Topic: ScreenOS 5.3r3 is out!!! (Read 28538 times)

vlho

ScreenOS 5.3r3 is out!!!
« on: March 28, 2006, 04:39:03 am »
yippee

signal15

Re: ScreenOS 5.3r3 is out!!!
« Reply #1 on: March 28, 2006, 11:58:18 am »
Correct me if I'm wrong, but isn't the r2 to r3 upgrade a minor one? I seem to remember something about a change in the way it pulled down AV data or licensing.

Are there more fixes than this?

Amorphous

Re: ScreenOS 5.3r3 is out!!!
« Reply #2 on: March 28, 2006, 03:21:59 pm »
6. Addressed Issues

The following sections identify which major bugs have been fixed in each release of ScreenOS 5.3.0.

6.1 Addressed Issues in ScreenOS 5.3.0r3

04092 When converting a policy to a set of rules, the ASIC sometimes used a conversion algorithm that created a different number of rules than had previously been generated for the same policy.

04221 (WebUI) The remove option did not remove a CA certificate.

04334 Setting traffic to a vsys had problems. Debugging the device would show traffic that was going to the vsys was incorrectly classified to the root vsys.

04457 A disabled IKE user could successfully connect through the VPN.

04522 Incoming mail did not pass through a MIP when AV was enabled.

04553 Occasionally, packets were not routed correctly even though they matched the session.


04819 An IGMP proxy to multiple host interfaces for the same group was disallowed.

04978 (WebUI) Antivirus information was incorrectly contained as Recent Event information.

05284 After a reboot, policy-based VPN tunnel, with SRC-NAT and DIP configured, was inactive due to an incorrectly set proxy-ID.

05471 The discard counter did not increment properly.

05515 The get service any CLI command displayed the default timeout value as one minute.

05733 In some cases, a track-ip ping response was lost.

05738 (WebUI) The Local Auth server timeout field was incorrectly limited to a three digit value when the value should have been four digits.

05903 A session failed when DI was enabled and the DI was unable to handle half-close state.

05981 (WebUI) An error occurred when deleting an aggregate interface or subinterface.

06161 (ISG-2000) In transparent mode, configuring a large number of policies resulted in a policy look up timeout and dropped packets.

06240 Source-based NAT did not occur on traffic from Trust to DMZ security zones.

06295 There was intermittent device failure due to policy database failure.

06297 In some cases, the RADIUS authentication over policy based tunnels stopped working.

06441 The antivirus option was unavailable when a policy was configured for multicell context.

06990 Corrupt mis-interpreted and mis-directed HA message caused the backup device to coredump and lose connectivity with the primary device.

06991 (NetScreen-50) Coredump and reboot occurred in an active/passive NSRP configuration, when secure-ID user inserted a long user name and password.

07059 DHCP requests from clients on untrust side of any NS device in X-mode acting as VPN initiator will be relayed to DHCP server behind the VPN responder through the VPN tunnel.

07101 DSCP marking for IPSec pass through traffic in route mode did not work properly on some platforms.

07132 Dial backup did not work (modem does not return dial) due to PPPLCP keepalives not being sent.

07133 Sometimes there were a few differences on SA's SPI between Master's SA and Backup's SA when running the NSRP hot-sync.

07177 After an IGMP configured subinterface had participated in multicast, it could no longer be deleted or assigned to the null zone.

07178 In some cases, IPSec sessions were not cleaned up in the session table resulting in VPN failure.

07217 Modifying or adding an L2TP policy corrupted the system configuration.

07218 (WebUI) When modifying a policy ID and adding a service of ICMP-any to the untrust to trust policy, the device reloaded with a software forced error.

07259 (NetScreen-200 Series) Sometimes a device failed due to an ALG cookie between MSRPC and H.323 because the NAT cookie allocation and free process were not protected.

07279 A message, indicating that there was a corrupted session, was displayed on the console every 5 to 10 minutes on a backup device in an active/passive NSRP configuration.

07295 The exec policy verify CLI command returned incorrect results.

07301 (NetScreen ISG-2000) When using slow speed links, latency caused fragmented packets to be re-assembled incorrectly in the device because small fragments arrived fast but large fragment takes too long.

07354 (NetScreen-5XT) Issues occurred when a device was upgraded from 4.0 to 5.3.


07402 (NetScreen-5GT) When a device was configured as a DHCP client and connected to DHCP Server A but was disconnected from DHCP server A and connected to DHCP server B on a different network, the system continued to try to renew its IP address with the older network to which it was previously connected.

07425 Under certain circumstances in an NSRP configuration, the device suddenly stopped forwarding traffic, and the ARP table was empty. The device was unable to ping other hosts. This problem also caused the NSRP configuration to not failover to the backup device.

