ScreenOS 5.4.0r3

  • Global Moderator

    Wow, that’s a big step to pull it.  Still, seeing as it’s something almost everyone uses I’m not that shocked.

    Thanks for the update.  Maybe r3a will be the version I have been waiting for…

    Or maybe they’ll break ICMP.

  • Well, it’s official, Juniper pulled the 5.4r3 code off their site because of the https issue. They are releasing a fix next week: 5.4r3a, hopefully after they QA it for a while.

  • Yes, I’m using self-signed certs on the boxes. It’s definitely a bug, Juniper knows it, but I don’t have any word on a patch or when 5.4r4 is due out. What pisses me off is this release was needed to fix the DST 2007 problem for the 5.4 train, but they can’t get something as simple as https admin working. I’m about done with Juniper firewalls, although I’m still clinging on for hope. I like the Peribits and I like the SSL boxes, but Juniper’s QA and roadmap for security and security management (NSM) leave a lot to be desired.

  • Global Moderator

    @oldo: Yea I tried playing with both the NS generated cert and 2 other certs I’d created.  None of them worked correctly.

    To be fair though I got pissed off with the whole thing fairly quickly and just went back to 5.3, so I didn’t test it heavily.

  • Could it be you guys are using the self-signed certificate in the box? The two boxes I upgraded both work fine, but both of them have bogus openssl signed certificates. As mentioned before, no problems with HTTPS, I have not disabled TLS1 in IE. Any thoughts on this?

  • Hi

    I had this up with Tier2 and they found out that it’s an error. A workaround is to disable TLS1 in IE advanced settings.

  • Well, there is a workaround I discovered, it’s silly, but here goes:

    Admin the Netscreen by console, ssh or http, then:

    1. enable http->https redirect
    2. ensure web manage is enabled on your management interfaces along with ssl
    3. connect to the Netscreen using http, you will get redirected to https and then logon normally.
    4. try connecting again, this time with just https:// (voilà! works)

    If you reset the Netscreen you have to repeat steps 3 and 4 again.

    Engineering is going to look pretty stupid with this one….expect a fix very soon.

  • Global Moderator

    There’s no solution I can find, nope.

    I agree with what junipoint said, I just can’t understand how you can cock something so simple up.

    I am still back down at 5.3 because for me it’s “bug free”

  • I just upgraded my SSG5 from r2 to r3 and I have the problem you are describing.

    Has anyone found a solution?

  • Has anyone viewed the self-signed cert that is being generated to look at the timestamp? I wonder if the cert is being created with a timestamp one hour in the future……

    I tried to load 5.4.0r3 onto an SSG5 and it failed the first time. Possibly because I’m upgrading from an engineering release… not quite sure.

  • I just upgraded an SSG520 and a 5GT and can’t log in to the web interface using https; http works fine (IE6 and Firefox 2.0). I opened a case on it. Bugs like these are starting to make me wonder where ScreenOS is headed…if they can’t QA something as simple as the WebUI on a new release…what else should we expect?

  • Engineer

    I tried with https and I have no problems.  This is using the self-signed certs, and with Firefox 2.  Also tried with IE6, and it works fine.

  • Tried 5.4.0r3 on an SSG5 and SSG20. Both of these run fine with regards to SSL (HTTPS). Haven’t had the time to see if SNMP still is broken…

  • Global Moderator

    Yea, I just rebooted again and now it’s broken.

    I think if I wait for 10-20 minutes it’ll work again.

    I say this because when I went out shopping with my GF this morning, it was broken, but when I got back it was working.

    A reboot broke it again, now changing certs and other things that I thought fixed it haven’t.  I think it’s a bug!  I will test it again in a few hours and I’ll bet it works…

  • Strange, after waiting a while (longer than normal) access was possible….
    Hope this works more than once.

  • Same WebUI problem here with a NetScreen-50.
    Please tell me in more detail how to resolve this.


  • Global Moderator

    Well, after playing with certificates, it seems now to work. Still very weird though…

  • Global Moderator

    I think I’ve found a bug in 5.4.0r3 already!

    It seems that I can’t log in to the WebUI via HTTPS anymore, it just keeps acting like I got the wrong password.

    Logging in via HTTP plain works fine though.  Strange.

    Anyone else seen this?  I’m on a 5GT btw.

  • Today, ScreenOS 5.4.0r3 is released!


  • The new 5.40r3 release does not have many new features in it, but rather solves a lot of bugs in that OS. But still there are many bugs left with no workarounds for them. I thought the r3 release would be a purely bug-fixing release. With solving many bugs, I guess we will have to wait for the 5.40r4 release to get rid of bugs.

    Couldn’t there be a release with no bugs in it?