r19開始,SSG升級韌體就要先載入imagekey.cer後,才能更新版本,之前則不需要,也導致:

一、NetscreenSSG系列升級BootLoader,會出現以下錯誤訊息,導致更新BootLoader失敗。
********Invalid DSA signature
********Bogus image - not authenticated

會發生這個問題的原因是因為您運行中的ScreenOS版本在6.3.0r19以後,也就是說如果您先將ScreenOS更新到6.3.0r19以後,然後再升級BootLoader時,就會發生這個問題。若您運行中的ScreenOS版本在6.3.0r18以前,那您升級BootLoader就不會有此問題。
此問題的解決辦法則是在升級BootLoader前,先行移除image key,待升級完成並重開機後,再載入image key即可。請參考以下連結:
Juniper SSG5 升級boot loader詳細流程

PS:在執行delete crypto auth-key之後會造成開機過程出現以下訊息:
Loading default system image from on-board flash disk...
Done! (size = 13402112 bytes)
Ignore image authentication!          ##沒有image key無法認證
所以必須執行save image-key tftp 192.168.1.11 imagekey.cer來載入image key,若成功則開機過程會出現以下之訊息:
Loading default system image from on-board flash disk...
Done! (size = 13402112 bytes)
Image authenticated!                 ##認證成功


二、J-Web無法降級到低版本。(此為問題為新版的image key無法直接降級到舊版的image key)
解決辦法標準程序如下:
連接並登入CONSOLE後在CLI命令列輸入下列命令來移除image key
SSG5-serial-> delete crypto auth-key
然後在CLI輸入以下命令來來載入image key,執行前記得先確認載入的image key版本是否與要升級的ScreenOS版本搭配:
SSG5-serial-> save image-key tftp 192.168.1.11 imagekey.cer
Load file  from TFTP 192.168.1.11 (file: imagekey.cer).
!!!!!
tftp received octets = 863
tftp success!
Done
TFTP Succeeded

然後參照以下程序更新ScreenOS
Juniper SSG5 防火牆ScreenOS的升級或降級
Juniper SSG5 usb升級ScreenOS
Juniper SSG5 Bootloader升級ScreenOS

重開機後再登入CONSOLE後在CLI輸入以下命令來確認ScreenOS版本。
SSG5-serial-> get sys
Product Name: SSG5-Serial
Serial Number: 0162112009009151Control Number: 00000000
Hardware Version: 0710(0)-(00)FPGA checksum: 00000000VLAN1 IP (0.0.0.0)
Flash Type: Samsung
Software Version: 6.3.0r19.0Type: Firewall+VPN
Feature: AV-K
Compiled by build_master at: Mon Aug 31 01:57:19 PDT 2009
Base Mac: b0c6.9a46.0400
File Name: ssg5ssg20.6.3.0r19.0Checksum: a644202a
Total Memory: 128MB
Date 11/23/2017 19:17:52Daylight Saving Time disabled
The Network Time Protocol is Enabled
Up 0 hours 3 minutes 37 seconds Since 23Nov2017:19:14:15
Total Device Resets: 11Last Device Reset at: 11/21/2017 15:51:15
System in NAT/route mode.
Use interface IPConfig Port: 80
Manager IP enforced: False
Manager IPs: 0
--- more ---
SSG5-serial->

大功告成!!


您也可以參考以下的說明:
舊的Image Key適用於ScreenOS 6.3.0r18()以前之版本,新的Image Key適用於ScreenOS 6.3.0r19()以後的版本。
更新ScreenOS的標準程序步驟:
l   先準備好要安裝的ScreenOS映像檔及相對應的image key檔。
l   先移除運行中的imagekey.cer,再載入要安裝的imagekey.cer
l   接著才安裝ScreenOS映像檔。

一般我們在更新Juniper SSG5防火牆ScreenOS時會遇到下列兩種不同的情況:
一、升、降級ScreenOS版本的範圍會跨越新、舊版的Image Key適用版本範圍。
如果您升、降級ScreenOS版本的範圍會跨越新、舊Image Key適用的版本範圍,則您就必須採用標準程序才行。例如要從ssg5ssg20.6.0.0r1.0升級到ssg5ssg20.6.3.0r22.0,或是從ssg5ssg20.6.3.0r23降級到ssg5ssg20.6.3.0r5.0等情形,其過程都必須依照標準程序來作業。

