[SRX] Common issues causing enrollment failure for SKYATP

KB31793


Summary:

There are many prerequisites for the successful enrollment of an SRX/vSRX device into Sky ATP. This article discusses the common issues seen during enrollment and provides recommendations and workarounds.

Symptoms:

This article is a general guide for troubleshooting typical problems you may encounter on Sky Advanced Threat Prevention enrollment.

Solution:
  1. Verify that the SRX/vSRX is running a supported Junos OS version. Please check the Sky Advanced Threat Prevention Supported Platforms Guide.

  2. Verify that DNS on the SRX can resolve the Sky ATP server names to IP addresses. The following domain names must be resolvable from the device.

    For US - amer.sky.junipersecurity.net & srxapi.us-west-2.sky.junipersecurity.net
    For EU - euapac.sky.junipersecurity.net & srxapi.eu-west-1.sky.junipersecurity.net
    For Canada - canada.sky.junipersecurity.net & srxapi.ca-central-1.sky.junipersecurity.net
    For APAC - apac.sky.junipersecurity.net & srxapi.ap-northeast-1.sky.junipersecurity.net
    Enrollment - ca.junipersecurity.net & va.junipersecurity.net

  3. Verify that the device time is correct. It is recommended to configure an NTP server so that the clock stays synchronized.

  4. Verify routing from both the Routing Engine (RE) and the Packet Forwarding Engine (PFE) to the Sky ATP cloud servers. Ping from the firewall to the server of the region you are enrolling in to confirm connectivity.
    For US:
    root@srx> ping connect.us-west-2.sky.junipersecurity.net
    For EU:
    root@srx> ping connect.eu-west-1.sky.junipersecurity.net
    For Canada:
    root@srx> ping connect.ca-central-1.sky.junipersecurity.net
    For APAC:
    root@srx> ping connect.ap-northeast-1.sky.junipersecurity.net

  5. Verify that ports 80, 8080 and 443 are open to the Internet from the firewall. You can telnet from the SRX to the Sky ATP servers on these ports to confirm.

  6. To verify that the individual daemons on the firewall can reach their servers, check the following connectivity:

    1. For the aamw-ca daemon, verify connectivity to ca.junipersecurity.net on port 8080:

      root@srx% cd /var/tmp
      root@srx% fetch -v -o cacert.testfile "http://ca.junipersecurity.net:8080/ejbca/publicweb/apply/scep/SRX/pkiclient.exe?operation=GetCACert"

      This downloads a file from the CA server. Some firewalls block this URL because it contains '.exe'. Receiving an HTTP 400 message is normal. A 'Timeout' indicates a connectivity issue that needs to be fixed.

    2. For the aamw-secintel-ca daemon, verify connectivity to va.junipersecurity.net on port 80:

      root@srx% cd /var/tmp
      root@srx% fetch http://va.junipersecurity.net/ca/SecInteljunipersecuritynetCA.pem

    3. For the aamw-cloud-ca daemon, verify connectivity to va.junipersecurity.net on port 80:

      root@srx% cd /var/tmp
      root@srx% fetch http://va.junipersecurity.net/ca/SecInteljunipersecuritynetsubCAforCloud.pem

  7. When you enroll an SRX/vSRX Series device, the ops script installs two CA certificates: one for the client (SRX/vSRX) and one for the server (cloud). Client-side CA certificates are associated with serial numbers. Use the following CLI commands to get your device's certificate details and serial number:

        show security pki local-certificate
        show security pki ca-certificate
        show security pki crl detail
        show security pki local-certificate detail

  8. Verify that the services are running on the firewall:

    show services advanced-anti-malware status

    Note: Ideally the output should look like this:

    root@srx> show services advanced-anti-malware status
    Server connection status:
      Server hostname: juniper.cloud.com
      Server port:     443
        Control Plane:
          Connection Time: 2017-05-25 02:30:20 UTC
          Connection Status: Connected
        Service Plane:
          fpc0
            Connection Active Number: 16
            Connection Failures : 41

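The following script is an added example, not Juniper's code and not part of this KB article. It automates steps 2, 5 and 6a from a host that shares the SRX's outbound path: it resolves the hostnames listed in step 2, tests TCP reachability on ports 80, 8080 and 443, and interprets the GetCACert fetch the way step 6a describes (HTTP 400 is normal, a timeout means a connectivity problem). The region keys, the result dictionaries and the injectable resolve/connect/opener callables are my own design so that the checks can also be exercised offline with constructed stand-ins.

```python
import socket
import urllib.error
import urllib.request

# Hostnames from steps 2 and 6 of the article; the two enrollment hosts apply to every region.
REGION_HOSTS = {
    "us": ["amer.sky.junipersecurity.net", "srxapi.us-west-2.sky.junipersecurity.net"],
    "eu": ["euapac.sky.junipersecurity.net", "srxapi.eu-west-1.sky.junipersecurity.net"],
    "canada": ["canada.sky.junipersecurity.net", "srxapi.ca-central-1.sky.junipersecurity.net"],
    "apac": ["apac.sky.junipersecurity.net", "srxapi.ap-northeast-1.sky.junipersecurity.net"],
}
ENROLLMENT_HOSTS = ["ca.junipersecurity.net", "va.junipersecurity.net"]
PORTS = (80, 8080, 443)
GETCACERT_URL = ("http://ca.junipersecurity.net:8080/ejbca/publicweb/apply/scep/SRX/"
                 "pkiclient.exe?operation=GetCACert")

def default_connect(host, port, timeout=5.0):
    # A plain TCP connect is enough to show the port is open; no application data is sent.
    with socket.create_connection((host, port), timeout=timeout):
        return True

def check_enrollment_prereqs(region, resolve=socket.gethostbyname, connect=default_connect):
    """Steps 2 and 5: DNS resolution and TCP reachability of the region's hosts on 80/8080/443."""
    dns, ports = {}, {}
    for host in REGION_HOSTS[region] + ENROLLMENT_HOSTS:
        try:
            resolve(host)
            dns[host] = True
        except OSError:  # socket.gaierror is an OSError subclass
            dns[host] = False
            continue  # no point in a TCP test for a name that does not resolve
        for port in PORTS:
            try:
                ports[(host, port)] = connect(host, port)
            except OSError:  # connection refused, unreachable or timed out
                ports[(host, port)] = False
    return {"dns": dns, "ports": ports}

def interpret_ca_fetch(url=GETCACERT_URL, timeout=10.0, opener=urllib.request.urlopen):
    """Step 6a: HTTP 400 is normal; a timeout or unreachable server is a connectivity problem."""
    try:
        with opener(url, timeout=timeout) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:  # the server answered; 400 is the usual reply here
        status = err.code
    except (TimeoutError, urllib.error.URLError):  # HTTPError is caught above, so this is no answer
        return "connectivity issue"
    if status in (200, 400):
        return "reachable"
    return f"unexpected HTTP {status}; check whether the URL is being filtered"
```

Run `check_enrollment_prereqs("eu")` and `interpret_ca_fetch()` with the defaults to test against the real hosts; the stand-in callables are only for offline checks of the logic.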

If all of the above checks pass and the enrollment still fails, please run the diagnostics and contact JTAC for further assistance.

Modification History:
2018-09-28: Updated fetch command syntax in step 6a.
2019-10-30: Updated available realms in Step 2, updated ping test servers in Step 4.