[AusNOG] Older Juniper J series routers - time bomb

Tom Storey tom at snnap.net
Thu Apr 3 20:05:15 EST 2014


Not so much of a "fix" it seems.

For anyone that is interested, Juniper provided me with a solution
which is genius if still a little hacky.

They suggest:

1. Deactivate existing NTP configuration
2. Set date back ~10 years

root> set date 200403250000.00

3. Disable sw -> hw time sync (incl. at boot time via rc script)

root% sysctl -w machdep.disable_rtc_set=1
root% touch /cf/etc/rc.custom
root% chmod +x /cf/etc/rc.custom
root% echo "sysctl -w machdep.disable_rtc_set=1" > /cf/etc/rc.custom
root% cat /cf/etc/rc.custom

4. Re-activate NTP configuration
5. Reboot (doesn't seem strictly necessary, but maybe worthwhile as a test)

So basically you're setting the hw clock back ~10 years which allows
the FPC to come online. You disable sw -> hw time sync so even when
running NTP, if the device reboots the hw clock is still in the past,
the FPC will come online because the certificate is still valid, and
then NTP will update the time on the box to the present.

Hope that helps someone else out there.

On 28 March 2014 22:46, Tom Storey <tom at snnap.net> wrote:
> Juniper have released a fix.
>
> http://kb.juniper.net/InfoCenter/index?page=content&id=TSB16366
>
> I've applied it to my J2300 running 9.3r4.4, and waiting patiently for
> my FPC to come back...
>
> On 27 March 2014 16:57, Tom Storey <tom at snnap.net> wrote:
>> Perusing the j-nsp list I came across this thread:
>>
>> http://www.gossamer-threads.com/lists/nsp/juniper/50450
>>
>> If you're running any older J series (i.e. x300), or were thinking of
>> digging them out to use for some purpose, you might be in for a
>> slightly rude shock.
>>
>> Otherwise it's a "sad" thing to see. I have a J2300 in my lab at home
>> which works great in such a role, it would be a shame to have to ditch
>> it due to an expired certificate.
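The step 3 commands from the thread, recast as an added example script (not from the thread, and not Juniper's code) that stages the rc.custom file on a path you pass in, so it can be dry-run on any POSIX host before being applied on the router. It assumes, as the thread does, that this JunOS build executes /cf/etc/rc.custom at boot and that machdep.disable_rtc_set is the sysctl name; the function names and the verification step are this example's own. Unlike the single `echo >` in the thread it appends the line only when it is missing, so existing rc.custom content is kept and re-running does not duplicate it.

```shell
#!/bin/sh
# Added example, not part of the thread: stage and verify the rc.custom
# script from step 3 on an explicit path (e.g. /cf/etc/rc.custom on the
# router, or a scratch file on a workstation for a dry run).
# Assumption (from the thread): the boot sequence runs /cf/etc/rc.custom and
# the sysctl name is machdep.disable_rtc_set.

RC_LINE='sysctl -w machdep.disable_rtc_set=1'

# stage_rc_custom PATH
# Creates PATH if it does not exist, appends RC_LINE only when it is absent
# (so the file stays idempotent and any prior content survives), and marks
# the file executable as the thread's chmod +x does.
stage_rc_custom() {
    path=$1
    [ -f "$path" ] || : > "$path"
    if ! grep -Fqx "$RC_LINE" "$path"; then
        printf '%s\n' "$RC_LINE" >> "$path"
    fi
    chmod +x "$path"
}

# rc_line_count PATH
# Prints how many times RC_LINE appears as a whole line (0 if PATH is missing).
rc_line_count() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -Fcx "$RC_LINE" "$1" || true
}

# verify_rc_custom PATH
# Returns 0 when PATH is executable and contains RC_LINE exactly once,
# 1 otherwise; run this before the reboot in step 5 to catch a typo or a
# file that was created but left non-executable.
verify_rc_custom() {
    path=$1
    [ -x "$path" ] || return 1
    [ "$(rc_line_count "$path")" -eq 1 ]
}

# Usage on the router (as root): sh stage_rc_custom.sh /cf/etc/rc.custom
# Dry run elsewhere:             sh stage_rc_custom.sh /tmp/rc.custom
# With no argument the script only defines the functions and exits quietly.
if [ $# -gt 0 ]; then
    target=$1
    stage_rc_custom "$target"
    if verify_rc_custom "$target"; then
        echo "staged: $target"
        cat "$target"
    else
        echo "verification failed for $target" >&2
        exit 1
    fi
fi
```

The script only stages the boot-time hook; the live `sysctl -w` from step 3 and the `set date` from step 2 are still run by hand in the order the thread gives. Worth keeping in mind when adopting this: the hardware clock now stays about ten years in the past on purpose, so anything that reads the RTC before NTP has converged after a reboot (early boot log timestamps, or any other certificate check that runs before NTP) will see 2004, not the present.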
