ScreenOS 5.4.0r3

  • Hi everybody,
    does anyone know when ScreenOS 5.4.0r3 will be released?


  • Anyone have any serious issues with upgrading NS-50 (cluster/stand-alone), NS-204, and NS-208 (cluster/stand-alone) to 5.4.0r3a? We need policy-based routing but have gotten a “feel” from some Juniper TACs that they are recommending the 5.3 train.


  • Open up the JavaScript Console in Firefox and check the errors… Click nervously on the Juniper logo in the upper left corner. Why can’t you enter after the password and need to press the Login button? Had lots of ‘waiting on gui’ issues the last couple of releases. It’s amazing how you can degrade a further pretty logical GUI with weak code… Please fix it Juniper!

  • 5.4.0r3a is now out.

  • Where can I download the actual ScreenOS? I’m still running 5.1.0r1 I think. Can someone give me a link or ftp?

  • It is available now…

    I installed it on a 5GT-201 at home and all is well. MRTG stats work properly (they did not in 5.4.0r2). I was running 5.4.0r1 since it came out.

    I’m planning upgrading a semi-production NS-204 at a hosting facility in the coming weeks.

  • JTAC Technical Bulletin SRN-2007-02-009

    Title: ScreenOS 5.4.0r3 has been removed from the download website

    SRN Description: Reports of problems logging into the device via the WebUI using HTTPS have made it necessary to pull the 5.4.0r3 release from the download website. HTTPS connections to the firewall device for administrative purposes may fail.

    Solution: There will be a repaired version of ScreenOS posted the week of 2/12/07. The new version will be named 5.4.0r3a.

    Solution Implementation: Workaround for customers needing 5.4.0r3:

    1. Log in via HTTP.
    2. Log out of the HTTP session.
    3. Using the same login credentials, log in via HTTPS. After proper authentication, you will be logged into the WebUI via HTTPS.


  • Probably they will fix the HTTPS bug and end with a new bug while trying to solve the older one. They took so much time to release the new 5.4.0r3 and got with so many bugs and hardly any new features, man.

    Cisco is really trying to improve the code for ASA in 8.0 code.

    Their 7.2.2 code didn’t have any new features but was purely a bug-fixing release.

    I guess Juniper should try its best to not piss off their loyal customers, ’cause there are many more options in the market which are equally good, and less expensive too.

    Cisco try to get such irritated customers of Juniper, ’cause Juniper is far behind in giving quality support as compared to Cisco.

    Juniper is not at all a customer-oriented company.



  • Global Moderator

    Wow, that’s a big step to pull it.  Still, seeing as it’s something almost everyone uses I’m not that shocked.

    Thanks for the update.  Maybe r3a will be the version I have been waiting for…

    Or maybe they’ll break ICMP.

  • Well, it’s official, Juniper pulled the 5.4r3 code off their site because of the https issue. They are releasing a fix next week: 5.4r3a, hopefully after they QA it for a while.

  • Yes, I’m using self-signed certs on the boxes. It’s definitely a bug, Juniper knows it, but I don’t have any word on a patch or when 5.4r4 is due out. What pisses me off is this release was needed to fix the DST 2007 problem for the 5.4 train, but they can’t get something as simple as https admin working. I’m about done with Juniper firewalls, although I’m still clinging on for hope. I like the Peribits and I like the SSL boxes, but Juniper’s QA and roadmap for security and security management (NSM) leaves a lot to be desired.

  • Global Moderator

    @oldo: Yea I tried playing with both the NS generated cert and 2 other certs I’d created.  None of them worked correctly.

    To be fair though I got pissed off with the whole thing fairly quickly and just went back to 5.3, so I didn’t test it heavily.

  • Could it be you guys are using the self-signed certificate in the box? The two boxes I upgraded both work fine, but both of them have bogus openssl signed certificates. As mentioned before, no problems with HTTPS, I have not disabled TLS1 in IE. Any thoughts on this?

  • Hi

    I had this up with Tier2 and they found out that it’s an error. A workaround is to disable TLS1 in IE advanced settings.

  • Well, there is a workaround I discovered, it’s silly, but here goes:

    Admin the Netscreen by console, ssh or http, then:

    1. enable http->https redirect
    2. ensure web manage is enabled on your management interfaces along with ssl
    3. connect to the Netscreen using http, you will get redirected to https and then logon normally.
    4. try connecting again, this time with just https:// (voilà! works)

    If you reset the Netscreen you have to repeat steps 3 and 4 again.

    Engineering is going to look pretty stupid with this one… expect a fix very soon.

  • Global Moderator

    There’s no solution I can find, nope.

    I agree with what junipoint said, I just can’t understand how you can cock something so simple up.

    I am still back down at 5.3 because for me it’s “bug free”

  • I just upgraded my SSG5 from r2 to r3 and I have the problem you are describing.

    Has anyone found a solution?

  • Has anyone viewed the self-signed cert that is being generated to look at the timestamp? I wonder if the cert is being created with a timestamp one hour in the future…

    I tried to load 5.4.0r3 onto an SSG5 and it failed the first time. Possibly because I’m upgrading from an engineering release… not quite sure.

  • I just upgraded an SSG520 and a 5GT and can’t log in to the web interface using https; http works fine (IE6 and Firefox 2.0). I opened a case on it. Bugs like these are starting to make me wonder where ScreenOS is headed… if they can’t QA something as simple as the WebUI on a new release… what else should we expect?

  • Engineer

    I tried with https and I have no problems.  This is using the self-signed certs, and with Firefox 2.  Also tried with IE6, and it works fine.