[j-nsp] J2300/J4300 FPCs cannot go online
Blake Willis
jnsp at 2112.net
Thu Mar 27 09:16:26 EDT 2014
Greetings Mircho,
Had a similar issue on Monday on a J2320 running 9.6; it won't validate its RR license anymore.
# cr2.mix.mil> show system license
# /config/license/JUNOS403108.lic:1:(0) JUNOS403108: invalid signature: cannot validate /etc/db/certs/FeatureLicense-v2.pem
# certificate has expired: /C=US/ST=CA/L=Sunnyvale/O=Juniper Networks/OU=Juniper CA/CN=FeatureLicense-v2/emailAddress=ca at juniper.net
# /config/license/JUNOS403108.lic:1:(0) JUNOS403108: invalid signature: cannot validate /etc/db/certs/FeatureLicense-v2.pem
# certificate has expired: /C=US/ST=CA/L=Sunnyvale/O=Juniper Networks/OU=Juniper CA/CN=FeatureLicense-v2/emailAddress=ca at juniper.net
# License usage:
#                                  Licenses     Licenses    Licenses    Expiry
#   Feature name                       used    installed      needed
#   bgp-reflection                        1            0           1    invalid
# /config/license/JUNOS403108.lic:1:(0) JUNOS403108: invalid signature: cannot validate /etc/db/certs/FeatureLicense-v2.pem
# certificate has expired: /C=US/ST=CA/L=Sunnyvale/O=Juniper Networks/OU=Juniper CA/CN=FeatureLicense-v2/emailAddress=ca at juniper.net
Luckily for me it doesn't seem to have actually killed the RR sessions.
Interesting that you mention that your boxes won't even validate their FPCs...
Here's the decode of the referenced self-signed SSL cert in question; as you can see it expired on Monday morning:
$ openssl x509 -text -noout -in FeatureLicense-v2.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=CA, L=Sunnyvale, O=Juniper Networks, OU=Juniper CA, CN=FeatureCA/emailAddress=ca at juniper.net
        Validity
            Not Before: Mar 13 03:26:10 2004 GMT
            Not After : Mar 24 03:26:10 2014 GMT
        Subject: C=US, ST=CA, L=Sunnyvale, O=Juniper Networks, OU=Juniper CA, CN=FeatureLicense-v2/emailAddress=ca at juniper.net
        <bla bla lots of keys>
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                Object Signing
            X509v3 Subject Key Identifier:
                D4:11:DE:37:37:70:7C:D0:4A:4A:45:99:08:61:10:FC:8A:77:2A:79
            X509v3 Authority Key Identifier:
                keyid:D8:1D:C7:19:73:05:8A:84:C0:F0:20:35:4B:28:75:42:7E:25:CD:BC
                DirName:/C=US/ST=CA/L=Sunnyvale/O=Juniper Networks/OU=Juniper CA/CN=JuniperRootCA/emailAddress=ca at juniper.net
                serial:02
            Netscape CA Revocation Url:
                http://crl.juniper.net/crl?ca=FeatureCA
I decoded the certs in a lot of other JunOS versions and they didn't add a cert with a better expiry date (in 2021) until the "v4" cert added in 12.1.
Obviously that caused a bit of panic around here...
Luckily JTAC confirmed that MXs don't use that certificate to validate stuff. I
still have some testing to do on the JSR but all the boxes we have running 9.6
are scheduled for an upgrade to 12.1 anyway so that's the priority for us to
make sure that we don't have further license issues.
I'm not sure how recent an OS you can put on your older J2300 routers but we did
manage to get 12.1 working fine on our J2320s in the field with 512M internal
flash by reformatting the internal CF to only have a 5MB config partition &
leave the rest for the OS (all our routers have 2GB of DRAM though, you'll need
at least a gig to run anything newer than 10.2; I do have a low-flash box still
running 10.2 that's not complaining about its license though).
Good luck & best regards,
---
Blake Willis
Network Engineering Consultant
"Education enabling individuals to overcome their reluctance or inability to
take full advantage of technological advances and product innovation can be a
means of increasing economic opportunity."
--Alan Greenspan
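The failure quoted in the post is an embedded signing certificate whose Not After date passed unnoticed, taking license validation down with it. What follows is an added example, not part of this post and not Juniper's code: a standard-library Python checker that parses the Validity block exactly as `openssl x509 -text -noout` prints it and reports how many days remain as of a chosen reference time, so the lapse of a trust anchor like FeatureLicense-v2 shows up in monitoring before it bites. The decode text embedded below is constructed from the values quoted above; the function names (`parse_validity`, `check_expiry`, `report`) are the example's own.

```python
"""Expiry check for the signing certificates a license validator trusts.

Added example, not from the post or from Juniper. It parses the Validity
block exactly as `openssl x509 -text -noout` prints it and says whether a
given reference time falls inside it, so an embedded trust anchor can be
caught before it lapses rather than after.
"""
import re
import ssl
from datetime import datetime, timedelta, timezone

# Constructed sample input: the relevant lines of the decode quoted in the
# post. Only Subject and the Validity block matter to this checker.
SAMPLE_DECODE = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Subject: C=US, ST=CA, L=Sunnyvale, O=Juniper Networks, OU=Juniper CA, CN=FeatureLicense-v2
        Validity
            Not Before: Mar 13 03:26:10 2004 GMT
            Not After : Mar 24 03:26:10 2014 GMT
"""

_VALIDITY_RE = re.compile(r"^\s*Not (Before|After)\s*:\s*(.+?)\s*$", re.MULTILINE)
_SUBJECT_RE = re.compile(r"^\s*Subject:\s*(.+?)\s*$", re.MULTILINE)


def utc(year, month, day, hour=0, minute=0, second=0):
    """Build a timezone-aware UTC datetime (keeps naive times out of the comparison)."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def parse_validity(decode_text):
    """Return (subject, not_before, not_after) from openssl's text decode.

    ssl.cert_time_to_seconds() in the standard library accepts exactly the
    "Mon DD HH:MM:SS YYYY GMT" form openssl prints, so no hand-rolled date
    parsing is needed.
    """
    fields = dict(_VALIDITY_RE.findall(decode_text))
    if "Before" not in fields or "After" not in fields:
        raise ValueError("no Validity block found in decode text")
    match = _SUBJECT_RE.search(decode_text)
    subject = match.group(1) if match else "<unknown subject>"

    def to_dt(text):
        return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)

    return subject, to_dt(fields["Before"]), to_dt(fields["After"])


def check_expiry(decode_text, now, warn_days=90):
    """Classify the cert relative to `now` (an aware datetime).

    Returns (status, days_left) where status is one of 'not_yet_valid',
    'expired', 'expiring' (within warn_days) or 'ok'. days_left is measured
    to Not After and goes negative once the cert has lapsed.
    """
    _, not_before, not_after = parse_validity(decode_text)
    days_left = (not_after - now) / timedelta(days=1)
    if now < not_before:
        return "not_yet_valid", days_left
    if now >= not_after:
        return "expired", days_left
    if days_left <= warn_days:
        return "expiring", days_left
    return "ok", days_left


def report(decode_text, now):
    """One-line summary suitable for a cron job or a monitoring check."""
    subject, _, not_after = parse_validity(decode_text)
    status, days_left = check_expiry(decode_text, now)
    return f"{status:>13}  {days_left:8.1f} days  notAfter={not_after:%Y-%m-%d %H:%M:%SZ}  {subject}"


if __name__ == "__main__":
    # Evaluate the sample a year out, inside the 90-day warning window, and
    # on the Monday morning the post describes.
    for when in (utc(2013, 3, 24), utc(2014, 1, 1), utc(2014, 3, 24, 9)):
        print(f"as of {when:%Y-%m-%d}: {report(SAMPLE_DECODE, when)}")
```

Pointing the same parser at the decode of every certificate shipped under /etc/db/certs on each software release in use, rather than only at the one that already failed, is what turns this from a post-mortem into a check that would have fired weeks ahead of the 90-day window.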