[j-nsp] J2300/J4300 FPCs cannot go online

Per Granath per.granath at gcc.com.cy
Thu Apr 3 05:56:40 EDT 2014


Duct tape or super glue ...

-----Original Message-----
From: Tom Storey [mailto:tom at snnap.net] 
Sent: Thursday, April 03, 2014 12:01 PM
To: Per Granath
Cc: Mircho Mirchev; Juniper Maillist
Subject: Re: [j-nsp] J2300/J4300 FPCs cannot go online

Juniper's solution is perhaps a little more "elegant".

They suggest:

1. Deactivate existing NTP configuration
2. Set date back ~10 years

root> set date 200403250000.00

3. Disable sw -> hw time sync (incl. at boot time via rc script)

root% sysctl -w machdep.disable_rtc_set=1
root% touch /cf/etc/rc.custom
root% chmod +x /cf/etc/rc.custom
root% echo "sysctl -w machdep.disable_rtc_set=1" > /cf/etc/rc.custom
root% cat /cf/etc/rc.custom

4. Re-activate NTP configuration
5. Reboot (doesn't seem strictly necessary, but maybe worthwhile as a test)

So basically you're setting the hw clock back ~10 years, which allows the FPC to come online. You disable sw -> hw time sync so that even when running NTP, if the device reboots the hw clock is still in the past, the FPC comes online because the certificate is still valid, and then NTP updates the time on the box to the present.

Genius even if still a little hacky. :-)

On 31 March 2014 09:38, Per Granath <per.granath at gcc.com.cy> wrote:
> Change the date to 2004, and do not use NTP.
>
> set date 200403311010.10
>
>
> -----Original Message-----
> From: juniper-nsp [mailto:juniper-nsp-bounces at puck.nether.net] On 
> Behalf Of Mircho Mirchev
> Sent: Saturday, March 29, 2014 11:32 PM
> To: Tom Storey
> Cc: Juniper Maillist
> Subject: Re: [j-nsp] J2300/J4300 FPCs cannot go online
>
> Hi,
> Same here....
> Seems there are more expired certificates.
> We'll have to try JTAC - however, I'm not sure if they can help - these boxes are long out of support.
> Any other ideas?
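The steps Tom relays above (write /cf/etc/rc.custom with the sysctl line and make it executable) are easy to get subtly wrong when typed by hand on several boxes, for example by appending the line twice or forgetting chmod. The script below is an added example, not code from the thread or from Juniper: it stages the file under an assumed prefix directory ROOT so it can be run and checked on a workstation first, and verifies the result. On the router itself ROOT would be empty (the real /cf/etc) and the `sysctl -w machdep.disable_rtc_set=1` command from Tom's message still has to be run once by hand for the running system; the `set date` step is not scripted here, since it is typed into the Junos CLI rather than the shell.

```shell
#!/bin/sh
# Added example, not part of the original thread. Stages the rc.custom
# workaround under a prefix directory (ROOT, an assumed variable for
# testing; "" on the router) and checks that it was written correctly.
set -u

# The exact line Tom's procedure puts into /cf/etc/rc.custom.
SYSCTL_LINE='sysctl -w machdep.disable_rtc_set=1'

# Write $ROOT/cf/etc/rc.custom containing only SYSCTL_LINE and mark it
# executable. The file is overwritten (not appended to), so running the
# function twice does not leave a duplicated line behind.
install_rc_custom() {
    root="$1"
    dir="$root/cf/etc"
    mkdir -p "$dir" || return 1
    printf '%s\n' "$SYSCTL_LINE" > "$dir/rc.custom" || return 1
    chmod +x "$dir/rc.custom"
}

# Return 0 when the file exists, is executable and contains SYSCTL_LINE
# as a complete line; non-zero otherwise. This is the post-change check
# to run (as: verify_rc_custom "") before trusting a reboot to keep the
# hardware clock in the past.
verify_rc_custom() {
    f="$1/cf/etc/rc.custom"
    [ -x "$f" ] || return 1
    grep -qxF "$SYSCTL_LINE" "$f"
}

# Count how many times the sysctl line appears, to spot hand edits that
# appended it more than once (harmless to the sysctl, but untidy).
count_sysctl_lines() {
    grep -cF 'machdep.disable_rtc_set' "$1/cf/etc/rc.custom" 2>/dev/null || echo 0
}

# Example usage against a scratch prefix; on the router use ROOT="".
if [ "${1:-}" = "--demo" ]; then
    ROOT=$(mktemp -d)
    install_rc_custom "$ROOT" && verify_rc_custom "$ROOT" \
        && echo "staged OK under $ROOT" || echo "staging failed"
    cat "$ROOT/cf/etc/rc.custom"
    rm -rf "$ROOT"
fi
```

Run it with `sh stage_rc_custom.sh --demo` to see the staged file; the functions can also be sourced and called with ROOT="" on the box. Note that rc.custom is only a hook for boot time: the running system still needs the sysctl applied once by hand, and `sysctl machdep.disable_rtc_set` afterwards should print 1.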
>