
[SRX] Common issues causing enrollment failure for SKYATP


Article ID: KB31793 | Last Updated: 30 Oct 2019 | Version: 3.0
Summary:

There are several prerequisites for successfully enrolling an SRX/vSRX device in Sky ATP. This article lists the issues most commonly seen during enrollment and gives recommendations and workarounds for each.

Symptoms:

This article is a general guide for troubleshooting the typical problems encountered during Sky Advanced Threat Prevention enrollment.

Solution:
  1. Verify that the SRX/vSRX is running a supported Junos OS version. Check the Sky Advanced Threat Prevention Supported Platforms Guide.

  2. Verify that DNS on the SRX can resolve the Sky ATP server names to IP addresses. The following domain names must be resolvable from the device:

    For US: amer.sky.junipersecurity.net and srxapi.us-west-2.sky.junipersecurity.net
    For EU: euapac.sky.junipersecurity.net and srxapi.eu-west-1.sky.junipersecurity.net
    For Canada: canada.sky.junipersecurity.net and srxapi.ca-central-1.sky.junipersecurity.net
    For APAC: apac.sky.junipersecurity.net and srxapi.ap-northeast-1.sky.junipersecurity.net
    Enrollment (all regions): ca.junipersecurity.net and va.junipersecurity.net

  3. Verify that the device time is correct. Using NTP to keep the clock synchronized is recommended, because the certificate validity checks performed during enrollment fail when the clock is wrong.

  4. Verify routing from both the RE and the PFE to the Sky ATP cloud servers. Ping from the firewall to the server of the region you are enrolling in to confirm connectivity:
    For US:
    root@srx> ping connect.us-west-2.sky.junipersecurity.net
    For EU:
    root@srx> ping connect.eu-west-1.sky.junipersecurity.net
    For Canada:
    root@srx> ping connect.ca-central-1.sky.junipersecurity.net
    For APAC:
    root@srx> ping connect.ap-northeast-1.sky.junipersecurity.net

  5. Verify that ports 80, 8080 and 443 are open from the firewall to the internet. You can telnet from the SRX to the Sky ATP servers on these ports; a connection that opens (even if the server closes it immediately) shows the port is reachable, whereas a timeout indicates a filtering or routing problem.

  6. To verify that the individual daemons on the firewall can reach their servers, check the following connectivity from the shell:

    1. For the aamw-ca daemon, verify connectivity to ca.junipersecurity.net on port 8080:

      root@srx% cd /var/tmp
      root@srx% fetch -v -o cacert.testfile "http://ca.junipersecurity.net:8080/ejbca/publicweb/apply/scep/SRX/pkiclient.exe?operation=GetCACert"
      

      This downloads a file from the CA server. Some firewalls block this URL because it contains '.exe'. Receiving an HTTP 400 message is normal; a 'Timeout' indicates a connectivity issue that must be fixed first.

    2. For the aamw-secintel-ca daemon, verify connectivity to va.junipersecurity.net on port 80:

      root@srx% cd /var/tmp
      root@srx% fetch http://va.junipersecurity.net/ca/SecInteljunipersecuritynetCA.pem
      
    3. For the aamw-cloud-ca daemons, verify connectivity to va.junipersecurity.net on port 80:

      root@srx% cd /var/tmp
      root@srx% fetch http://va.junipersecurity.net/ca/SecInteljunipersecuritynetsubCAforCloud.pem
      
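Steps 2, 5 and 6 are the same two checks (name resolution, then a TCP connection on the expected port) repeated for each hostname of a realm. The following script is an added example, not part of this KB article or of Juniper's tooling: it runs those checks for one realm from a management host that shares the SRX's egress path, using the hostnames listed above. The ports for ca.junipersecurity.net (8080) and va.junipersecurity.net (80) come from step 6; pairing the regional srxapi host with port 443 is an assumption based on the "Server port: 443" line in step 8. The resolver and connector are injectable so the logic can be exercised offline.

```python
"""Sky ATP enrollment pre-flight checker (added example, not Juniper code).

Reproduces the DNS and TCP-port checks of steps 2, 5 and 6 for one realm.
The defaults use the standard socket module; pass fake callables to test
the reporting logic without network access.
"""
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Per-realm hostnames as listed in the KB article (steps 2 and 4).
REGION_HOSTS: Dict[str, List[str]] = {
    "us": ["amer.sky.junipersecurity.net",
           "srxapi.us-west-2.sky.junipersecurity.net",
           "connect.us-west-2.sky.junipersecurity.net"],
    "eu": ["euapac.sky.junipersecurity.net",
           "srxapi.eu-west-1.sky.junipersecurity.net",
           "connect.eu-west-1.sky.junipersecurity.net"],
    "canada": ["canada.sky.junipersecurity.net",
               "srxapi.ca-central-1.sky.junipersecurity.net",
               "connect.ca-central-1.sky.junipersecurity.net"],
    "apac": ["apac.sky.junipersecurity.net",
             "srxapi.ap-northeast-1.sky.junipersecurity.net",
             "connect.ap-northeast-1.sky.junipersecurity.net"],
}

# Enrollment hosts (step 2) with the ports step 6 names for each daemon.
ENROLLMENT_PORTS: List[Tuple[str, int]] = [
    ("ca.junipersecurity.net", 8080),  # aamw-ca: SCEP GetCACert
    ("va.junipersecurity.net", 80),    # aamw-secintel-ca / aamw-cloud-ca
]
# Assumption (not stated in the KB): the regional srxapi endpoint is the
# one reached on 443, matching "Server port: 443" in the step 8 output.
API_PORT = 443

Resolver = Callable[[str], Optional[str]]
Connector = Callable[[str, int], bool]


def default_resolve(host: str) -> Optional[str]:
    """System resolver; None means the name did not resolve."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def default_connect(host: str, port: int, timeout: float = 5.0) -> bool:
    """TCP handshake only, the same thing the telnet test in step 5 proves."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(region: str,
              resolve: Resolver = default_resolve,
              connect: Connector = default_connect) -> Dict[str, object]:
    """Return the names that failed DNS and the (host, port) pairs that
    failed to connect for one realm; 'ok' is True only if nothing failed."""
    if region not in REGION_HOSTS:
        raise ValueError(f"unknown realm {region!r}; expected one of {sorted(REGION_HOSTS)}")
    hosts = REGION_HOSTS[region] + [h for h, _ in ENROLLMENT_PORTS]
    dns_failed = [h for h in hosts if resolve(h) is None]

    targets = list(ENROLLMENT_PORTS)
    targets += [(h, API_PORT) for h in REGION_HOSTS[region] if h.startswith("srxapi.")]
    # Names that did not resolve are skipped here: a connect attempt would
    # fail for the wrong reason and hide the DNS finding.
    port_failed = [(h, p) for h, p in targets
                   if h not in dns_failed and not connect(h, p)]

    return {
        "dns_failed": dns_failed,
        "port_failed": port_failed,
        "ok": not dns_failed and not port_failed,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(preflight("us"), indent=2))
```

Run it with the realm the device is being enrolled in; an empty `dns_failed` and `port_failed` corresponds to steps 2, 5 and 6 passing, and a non-empty `dns_failed` should be fixed before looking at any port result.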
  7. When you enroll an SRX/vSRX Series device, the ops script installs two CA certificates: one for the client (SRX/vSRX) and one for the server (cloud). Client-side CA certificates are associated with serial numbers. Use the following CLI commands to view the device's certificate details and serial number:

        show security pki local-certificate
        show security pki ca-certificate
        show security pki crl detail
        show security pki local-certificate detail
    
  8. Verify that the advanced-anti-malware service is running on the firewall:

    show services advanced-anti-malware status

    Note: Ideally the output should look like this:

    root@srx> show services advanced-anti-malware status
    Server connection status:
      Server hostname: juniper.cloud.com
      Server port:     443
        Control Plane:
          Connection Time: 2017-05-25 02:30:20 UTC
          Connection Status: Connected
        Service Plane:
          fpc0
            Connection Active Number: 16
            Connection Failures : 41
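The status output in step 8 is what an engineer reads to decide which earlier step to revisit: the Control Plane block reflects the RE's connection, the Service Plane block the per-FPC (PFE) connections. The following parser is an added example, not from this KB article or from Juniper: it reads that output (captured from the CLI or an automation channel) into a dictionary and returns triage findings. `SAMPLE_STATUS` is a constructed copy of the healthy output above, and `SAMPLE_PFE_DOWN` a constructed variant in which the PFE has no working connection; the mapping of findings to step numbers is this example's own suggestion.

```python
"""Parser and triage for `show services advanced-anti-malware status`
(added example, not Juniper code)."""
import re
from typing import Dict, List, Optional

# Constructed sample matching the healthy output shown in step 8.
SAMPLE_STATUS = """\
Server connection status:
  Server hostname: juniper.cloud.com
  Server port:     443
    Control Plane:
      Connection Time: 2017-05-25 02:30:20 UTC
      Connection Status: Connected
    Service Plane:
      fpc0
        Connection Active Number: 16
        Connection Failures : 41
"""

# Constructed sample: RE is connected, but the PFE has no active
# connection (the situation step 4's PFE routing check is meant to catch).
SAMPLE_PFE_DOWN = """\
Server connection status:
  Server hostname: juniper.cloud.com
  Server port:     443
    Control Plane:
      Connection Time: 2019-10-30 10:00:00 UTC
      Connection Status: Connected
    Service Plane:
      fpc0
        Connection Active Number: 0
        Connection Failures : 120
"""


def _value(line: str) -> str:
    """Text after the first colon, e.g. 'Connection Failures : 41' -> '41'."""
    return line.split(":", 1)[1].strip()


def parse_aamw_status(text: str) -> Dict[str, object]:
    """Parse the CLI output into a plain dictionary."""
    status: Dict[str, object] = {
        "hostname": None, "port": None, "connection_time": None,
        "control_status": None, "fpcs": {},
    }
    fpcs: Dict[str, Dict[str, int]] = status["fpcs"]  # type: ignore[assignment]
    fpc: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Server hostname:"):
            status["hostname"] = _value(line)
        elif line.startswith("Server port:"):
            status["port"] = int(_value(line))
        elif line.startswith("Connection Time:"):
            status["connection_time"] = _value(line)
        elif line.startswith("Connection Status:"):
            status["control_status"] = _value(line)
        elif re.fullmatch(r"fpc\d+", line):
            fpc = line
            fpcs[fpc] = {"active": 0, "failures": 0}
        elif fpc and line.startswith("Connection Active Number"):
            fpcs[fpc]["active"] = int(_value(line))
        elif fpc and line.startswith("Connection Failures"):
            fpcs[fpc]["failures"] = int(_value(line))
    return status


def diagnose(status: Dict[str, object]) -> List[str]:
    """Return human-readable findings; an empty list means the output
    matches the healthy shape shown in the KB."""
    findings: List[str] = []
    if status["control_status"] != "Connected":
        findings.append(
            f"control plane is {status['control_status'] or 'absent'}: "
            "recheck DNS, time and RE routing (steps 2-4)")
    fpcs: Dict[str, Dict[str, int]] = status["fpcs"]  # type: ignore[assignment]
    if not fpcs:
        findings.append("no service-plane entries: check PFE routing (step 4)")
    for name, counters in fpcs.items():
        # A non-zero failure count beside active connections is normal; the
        # KB's own healthy sample shows 41 failures with 16 active. Only a
        # zero active count is treated as a problem.
        if counters["active"] == 0:
            findings.append(
                f"{name}: 0 active connections, {counters['failures']} failures: "
                "check PFE routing and port 443 reachability (steps 4-5)")
    return findings


if __name__ == "__main__":
    for label, sample in (("healthy", SAMPLE_STATUS), ("pfe down", SAMPLE_PFE_DOWN)):
        print(label, diagnose(parse_aamw_status(sample)) or ["no findings"])
```

Feed it the real command output instead of the samples; the findings point back at the step of this article to repeat, and an empty list with `control_status == "Connected"` matches the ideal output shown above.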

If all of the above checks pass and enrollment still fails, run the diagnostics and contact JTAC for further assistance.

Modification History:
2018-09-28: Updated fetch command syntax in step 6a.
2019-10-30: Updated available realms in Step 2, updated ping test servers in Step 4.