[j-nsp] J2300/J4300 FPCs cannot go online

Tom Storey tom at snnap.net
Thu Apr 3 05:00:51 EDT 2014


Juniper's solution is perhaps a little more "elegant".

They suggest:

1. Deactivate existing NTP configuration
2. Set date back ~10 years

root> set date 200403250000.00

3. Disable sw -> hw time sync (incl. at boot time via rc script)

root% sysctl -w machdep.disable_rtc_set=1
root% touch /cf/etc/rc.custom
root% chmod +x /cf/etc/rc.custom
root% echo "sysctl -w machdep.disable_rtc_set=1" > /cf/etc/rc.custom
root% cat /cf/etc/rc.custom

4. Re-activate NTP configuration
5. Reboot (doesn't seem strictly necessary, but maybe worthwhile as a test)

So basically you're setting the hw clock back ~10 years which allows
the FPC to come online. You disable sw -> hw time sync so even when
running NTP, if the device reboots the hw clock is still in the past,
the FPC will come online because the certificate is still valid, and
then NTP will update the time on the box to the present.

Genius even if still a little hacky. :-)

On 31 March 2014 09:38, Per Granath <per.granath at gcc.com.cy> wrote:
> Change the date to 2004, and do not use NTP.
>
> set date 200403311010.10
>
>
> -----Original Message-----
> From: juniper-nsp [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Mircho Mirchev
> Sent: Saturday, March 29, 2014 11:32 PM
> To: Tom Storey
> Cc: Juniper Maillist
> Subject: Re: [j-nsp] J2300/J4300 FPCs cannot go online
>
> Hi,
> Same here....
> Seems there are more expired certificates.
> We'll have to try JTAC - however, I'm not sure if they can help - these boxes are long out of support.
> Any other ideas?
>
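
The following is an added example, not code from Tom's post or from Juniper. It wraps the persistence part of the procedure above (steps 3 and 4 of the suggested fix) into a small POSIX sh script with checks, because the workaround only survives a reboot if the rc.custom hook is actually present, executable and carries the sysctl line. It assumes the path /cf/etc/rc.custom and the knob machdep.disable_rtc_set exactly as the thread gives them; the 2004 threshold in clock_is_rolled_back is the thread's target year, and the file path is overridable so the helpers can be exercised on any host. Unlike the single `echo ... >` in the post, the writer appends rather than clobbering an existing rc.custom, and it is idempotent, so running it twice does not duplicate the line.

```shell
#!/bin/sh
# Added example (not from the thread). Persist the RTC-sync-disable workaround
# idempotently and verify both the on-disk hook and the runtime state.
# Defaults match the thread; override RC_CUSTOM to dry-run elsewhere.
RC_CUSTOM="${RC_CUSTOM:-/cf/etc/rc.custom}"
SYSCTL_LINE="sysctl -w machdep.disable_rtc_set=1"

# Write the rc.custom hook only if the line is not already present.
# Appends to an existing hook instead of overwriting it; creates it with a
# shebang when absent; marks it executable either way.
persist_rtc_disable() {
    rc="${1:-$RC_CUSTOM}"
    if [ -f "$rc" ] && grep -qxF "$SYSCTL_LINE" "$rc"; then
        return 0
    fi
    if [ ! -f "$rc" ]; then
        printf '#!/bin/sh\n' > "$rc"
    fi
    printf '%s\n' "$SYSCTL_LINE" >> "$rc"
    chmod +x "$rc"
}

# Return 0 when the hook exists, is executable, and carries the sysctl line.
check_rtc_disable_persisted() {
    rc="${1:-$RC_CUSTOM}"
    [ -x "$rc" ] && grep -qxF "$SYSCTL_LINE" "$rc"
}

# Given the output of `sysctl machdep.disable_rtc_set` (the query form, not
# the "-w" form), return 0 when the runtime knob is set. Accepts both the
# "name: 1" and "name=1" output styles.
rtc_set_disabled() {
    case "$1" in
        "machdep.disable_rtc_set: 1"|"machdep.disable_rtc_set=1") return 0 ;;
        *) return 1 ;;
    esac
}

# Takes a four-digit year (as printed by `date +%Y`) and returns 0 when the
# clock sits at or before the thread's target year of 2004, i.e. inside the
# validity window the FPC certificate needs.
clock_is_rolled_back() {
    [ "$1" -le 2004 ]
}

# Apply the runtime knob and persist it. Only meaningful on the J-series box
# itself (needs root and the FreeBSD sysctl); not exercised by the checks below.
apply_workaround() {
    sysctl -w machdep.disable_rtc_set=1 && persist_rtc_disable
}

# Report the three conditions the workaround depends on; exit 0 only if all hold.
report_status() {
    rc="${1:-$RC_CUSTOM}"
    year="${2:-$(date +%Y)}"
    sysctl_out="${3:-$(sysctl machdep.disable_rtc_set 2>/dev/null)}"
    ok=0
    check_rtc_disable_persisted "$rc" && echo "hook persisted: yes" || { echo "hook persisted: no"; ok=1; }
    rtc_set_disabled "$sysctl_out"   && echo "rtc set disabled now: yes" || { echo "rtc set disabled now: no"; ok=1; }
    clock_is_rolled_back "$year"     && echo "clock rolled back: yes" || { echo "clock rolled back: no"; ok=1; }
    return $ok
}
```

Run `report_status` on the box after step 4 to see which of the three conditions still fails; `persist_rtc_disable` alone is what step 3 installs, and `apply_workaround` does step 3 in one go.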
