Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[ScreenOS] Error 'The Device Was Unable to Reach the Entitlement Server to Retrieve License Keys' When Attempting to Update AV License



Article ID: KB6926 KB Last Updated: 07 Jul 2015Version: 7.0

This article explains this error message received when attempting to update AV license:

The device was unable to reach the entitlement server to retrieve license keys.



  • From the firewall, pings to IP addresses of hosts on the Internet were successful.

Symptoms and Errors:

  • From the firewall, when trying to update the AV (anti-virus) license, the following message was reported:  "The device was unable to reach the entitlement server to retrieve license keys."
  • After 4 hours could not retrieve subscription update
  • After 4 hours could not retrieve AV license key

The error "The device was unable to reach the entitlement server to retrieve license keys." is generated if DNS is not configured properly or if there is not a working Internet connection when attempting to update the antivirus (AV) license key. For information on how to configure DNS on a firewall device, go to KB4200 - Defining DNS Server Addresses and Scheduling Lookups .

note: If the time and time zone are not correct, the device may not be able to retrieve the license keys due to the expiration of the AV license.

If the DNS has been configured correctly on the firewall and yet the error comes up while trying to run the exec license-key update, one might need to check the validity of the certificates involved in the license-key update process on the firewall.

One might get the following message in the logs of debug pki detail while running the command exec license-key update, which confirms that the correct certificate is not loaded on the firewall.

## 2015-05-27 13:16:45 : No local authority configuration with D: CN=URL,CN=VeriSign Class 3 Secure Server CA - G3,OU=Terms of use at (c)10,OU=VeriSign Trus
## 2015-05-27 13:16:45 : per CA revocation resource not available.

The issue may be resolved after loading the corresponding certificate on the firewall. The certificate may be downloaded from the following link:

<<<< >>>

To load the certificate on the device, please follow these steps:

  1. Go to Objects --> Certificate --> Select Load --> Choose file
  2. Upload the certificate downloaded from the given link.

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search