PA3020 upgrade failure from 8.0.11-h1 to 8.1.9-h4 - FIPS failure error

L1 Bithead


We are experiencing an upgrade error/failure when we try to upgrade PA3020 from 8.0.11-h1 to 8.1.9-h4.

 

When our customer tried to upgrade from 8.0.11-h1 to 8.1.9-h4, their PA3020 went to Maintenance Mode after installing and rebooting.

The Maintenance Mode simply stated that there is a "FIPS failure".

 

The upgrade steps that we followed are:

a) Download 8.1.0 (base), without installing

b) Download and Install 8.1.9-h4 

 

 

After we did step b above, the PA3020 rebooted and went straight to maintenance mode with the error "FIPS failure".

Luckily, we were able to revert back again to 8.0.11-h1. But we still need to upgrade to 8.1.x, because 8.0.x is already EOL.

We have already contacted Palo Alto TAC and are now waiting for their reply.

 

While we are waiting for PAN TAC's reply, has anybody ever experienced a FIPS failure upgrade error like ours? If so, how did you guys resolve the FIPS failure error?

Any feedback would be great, thanks.

glenn

egghead systems

 
 
L7 Applicator

Re: PA3020 upgrade failure from 8.0.11-h1 to 8.1.9-h4 - FIPS failure error

@Egghead_Systems,

What was your actual upgrade path? If you followed the recommendation you should have installed the latest maintenance release prior to installing 8.1.0 and attempting to boot into your targeted maintenance release.

Also just to point out, 8.1.10 is the preferred release at the moment.

L7 Applicator

Re: PA3020 upgrade failure from 8.0.11-h1 to 8.1.9-h4 - FIPS failure error

Hi @Egghead_Systems 

When upgrading firewalls - especially the older hardware from Palo Alto like the 3000 series - you should follow the official recommendation for this. For you this means:

  1. Download and install the latest maintenance release (8.0.20)
  2. Download and install the base image 8.1.0
  3. Download and install the target release. In your case 8.1.9-h4

This way you shouldn't have any problems, and to be even more sure, try a reboot prior to even installing the latest maintenance release, as 8.0.11 sounds like your firewall has already been running with this for quite a while.

L1 Bithead

Re: PA3020 upgrade failure from 8.0.11-h1 to 8.1.9-h4 - FIPS failure error

@vsys_remo @BPry guys, we tried your suggestion for the upgrade path.

we downloaded and installed 8.0.20 and rebooted. successfully upgraded to 8.0.20

downloaded and installed 8.1.0 and rebooted. successfully upgraded to 8.1.0

downloaded and installed 8.1.10 and rebooted ---> failed to upgrade to 8.1.10 and went to maintenance mode.

we were able to revert back to 8.1.0 and we are now back online with 8.1.0

 

we have already submitted the tech support file to TAC and waiting for their advice.

 

in the meantime, do you guys have any idea or experience with this kind of scenario? we are stuck in 8.1.0

L4 Transporter

Re: PA3020 upgrade failure from 8.0.11-h1 to 8.1.9-h4 - FIPS failure error

Let us know what tech finds out.

L7 Applicator

Re: PA3020 upgrade failure from 8.0.11-h1 to 8.1.9-h4 - FIPS failure error

Strange situation. I don't have experience with this scenario, but what I would try in this case is a factory reset of the firewall, re-import the config and then give it another try.

L4 Transporter

Re: PA3020 upgrade failure from 8.0.11-h1 to 8.1.9-h4 - FIPS failure error

I like this idea.

L3 Networker

Re: PA3020 upgrade failure from 8.0.11-h1 to 8.1.9-h4 - FIPS failure error

Not sure where you actually see step 2 as the official recommendation.  Palo's upgrade articles specifically say to just download a feature release, and then download & install your target release.  So for instance from 8.0.11 to 8.1.9 would be:

 

- Download and install latest 8.0 (8.0.20)

- Download 8.1

- Download & install 8.1.9

 

 

"In most cases, the recommended path when moving from one feature release to the next is to download the base image for the next feature release version and then download and install your target maintenance release version."

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/upgrade-to-pan-os-90/upgrade-the-fi...

 

 

 

 

L7 Applicator

Re: PA3020 upgrade failure from 8.0.11-h1 to 8.1.9-h4 - FIPS failure error

@OGMaverick,

On older series hardware (200, 500, 3000) the official recommendation was modified so that you download and install the base image with the release of 8.1, specifically due to a number of issues that were being caused on these older platforms due to disk limitations. When you simply download the base image and directly install the target maintenance image, the firewall needs to explode both images and build a functional install image from both images.

On newer platforms the increase in size of PAN-OS was properly accounted for and they can handle needing to build that new image. I would still personally recommend installing the base image before installing the maintenance image even on these platforms, as you generally have less of an issue with the firewall not properly updating system files and running into update issues.

L1 Bithead

Re: PA3020 upgrade failure from 8.0.11-h1 to 8.1.9-h4 - FIPS failure error

@MP18 the solution of TAC was to do an RMA. We received a replacement unit of PA3020 with OS of version 7.1.x.

 

we had to upgrade all the way to 8.1.11

 

glenn
