Authentication Keychains may fail to successfully commit

Article ID: JSA10362
Category: Security Advisories
Last Updated: 09 May 2013
Version: 2.0
Legacy Advisory Id: PSN-2006-04-007
Product Affected: JUNOS software 7.6R1
Problem:
Under certain circumstances, an attempt to commit changes to authentication keychains may fail. BGP and LDP protocol connections configured to use authentication keychains may instead proceed with no authentication being used. If the remote peer is mistakenly configured without authentication, an unauthenticated TCP session with that peer may erroneously be established.
Solution:
In some circumstances, an authentication keychain may remain in the JUNOS kernel even after it has been removed from the router's configuration. This can occur if there are TCP sessions using the keychain which cannot be immediately terminated because of outstanding retransmissions. This requires JUNOS to retain the old keychain data within the kernel until all TCP sessions using that keychain have terminated.

When this occurs, a subsequent attempt to commit a configuration with a new authentication keychain having the same name as the previous keychain will fail and messages similar to the following will be displayed:
warning: Command exited: PID 3815, status 255, command keyadmin
error: failed to revise keyadmin database for /var/etc/keyadmin.conf
commit complete
Further attempts to commit the configuration will appear to succeed, but the authentication keychain may not take effect. This situation can persist for up to nine minutes, the maximum amount of time that TCP retransmissions can wait.

Once this has occurred, TCP sessions configured to use affected authentication keychains will be unable to access the authentication data within the kernel. Instead, the TCP sessions will proceed unauthenticated.

Note: Deactivating an authentication keychain and reactivating it (with a commit in between) can also trigger this problem.

This problem is tracked within Juniper as PR/68853.
Implementation:
This problem can be avoided by changing the affected authentication keychain to have a unique name, and changing all references to the keychain to use the new name.

Alternatively, you can wait for nine minutes to allow all TCP sessions which may be using the previous version of the keychain to time out, and then use the commit full command to force reconfiguration of the authentication keychains in the JUNOS kernel.
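The two points a practitioner wants to automate here are (1) noticing that keyadmin failed even though the transcript ends with "commit complete", and (2) applying the rename workaround consistently to the keychain definition and every BGP/LDP reference. The following is an added example, not code from Juniper or from this advisory. The commit transcript is the one quoted above; the set-style configuration lines are constructed, and the statement names `security authentication-key-chains key-chain` and `authentication-key-chain` are assumed here rather than taken from the advisory.

```python
import re

# Constructed sample of the commit transcript quoted in the advisory.
COMMIT_OUTPUT = """\
warning: Command exited: PID 3815, status 255, command keyadmin
error: failed to revise keyadmin database for /var/etc/keyadmin.conf
commit complete
"""

# Constructed set-style configuration. The statement names are assumed,
# not taken from the advisory, and the secret is a placeholder.
SAMPLE_CONFIG = [
    'set security authentication-key-chains key-chain bgp-keys key 1 '
    'secret "PLACEHOLDER" start-time 2013-05-01.00:00:00',
    "set protocols bgp group ibgp authentication-key-chain bgp-keys",
    "set protocols ldp session 10.0.0.2 authentication-key-chain bgp-keys",
    "set protocols bgp group ebgp local-as 65000",
]

KEYADMIN_ERROR = re.compile(r"failed to revise keyadmin database")
KEYADMIN_EXIT = re.compile(
    r"Command exited: PID \d+, status (\d+), command keyadmin")


def keychain_commit_failed(output: str) -> bool:
    """True when keyadmin reported a failure, whether or not the transcript
    ends with 'commit complete' (in the advisory's example it does)."""
    for line in output.splitlines():
        if KEYADMIN_ERROR.search(line):
            return True
        m = KEYADMIN_EXIT.search(line)
        if m and m.group(1) != "0":
            return True
    return False


def keychain_references(config_lines, name):
    """Lines that define the key-chain or reference it through an
    authentication-key-chain statement (assumed statement names)."""
    pat = re.compile(r"key-chain " + re.escape(name) + r"(?=\s|$)")
    return [line for line in config_lines if pat.search(line)]


def rename_keychain(config_lines, old, new):
    """The advisory's first workaround: give the keychain a unique name and
    point every reference at it. Refuses a name that is already in use,
    because reusing a name is exactly what collides with the stale kernel
    entry."""
    if keychain_references(config_lines, new):
        raise ValueError(f"keychain name {new!r} is already in use")
    # 'authentication-key-chain NAME' also ends in 'key-chain NAME', so one
    # lookbehind covers both the definition and the protocol references.
    pat = re.compile(r"(?<=key-chain )" + re.escape(old) + r"(?=\s|$)")
    return [pat.sub(new, line) for line in config_lines]


if __name__ == "__main__":
    if keychain_commit_failed(COMMIT_OUTPUT):
        print("keyadmin failed: affected sessions may be running unauthenticated")
        for line in rename_keychain(SAMPLE_CONFIG, "bgp-keys", "bgp-keys-2"):
            print(line)
```

Because every later commit "appears to succeed", the transcript of the first failing commit is the only direct evidence; running `keychain_commit_failed` over captured commit output (or the equivalent syslog lines) is what turns this advisory into an alert rather than a silent downgrade to unauthenticated sessions.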