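Juniper SSG5: Image Key Issues, and Removing and Loading the Image Key

Old and new image key versions, and removing and loading the image key

For checking the image key and ScreenOS, refer to the following link:

Starting with ScreenOS 6.3.0r19, upgrading the firmware on a Juniper SSG5 requires loading imagekey.cer first; earlier versions did not. This has caused us considerable trouble when updating the BootLoader and ScreenOS, in severe cases requiring the unit to be returned to the manufacturer for repair, so this post examines the problem.
According to Juniper's official document (linked below), the image key comes in a new and an old version; the download links are:

New Image Key (download) --- for 6.3.0r19 and later
Old Image Key (download) --- for 6.3.0r18 and earlier

Here we only cover the SSG5 (the device I own). Based on my own experiments, the new image key applies to 6.3.0r19 and later, and the old image key applies to 6.3.0r18 and earlier. Never use the wrong version, or serious problems will follow!

So how do we tell which version of the image key we have on hand?
The official document explains it, but it is too complicated; here is a simple way to tell them apart: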

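Open File Explorer and double-click the imagekey.cer file; the following window pops up.

Not sure what it shows? Double-click the two files imagekey-new.cer and imagekey-old.cer as well (I added -new and -old to the file names to make them easy to tell apart).

It turns out the validity periods differ: the new image key is valid from 2014/7/19 to 2022/7/19, while the old image key is valid from 2008/10/1 to 2025/11/17.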

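Problems caused by the difference between the new and old image keys!
Since 6.3.0r19, an SSG must have imagekey.cer loaded before its firmware can be upgraded; previously this was not required. This leads to:

1. Upgrading the BootLoader on Netscreen and SSG series devices produces the following error messages, and the BootLoader update fails.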
********Invalid DSA signature
********Bogus image - not authenticated

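This happens because the ScreenOS version you are running is 6.3.0r19 or later. In other words, if you first update ScreenOS to 6.3.0r19 or later and then upgrade the BootLoader, you will hit this problem. If the running ScreenOS version is 6.3.0r18 or earlier, the BootLoader upgrade does not have this problem.
The fix is to remove the image key before upgrading the BootLoader, then load the image key again once the upgrade has completed and the device has rebooted. See the following link:
PS: After running delete crypto auth-key, the boot process shows the following messages:
Loading default system image from on-board flash disk...
Done! (size = 13402112 bytes)
Ignore image authentication!          ##No image key, so the image cannot be authenticated
So you must run save image-key tftp 192.168.1.11 imagekey.cer to load the image key; on success, the boot process shows the following messages:
Loading default system image from on-board flash disk...
Done! (size = 13402112 bytes)
Image authenticated!                 ##Authentication succeeded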
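The boot messages above can be checked automatically in a saved console capture, which is useful for spotting a device that booted firmware without verifying it. The following Python sketch is an added example, not code from the original post or from Juniper; the function names and the sample capture are constructed for illustration, using only the message strings quoted in this article.

```python
import re

# Verdict lines printed at boot, as quoted in the article.
VERDICTS = (
    ("Image authenticated!", "authenticated"),
    ("Ignore image authentication!", "unverified"),  # no image key stored
    ("Invalid DSA signature", "rejected"),           # key and image do not match
)
BANNER = re.compile(r"Boot Loader Version (\S+)")
SIZE = re.compile(r"Done! \(size = (\d+) bytes\)")

# Constructed capture assembled from message lines shown in the article.
SAMPLE = """\
SSG5-serial-> reset
 Juniper Networks SSG5 Boot Loader Version 1.3.3 (Checksum: D8BC25A8)
 Loading default system image from on-board flash disk...
 100% Done! (size = 12353536 bytes)
 Ignore image authentication!
 Juniper Networks SSG5 Boot Loader Version 1.3.3 (Checksum: D8BC25A8)
 Loading default system image from on-board flash disk...
 100% Done! (size = 12353536 bytes)
 ********Invalid DSA signature
 ********Bogus image - not authenticated
Loading default system image from on-board flash disk...
Done! (size = 13402112 bytes)
Image authenticated!
"""


def _new_boot(loader=None):
    return {"loader": loader, "size": None, "verdict": "none"}


def boot_verdicts(console_text):
    """Return one record per boot attempt found in a console capture."""
    boots, current = [], None
    for line in console_text.splitlines():
        banner = BANNER.search(line)
        if banner:                      # a loader banner opens a new attempt
            current = _new_boot(banner.group(1))
            boots.append(current)
            continue
        size = SIZE.search(line)
        verdict = next((v for marker, v in VERDICTS if marker in line), None)
        if size is None and verdict is None:
            continue
        if current is None:             # capture started mid-boot, no banner seen
            current = _new_boot()
            boots.append(current)
        if size:
            current["size"] = int(size.group(1))
        if verdict:
            current["verdict"] = verdict
            current = None              # the verdict closes this boot attempt
    return boots


def not_authenticated(boots):
    """Boots that ran or stopped without a verified image."""
    return [b for b in boots if b["verdict"] != "authenticated"]


if __name__ == "__main__":
    for boot in boot_verdicts(SAMPLE):
        print(boot)
```

A record whose verdict stays "none" is a boot that printed the loader banner but never reached an image check, for example a device sitting at the loader prompt.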


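2. J-Web cannot downgrade to a lower version. (The issue here is that the new image key cannot be downgraded directly to the old image key.)
The standard procedure to resolve this is as follows:
Connect to and log in on the CONSOLE, then enter the following command at the CLI to remove the image key:
SSG5-serial-> delete crypto auth-key
Then enter the following command at the CLI to load the image key; before running it, confirm that the image key version being loaded matches the ScreenOS version you are moving to: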
SSG5-serial-> save image-key tftp 192.168.1.11 imagekey.cer
Load file  from TFTP 192.168.1.11 (file: imagekey.cer).
!!!!!
tftp received octets = 863
tftp success!
Done
TFTP Succeeded

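Then update ScreenOS following the procedure below.

After the reboot, log in on the CONSOLE again and enter the following command at the CLI to confirm the ScreenOS version.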
SSG5-serial-> get sys
Product Name: SSG5-Serial
Serial Number: 0162112009009151, Control Number: 00000000
Hardware Version: 0710(0)-(00), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
Flash Type: Samsung
Software Version: 6.3.0r19.0, Type: Firewall+VPN
Feature: AV-K
Compiled by build_master at: Mon Aug 31 01:57:19 PDT 2009
Base Mac: b0c6.9a46.0400
File Name: ssg5ssg20.6.3.0r19.0, Checksum: a644202a
Total Memory: 128MB
Date 11/23/2017 19:17:52, Daylight Saving Time disabled
The Network Time Protocol is Enabled
Up 0 hours 3 minutes 37 seconds Since 23Nov2017:19:14:15
Total Device Resets: 11, Last Device Reset at: 11/21/2017 15:51:15
System in NAT/route mode.
Use interface IP, Config Port: 80
Manager IP enforced: False
Manager IPs: 0
--- more ---
SSG5-serial->

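All done!!


You can also refer to the following summary:
The old image key applies to ScreenOS 6.3.0r18 and earlier; the new image key applies to ScreenOS 6.3.0r19 and later.
Standard procedure for updating ScreenOS:
- Prepare the ScreenOS image to be installed and the matching image key file.
- Remove the running imagekey.cer, then load the imagekey.cer that matches the version being installed.
- Only then install the ScreenOS image.

When updating ScreenOS on a Juniper SSG5 firewall, you generally run into one of two situations:
1. The upgrade or downgrade crosses the boundary between the version ranges covered by the new and old image keys.
If the ScreenOS versions you are moving between span the ranges covered by the new and the old image key, you must use the standard procedure. For example, upgrading from ssg5ssg20.6.0.0r1.0 to ssg5ssg20.6.3.0r22.0, or downgrading from ssg5ssg20.6.3.0r23 to ssg5ssg20.6.3.0r5.0, must follow the standard procedure.

2. The upgrade or downgrade stays within the version range covered by a single image key, new or old.
If your current image key is the new one and the ScreenOS versions you are moving between are all within the range covered by the new image key (6.3.0r19 and later), you can skip the steps of removing and loading the image key and simply run the following commands: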
save software from tftp 192.168.1.11 ssg5ssg20.6.3.0r22.0 to flash
reset
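For example, if the running ScreenOS version is ssg5ssg20.6.3.0r21.0, you can move freely up or down in CLI mode to ssg5ssg20.6.3.0r24, ssg5ssg20.6.3.0r23, ssg5ssg20.6.3.0r22.0, ssg5ssg20.6.3.0r20.0 or ssg5ssg20.6.3.0r19.0 without removing and loading the image key, because the existing image key still applies.
By the same reasoning, if your current image key is the old one and the ScreenOS versions you are moving between are all within the range covered by the old image key (6.3.0r18 and earlier), you can likewise skip the steps of removing and loading the image key.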
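The two cases above reduce to one rule: the image key only has to be swapped when the running and target versions sit on opposite sides of 6.3.0r19. The following Python helper is an added example, not part of the original post or of any Juniper tool; its function names are hypothetical, the CLI strings, TFTP address and validity dates are the ones quoted in this article, and it generalizes the article's examples to any ScreenOS version string of the same form.

```python
import re
from datetime import date

NEW_KEY_FIRST = (6, 3, 0, 19)   # first release that needs the new image key
KEY_VALIDITY = {                 # validity windows read from the certificate viewer
    "new": (date(2014, 7, 19), date(2022, 7, 19)),
    "old": (date(2008, 10, 1), date(2025, 11, 17)),
}
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)r(\d+)(?:\.\d+)?$")


def parse_version(name):
    """'ssg5ssg20.6.3.0r22.0' or '6.3.0r19.0' -> (6, 3, 0, 22) / (6, 3, 0, 19)."""
    match = _VERSION.search(name.strip())
    if match is None:
        raise ValueError(f"not a ScreenOS version or image name: {name!r}")
    return tuple(int(part) for part in match.groups())


def key_for(name):
    """Which image key ('new' or 'old') the given ScreenOS version expects."""
    return "new" if parse_version(name) >= NEW_KEY_FIRST else "old"


def identify_key(not_before, not_after):
    """Map the validity dates of a staged imagekey.cer to 'new', 'old' or None."""
    for kind, window in KEY_VALIDITY.items():
        if window == (not_before, not_after):
            return kind
    return None


def plan(running, image, staged_validity=None,
         tftp="192.168.1.11", keyfile="imagekey.cer"):
    """Return the CLI steps, in the article's order, to move from running to image."""
    steps = []
    if key_for(running) != key_for(image):
        needed = key_for(image)
        # Refuse to plan a key swap unless the staged key is the one the target needs.
        if staged_validity is None or identify_key(*staged_validity) != needed:
            raise ValueError(f"stage the {needed} image key before crossing 6.3.0r19")
        steps += ["delete crypto auth-key",
                  f"save image-key tftp {tftp} {keyfile}"]
    steps += [f"save software from tftp {tftp} {image} to flash", "reset"]
    return steps


if __name__ == "__main__":
    print(plan("6.3.0r21.0", "ssg5ssg20.6.3.0r22.0"))
    print(plan("6.3.0r23", "ssg5ssg20.6.3.0r5.0", KEY_VALIDITY["old"]))
```

The refusal in plan() targets the failure shown later in this article, where a key from the wrong side of 6.3.0r19 leaves the device rejecting its own image at boot.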



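So what problems arise when the wrong image key version is used?
The following was captured directly from the console during a hands-on run (demonstrating a ScreenOS downgrade that goes wrong).
SSG5-serial-> delete crypto auth-key         ##Deliberately delete the image key without loading one, then install ScreenOS, to observe the effect of having no image key
SSG5-serial-> save software from tftp 192.168.1.11 ssg5ssg20.6.1.0r7.0 to flash    ##Perform the downgrade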
Load software from TFTP 192.168.1.11 (file: ssg5ssg20.6.1.0r7.0).
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.
.
... 過程太長省略 ...
.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
tftp received octets = 12338145
tftp success!
TFTP Succeeded
Save to flash. It may take a few minutes ...platform = 25, cpu = 12, version = 18
 update new flash image (02ab2ec0,12338145)
platform = 25, cpu = 12, version = 18
offset = 20, address = 5800000, size = 12338067
date = 1919, sw_version = 30808000, cksum = fa119bf3
Program flash (12338145 bytes) ...
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++done
Done
SSG5-serial-> reset       ##A reboot is required at the end of the ScreenOS downgrade
System reset, are you sure? y/[n] y
In reset ...

 Juniper Networks SSG5 Boot Loader Version 1.3.3 (Checksum: D8BC25A8)
 Copyright (c) 1997-2006 Juniper Networks, Inc.
 Total physical memory: 128MB
     Test - Pass
     Initialization - Done
 Hit any key to run loader
 Hit any key to run loader
 Hit any key to run loader
 Hit any key to run loader
 Loading default system image from on-board flash disk...
 100% Done! (size = 12353536 bytes)
 Ignore image authentication!       ##No image key is present, so the image was not authenticated
Start loading...
.................................................................
.................................................................
.................................................................
.................................................................
.................................................................
.................................................................
.................................................................
.................................................................
.................................................................
.................................................................
.................................................................
.................................................................
.................................................................
.................................................................
.................................
Done.
 Juniper Networks, Inc
 SSG5/SSG20 System Software
 Copyright, 1997-2006
 Version 6.1.0r7.0       ##The ScreenOS downgrade is complete
Load Manufacture Information ... Done
Initialize FBTL 0........ Done
Load NVRAM Information ... (6.3.0)Done
Install module init vectors
Install modules (01054800,01d773b8) ...
load dns table . Done
PPP IP-POOL initiated, 256 pools
Initializing DI 3.4.133952-idp2p_r7
System config (1624 bytes) loaded
Done.
Load System Configuration .........................................................................modem is not detected
......................................................Disabled licensekey auto update
...............Done
system init done..
login: ethernet0/0 interface change physical state to Up
ethernet0/3 interface change physical state to Up
bgroup0 interface change physical state to Up
System change state to Active(1)

login: netscreen
password:
SSG5-serial-> get sys       ##Check the running ScreenOS version again
Product Name: SSG5-Serial
Serial Number: 0162112009009151, Control Number: 00000000
Hardware Version: 0710(0)-(00), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
Flash Type: Samsung
Software Version: 6.1.0r7.0, Type: Firewall+VPN       ##The ScreenOS version is correct
Feature: AV-K
Compiled by build_master at: Mon Aug 31 01:57:19 PDT 2009
Base Mac: b0c6.9a46.0400
File Name: ssg5ssg20.6.1.0r7.0, Checksum: a644202a
Total Memory: 128MB
Date 11/23/2017 19:17:52, Daylight Saving Time disabled
The Network Time Protocol is Enabled
Up 0 hours 3 minutes 37 seconds Since 23Nov2017:19:14:15
Total Device Resets: 11, Last Device Reset at: 11/21/2017 15:51:15
System in NAT/route mode.
Use interface IP, Config Port: 80
Manager IP enforced: False
Manager IPs: 0
--- more ---
SSG5-serial-> save image-key tftp 192.168.1.11 imagekey.cer       ##Load an image key, but deliberately use the new image key to provoke the error
Load file  from TFTP 192.168.1.11 (file: imagekey.cer).     ##The correct approach is to use the old image key, but for the sake of the demonstration....
!!!!!
tftp received octets = 863
tftp success!
Done
TFTP Succeeded
SSG5-serial-> reset      ##Reboot after the image key has been loaded successfully
System reset, are you sure? y/[n] y
In reset ...

 Juniper Networks SSG5 Boot Loader Version 1.3.3 (Checksum: D8BC25A8)
 Copyright (c) 1997-2006 Juniper Networks, Inc.
 Total physical memory: 128MB
     Test - Pass
     Initialization - Done
 Hit any key to run loader
 Hit any key to run loader
 Hit any key to run loader
 Hit any key to run loader
 Loading default system image from on-board flash disk...
 100% Done! (size = 12353536 bytes)
 ********Invalid DSA signature
 ********Bogus image - not authenticated      ##The wrong image key was loaded, hence the error messages

 Serial Number [0162112009009151]: READ ONLY     ##The system then reboots automatically and enters bootloader mode
 HW Version Number [0710]: READ ONLY
 Self MAC Address [b0c6-9a46-0400]: READ ONLY
 Boot File Name [ssg5ssg20.6.1.0r7.0]: imagekey-old.cer      ##Deliberately enter a non-image file as a test
 Self IP Address [192.168.1.1]: 192.168.1.1
 TFTP IP Address [192.168.1.11]: 192.168.1.11
 IP MASK [255.255.255.0]:
 GW IP Address [192.168.1.11]:
 Save loader config (108 bytes)... Done
 Loading file "imagekey-old.cer"...
 rtata
 Loaded Successfully! (size = 865 bytes)
 ### invalid image file ###      ##Wrong file: only ScreenOS and bootloader files are accepted, and the device reboots automatically

 Juniper Networks SSG5 Boot Loader Version 1.3.3 (Checksum: D8BC25A8)
 Copyright (c) 1997-2006 Juniper Networks, Inc.
 Total physical memory: 128MB
     Test - Pass
     Initialization - Done
 Hit any key to run loader
 Hit any key to run loader
 Serial Number [0162112009009151]: READ ONLY
 HW Version Number [0710]: READ ONLY
 Self MAC Address [b0c6-9a46-0400]: READ ONLY
 Boot File Name [imagekey-old.cer]: ssg5ssg20.6.3.0r23   ##Because the key loaded earlier is the new image key, any ScreenOS version above 6.3.0r19 that we load will boot normally
 Self IP Address [192.168.1.1]:
 TFTP IP Address [192.168.1.11]:
 IP MASK [255.255.255.0]:
 GW IP Address [192.168.1.11]:
 Save loader config (108 bytes)... Done
 Loading file "ssg5ssg20.6.3.0r23"...
rtatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatat
 ### TFTP server time out, TFTP process terminated ###   ##Here comes the serious problem: the TFTP transfer breaks off partway and the device reboots automatically

 Juniper Networks SSG5 Boot Loader Version 1.3.3 (Checksum: D8BC25A8)
 Copyright (c) 1997-2006 Juniper Networks, Inc.
 Total physical memory: 128MB
     Test - Pass
     Initialization - Done
 Hit any key to run loader
 Hit any key to run loader
 Hit any key to run loader
 Serial Number [0162112009009151]: READ ONLY
 HW Version Number [0710]: READ ONLY
 Self MAC Address [b0c6-9a46-0400]: READ ONLY
 Boot File Name [ssg5ssg20.6.3.0r23]:             ##Blank means keep the previous setting
 Self IP Address [192.168.1.1]:
 TFTP IP Address [192.168.1.11]:
 IP MASK [255.255.255.0]:
 GW IP Address [192.168.1.11]:
 Loading file "ssg5ssg20.6.3.0r23"...
rtatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatat
 ### TFTP server time out, TFTP process terminated ###   ##The serious problem again: the TFTP transfer breaks off partway once more and the device reboots automatically

 Juniper Networks SSG5 Boot Loader Version 1.3.3 (Checksum: D8BC25A8)
 Copyright (c) 1997-2006 Juniper Networks, Inc.
 Total physical memory: 128MB
     Test - Pass
     Initialization - Done
 Hit any key to run loader
 Serial Number [0162112009009151]: READ ONLY
 HW Version Number [0710]: READ ONLY
 Self MAC Address [b0c6-9a46-0400]: READ ONLY
 Boot File Name [ssg5ssg20.6.3.0r23]:
 Self IP Address [192.168.1.1]:
 TFTP IP Address [192.168.1.11]:
 IP MASK [255.255.255.0]:
 GW IP Address [192.168.1.11]:
 Loading file "ssg5ssg20.6.3.0r23"...
rtatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatat
atatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatat
 ### TFTP server time out, TFTP process terminated ###   ##And the serious problem yet again....

 Juniper Networks SSG5 Boot Loader Version 1.3.3 (Checksum: D8BC25A8)
 Copyright (c) 1997-2006 Juniper Networks, Inc.
 Total physical memory: 128MB
     Test - Pass
     Initialization - Done
 Hit any key to run loader
 Serial Number [0162112009009151]: READ ONLY
 HW Version Number [0710]: READ ONLY
 Self MAC Address [b0c6-9a46-0400]: READ ONLY
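 Boot File Name [ssg5ssg20.6.3.0r23]:       ##I will not repeat the demonstration any further; if you are interested, try it yourself at your own risk

After countless attempts, persistence finally paid off and I found the answer to the serious problem!
The problem turned out to be here: Self IP Address [192.168.1.1]:
When setting the bootloader parameters, Self IP Address must avoid 192.168.1.1; otherwise the serious problem described above occurs: the TFTP transfer breaks off partway and the device reboots automatically.
I can only guess that this is related to 192.168.1.1 being the same as the factory-default gateway IP.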



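Fixing an SSG5 that goes straight into bootloader mode at power-on and cannot boot normally.
The troubleshooting process is described below:
When a downgrade fails, the console shows the following error messages during boot: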
********Invalid DSA signature
********Bogus image - not authenticated

After the automatic reboot the device goes straight into bootloader mode, and the console shows:
Juniper Networks SSG5 Boot Loader Version 1.3.2 (Checksum: A1EAB858)
Copyright (c) 1997-2006 Juniper Networks, Inc.
Total physical memory: 128MB
    Test - Pass
    Initialization - Done
Serial Number [0162112011005923]: READ ONLY
HW Version Number [0710]: READ ONLY
Self MAC Address [78fe-3d95-7e80]: READ ONLY
Boot File Name [Loadssg5ssg20v133.d]:

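At this point, first confirm that the TFTP server is running and that the PC is set to a static IP address. The TFTP directory must contain two different ScreenOS images, both version ssg5ssg20.6.3.0r19.0 or later. This is because, from ScreenOS 6.3.0r19 onward, ScreenOS can still boot into the system even when the image key is not correctly installed, which lets us carry out the rescue.
In this example we use the two files ssg5ssg20.6.3.0r19.0 and ssg5ssg20.6.3.0r21.0; imagekey.cer must also be ready. Finally, note that the method below comes from my own experience over several experiments and is for reference only.

Note: Installation from the loader-over-TFTP method does not work reliably over slow speeds or large latency networks.

When the system reboots automatically and stops in bootloader mode, enter the following information:
Boot File Name [ScreenOS_image]: ssg5ssg20.6.3.0r19.0      ##Enter the new file name
Self IP Address [192.168.2.27]: 192.168.1.7   ##Enter the SSG IP address; it must avoid 192.168.1.1
TFTP IP Address [192.168.2.100]: 192.168.1.11             ##Enter the TFTP server IP address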
Loading file "ssg5ssg20.6.3.0r19.0"...
rtatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatat
atatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatat                                                                                
atatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatata 
Loaded Successfully! (size = 408395 bytes)
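Ignore image authentication!          ##No image key, so the image cannot be authenticated
Save to on-board flash disk? (y/[n]/m) Yes!      ##Just answer Y
Run downloaded system image? ([y]/n) Yes!       ##Be sure to press Y

The rest of the process is omitted. Once it completes, do not reboot right away (the correct image key has to be loaded first); instead run the following commands:
save image-key tftp 192.168.1.11 imagekey.cer    ##Load the image key; confirm the image key version is correct before loading it, or a serious error will occur
reset
After that the system is back to normal.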


