Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[Junos] VMHost software downgrade fails with certain NG-RE RE types that support Secure BIOS

0

0

Article ID: KB33942 KB Last Updated: 29 Mar 2019Version: 1.0
Summary:

On the Next Generation Routing Engine (NG-RE) for MX/PTX, there are some cases where the VMHost software downgrade fails on certain RE types that support Secure BIOS.

If the junos-vmhost-install image is installed with any release prior to Junos OS 17.4R1 on certain RE types (Secure BIOS), then the install will fail with a warning message. This is because the Secure BIOS SKU (Stock Keeping Unit) is not supported in Junos OS 17.3, but it is supported from Junos OS 17.4R1.

Symptoms:

Test Setup:

Both RE0 and RE1 have different FRU Model Numbers (RE0:Secure BIOS SKU and RE1:Legacy SKU).

RE   RE type       FRU Model Number
------------------------------------
RE0  RE-S-2X00x6   RE-S-X6-128G-S-S <------- Secure BIOS SKU
RE1  RE-S-2X00x6   RE-S-X6-64G-S    <------- Legacy BIOS SKU

 
User@mx-re0> show chassis hardware models
Hardware inventory:
Item             Version  Part number  Serial number     FRU model number
Midplane         REV 04   710-017414   TR1231            CHAS-BP-MX480-S
FPM Board        REV 02   710-017254   KC7193            CRAFT-MX480-S
PEM 1            Rev 05   740-029970   QCS1024U07B       PWR-MX480-2520-AC-S
PEM 2            Rev 05   740-029970   QCS1024U07R       PWR-MX480-2520-AC-S
Routing Engine 0 REV 05   750-072925   CALV3515          RE-S-X6-128G-S-S
Routing Engine 1 REV 15   750-054758   CAHS3001          RE-S-X6-64G-S

User@mx-re0> show chassis hardware detail
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                JN10B95A2AFB      MX480
Midplane         REV 04   710-017414   TR1231            MX480 Midplane
FPM Board        REV 02   710-017254   KC7193            Front Panel Display
PEM 1            Rev 05   740-029970   QCS1024U07B       PS 1.4-2.52kW; 90-264V AC in
PEM 2            Rev 05   740-029970   QCS1024U07R       PS 1.4-2.52kW; 90-264V AC in
Routing Engine 0 REV 05   750-072925   CALV3515          RE-S-2X00x6 <--- RE type
  vtbd0 17408 MB                                         Virtio Block Disk
  vtbd1 15360 MB                                         Virtio Block Disk
  ada0    511 MB  QEMU HARDDISK        QM00002           Emulated IDE Disk
  usb0 (addr 0.1) XHCI root HUB 0      0x8086            uhub0
Routing Engine 1 REV 15   750-054758   CAHS3001          RE-S-2X00x6  <-- RE type
  vtbd0 17408 MB                                         Virtio Block Disk
  vtbd1 15360 MB                                         Virtio Block Disk
  ada0    511 MB  QEMU HARDDISK        QM00002           Emulated IDE Disk
  usb0 (addr 0.1) XHCI root HUB 0      0x8086            uhub0

Test 1:

RE0 [RE-S-X6-128G-S-S:SB SKU] software downgrade from 18.2R1-S2.1 down to 17.3R1.10 fails with warning message.

--- JUNOS 18.2R1-S2.1 Kernel 64-bit  JNPR-11.0-20180816.8630ec5_buil
User@MX-re0> request vmhost software add /var/tmp/junos-vmhost-install-mx-x86-64-17.3R1.10.tgz no-validate
warning: Packages /var/tmp/junos-vmhost-install-mx-x86-64-17.3R1.10.tgz is not signed and can not be loaded on this RE, please try the supported version

Reason:  Secure BIOS SKU is not supported in 17.3.
 

Test 2:

RE0 [RE-S-X6-128G-S-S:SB SKU] software downgrade from 18.2R1-S2.1 down to 17.4R1.16 completes.