二、升、降級ScreenOS版本的範圍是在個別新、舊版的Image Key適用版本之內。
如果您原來的Image Key是新版的,而若您升、降級ScreenOS版本的範圍是在新版的Image Key適用版本範圍之內(適用於6.3.0r19以後的版本),則您的升、降ScreenOS的程序可以省略掉移除與載入Image Key的步驟,只要直接執行下列命令即可
save software from tftp 192.168.1.11 ssg5ssg20.6.3.0r22.0 to flash
reset
舉例來說,若您運行中的ScreenOS版本為ssg5ssg20.6.3.0r21.0,則您可以直接在CLI模式中任意升降至ssg5ssg20.6.3.0r24ssg5ssg20.6.3.0r23ssg5ssg20.6.3.0r22.0ssg5ssg20.6.3.0r20.0ssg5ssg20.6.3.0r19.0等版本,而不用去執行移除與載入Image Key的步驟,因為現有的Image Key適用。
相同的道理,如果您原來的Image Key是舊版的,若您升、降ScreenOS版本的範圍是在舊版的Image Key適用版本範圍之內(適用於6.3.0r18以前之版本),同樣可以省略掉移除與載入Image Key的步驟



而當image key版本用錯,又會產生甚麼樣的問題呢?
以下乃從console直接擷取的實作畫面及過程(要示範進行ScreenOS降級作業失敗過程)
SSG5-serial-> delete crypto auth-key         ##故意刪除image key而不載入,然後安裝ScreenOS,好觀察沒有Image key的影響
SSG5-serial-> save software from tftp 192.168.1.11 ssg5ssg20.6.1.0r7.0 to flash    ##進行降級作業
Load software from TFTP 192.168.1.11 (file: ssg5ssg20.6.1.0r7.0).
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.
.
... 過程太長省略 ...
.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
tftp received octets = 12338145
tftp success!
TFTP Succeeded
Save to flash. It may take a few minutes ...platform = 25cpu = 12version = 18
 update new flash image (02ab2ec012338145)
platform = 25cpu = 12version = 18
offset = 20address = 5800000size = 12338067
date = 1919sw_version = 30808000cksum = fa119bf3
Program flash (12338145 bytes) ...
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++done
Done
SSG5-serial-> reset       ##ScreenOS降級作業最後要重新開機
System resetare you sure? y/[n] y
In reset ...

 Juniper Networks SSG5 Boot Loader Version 1.3.3 (Checksum: D8BC25A8)
 Copyright (c) 1997-2006 Juniper NetworksInc.
 Total physical memory: 128MB
     Test - Pass
     Initialization - Done
 Hit any key to run loader
 Hit any key to run loader
 Hit any key to run loader
 Hit any key to run loader
 Loading default system image from on-board flash disk...
 100% Done! (size = 12353536 bytes)
 Ignore image authentication!       ##因為沒有image key所以映像檔沒有被認證
Start loading...
.................................................................
.................................................................
.................................................................
.................................................................
.................................................................
.................................................................
.................................................................
.................................................................
.................................................................
.................................................................
.................................................................
.................................................................
.................................................................
.................................................................
.................................
Done.
 Juniper NetworksInc
 SSG5/SSG20 System Software
 Copyright1997-2006
 Version 6.1.0r7.0       ##ScreenOS降級作業完成了
Load Manufacture Information ... Done
Initialize FBTL 0........ Done
Load NVRAM Information ... (6.3.0)Done
Install module init vectors
Install modules (0105480001d773b8) ...
load dns table . Done
PPP IP-POOL initiated256 pools
Initializing DI 3.4.133952-idp2p_r7
System config (1624 bytes) loaded
Done.
Load System Configuration .........................................................................modem is not detected
......................................................Disabled licensekey auto update
...............Done
system init done..
login: ethernet0/0 interface change physical state to Up
ethernet0/3 interface change physical state to Up
bgroup0 interface change physical state to Up
System change state to Active(1)

