Memorise

Debugging a Site to Site VPN on a Juniper SRX series

Within this article we will look at the various steps required in debugging a Site to Site VPN on an SRX series gateway.

1. CONFIRM CONFIGURATION

First of all, check the VPN configuration. This is also useful if and when you need to confirm the Phase 1 and Phase 2 parameters with the remote end.

admin@srx> show configuration security ike
admin@srx> show configuration security ipsec

2. CONFIRM PHASE 1

To confirm the successful completion of Phase 1 run the following command. If Phase 1 fails to complete revisit your Phase 1 parameters using the commands shown in Section 1.

admin@srx> show security ike security-associations
node1:
————————————————————————–
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
6950    [LOCAL PEER IP]  UP     33204fba87663d94  70acacd5f938f89b  Main

3. CONFIRM PHASE 2

To confirm the successful completion of Phase 2 run the following command. If Phase 2 fails to complete, revisit your Phase 2 parameters using the commands shown in Section 1.

admin@srx> show security ipsec security-associations
node1:
————————————————————————–
Total active tunnels: 2
ID    Gateway          Port  Algorithm       SPI      Life:sec/kb  Mon vsys
<131073 [LOCAL PEER IP] 500   ESP:aes-128/sha1 4fb2c1cc 2041/ unlim  –   root
>131073 [LOCAL PEER IP] 500   ESP:aes-128/sha1 3e576ead 2041/ unlim  –   root

If Phase 2 has completed you can confirm further details on each of the SAs (Security Associations) by using the SA index.

admin@srx> show security ipsec security-associations index 131073
node1:
————————————————————————–
Virtual-system: root
Local Gateway: [REMOTE PEER IP], Remote Gateway: [LOCAL PEER IP]
Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
DF-bit: clear
Direction: inbound, SPI: 4fb2c1cc, AUX-SPI: 0, VPN Monitoring: –
Hard lifetime: Expires in 2028 seconds
Lifesize Remaining:  Unlimited
Soft lifetime: Expires in 1448 seconds
Mode: tunnel, Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
Anti-replay service: counter-based enabled, Replay window size: 64

Direction: outbound, SPI: 3e576ead, AUX-SPI: 0, VPN Monitoring: –
Hard lifetime: Expires in 2028 seconds
Lifesize Remaining:  Unlimited
Soft lifetime: Expires in 1448 seconds
Mode: tunnel, Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
Anti-replay service: counter-based enabled, Replay window size: 64

4. IPSEC STATISTICS

To confirm statistics based on the Phase 2 SA run the following command. The output will contain a number of counters. The most interesting of these (for troubleshooting purposes) are the Encrypted and Decrypted counters.

admin@srx> show security ipsec statistics index 131073
node1:
————————————————————————–
ESP Statistics:
Encrypted bytes:        133593600
Decrypted bytes:       1128704777
Encrypted packets:         923864
Decrypted packets:        1438716
AH Statistics:
Input bytes:                    0
Output bytes:                   0
Input packets:                  0
Output packets:                 0
Errors:
AH authentication failures: 0, Replay errors: 1021
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
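
As an added example (not part of the original article), the following Python script parses the Phase 1 SA listing and the IPsec statistics shown above and maps the counters to the troubleshooting conclusions of this article. The sample input is constructed from the listings above, with the [LOCAL PEER IP] placeholder replaced by the documentation address 192.0.2.1.

```python
import re

# Constructed sample input, copied from the CLI listings in this article
# with the [LOCAL PEER IP] placeholder replaced by a documentation address.
IKE_SA_OUTPUT = """\
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
6950    192.0.2.1       UP     33204fba87663d94  70acacd5f938f89b  Main
"""

IPSEC_STATS_OUTPUT = """\
ESP Statistics:
Encrypted bytes:        133593600
Decrypted bytes:       1128704777
Encrypted packets:         923864
Decrypted packets:        1438716
AH Statistics:
Input bytes:                    0
Output bytes:                   0
Input packets:                  0
Output packets:                 0
Errors:
AH authentication failures: 0, Replay errors: 1021
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
"""


def parse_ike_sas(text):
    """Map remote peer address -> Phase 1 state from the IKE SA listing."""
    sas = {}
    for line in text.splitlines():
        m = re.match(r"^\d+\s+(\S+)\s+(UP|DOWN)\s+", line)
        if m:
            sas[m.group(1)] = m.group(2)
    return sas


def parse_ipsec_stats(text):
    """Flatten the statistics output into {counter name: int}; one line may
    carry several comma-separated 'Name: value' pairs (see the Errors block)."""
    counters = {}
    for line in text.splitlines():
        for name, value in re.findall(r"([A-Za-z ]+?):\s*(\d+)", line):
            counters[name.strip()] = int(value)
    return counters


def triage(ike_sas, stats, peer):
    """Turn the counters into the conclusions a manual check would reach."""
    findings = []
    if ike_sas.get(peer) != "UP":
        findings.append("Phase 1 not UP: recheck the IKE parameters (Section 1)")
        return findings
    enc = stats.get("Encrypted packets", 0)
    dec = stats.get("Decrypted packets", 0)
    if enc and not dec:
        findings.append("encrypting but never decrypting: no return traffic from the remote peer")
    if dec and not enc:
        findings.append("decrypting but never encrypting: local traffic is not routed into the tunnel")
    if stats.get("ESP authentication failures", 0) or stats.get("ESP decryption failures", 0):
        findings.append("ESP authentication/decryption failures: Phase 2 keys or algorithms disagree")
    replay = stats.get("Replay errors", 0)
    if replay:
        findings.append(f"{replay} replay errors: packets arrived outside the anti-replay window "
                        "(reordering or duplication on the path)")
    return findings


if __name__ == "__main__":
    stats = parse_ipsec_stats(IPSEC_STATS_OUTPUT)
    for finding in triage(parse_ike_sas(IKE_SA_OUTPUT), stats, "192.0.2.1"):
        print(finding)
```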

5. PERFORM DEBUG (TRAFFIC)

If Phase 1 and Phase 2 are both establishing but traffic is still not passing the VPN tunnel, a packet-filter traffic debug of the tunnel will provide further granularity into each of the steps the packet takes.

admin@srx> configure
admin@srx# edit security flow traceoptions

[edit security flow traceoptions]
admin@srx# set file vpn-debug
admin@srx# set flag basic-datapath
admin@srx# set flag packet-drops
admin@srx# set level 15

admin@srx# set packet-filter filter1 source-prefix [LOCAL PEER IP]
admin@srx# set packet-filter filter1 destination-prefix [REMOTE PEER IP]
admin@srx# set packet-filter filter1 protocol esp
admin@srx# set packet-filter filter2 destination-prefix [LOCAL PEER IP]
admin@srx# set packet-filter filter2 source-prefix [REMOTE PEER IP]
admin@srx# set packet-filter filter2 protocol esp

admin@srx# set packet-filter filter3 destination-prefix [INTERNAL SERVER IP]
admin@srx# set packet-filter filter3 destination-port ssh
admin@srx# set packet-filter filter3 protocol tcp
admin@srx# set packet-filter filter4 source-prefix [INTERNAL SERVER IP]
admin@srx# set packet-filter filter4 source-port ssh
admin@srx# set packet-filter filter4 protocol tcp

admin@srx# commit

admin@srx# run show log vpn-debug

6. PERFORM DEBUG (CRYPTO)

To debug the crypto side (the IKE and IPsec processes), run the following commands.

admin@srx> configure
admin@srx# edit security ike traceoptions

[edit security ike traceoptions]
admin@srx# set file vpn-debug-ike
admin@srx# set flag all
admin@srx# set level 15
admin@srx# top

[edit]
admin@srx# edit security ipsec traceoptions

[edit security ipsec traceoptions]
admin@srx# set file vpn-debug-ipsec
admin@srx# set flag all
admin@srx# set level 15
admin@srx# top

[edit]
admin@srx# commit

admin@srx# run show log vpn-debug-ike
admin@srx# run show log vpn-debug-ipsec

7. ADDITIONAL

A useful tip when viewing the debug logs is to tail the file from the shell whilst also removing the empty lines. This a) makes it easier to read and b) (as long as your SSH client's scrollback buffer is configured correctly) allows you to go back over previous output should the debug log reach its maximum size.

root@srx100> start shell
root@srx100% tail -f /var/log/[logfile] | grep -Ev '^$'


Cannot access the HTTPS management interface of a Juniper SSG via Chrome (error code: ERR_SSL_VERSION_OR_CIPHER_MISMATCH)

A secure connection cannot be established because this site uses an unsupported protocol.
Error code: ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Resolution 1:
1. Go to chrome://flags from the address bar.
2. Find "Minimum SSL/TLS version supported".
3. Select the "SSLv3" option.

Resolution 2:
Log in to the ScreenOS Web UI
1. Go to Configuration/Admin/Management
2. Change Cipher to DES-SHA1 / 3DES-SHA1
3. Apply

Excel formulas not updating

Symptoms: The value returned by your Excel formula does not update automatically, i.e. the formula continues to show the old value even after you’ve changed the values of the dependent cells.

When Excel formulas are not updating automatically, most likely it's because the Calculation setting has been changed to Manual instead of Automatic. To fix this, just set the Calculation option to Automatic again.

On the Excel ribbon, go to the Formulas tab > Calculation group, click the Calculation Options button, and select Automatic. For Excel formulas to update automatically, 'Automatic' must be enabled under Calculation Options.

Alternatively, you can change this setting in Excel Options:

  • In Excel 2003, click Tools > Options > Calculation > Calculation > Automatic.
  • In Excel 2007, click Office button > Excel Options > Formulas > Workbook Calculation > Automatic.
  • In Excel 2010, Excel 2013, and Excel 2016, go to File > Options > Formulas > Calculation options section, and select Automatic under Workbook Calculation.

Another way to turn on the Automatic Calculation setting.


Unable to open ILO3 with TLS 1.2

In this case I was unable to connect to iLO3 on an HP DL380 G7 with Internet Explorer 11 from a Windows 8.1 client workstation. The iLO firmware version was 1.20. Starting from Windows 8.1 and Internet Explorer 11, all TLS protocol versions are enabled and supported by default.

iLO was not falling back to a lower version of TLS when TLS 1.2 was selected. After unselecting TLS 1.2 in Internet Explorer 11, I was able to connect to the iLO interface. This issue was resolved in a later version of the iLO firmware, so after patching the server with the latest iLO firmware I was able to connect to the iLO3 interface using Internet Explorer 11 with TLS 1.2 selected.


Subnet Mask Cheat Sheet

IPv4 Subnet Mask Cheat Sheet


Prefix  Addresses   Netmask          Amount of a Class C
/31     2           255.255.255.254  1/128
/30     4           255.255.255.252  1/64
/29     8           255.255.255.248  1/32
/28     16          255.255.255.240  1/16
/27     32          255.255.255.224  1/8
/26     64          255.255.255.192  1/4
/25     128         255.255.255.128  1/2
/24     256         255.255.255.0    1
/23     512         255.255.254.0    2
/22     1024        255.255.252.0    4
/21     2048        255.255.248.0    8
/20     4096        255.255.240.0    16
/19     8192        255.255.224.0    32
/18     16384       255.255.192.0    64
/17     32768       255.255.128.0    128
/16     65536       255.255.0.0      256
/15     131072      255.254.0.0      512
/14     262144      255.252.0.0      1024
/13     524288      255.248.0.0      2048
/12     1048576     255.240.0.0      4096
/11     2097152     255.224.0.0      8192
/10     4194304     255.192.0.0      16384
/9      8388608     255.128.0.0      32768
/8      16777216    255.0.0.0        65536

Guide to IPv4 subnets

/25 — 2 Subnets — 126 Hosts/Subnet

Network # IP Range Broadcast
.0 .1-.126 .127
.128 .129-.254 .255

/30 — 64 Subnets — 2 Hosts/Subnet

Network # IP Range Broadcast
.0 .1-.2 .3
.4 .5-.6 .7
.8 .9-.10 .11
.12 .13-.14 .15
.16 .17-.18 .19
.20 .21-.22 .23
.24 .25-.26 .27
.28 .29-.30 .31
.32 .33-.34 .35
.36 .37-.38 .39
.40 .41-.42 .43
.44 .45-.46 .47
.48 .49-.50 .51
.52 .53-.54 .55
.56 .57-.58 .59
.60 .61-.62 .63
.64 .65-.66 .67
.68 .69-.70 .71
.72 .73-.74 .75
.76 .77-.78 .79
.80 .81-.82 .83
.84 .85-.86 .87
.88 .89-.90 .91
.92 .93-.94 .95
.96 .97-.98 .99
.100 .101-.102 .103
.104 .105-.106 .107
.108 .109-.110 .111
.112 .113-.114 .115
.116 .117-.118 .119
.120 .121-.122 .123
.124 .125-.126 .127
.128 .129-.130 .131
.132 .133-.134 .135
.136 .137-.138 .139
.140 .141-.142 .143
.144 .145-.146 .147
.148 .149-.150 .151
.152 .153-.154 .155
.156 .157-.158 .159
.160 .161-.162 .163
.164 .165-.166 .167
.168 .169-.170 .171
.172 .173-.174 .175
.176 .177-.178 .179
.180 .181-.182 .183
.184 .185-.186 .187
.188 .189-.190 .191
.192 .193-.194 .195
.196 .197-.198 .199
.200 .201-.202 .203
.204 .205-.206 .207
.208 .209-.210 .211
.212 .213-.214 .215
.216 .217-.218 .219
.220 .221-.222 .223
.224 .225-.226 .227
.228 .229-.230 .231
.232 .233-.234 .235
.236 .237-.238 .239
.240 .241-.242 .243
.244 .245-.246 .247
.248 .249-.250 .251
.252 .253-.254 .255

/26 — 4 Subnets — 62 Hosts/Subnet

Network # IP Range Broadcast
.0 .1-.62 .63
.64 .65-.126 .127
.128 .129-.190 .191
.192 .193-.254 .255

/27 — 8 Subnets — 30 Hosts/Subnet

Network # IP Range Broadcast
.0 .1-.30 .31
.32 .33-.62 .63
.64 .65-.94 .95
.96 .97-.126 .127
.128 .129-.158 .159
.160 .161-.190 .191
.192 .193-.222 .223
.224 .225-.254 .255

/28 — 16 Subnets — 14 Hosts/Subnet

Network # IP Range Broadcast
.0 .1-.14 .15
.16 .17-.30 .31
.32 .33-.46 .47
.48 .49-.62 .63
.64 .65-.78 .79
.80 .81-.94 .95
.96 .97-.110 .111
.112 .113-.126 .127
.128 .129-.142 .143
.144 .145-.158 .159
.160 .161-.174 .175
.176 .177-.190 .191
.192 .193-.206 .207
.208 .209-.222 .223
.224 .225-.238 .239
.240 .241-.254 .255

/29 — 32 Subnets — 6 Hosts/Subnet

Network # IP Range Broadcast
.0 .1-.6 .7
.8 .9-.14 .15
.16 .17-.22 .23
.24 .25-.30 .31
.32 .33-.38 .39
.40 .41-.46 .47
.48 .49-.54 .55
.56 .57-.62 .63
.64 .65-.70 .71
.72 .73-.78 .79
.80 .81-.86 .87
.88 .89-.94 .95
.96 .97-.102 .103
.104 .105-.110 .111
.112 .113-.118 .119
.120 .121-.126 .127
.128 .129-.134 .135
.136 .137-.142 .143
.144 .145-.150 .151
.152 .153-.158 .159
.160 .161-.166 .167
.168 .169-.174 .175
.176 .177-.182 .183
.184 .185-.190 .191
.192 .193-.198 .199
.200 .201-.206 .207
.208 .209-.214 .215
.216 .217-.222 .223
.224 .225-.230 .231
.232 .233-.238 .239
.240 .241-.246 .247
.248 .249-.254 .255


IPv6 Subnet Cheat Sheet

IPv6 is a completely different animal as far as subnetting goes. Note the annotated rows, as each has a special common use. If there is nothing in the "Amount of a /64" column, the value is too minuscule or too massive to justify calculating. Not much is the same in IPv6 compared with IPv4. Route aggregation and purpose-driven subnetting are things every enterprise IPv6 deployment will make use of, or it will fail miserably.


Prefix  Addresses  Amount of a /64  Note
/128  1  -
/127  2  -
/126  4  -
/125  8  -
/124  16  -
/123  32  -
/122  64  -
/121  128  -
/120  256  -
/119  512  -
/118  1,024  -
/117  2,048  -
/116  4,096  -
/115  8,192  -
/114  16,384  -
/113  32,768  -
/112  65,536  -
/111  131,072  -
/110  262,144  -
/109  524,288  -
/108  1,048,576  -
/107  2,097,152  -
/106  4,194,304  -
/105  8,388,608  -
/104  16,777,216  -  This is equivalent to an IPv4 Internet or IPv4 /8
/103  33,554,432  -
/102  67,108,864  -
/101  134,217,728  -
/100  268,435,456  -
/99  536,870,912  -
/98  1,073,741,824  -
/97  2,147,483,648  -
/96  4,294,967,296  -
/95  8,589,934,592  -
/94  17,179,869,184  -
/93  34,359,738,368  -
/92  68,719,476,736  -
/91  137,438,953,472  -
/90  274,877,906,944  -
/89  549,755,813,888  -
/88  1,099,511,627,776  -
/87  2,199,023,255,552  1/8,388,608
/86  4,398,046,511,104  1/4,194,304
/85  8,796,093,022,208  1/2,097,152
/84  17,592,186,044,416  1/1,048,576
/83  35,184,372,088,832  1/524,288
/82  70,368,744,177,664  1/262,144
/81  140,737,488,355,328  1/131,072
/80  281,474,976,710,656  1/65,536
/79  562,949,953,421,312  1/32,768
/78  1,125,899,906,842,620  1/16,384
/77  2,251,799,813,685,240  1/8,192
/76  4,503,599,627,370,490  1/4,096
/75  9,007,199,254,740,990  1/2,048
/74  18,014,398,509,481,900  1/1,024
/73  36,028,797,018,963,900  1/512
/72  72,057,594,037,927,900  1/256
/71  144,115,188,075,855,000  1/128
/70  288,230,376,151,711,000  1/64
/69  576,460,752,303,423,000  1/32
/68  1,152,921,504,606,840,000  1/16
/67  2,305,843,009,213,690,000  1/8
/66  4,611,686,018,427,380,000  1/4
/65  9,223,372,036,854,770,000  1/2
/64  18,446,744,073,709,500,000  1  This is the standard end user allocation
/63  36,893,488,147,419,100,000  2
/62  73,786,976,294,838,200,000  4
/61  147,573,952,589,676,000,000  8
/60  295,147,905,179,352,000,000  16
/59  590,295,810,358,705,000,000  32
/58  1,180,591,620,717,410,000,000  64
/57  2,361,183,241,434,820,000,000  128
/56  4,722,366,482,869,640,000,000  256
/55  9,444,732,965,739,290,000,000  512
/54  18,889,465,931,478,500,000,000  1,024
/53  37,778,931,862,957,100,000,000  2,048
/52  75,557,863,725,914,300,000,000  4,096
/51  151,115,727,451,828,000,000,000  8,192
/50  302,231,454,903,657,000,000,000  16,384
/49  604,462,909,807,314,000,000,000  32,768
/48  1,208,925,819,614,620,000,000,000  65,536  This is the standard business allocation
/47  2,417,851,639,229,250,000,000,000  131,072
/46  4,835,703,278,458,510,000,000,000  262,144
/45  9,671,406,556,917,030,000,000,000  524,288
/44  19,342,813,113,834,000,000,000,000  1,048,576
/43  38,685,626,227,668,100,000,000,000  2,097,152
/42  77,371,252,455,336,200,000,000,000  4,194,304
/41  154,742,504,910,672,000,000,000,000  8,388,608
/40  309,485,009,821,345,000,000,000,000  16,777,216
/39  618,970,019,642,690,000,000,000,000  33,554,432
/38  1,237,940,039,285,380,000,000,000,000  67,108,864
/37  2,475,880,078,570,760,000,000,000,000  134,217,728
/36  4,951,760,157,141,520,000,000,000,000  268,435,456
/35  9,903,520,314,283,040,000,000,000,000  536,870,912
/34  19,807,040,628,566,000,000,000,000,000  1,073,741,824
/33  39,614,081,257,132,100,000,000,000,000  2,147,483,648
/32  79,228,162,514,264,300,000,000,000,000  4,294,967,296  This is the standard ISP allocation
/31  158,456,325,028,528,000,000,000,000,000  8,589,934,592
/30  316,912,650,057,057,000,000,000,000,000  17,179,869,184
/29  633,825,300,114,114,000,000,000,000,000  34,359,738,368
/28  1,267,650,600,228,220,000,000,000,000,000  68,719,476,736
/27  2,535,301,200,456,450,000,000,000,000,000  -
/26  5,070,602,400,912,910,000,000,000,000,000  -
/25  10,141,204,801,825,800,000,000,000,000,000  -
/24  20,282,409,603,651,600,000,000,000,000,000  -
/23  40,564,819,207,303,300,000,000,000,000,000  -
/22  81,129,638,414,606,600,000,000,000,000,000  -
/21  162,259,276,829,213,000,000,000,000,000,000  -
/20  324,518,553,658,426,000,000,000,000,000,000  -
/19  649,037,107,316,853,000,000,000,000,000,000  -
/18  1,298,074,214,633,700,000,000,000,000,000,000  -
/17  2,596,148,429,267,410,000,000,000,000,000,000  -
/16  5,192,296,858,534,820,000,000,000,000,000,000  -
/15  10,384,593,717,069,600,000,000,000,000,000,000  -
/14  20,769,187,434,139,300,000,000,000,000,000,000  -
/13  41,538,374,868,278,600,000,000,000,000,000,000  -
/12  83,076,749,736,557,200,000,000,000,000,000,000  -
/11  166,153,499,473,114,000,000,000,000,000,000,000  -
/10  332,306,998,946,228,000,000,000,000,000,000,000  -
/9  664,613,997,892,457,000,000,000,000,000,000,000  -
/8  1,329,227,995,784,910,000,000,000,000,000,000,000  -
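
As an added example (not part of the original cheat sheet), the following Python code generates the rows of the IPv4 cheat sheet, the per-subnet network/host/broadcast ranges of the "Guide to IPv4 subnets", and the "Amount of a /64" column of the IPv6 sheet, using only the standard library. It computes the IPv6 figures exactly, whereas the large values in the sheet above are rounded (2^50 is 1,125,899,906,842,624, not ...620); the base network 192.0.2.0/24 is a constructed documentation prefix.

```python
import ipaddress


def ipv4_cheat_row(prefix):
    """Return (addresses, netmask, amount of a Class C) for an IPv4 prefix
    length, i.e. one row of the IPv4 cheat sheet; a Class C is a /24 of 256."""
    addresses = 2 ** (32 - prefix)
    netmask = str(ipaddress.IPv4Network((0, prefix)).netmask)
    amount = str(addresses // 256) if addresses >= 256 else f"1/{256 // addresses}"
    return addresses, netmask, amount


def subnet_ranges(prefix, base="192.0.2.0/24"):
    """Carve a /24 into /prefix subnets and return, per subnet, the last octet
    of (network, first host, last host, broadcast), as in the subnet guide.
    The default base is a constructed documentation prefix."""
    rows = []
    for net in ipaddress.ip_network(base).subnets(new_prefix=prefix):
        hosts = list(net.hosts())          # excludes network and broadcast
        rows.append((int(net.network_address) & 0xFF,
                     int(hosts[0]) & 0xFF,
                     int(hosts[-1]) & 0xFF,
                     int(net.broadcast_address) & 0xFF))
    return rows


def ipv6_cheat_row(prefix):
    """Return (addresses, amount of a /64) for an IPv6 prefix length, exactly.
    The amount is formatted like the sheet: whole /64s, or a 1/N fraction."""
    addresses = 2 ** (128 - prefix)
    if prefix <= 64:
        amount = f"{2 ** (64 - prefix):,}"     # number of /64s in this block
    else:
        amount = f"1/{2 ** (prefix - 64):,}"   # fraction of a single /64
    return addresses, amount


if __name__ == "__main__":
    for p in range(31, 7, -1):
        print("/%d" % p, *ipv4_cheat_row(p))
    for row in subnet_ranges(27):
        print(".%d .%d-.%d .%d" % row)
    print("/48", "{:,}".format(ipv6_cheat_row(48)[0]), ipv6_cheat_row(48)[1])
```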


SRX300 usb serial console driver

Please check if the USB console driver available on the below link works for you.

http://www.juniper.net/support/downloads/?p=srx550#sw

Please follow the below link to set this up.

http://www.juniper.net/techpubs/en_US/release-independent/junos/topics/task/operational/services-gat

For SRX 340 you can use this driver srx_usbdriver-2

For Mac OS X download the driver if needed, from https://www.silabs.com/products/development-tools/software/usb-to-uart-bridge-vcp-drivers


Error: “We couldn’t create a new partition or locate an existing one”

Symptom:

You try to install Windows 8 (CP), and encountered the following error:

“We couldn’t create a new partition or locate an existing one. For more information, see the Setup log files.”

 

Resolution:

Try the following methods:

1) Check if you have an SD card in the system. If you do, remove it and run setup again.

2) Once setup fails to find the partition, just close the setup window (the red X in the top-right corner does the job).

From that point, you should be brought back to the initial setup screen. Choose “Repair”, then go to the advanced tools and start the command line.

Start DISKPART.

Type LIST DISK and identify your SSD disk number (from 0 to n disks).

Type SELECT DISK <n> where <n> is your SSD disk number.

Type CLEAN

Type CREATE PARTITION PRIMARY

Type ACTIVE

Type FORMAT FS=NTFS QUICK

Type ASSIGN

Type EXIT twice (one to get out of DiskPart, the other to exit the command line tool)


CPU usage is too high with Yosemite and an external monitor, kernel_task spikes to 600%+

After reading a number of blogs and days of internet searching, this solution worked for me. The kernel keeps looping over some very simple tasks, e.g. getting the date, thereby ‘consuming’ (at the highest priority) the majority of the CPU in a bid to cool the system down.

The solution on other blogs talks about removing ACPI_SMC_PlatformPlugin.kext. Under /System/Library there are many kernel extensions, and the relevant one is IOPlatformPluginFamily.kext. Their suggestion was to disable the plist for your model of computer, located in that kext’s Contents/PlugIns/ACPI_SMC_PlatformPlugin.kext (a sub-kext!). First, my MacBook Pro didn’t have a matching plist, and second, disabling that entire kext (simply by renaming it so Mac OS X wouldn’t find and load it) did not help. That approach may work for earlier Macs, but not for newer ones.

I have tried many things, but this works.

  1. Disable the kext by renaming it
    cd /System/Library/Extensions/IOPlatformPluginFamily.kext/Contents/PlugIns
    sudo mv X86PlatformShim.kext X86PlatformShim.kext.disabled
    
  2. Clear the kext cache (not sure if this is needed); touching the Extensions directory makes the system rebuild the cache on the next boot
    sudo touch /System/Library/Extensions/
    
  3. Restart

You may get an "Operation not permitted" error. Apple has enabled a new security-oriented feature, on by default, called System Integrity Protection.

Turning Off Rootless System Integrity Protection in OS X El Capitan 10.11 +

Again, the vast majority of Mac users should not disable rootless. Disabling rootless is aimed exclusively at advanced Mac users. Do so at your own risk, this is not specifically recommended.

  1. Reboot the Mac and hold down Command + R keys simultaneously after you hear the startup chime, this will boot OS X into Recovery Mode
  2. When the “OS X Utilities” screen appears, pull down the ‘Utilities’ menu at the top of the screen instead, and choose “Terminal”
  3. Type the following command into the terminal then hit return:

csrutil disable; reboot

  4. You’ll see a message saying that System Integrity Protection has been disabled and the Mac needs to restart for changes to take effect, and the Mac will then reboot itself automatically; just let it boot up as normal

You can also issue the command by itself without the automatic reboot like so:

csrutil disable


The trust relationship between this workstation and the primary domain failed

If you know the local admin password, log in to the server and use netdom.exe to reset the machine account password. If you don’t have the local admin password, unplug the network cable, log in using cached credentials, plug the network back in, and then use netdom.exe to reset the machine password.


netdom.exe resetpwd /s:<server> /ud:<user> /pd:*

<server> = a domain controller in the joined domain

<user> = DOMAIN\User format with rights to change the computer password

An error occurs in Microsoft Dynamics CRM using Claims Based Authentication

In ADFS Management Console update the Federation metadata URLs and do an IIS reset on CRM server. Next, restart the ADFS service.

If the above steps do not resolve the issue, follow these steps:

1. On the Microsoft Dynamics CRM server, go to Deployment Manager and disable the Claims Based Authentication

2. On the Microsoft Dynamics CRM server, click the Start menu, select Run and type iisreset to complete an IIS reset

3. Re-configure Claims-Based Authentication from Deployment Manager keeping all the settings same

4. Re-configure IFD through the Microsoft Dynamics CRM Deployment Manager

5. On the Microsoft Dynamics CRM server, click the Start menu, select Run and type iisreset to complete an IIS reset

6. In ADFS Management Console on the ADFS server, update the corresponding Federation Metadata URLs

a. Go to the ADFS Server and open the ADFS management Console

b. Click Relying Party Trusts to display the internal and external relying party trusts

c. Right-click each and select Update Federation Metadata

d. Go to the Microsoft Dynamics CRM server, click the Start menu, select Run and type iisreset to complete an IIS reset

e. Next, browse to Service on the ADFS server and restart the ADFS service

This also resolved a few other issues, including the one below.

High CPU Usage on Microsoft CRM 2015 and Microsoft CRM 2015 Email Router Server

When renewing expired AD FS 2.0 token-signing certificates: depending on your AD FS configuration, you may have automatic certificate rollover enabled. This can be checked with Get-ADFSProperties.

To configure automatic rollover:

Set-ADFSProperties -AutoCertificateRollover $true

Then reboot the server.