--- JUNOS 18.2R1-S2.1 Kernel 64-bit  JNPR-11.0-20180816.8630ec5_buil
User@MX-re0> request vmhost software add /var/tmp/junos-vmhost-install-mx-x86-64-17.4R1.16.tgz no-validate reboot
Verified junos-vmhost-install-mx-x86-64-17.4R1.16 signed by PackageProductionEc_2017 method ECDSA256+SHA256
Running downgrade actions...
Copied the config and other data to the aux disk.
Transfer junos-host-upgrade.sh
Transfer Done
Transfer /packages/db/pkginst.22246/junos-vmhost-install*.tgz
Transfer Done
Starting upgrade ...
Preparing for upgrade...
-- snip --

--- JUNOS 17.4R1.16 Kernel 64-bit  JNPR-11.0-20171206.f4cad52_buil
User@MX-re0>
 Reason: Secure BIOS SKU is supported in 17.4R1.
 

Test 3:

RE0 [E-S-X6-128G-S-S:SB SKU] software downgrade from 17.4R1.16 down to 17.3R1.10 fails with warning message.  

--- JUNOS 17.4R1.16 Kernel 64-bit  JNPR-11.0-20171206.f4cad52_buil
User@mx-re0> request vmhost software add /var/tmp/junos-vmhost-install-mx-x86-64-17.3R1.10.tgz
warning: Packages /var/tmp/junos-vmhost-install-mx-x86-64-17.3R1.10.tgz is not signed and can not be loaded on this RE, please try the supported version
Reason: Secure BIOS SKU is not supported in 17.3.
 

Test 4:

RE1 [RE-S-X6-64G-S:Legacy SKU] software downgrade from 18.2R1-S2.1 down to 17.3R1.10 completes.
Legacy BIOS SKU does not do any signature validation.

 
--- JUNOS 18.2R1-S2.1 Kernel 64-bit  JNPR-11.0-20180816.8630ec5_buil
User@MX-re1> request vmhost software add /var/tmp/junos-vmhost-install-mx-x86-64-17.3R1.10.tgz no-validate
Verified junos-vmhost-install-mx-x86-64-17.3R1.10 signed by PackageProductionEc_2017 method ECDSA256+SHA256
Copied the config and other data to the aux disk.
Transfer junos-host-upgrade.sh
Transfer Done
 
-- snip --

Upgrade complete.
Restore Last Known good BIOS..
Cmos Write successfull
Cmos Write successfull for Boot_retry
Cmos Write successfull for Boot_retry
0
... upgrade complete.
A REBOOT IS REQUIRED TO LOAD THIS SOFTWARE CORRECTLY.
Use the 'request vmhost reboot' command to reboot the system.

User@MX-re1>

Cause:

Secure BIOS SKU is supported with Junos OS 17.4R1 and later.

Solution:

Confirm the SKUs before performing the upgrade. The SKU can be identified using the FRU model number in the "show chassis hardware" output.

show chassis hardware clei-models
show chassis hardware models
show chassis hardware extensive

The following table details the different SKUs and their model number:

RE Type       Model Number       Description
--------------------------------------------
RE-S-2X00x6   RE-S-X6-64G-S      Legacy SKU
RE-S-2X00x6   RE-S-X6-128G       SB SKU
RE-S-2X00x8   RE-MX2008-X8-64G   Legacy SKU
RE-S-2X00x8   RE-MX2008-X8-128G  SB SKU
RE-S-2X00x8   REMX2K-X8-64G      Legacy SKU
RE-S-2X00x8   REMX2K-X8-128G     SB SKU
RE-PTX-2X00x8 RE-PTX-X8-64G-S    Legacy SKU
RE-PTX-2X00x8 RE-PTX-X8-128G     SB SKU

Notes:
  • The Legacy and SB SKUs use the same pkg (junos-vmhost-install-, which is signed) for upgrading.
  • The SB SKU will validate the signature as the Secure BIOS demands. 
  • The Legacy SKU does not consider the signature (even if its signed), as the legacy BIOS does not do any signature validation.
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search