login: netscreen
password:
SSG5-serial-> get sys       ##再次檢查運行中的ScreenOS版本
Product Name: SSG5-Serial
Serial Number: 0162112009009151Control Number: 00000000
Hardware Version: 0710(0)-(00)FPGA checksum: 00000000VLAN1 IP (0.0.0.0)
Flash Type: Samsung
Software Version: 6.1.0r7.0Type: Firewall+VPN       ##ScreenOS版本正確
Feature: AV-K
Compiled by build_master at: Mon Aug 31 01:57:19 PDT 2009
Base Mac: b0c6.9a46.0400
File Name: ssg5ssg20.6.1.0r7.0Checksum: a644202a
Total Memory: 128MB
Date 11/23/2017 19:17:52Daylight Saving Time disabled
The Network Time Protocol is Enabled
Up 0 hours 3 minutes 37 seconds Since 23Nov2017:19:14:15
Total Device Resets: 11Last Device Reset at: 11/21/2017 15:51:15
System in NAT/route mode.
Use interface IPConfig Port: 80
Manager IP enforced: False
Manager IPs: 0
--- more ---
SSG5-serial-> save image-key tftp 192.168.1.11 imagekey.cer       ##進行載入image key作業,但用的是新版的image key,故意製造錯誤
Load file  from TFTP 192.168.1.11 (file: imagekey.cer).     ##正確的做法是用舊版的image key,但是為了示範只好....
!!!!!
tftp received octets = 863
tftp success!
Done
TFTP Succeeded
SSG5-serial-> reset      ##載入image key作業成功後要重新開機
System resetare you sure? y/[n] y
In reset ...

 Juniper Networks SSG5 Boot Loader Version 1.3.3 (Checksum: D8BC25A8)
 Copyright (c) 1997-2006 Juniper NetworksInc.
 Total physical memory: 128MB
     Test - Pass
     Initialization - Done
 Hit any key to run loader
 Hit any key to run loader
 Hit any key to run loader
 Hit any key to run loader
 Loading default system image from on-board flash disk...
 100% Done! (size = 12353536 bytes)
 ********Invalid DSA signature
 ********Bogus image - not authenticated      ##因為載入了錯誤的image key,所以出現錯誤訊息

 Serial Number [0162112009009151]: READ ONLY     ##然後系統會自動重新開機,並進入了bootloader模式中
 HW Version Number [0710]: READ ONLY
 Self MAC Address [b0c6-9a46-0400]: READ ONLY
 Boot File Name [ssg5ssg20.6.1.0r7.0]: imagekey-old.cer      ##故意輸入非映像檔測試
 Self IP Address [192.168.1.1]: 192.168.1.1
 TFTP IP Address [192.168.1.11]: 192.168.1.11
 IP MASK [255.255.255.0]:
 GW IP Address [192.168.1.11]:
 Save loader config (108 bytes)... Done
 Loading file "imagekey-old.cer"...
 rtata
 Loaded Successfully! (size = 865 bytes)
 ### invalid image file ###      ##檔案錯誤,只接受ScreenOSbootloader兩種種類的檔案,並自動重新開機

 Juniper Networks SSG5 Boot Loader Version 1.3.3 (Checksum: D8BC25A8)
 Copyright (c) 1997-2006 Juniper NetworksInc.
 Total physical memory: 128MB
     Test - Pass
     Initialization - Done
 Hit any key to run loader
 Hit any key to run loader
 Serial Number [0162112009009151]: READ ONLY
 HW Version Number [0710]: READ ONLY
 Self MAC Address [b0c6-9a46-0400]: READ ONLY
 Boot File Name [imagekey-old.cer]: ssg5ssg20.6.3.0r23   ##因為先前載入的是新的image key,所以只要我們載入的ScreenOS版本大於6.3.r19即可正常開機
 Self IP Address [192.168.1.1]:
 TFTP IP Address [192.168.1.11]:
 IP MASK [255.255.255.0]:
 GW IP Address [192.168.1.11]:
 Save loader config (108 bytes)... Done
 Loading file "ssg5ssg20.6.3.0r23"...
rtatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatat
 ### TFTP server time outTFTP process terminated ###   ##嚴重的問題來了,TFTP檔案傳輸到一半就中斷了,並會自動重開機

