ScreenOS 5.4.0r3

  • It is available now…

    I installed it on a 5GT-201 at home and all is well. MRTG stats work properly (they did not in 5.4.0r2). I was running 5.4.0r1 since it came out.

    I’m planning upgrading a semi-production NS-204 at a hosting facility in the coming weeks.

  • JTAC Technical Bulletin SRN-2007-02-009

    Title ScreenOS 5.4.0r3 has been removed from the download website


    SRN Description : Reports of problems logging into the device via the WebUI, using HTTPS has made it necessary to pull the 5.4.0r3 release from the download website. HTTPS connections to the firewall device for administrative purposes may fail.

    Solution: There will be a repaired version of ScreenOS posted the week of 2/12/07. The new version will be named 5.4.0r3a

    Solution Implementation: Workaround for customer needing 5.4.0r3
    Log in via HTTP
    Log out of the HTTP session
    Using the same Login credentials, log in via HTTPS. After proper Authentication, you will be logged into the WebUI via HTTPS.


  • probably they will fix the https bug and end with a new bug while trying to solve the older one. they took so much time to release the new 5.4.0r3 and got with so many bugs and hardly any new features man.

    cisco is really trying to improve the code for asa in 8.0 code.

    their 7.2.2 code didn;t have any new features but was purely a bug fixing release.

    i guess juniper should try it;s best to not piss off their loyal customers cause there are many more options in the market which are equally good, and less expensive too.

    cisco try to get such irritated customers of juniper . cause juniper is far behind in giving quality support as compared to cisco.

    juniper is not at all a customer oriented company .



  • Global Moderator

    Wow, that’s a big step to pull it.  Still, seeing as it’s something almost everyone uses I’m not that shocked.

    Thanks for the update.  Maybe r3a will be the version I have been waiting for…

    Or maybe they’ll break ICMP.

  • Well, it’s official, Juniper pulled the 5.4r3 code off their site because of the https issue. They are releasing a fix next week: 5.4r3a, hopefully after they QA it for a while.

  • Yes, I’m using self-signed certs on the boxes. It’s definitely a bug, Juniper knows it, but I don’t have any word on a patch or when 5.4r4 is due out. What pisses me off is this release was needed to fix the DST 2007 problem for the 5.4 train, but they can’t get something as simple as https admin working. I’m about done with  Juniper firewalls, although I’m still clinging on for hope. I like the Peribits and I like the SSL boxes, but Juniper’s QA and roadmap for security and security management(NSM)  leaves a lot to be desired.

  • Global Moderator

    @oldo: Yea I tried playing with both the NS generated cert and 2 other certs I’d created.  None of them worked correctly.

    To be fair though I got pissed off with the whole thing fairly quickly and just went back to 5.3, so I didn’t test it heavily.

  • Could it be you guys are using the self-signed certificate in the box? The two boxes I upgraded both work fine, but both of them have bogus openssl signed certificates. As mentioned before, no problems with HTTPS, I have not disabled TLS1 in IE. Any thoughts on this?

  • Hi

    I had this up with Tier2 and they found out that it’s an error. A workaround is to disable TLS1 in IE advanced settings.

  • well, there is a workaround I discovered, it’s silly, but here goes:

    Admin the Netscreen by console, ssh or http, then:

    1. enable http->https redirect
    2. ensure web manage is enabled on your management interfaces along with ssl
    3. connect to the Netscreen using http, you will get redirected to https and then logon normally.
    4. try connecting again, this time with just https:// (viola! works)

    if you reset the Netscreen you have to repeat steps 3 and 4 again.

    Engineering is going to look pretty stupid with this one….expect a fix very soon.

  • Global Moderator

    There’s no solution I can find, nope.

    I agree with what junipoint said, I just can’t understand how you can cock something so simple up.

    I am still back down at 5.3 because for me it’s “bug free”

  • I just upgraded my SSG5 from r2 to r3 and I have the problem you are describing.

    Has anyone found a solution?

  • Has anyone viewed the self-signed cert that is being generated to look at the timestamp? I wonder if the cert is being created with a timestamp one hour in the future……

    I tried to load 5.4.0r3 onto an SSG5 and it failed the first time. Possibly because I’m upgrading from an engineering release… not quite sure.

  • I just upgraded an SSG520 and a a 5GT and can’t login to the web interface using https, http works fine.(IE6 and firefox 2.0). I opened a case on it. Bugs like these are starting to make me wonder where ScreenOS is headed…if they can’t QA something as simple as the WebUI on a new release…what else should we expect?

  • Engineer

    I tried with https and I have no problems.  This is using the self-signed certs, and with Firefox 2.  Also tried with IE6, and it works fine.

  • Tried 5.4.0r3 on a SSG5 and SSG20. Both of these run fine with regards to SSL (HTTPS). Haven’t had the time to see if SNMP still is broken…

  • Global Moderator

    Yea, I just rebooted again and now it’s broken.

    I think if I wait for 10-20 minutes it’ll work again.

    I say this because when I went out shopping with my GF this morning, it was broken, but when I got back it was working.

    A reboot broke it again, now changing certs and other things that I thought fixed it haven’t.  I think it’s a bug!  I will test it again in a few hours and I’ll bet it works…

  • strange, after waiting a while (longer than normal) access was possible….
    Hope this works more than once.

  • Same WEBUI-Problem hier with an netscreen-50.
    Please tell me more detailed how to resolve this.


  • Global Moderator

    Well, after playing with certificates, it seems now to work. Still very werid though…