My customers are facing a critical issue when they upgrade firmware.
One customer is using a VM-100; when he upgrades from 8.1.0 to 8.1.10 and reboots the device, he sees this issue.
Another customer is using a PA-500; when he upgrades from 8.1.0 to 8.1.9-h4 and reboots the device, he sees this issue.
Both customers upgrade from 7.1.x and 8.0.x, and all steps until upgrading to 8.1.0 are fine.
Even though the reason points to 'FIPS', they are not using FIPS mode.
Does anyone know the cause?
Note: We cannot proceed with a factory reset after we see the issue. It fails.
I would open a TAC case so that they can log the issue and get the full upgrade path to see if they could potentially recreate the issue. If this was just on the PA-500 I would be leaning more towards hardware failure, but with it being on a VM-100 alongside a PA-500 it's possible that a bug is present in the upgrade path that was followed.
Hi @emr_1, we are also experiencing a similar error. When our customer tried to upgrade from 8.0.11-h1 to 8.1.9-h4, their PA3020 went to Maintenance Mode after installing and rebooting.
The Maintenance Mode simply stated that there is a "FIPS failure".
The upgrade steps that we followed are:
a) Download 8.1.0 (base), without installing
b) Download and Install 8.1.9-h4
After we did step b above, the PA3020 rebooted and went straight to maintenance mode with the error "FIPS failure".
Luckily, we were able to revert back again to 8.0.11-h1. But we still need to upgrade to 8.1.x, because 8.0.x is already EOL.
We have already contacted Palo Alto TAC and are now waiting for their reply.
While we are waiting for the PAN TAC reply, would you mind sharing what happened with your situation? How did you guys resolve the FIPS error?
Any feedback would be great, thanks.
Hi @Egghead_Systems ,
First of all, the reason you and I went to maintenance mode is because of a new feature that is installed from 8.1.1, called "
As TAC told me, PAN-OS detected that some files were broken, so it stopped the normal startup operation and went to maintenance mode.
After entering maintenance mode, you can find the log in fips.log on the menu and see which specific file failed.
The log below is my sample:
10/14/19 15:31:09 fips ERROR: failed integrity check on /etc/pan-manifest/mgmt-panos(//var/appweb/sslvpndocs/global-protect/getsoftwarepage.esp: FAILED)
10/14/19 15:31:09 fips ERROR: FIPS-CC integrity on fs:Management plane failed verification on 1 files.
10/14/19 15:31:09 fips ERROR: * * * * * FIPS Self-Tests failed * * * * *
10/14/19 15:31:41 fips ERROR: * * * * * FIPS Self-Tests (**panic**) trying os command * * * * *
From the above situation, there are two ways we can take:
1) Try to proceed with a factory reset and see whether the broken files are replaced by the original files (don't forget to take your config backup before you proceed)
2) Open a ticket and request an RMA
In my case, we did an RMA... I could not escape from maintenance mode and found no way.
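An added example, not part of the original posts and not Palo Alto tooling: a small Python parser for fips.log text in the format quoted above, which pulls out the manifest and the file that failed the integrity check so the result can be attached to a TAC case. The function names, the MM/DD/YY reading of the timestamp, and the idea that the summary count should equal the number of per-file lines are assumptions made for this example.

```python
import re
from datetime import datetime

# The four fips.log lines quoted in the post above, copied verbatim.
SAMPLE_LOG = """\
10/14/19 15:31:09 fips ERROR: failed integrity check on /etc/pan-manifest/mgmt-panos(//var/appweb/sslvpndocs/global-protect/getsoftwarepage.esp: FAILED)
10/14/19 15:31:09 fips ERROR: FIPS-CC integrity on fs:Management plane failed verification on 1 files.
10/14/19 15:31:09 fips ERROR: * * * * * FIPS Self-Tests failed * * * * *
10/14/19 15:31:41 fips ERROR: * * * * * FIPS Self-Tests (**panic**) trying os command * * * * *
"""

# Assumed layout, inferred from the sample: "MM/DD/YY HH:MM:SS fips LEVEL: message"
LINE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) fips (\w+): (.*)$")
FAILED_FILE = re.compile(r"failed integrity check on (\S+?)\((.+): FAILED\)$")
SUMMARY = re.compile(r"FIPS-CC integrity on fs:(.+?) failed verification on (\d+) files\.$")

def parse_fips_log(text):
    """Return the failed files, per-filesystem summaries and self-test status."""
    report = {"failed_files": [], "summaries": [], "self_test_failed": False}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank or unrecognised lines instead of guessing
        when = datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S")
        msg = m.group(3)
        if (f := FAILED_FILE.search(msg)):
            path = "/" + f.group(2).lstrip("/")  # normalise the leading '//'
            report["failed_files"].append(
                {"time": when, "manifest": f.group(1), "path": path})
        elif (s := SUMMARY.search(msg)):
            report["summaries"].append({"fs": s.group(1), "count": int(s.group(2))})
        elif "FIPS Self-Tests failed" in msg:
            report["self_test_failed"] = True
    return report

def counts_consistent(report):
    # Assumption: each summary count equals the number of per-file FAILED lines.
    # A mismatch suggests the copied log is truncated.
    return sum(s["count"] for s in report["summaries"]) == len(report["failed_files"])

if __name__ == "__main__":
    result = parse_fips_log(SAMPLE_LOG)
    for item in result["failed_files"]:
        print(item["time"], item["manifest"], item["path"])
    print("self-test failed:", result["self_test_failed"])
    print("counts consistent:", counts_consistent(result))
```
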
@emr_1 Thanks for your reply. When you got your RMA, what was the PAN-OS that came with it? Was it 8.1.0 already?
Also, was your Palo Alto a PA-500?
@Egghead_Systems Yes, the replacement was 8.1.0. And also, my cases were PA-500 and VM-100. In both cases, the cause and result of the issue were the same, but the broken file was different. Hope it helps you.