 Juniper Networks SSG5 Boot Loader Version 1.3.3 (Checksum: D8BC25A8)
 Copyright (c) 1997-2006 Juniper NetworksInc.
 Total physical memory: 128MB
     Test - Pass
     Initialization - Done
 Hit any key to run loader
 Hit any key to run loader
 Hit any key to run loader
 Serial Number [0162112009009151]: READ ONLY
 HW Version Number [0710]: READ ONLY
 Self MAC Address [b0c6-9a46-0400]: READ ONLY
 Boot File Name [ssg5ssg20.6.3.0r23]:             ##空白表示沿用先前的設定
 Self IP Address [192.168.1.1]:
 TFTP IP Address [192.168.1.11]:
 IP MASK [255.255.255.0]:
 GW IP Address [192.168.1.11]:
 Loading file "ssg5ssg20.6.3.0r23"...
rtatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatat
 ### TFTP server time outTFTP process terminated ###   ##嚴重的問題又來了,TFTP檔案傳輸到一半就又中斷了,並自動重開機

 Juniper Networks SSG5 Boot Loader Version 1.3.3 (Checksum: D8BC25A8)
 Copyright (c) 1997-2006 Juniper NetworksInc.
 Total physical memory: 128MB
     Test - Pass
     Initialization - Done
 Hit any key to run loader
 Serial Number [0162112009009151]: READ ONLY
 HW Version Number [0710]: READ ONLY
 Self MAC Address [b0c6-9a46-0400]: READ ONLY
 Boot File Name [ssg5ssg20.6.3.0r23]:
 Self IP Address [192.168.1.1]:
 TFTP IP Address [192.168.1.11]:
 IP MASK [255.255.255.0]:
 GW IP Address [192.168.1.11]:
 Loading file "ssg5ssg20.6.3.0r23"...
rtatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatat
 ### TFTP server time outTFTP process terminated ###   ##嚴重的問題還來....

 Juniper Networks SSG5 Boot Loader Version 1.3.3 (Checksum: D8BC25A8)
 Copyright (c) 1997-2006 Juniper NetworksInc.
 Total physical memory: 128MB
     Test - Pass
     Initialization - Done
 Hit any key to run loader
 Serial Number [0162112009009151]: READ ONLY
 HW Version Number [0710]: READ ONLY
 Self MAC Address [b0c6-9a46-0400]: READ ONLY
 Boot File Name [ssg5ssg20.6.3.0r23]:       ##接下來就不再重複示範了,若有興趣各位大大自己嘗試下,後果自行負責

經過無數的努力與耕耘,終於皇天不負苦心人,找到了嚴重問題的解答!
原來問題出在這裡: Self IP Address [192.168.1.1]:
在設定bootloader參數時,Self IP Address必須避開192.168.1.1這個位址,否則就會出現上述的嚴重問題:TFTP檔案傳輸到一半就又中斷了,並自動重開機
只能推測192.168.1.1這個位址是跟出廠預設Gateway IP相同有關吧。



SSG5系統開機後就直接進入bootloader模式中,而無法正常開基的解決辦法。
其解決問題過程敘述如下:
當降級失敗,開機過程console畫面會出現以下錯誤訊息:
********Invalid DSA signature
********Bogus image - not authenticated

並且在自動重開機後直接進入bootloader模式,Console畫面如下:
Juniper Networks SSG5 Boot Loader Version 1.3.2 (Checksum: A1EAB858)
Copyright (c) 1997-2006 Juniper NetworksInc.
Total physical memory: 128MB
    Test - Pass
    Initialization - Done
Serial Number [0162112011005923]: READ ONLY
HW Version Number [0710]: READ ONLY
Self MAC Address [78fe-3d95-7e80]: READ ONLY
Boot File Name [Loadssg5ssg20v133.d]:

此時請先確認tftp server是否已經啟動,且本機電腦IP必須設定成固定IP,而TFTP目錄中必須存放版本至少為ssg5ssg20.6.3.0r19.0以上之兩個不同的ScreenOS這是因為ScreenOS6.3.0r19版本以後,就算沒有正確的安裝imagekeyScreenOS也能正常開機進入系統,好讓我們能進行災害搶救措施
在本例我們會使用ssg5ssg20.6.3.0r19.0以及ssg5ssg20.6.3.0r21.0這兩個檔案,另外imagekey.cer也要準備好,最後聲明以下方法乃個人經過數次實驗得到的經驗,僅供參考用。

NoteInstallation from the loader-over-TFTP method does not work reliably over slow speeds or large latency networks.
注意:使用 loader-over-TFTP 方法進行的安裝在低速速度或大延遲時間的網路上無法可靠地運行。

