
[ScreenOS/UAC/MAG] How to troubleshoot connectivity issues between the Infranet Controller and Infranet Enforcer (Firewall)


Article ID: KB11119
Last Updated: 08 Jul 2013
Version: 10.0
Summary:

A customer attempting to add an Infranet Enforcer (Juniper firewall) to an Infranet Controller (IC) finds that the connection fails. This article gives solutions for the messages displayed in the Event Log.

Symptoms:

Below is a list of several scenarios in which the connection between the Infranet Controller (IC) and the Infranet Enforcer (IE) fails, and the methods to resolve each of them.

Infranet Controller status shows 'closed' on the backup device and 'connected' on the master.

* The following messages are seen in the firewall event log:

"Infranet Enforcer could not connect to the Infranet Controller because no IP address is set for the Controller"

"Infranet Enforcer could not connect to Infranet Controller <Name> (ip 0.0.0.0)"

* The 'get infranet controller' status shows 'connected' on the master device and not on the backup.


Cause:

Solution:

First and foremost, you must have administrative privileges on both the IC and the IE for this article to be of assistance. Configuration changes may need to be made on either device to resolve these issues.

The easiest way to determine the cause of the failed connection is by using the firewall CLI (Command Line Interface). This requires Telnet or SSH access to the firewall. (For more information on how to open the CLI, refer to KB4082 - Accessing the Command Line Interface Using Telnet.)

In the scenarios below, we will use the 'get event' command on the firewall. It is also worth setting the page size for log messages so that the output pauses instead of scrolling past. To do this, issue the following command:

set console page 24

This causes the display to show 24 lines of text and then pause.

As well as the event log on the firewall, you may also need to review the EVENT LOG on the IC for messages indicating the failure. The EVENT LOG on the IC is located under the System > Log/Monitoring menu on the left side of the administrator interface.

Assuming that you have followed the directions in the UAC documentation for adding an Infranet Enforcer to the IC, we will begin by troubleshooting the connection from the firewall's perspective.

The following is a list of common errors and scenarios seen in the Event Log on the firewall and on the IC.

You may click the error message or scenario to jump to the appropriate section.

Event Log entries on the IE (Firewall):

Scenario 1 - PKI: Failed to obtain CRL for CA

Scenario 2 - PKI: Cert is not yet valid

Scenario 4 - SSH: Password authentication failed for admin user 'admin' at host.192.168.1.20

Event Log entries on the IC:

Scenario 3 - NACN message from Netscreen-5GT(192.168.1.1) has wrong password

Scenario 4 - Gateway not initialized. Failed to establish SSH connection to enforcer Netscreen-5GT(192.168.1.1).

Additional Scenarios:

Scenario 5 - Manager-ip is configured on the ScreenOS firewall and the interface IP or VIP of the IC isn't in the firewall's permit IP list.

Scenario 6 - Time is out of sync between the Infranet Enforcer (Firewall) and the Infranet Controller.

Scenario 1: CRL Checking Causing the Failure

Issue the command 'get event' on the firewall. The Event Log lists the newest events at the top. Look for log entries that refer to the 'Infranet Enforcer'. The output from 'get event' may show something similar to the following:

2008-03-11 11:35:47 system notif 00015 Infranet Enforcer could not connect to
                                       Infranet Controller VM IC (ip
                                       172.25.69.168).
2008-03-11 11:35:47 system notif 00015 Infranet Enforcer could not connect to
                                       the Infranet Controller because the
                                       Controller could not be reached on the
                                       network.
2008-03-11 11:35:47 system notif 00535 PKI: Failed to obtain CRL for CA
                                       issuing cert with subject name
                                       CN=vm-ic.testlab.local,O=JTAC,.
2008-03-11 11:35:47 system notif 00535 PKI: Cannot compose HTTP packet to
                                       send to URL ca.testlab.local

This error is caused by a failed CRL check between the firewall and the issuing certificate authority. Verify that the device certificate issued to the IC includes a valid CDP (CRL Distribution Point), and check the firewall's configuration to ensure that the proper CRL checking protocol and configuration parameters are set up.

First, find the ID of your CA on the firewall by issuing this command:

get pki x509 list ca-cert

You should see output similar to this:

Getting CA CERT ...
IDX ID num X509 Certificate Subject Distinguish Name
================================================================================
0000 217055236 CA CERT friendly name <4>
CN=Test Lab CA,DC=testlab,DC=local,
Expire on 08-13-2016 18:39, Issued By:
CN=Test Lab CA,DC=testlab,DC=local

Now that you know the ID of your CA, issue this command: (remember to substitute your ID into the command)

get pki auth [ID of your CA] cert-status

You should see output similar to this:

Revocation status resources:
revocation protocol: CRL BEST-EFFORT
inter update refresh crl information: <0> minutes
CRL resource:
URL:
http type url: none
OCSP resource:
verify responde signature: yes
verify OCSP signing certificate: yes
verify OCSP signing certificate revocation status: yes
URL:
http type url: none
OCSP verify cert not configured.

If the CA server settings are correct and you do not believe that the CRL check is failing, try temporarily disabling CRL checking to confirm whether it is the cause. Do this by issuing the following command (remember to substitute your CA's ID number into the command below):

set pki auth [ID of your CA] cert-status revocation-check none

Once you have issued this command, force the firewall to attempt a connection to the IC.

Issue this command:

exec infranet controller connect

Next, issue this command to check the status:

get infranet controller

If all goes well, you should see this status:

INSTANCE HOST Port Interface State (SSL/SSH)
==========================================================================
VM IC 172.25.69.168 11122 ethernet0/0 Connected/Connected
Contact Interval: 10 seconds
Timeout Action: Close

Note that the status Connected/Connected should be displayed. This indicates that both an SSL and an SSH connection are active between the IC and the firewall. If disabling the revocation check is what restored the connection, the underlying CRL/CDP problem still needs to be corrected so that revocation checking can be re-enabled.

 

Scenario 2: PKI: Cert is not yet valid

Issue the command 'get event' on the firewall. The output from 'get event' may show something similar to the following:

2007-01-01 12:00:28 system notif 00015 Infranet Enforcer could not connect to
Infranet Controller The-New-IC (ip 192.168.1.20).
2007-01-01 12:00:28 system notif 00015 Infranet Enforcer could not connect to
the Infranet Controller because the Controller could not be reached on the network.
2007-01-01 12:00:28 system notif 00535 PKI: Cert is not yet valid (subject
name Email=ICAdmin@testlab, CN=ic.testlab.local,OU=Lab,
O=Test Co,L=Cambridge,ST=MA,C=US,
).

This scenario can occur if you have just created the device certificate for the IC and the time settings on the firewall are not correct, so from the firewall's point of view the certificate's validity period has not yet started.

Use the 'get clock' and 'set clock' commands on the firewall to view and set the system time and timezone. Once you have corrected the system time, force the firewall to attempt a connection to the IC. Issue this command:

exec infranet controller connect

Next, issue this command to check the status:

get infranet controller

If all goes well, you should see this status:

INSTANCE HOST Port Interface State (SSL/SSH)
==========================================================================
VM IC 192.168.1.20 11122 ethernet0/0 Connected/Connected
Contact Interval: 10 seconds
Timeout Action: Close


Scenario 3: NACN message from Netscreen-5GT(192.168.1.1) has wrong password

This scenario involves reviewing the EVENT LOG on the IC. The IC event log may report the following:

2008-03-14 06:41:09 - Home - [127.0.0.1] System()[] - NACN message from Netscreen-5GT(192.168.1.1) has wrong password

Verify that the NACN password on the firewall matches the NACN password entered on the IC. In most cases, it is easier to change or re-enter the NACN password on both devices. Once you have re-entered the NACN password on both the IC and the firewall, force the firewall to attempt a new connection to the IC. Issue this command:

exec infranet controller connect

Next, issue this command to check the status:

get infranet controller

If all goes well, you should see this status:

INSTANCE HOST Port Interface State (SSL/SSH)
==========================================================================
VM IC 192.168.1.20 11122 ethernet0/0 Connected/Connected
Contact Interval: 10 seconds
Timeout Action: Close

 

Scenario 4: SSH: Password authentication failed for admin user 'admin' at host.192.168.1.20 or Gateway not initialized. Failed to establish SSH connection to enforcer Netscreen-5GT (192.168.1.1).

Issue the command 'get event' on the firewall. The output from 'get event' may show something similar to the following:

2008-03-14 12:26:21 system warn 00528 SSH: Password authentication failed
for admin user 'admin' at host. 192.168.1.20

You may also see this error in the IC's EVENT LOG:

2008-03-14 06:59:13 - Home - [127.0.0.1] System()[] - Gateway not initialized. Failed to establish SSH connection to enforcer Netscreen-5GT(192.168.1.1).

If you see either of these messages, verify that the admin user name and password match on both the IC and the IE (firewall). In most cases it is best to re-enter them to ensure they match. Once you have re-entered the administrator credentials on both the IC and the firewall, force the firewall to attempt a new connection to the IC. Issue this command:

exec infranet controller connect

Next, issue this command to check the status:

get infranet controller

You can get more detailed information about an Infranet Controller instance on the firewall with the following command (in this KB, the instance name of the IC is "VM IC"):

get infranet controller name INSTANCE_NAME_OF_IC

If all goes well, you should see this status:

INSTANCE HOST Port Interface State (SSL/SSH)
==========================================================================
VM IC 192.168.1.20 11122 ethernet0/0 Connected/Connected
Contact Interval: 10 seconds
Timeout Action: Close
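To make the log review in Scenarios 1 to 4 repeatable, here is an added Python example (not part of this KB article) that merges the wrapped 'get event' lines, matches the message fragments quoted above and reports the article's remedy for each, and checks whether a 'get infranet controller' line shows Connected/Connected. The log line format (timestamp prefix, indented continuation lines) is assumed from the output shown in this article, and the sample log is constructed.

```python
import re

# Added example; the log format is inferred from this KB's 'get event' output.
# Message fragments quoted in the article, mapped to the article's remedy.
RULES = [
    ("Failed to obtain CRL for CA",
     "Scenario 1: CRL check failing; verify the CDP/CRL settings on the firewall"),
    ("Cert is not yet valid",
     "Scenario 2: firewall clock is wrong; fix with 'set clock' or NTP"),
    ("has wrong password",
     "Scenario 3: NACN password mismatch; re-enter it on the IC and firewall"),
    ("Password authentication failed",
     "Scenario 4: admin credentials mismatch; re-enter them on the IC and firewall"),
    ("Failed to establish SSH connection",
     "Scenario 4: admin credentials mismatch; re-enter them on the IC and firewall"),
]
# ScreenOS and IC event lines start with a timestamp; wrapped text is indented.
EVENT_HDR = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")

def join_events(text):
    """Merge indented continuation lines back into their event line."""
    events = []
    for line in text.splitlines():
        if EVENT_HDR.match(line):
            events.append(line.strip())
        elif line.strip() and events:
            events[-1] += " " + line.strip()
    return events

def triage(text):
    """Return the distinct remedies whose trigger message appears in the log."""
    found = []
    for event in join_events(text):
        for needle, remedy in RULES:
            if needle in event and remedy not in found:
                found.append(remedy)
    return found

def ic_connected(status_text):
    """True only if 'get infranet controller' output shows Connected/Connected."""
    return bool(re.search(r"\bconnected/connected\b", status_text, re.I))

# Constructed sample modelled on the Scenario 1 output above.
SAMPLE = """2008-03-11 11:35:47 system notif 00015 Infranet Enforcer could not connect to
                                       Infranet Controller VM IC (ip 172.25.69.168).
2008-03-11 11:35:47 system notif 00535 PKI: Failed to obtain CRL for CA
                                       issuing cert with subject name CN=vm-ic.testlab.local,O=JTAC,.
"""
STATUS = "VM IC 172.25.69.168 11122 ethernet0/0 closed/Closed\n"
```

Paste the firewall's 'get event' output (or the IC event log lines) into triage() and the 'get infranet controller' output into ic_connected() to confirm the state after applying a fix.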

Scenario 5: Manager-ip is configured on the ScreenOS firewall and the interface IP address of the Infranet Controller, or the VIP of the Infranet Controller cluster, isn't in the firewall's permit IP list.

Issue the command 'get admin manager-ip' on the firewall to check the current manager-ip list:

nsisg2000-> get admin manager-ip
Manager IP enforced: False
Manager IPs: 1

Address                  Mask                    Vsys
-------------------- -------------------- --------------------
192.168.90.2   255.255.255.255      Root

Add the IP address of the Infranet Controller (or the cluster VIP) as a manager-ip. For example, if the Infranet Controller IP address you used is 172.16.80.9:

set admin manager-ip 172.16.80.9
save



Scenario 6: Time is out of sync between the Infranet Enforcer (Firewall) and the Infranet Controller.

The SSH connection won't be established if there is a time difference between the Infranet Enforcer (firewall) and the Infranet Controller. You can check the time on the ScreenOS firewall with the command 'get clock'. You can set the time manually with the 'set clock' command, or sync the firewall's time with an NTP server:

set ntp server IP_ADDR_OF_NTP_SERVER
save

Adjust the time of the Infranet Controller here:

Admin WebUI > System > Status > Edit (Date & Time)


* If the output of 'get infranet controller' shows the status 'closed' on the backup device, try the following:

get infranet controller

INSTANCE HOST Port Interface State (SSL/SSH)
==========================================================================
Thwate IC 172.20.18.1 11122 ethernet0/0 closed/Closed
Contact Interval: 10 seconds
Timeout Action: None

* Go to Infranet Auth > Controller and check that the 'Selected CA' option is chosen correctly.

* If it is, go to Objects > Certificates and select the 'CA' option from the 'show' tab.

* Check that the certificates on the Infranet Controller match the ones on the firewall.

For example, if there are two certificates on the Infranet Controller (say a root and a server certificate), the same certificates should be present on the firewall.

Note: Even the date shown under the 'expired' column should match.

* If a certificate is missing, add the required certificates.

After that, the Infranet Controller status on the firewall shows 'connected', as below:

get infranet controller

INSTANCE HOST Port Interface State (SSL/SSH)
==========================================================================
Thwate IC 172.20.18.1 11122 ethernet0/0 connected/Connected
Contact Interval: 10 seconds
Timeout Action: None

If you check back on the event logs, you will see the message below:

"Infranet Enforcer could not connect to Infranet Controller <Name> (ip 172.20.18.1)"

You will be able to see that connectivity to the Infranet Controller is established.