07462 SSL based FTP server was inaccessible when AV was enabled on the policy.

07488 NetScreen-Security Manager returned an error when trying to set physical link-down of any interface on an ISG device.

07508 In some cases, during IKE negotiation, device failure occurred when the IP ID was generated.

07519 In an ECMP configuration, when devices were connected through more than one point-to-point physical link, OSPF advertised next-hop as 0.0.0.0 instead of the actual IP address.

07562 In some situations, when processing BGP updates, a second withdrawn message was sent 30s after the first withdrawn message.

07614 When multiple services were added to a policy, a hidden service group was created, members of which were the services attached to the policy. When a user removed the custom defined service, a hidden service group without a member was left. Under this circumstance, when a user tried to access a member, the device failed.

07623 Inter vsys routing was handled improperly.

07627 In a route based VPN multi-VR environment, the security device incorrectly performed a route lookup in the wrong VR.

07633 Out of order TCP packets caused a lot of TCP Seq check failed error messages. These messages led the debug buffer to fill up because the debugging capability was hindered.

07637 When an FTP client established the connection with an FTP server through the device, the device created a stand-alone FTP data session, but did not create FTP control sessions for the child session.

07660 Passive FTP traffic was translated incorrectly.

07661 Interface last_change attribute was sometimes displayed incorrectly and did not get updated when the interface state was changed to up.


07729 An ARP packet buffer was increased to improve performance.

07760 (WebUI) Having the same IP address for interface track IP & NSRP track-IP was not permitted.

07772 Internal mishandling of H.323 traffic caused device failure.

07803 While using Web Authentication, the vsys pointer for a secure-id path was set improperly, causing the response failure. This action resulted in a Web Auth failure inside a vsys.

07814 A device failure occurred when user configured the ninth DHCP server.

07816 In some cases, CPU utilization displayed a spike due to ARP aging out incorrectly.

07871 The device failed while handling ISAKMP packets with invalid and/or abnormal contents.

07884 (NetScreen-5200) The get log sys saved CLI command sometimes displayed trace dump on the device console.

07887 (NetScreen-25) The device failed to ping to a local interface due to failure in freeing the allocated net-pak and caused failure in getting ICMP response from local subnets.

07888 In some cases, outbound SIP calls caused device failure.

07931 The device passed traffic incorrectly when using address groups.

07964 In some cases, the device failed when issuing the debug flow CLI command.

07995 When a user upgraded from 5.1.0pw7.0 to 5.3, there were problems passing traffic to a VPN site behind a NAT firewall.

08032 Internal mishandling of RADIUS traffic caused device failure.

08053 (NetScreen-204) The unset nsrp vsd-group id 0 CLI command required that the device be reset if there was any interface assigned to the management zone.

08066 Unresolved unicast route had a missing null ptr check which caused device failure.

08073 An internal task incorrectly increased the CPU usage.

08077 A large number of VPN tunnels and traffic caused the device to fail.

08079 Dial Line remained open even though there was no interesting traffic as idle timer was reset every few seconds.

08080 (WebUI) When a user clicked the hangup button on the Modem-Trustee page, the serial interface was brought down. This button should only disconnect the modem, not bring down the interface.

08085 (WebUI) While entering a TCP port with a trailing blank into the custom service page, the firewall set the port to 0 without providing errors.

08109 The device accepted the default route on the serial interface through the PPP connection made which resulted in the leakage of data through the default route if no other route was available to send traffic.

08113 In some cases, the device management was delayed after about an hour.

08161 Syn cookie mechanism was working incorrectly on logical interfaces.

08164 Due to incorrect storage of buffer packet for reassembly, a device reset and displayed the console error "### No DIMM found on board ###".



08256 (NetScreen-5000 Series) The get flow CLI command incorrectly displayed that the rcp-rst-invalid session was unsupported.

08257 (NetScreen-5GT) Due to possible zero length option or EOL while processing TCP header options, the device performed a coredump on the console after downloading an image/file from any TFTP server.

08265 Overlapping UDP customer service port range with IKE port (UDP port 500) caused incorrect session timeout for IKE sessions.

08279 (WebUI) After configuring an Xauth local authentication user group, the CHAP Only was automatically selected and it was impossible to disable it.

08293 Sometimes an internal error page was displayed when a page was browsed with a zero byte content length and the connection was closed by the server.

TuomasK

Re: ScreenOS 5.3r3 is out!!!
« Reply #3 on: April 04, 2006, 08:23:03 am »
Hi all.