當系統自動重開機後直接停在bootloader模式,請輸入以下資訊:
Boot File Name [ScreenOS_image]: ssg5ssg20.6.3.0r19.0      ##輸入新的檔名
Self IP Address [192.168.2.27]: 192.168.1.7   ##輸入SSG IP位址,必須避開192.168.1.1這個位址
TFTP IP Address [192.168.2.100]: 192.168.1.11             ##輸入TFTP SERVER IP位址
Loading file "ssg5ssg20.6.3.0r19.0"...
rtatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatat
atatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatat                                                                                
atatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatata 
Loaded Successfully! (size = 408395 bytes)
Ignore image authentication!          ##沒有image key無法認證
Save to on-board flash disk? (y/[n]/m) Yes!      ##Y就好
Run downloaded system image? ([y]/n) Yes!       ##千萬要按 Y

過程省略,待完成後,不要立刻重開機(因為要載入正確的image key),而是先執行以下命令:
save image-key tftp 192.168.1.11 imagekey.cer    ##載入image key,必須先確定Image key版本是否正確再載入,否則會發生嚴重的錯誤
reset
完成後系統即可恢復正常。



這個網誌中的熱門文章

如何測試網路連線--網路斷線了怎麼辦?

-
圖片
如何測試網路連線--網路斷線了怎麼辦? 如何測試網路連線 -- 網路不通了 DIY 自行檢測網路連線 當我們打開電腦,卻發現無法上網了,這時候我們該怎麼辦呢 ? 如果在公司的話,我們可以請電腦人員來處理,而若是在家裡,我們就必須 DIY 先自行檢查一遍,如果檢查後仍然不能上網的話,我們也只能請朋友或是廠商來維修了。 而我們又要如何 DIY 先自行檢查呢 ? 請您依照下列步驟來進行: 第一步:進入 DOS 命令列模式。 按 " 視窗鍵 +R 鍵 " ,開啟執行視窗並輸入 " cmd " 後按 enter 鍵來進入 DOS 命令列模式。 第二步:檢查 ip 是否正常。 請輸入 " ipconfig " 來 檢查有無取得正常 IP 或是 IP 設定是否正確。 若電腦要上網,則每台電腦 一 定都要配有一個 IP 位址才行,本例的 IP 位址為 192.168.1.11 。 而 IP 位址分成 公共 IP 與 私有 IP 兩種, 只有公共 IP 才能上網 ( 網際網路 ) ,私有 IP 是無法直接上網的,私有 IP 只能在區域網路中使用 。而因為公共 IP 太少,所以要搭配私有 IP 來上網才行,這樣就可以達到以 100 台電腦,或是以 10000 台電腦,使用私有 IP 經過網路設備的轉換而達成只需使用 1 個公共 IP 就能讓大家一起上網的目的了。 私有 IP 無法直接連接網際網路,需要使用 網絡地址轉換( Network Address Translator , NAT ) 或者 代理伺服器   ( proxy server ) 來實現。與公網 IP 相比,私有 IP 是免費的,同時節省了 IP 位址資源,適合在區域網使用。私有 IP 常被用於家庭,學校和企業的區域網。 私有 IP 的範圍: 192.168.XX. XX 172.16. XX.XX – - 172.31. XX.XX 10. XX.XX.XX 我們只要看到 IP 位址開頭為上述範圍的 IP ,就表示您的 IP 為私有 IP 。 還有一種 ip 位址為 169.254. X.X , 這種
閱讀完整內容

筆記電腦刷BIOS失敗無法開機—用CH341A編程器重刷BIOS教學!

