[AusNOG] Older Juniper J series routers - time bomb
Jonathan Thorpe
jthorpe at Conexim.com.au
Fri Mar 28 10:15:44 EST 2014
Hi All,
I wonder if this affects the last generation of J-Series (x350) before Juniper came out with the SRX?
I have a couple of J-4350s (and also some J-6350s, not currently powered on) running in a lab environment that run a rather antiquated 10.0R3.10 release and they appear to be running fine. The certificates in /etc/db/certs/ all show the same expiry date that was mentioned in the post and the time/date is correct, however "show system license" doesn't show any errors regarding the certificates, it just shows:
---
License usage: none
Licenses installed: none
---
I know for a fact that these routers never had any additional licenses installed, so that looks normal to me.
One of the posts mentioned that "When the J-series was initially released, there were order numbers that came with some ports software-disabled, and you could pay for a key to enter to unlock the additional ports. It looks like the certificate used to check the keys has expired."
To the best of my knowledge, the last of the J-Series didn't have restrictions on activated ports so they may therefore be unaffected.
What does worry me slightly is that MX-series routers do rely on licenses and on a couple I have in production, all have license files that show expired certificates. These are running fine and "show system license" shows everything I'd expect.
Kind Regards,
Jonathan
-----Original Message-----
From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Matt Palmer
Sent: Friday, 28 March 2014 7:44 AM
To: ausnog at lists.ausnog.net
Subject: Re: [AusNOG] Older Juniper J series routers - time bomb
On Thu, Mar 27, 2014 at 05:57:40PM +0100, Tom Storey wrote:
> Perusing the j-nsp list I came across this thread:
>
> http://www.gossamer-threads.com/lists/nsp/juniper/50450
>
> If you're running any older J series (i.e. x300), or were thinking of
> digging them out to use for some purpose, you might be in for a
> slightly rude shock.
>
> Otherwise it's a "sad" thing to see. I have a J2300 in my lab at home
> which works great in such a role, it would be a shame to have to ditch
> it due to an expired certificate.
I really hope someone with a bit of money and an evil gleam in their eye decides to take Juniper to task for this. I'm fairly certain that hard-coding a drop-dead date into your devices would be frowned upon by the courts.
- Matt