Does anyone have experiences from the 5.3r3? Any new bugs/features?
Is it stable, etc..

Thanks.

signal15

Re: ScreenOS 5.3r3 is out!!!
« Reply #4 on: April 04, 2006, 11:27:04 am »
I'm running it now and haven't noticed any issues. Multiple VPNs and OSPF running.

vlho

Re: ScreenOS 5.3r3 is out!!!
« Reply #5 on: April 04, 2006, 01:48:38 pm »
I updated over 10 boxes (NS-5GT) and so far all is OK.
VPN vs Traffic Shaping is also already good.
No crash, no unfounded reboot.

luder74

Re: ScreenOS 5.3r3 is out!!!
« Reply #6 on: April 05, 2006, 12:53:53 am »
Sounds like a good time to lab it before my deployment.

You have to wonder with a few of the bug fixes.

muppet

Re: ScreenOS 5.3r3 is out!!!
« Reply #7 on: April 06, 2006, 10:13:02 pm »
Edited: Someone was able to help me out - Thank you very much.

« Last Edit: April 10, 2006, 05:05:16 pm by muppet »

mwdmeyer

Re: ScreenOS 5.3r3 is out!!!
« Reply #8 on: April 07, 2006, 05:06:16 am »
I've been getting core dumps with 5.3.0r3 when I do a lot of changes via the web interface on my NS-5GT. I've since downgraded to 5.3.0r2 and all is fine.

luder74

Re: ScreenOS 5.3r3 is out!!!
« Reply #9 on: April 07, 2006, 06:08:46 am »
Thanks mwdmeyer.

Although it fixes a few issues I am having, if it is core dumping then I might pass on upgrading.

oldo

Re: ScreenOS 5.3r3 is out!!!
« Reply #10 on: April 07, 2006, 07:57:12 am »
I've upgraded a few 5GTs and 25/50s. I had some bad experience with 5.3r2 and r1. But this version works well as far as I can tell. Running with VoIP, VPN, etc. No dynamic routing though.
JNCIA-FW, JNCIA-AC, JNCIS-SSL, Ironport ICSP, xSeries Specialist,

muppet

Re: ScreenOS 5.3r3 is out!!!
« Reply #11 on: April 10, 2006, 05:04:49 pm »
I've also seen some weird errors (debugging core dumps according to the Juniper support site) that are now gone with r3. Doesn't seem to have done anything for my ADSL Line Drop problems, but I'm pretty sure this is just some weirdness between my Juniper box and the DSLAM.

luder74

Re: ScreenOS 5.3r3 is out!!!
« Reply #12 on: April 21, 2006, 12:47:42 am »
I killed 5.3.0r3.0 in 5 minutes flat.

Memory dump then reboot, over and over......

ggcc

Re: ScreenOS 5.3r3 is out!!!
« Reply #13 on: April 21, 2006, 06:30:33 pm »
Do you need to upgrade version 5.3.0-up-0 before 5.3.0r3.0 ???

luder74

Re: ScreenOS 5.3r3 is out!!!
« Reply #14 on: April 22, 2006, 03:46:33 am »
Not if you're running 5.3.0r2.0, but I am sure you have to with previous versions.

It's on the Juniper site, when you go to download the OS, what you have to do.

muppet

Re: ScreenOS 5.3r3 is out!!!
« Reply #15 on: April 22, 2006, 03:52:35 am »
I upgraded from the factory 5.0.0r6 to 5.3.0r2 with no problems and then it was just a step up.

But that doesn't seem to match the release notes, maybe I was just lucky?

sebastan_bach

Re: ScreenOS 5.3r3 is out!!!
« Reply #16 on: April 23, 2006, 05:14:58 am »
Does anyone have the ScreenOS 5.3.0r3 for NS-500?

sebastan

luder74

Re: ScreenOS 5.3r3 is out!!!
« Reply #17 on: April 23, 2006, 07:20:30 pm »
There is also a nasty bug: when the IKE gateway IP configured learns the same route via a routing protocol, it makes the NS go into a loop and simply dump its memory contents and reboot itself.

sebastan_bach

Re: ScreenOS 5.3r3 is out!!!
« Reply #18 on: April 24, 2006, 06:26:14 am »
I feel NetScreen should stabilise its ScreenOS and should be like Cisco PIX IOS, which is filled with bugs in it. They almost released 6 revisions of the new IOS in 3 to 4 months with no new features but just clearing up bugs.

sebastan

luder74

Re: ScreenOS 5.3r3 is out!!!
« Reply #19 on: May 03, 2006, 06:48:12 pm »
5.3.0r4.0 is about to be released.

The 5.1+ series has been riddled with bugs.