-
圖片
ASUS 筆記電腦更新 BIOS 失敗無法開機 —用 CH341A 編程 器重刷 BIOS 教學! 前一陣子買了一台新的筆記電腦 (∩_∩) ,因此讓跟了我多年的 ASUS A42JA 筆電因此就被束之高閣沒有再被使用了 ヽ (´ ー ` )┌ ,後來想說反正放著不用也是浪費,乾脆就整理一下拿到拍賣網站給便宜賣掉算了 (¬ ‿ ¬) ,於是便動手開始移除個人的資料, 把 WINDOWS 7 系統還原到出廠狀態,順便一起更新 BIOS 的版本 ,而更新的過程很順利,在寫入 100% 後便自行重開機,重開機後小弟發現電源燈與硬碟燈皆恆亮,且螢幕沒有畫面,但小弟當然得等著它繼續開機更新 BIOS ,可是 2 分鐘 .. , 5 分鐘過了 .. ,情況還是一樣,此時心中不禁起了疑惑   (• ิ _• ิ )? ,不會吧 ! 會不會更新失敗了 ? 難道這麼倒楣的事都讓小弟我給碰上了 ? 一直等到十分鐘過後,小弟我終於失去耐性了,便下定決心長按電源鍵來讓筆記電腦強行關機   ( ╯‵ □′) ╯ ︵ ╧═╧ ,然後再開機,結果依然還是沒有畫面,電源燈與硬碟燈都恆亮的情況,小弟仍不死心的又重試了幾次,問題最後終於明朗化了,他媽的 BIOS 真的更新失敗了,對小弟來說一直是傳說中的問題竟被我給遇上了 !!!   。゜゜ (´ O `) ゜゜。 因為這台 ASUS A42JA 筆電已購置多年,早就過保固了,因此小弟先上網 GOOGLE 下,發現這類問題 ASUS 原廠通常是換主機板(這是在論壇上討論的內容),且一片要價 $5000 元   ( ⊙ _ ⊙ ) ,所以送回原廠維修的方案小弟就不考慮了(超出了筆電的價值沒有維修的必要),小弟接著再努力的 GOOGLE 幾下,終於發現 BIOS 更新失敗後似乎可以自行使用燒錄器來重刷 BIOS  (¬_¬;) ,於是這便成為小弟唯一可行的解決方案了。 從網路上找到的刷 BIOS 案例中,發現大多是使用 ”CH341A 編程器 ( 燒錄器 ) ” 來進行燒錄作業,其基本作法是用烙鐵將主機板上的 BIOS 晶片( 芯片 ) 拆下,再用 CH341A 燒錄器將原廠下載的 BIOS 檔案燒入芯片中,最後再將 BIOS 芯片焊接回筆電主機板上。而因為小弟也是電子相關科系出身,也曾拿烙鐵來焊接電子零件,所以
閱讀完整內容

INTEL XTU使用教學以及對筆電應具備的XTU設定概念

-
圖片
INTEL XTU 使用教學以及對筆電應具備的 XTU 設定概念 這篇文章除了教您如何使用 Intel XTU 之外,還告訴您許多 XTU 設定上的觀念,以及如何使用 XTU 來優化您的筆電等,在文中還有新、舊版本的 Intel XTU 開機自啟動相關的設定方法提供給大家來參考看看。 本篇文章主要是從初學者的角度出發來撰寫的,所以內容較為初淺,且繁雜,尚請各位大大多多體諒 ! 內容多為網路上蒐集而來,由小弟加以整理並加入個人的看法,若有校稿不力或是觀念錯誤的地方,尚請各位大大不吝指正,小弟必盡速更正 ! 在此先萬分感謝各位大大的愛護與支持,感謝您 !   內文開始   Intel 原廠網站是這樣說明的: Intel® 極致調整公用程式( Intel ® Extreme Tuning Utility - Intel® XTU )是一種簡易的 Windows 效能調整應用程式,可讓新手和經驗豐富的愛好者超頻、監控和壓力系統。軟體介面有一系列強大的功能,在大部分玩家平臺中都很常見。這種介面在新的 Intel® 處理器和主機板上也有特殊功能。 PS:上面這段話的意思是 -- Intel XTU 是 Intel 所推出的 一種簡易的 Windows 效能調整應用程式,透過對 CPU 電壓與功耗限制等的調整,可讓新手和經驗豐富的愛好者來對 Intel CPU 進行 超頻 、 監控 和 做壓力測試 。以小弟的電腦來說, CPU 經過 XTU 適當的調教之後,可以憑空增加約 30% 左右的效能,這可是得多花好幾千塊錢買更好的電腦才辦的到的事哦 ! 適用於下列產品。     Intel® Core™ i3-7350K 處理器 ( 4M 快取記憶體, 4.20 GHz)     Intel® Core™ i3-8350K 處理器( 8M 快取記憶體, 4.00 GHz )     Intel® Core™ i3-9350K 處理器( 8M 快取記憶體,最高 4.60 GHz )     Intel® Core™ i3-9350KF 處理器( 8M 快取記憶體,最高 4.60 GHz )     Intel® Core™ i5-3570K 處理器 ( 6M 快取記憶體,最高 3.80 GHz)     I
閱讀完整內容