PA3020 upgrade failure from 8.0.11-h1 to 8.1.9-h4 - FIPS failure error

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

PA3020 upgrade failure from 8.0.11-h1 to 8.1.9-h4 - FIPS failure error

L1 Bithead

We are experiencing an upgrade error/failure when we try to upgrade PA3020 from 8.0.11-h1 to 8.1.9-h4.

 

When our customer tried to upgrade from 8.0.11-h1 to 8.1.9-h4; their PA3020 went to Maintenance Mode after installing and rebooting .

The Maintenance Mode simply stated that there is a "FIPS failure".

 

The upgrade steps that we followed are:

a) Download 8.1.0 (base) , without installing

b) Download and Install 8.1.9-h4 

 

 

After we did step b above the PA3020 rebooted and went straight to maintenance mode with error "FIPS failure"

Luckily, we were able to revert back again to 8.0.11-h1. But , we still need to upgrade to 8.1.x, becuase 8.0.x is already EOL.

We have already contacted palo alto TAC and are now waiting for their reply.

 

While we are waiting for pan tac reply, has anybody ever experienced a FIPS failure upgrade error like ours? if so, How did you guys resolve the FIPS failure error?

any feedback would be great, thanks

glenn

egghead systems

 
 
10 REPLIES 10

Cyber Elite
Cyber Elite

@Egghead_Systems,

What was your actual upgrade path. If you followed recommendation you should have installed the latest maintenance release prior to installing 8.1.0 and attempting to boot into your targeted maintenance release. 

Also just to point out, 8.1.10 is the preferred release at the moment.

L7 Applicator

Hi @Egghead_Systems 

When upgrading firewalls - specially the older hardware from paloalto like the 3000 series - you should follow the official recommendation for this. For you this means:

  1. Download and install the latest maintenance release (8.0.20)
  2. Download and install the base image 8.1.0
  3. Download and install the target release. In your case 8.1.9-h4

This way you shouldn't have any problems and to be eveen more sure try a reboot prior to even installing the latest maintenance release as 8.0.11 sounds like your firewall is already running with this quite a while.

@Remo @BPry  guys we tried your suggestion for the upgrade path.

we downloaded and installed 8.0.20 and rebooted. successfully upgrade to 8.0.20

downloaded and installed 8.1.0 and rebooted. successfullyupgraded to 8.1.0

downloaded and installed 8.1.10 and rebooted ---> failed to upgrade to 8.1.10 and went to maintenance mode.

we were able to revert back to 8.1.0 and we are now back online with 8.1.0

 

we have already submitted the tech support file to TAC and waiting for their advice.

 

in the meantime, do you guys have any idea or experience with this kind of scenario? we are stuck in 8.1.0

Let us know what tech finds out?

MP

Help the community: Like helpful comments and mark solutions.

Strange situarion. I don't have experience with this szenario, but what I would try in this case is a factory reset of the firewall, re-import the config and then give it another try 😛

I like this idea.

MP

Help the community: Like helpful comments and mark solutions.

Not sure where you actually see step 2 as the official recommendation.  Palo's upgrade articles specifically say to just download a feature release, and then download & install your target release.  So for instance from 8.0.11 to 8.1.9 would be:

 

- Download and install latest 8.0 (8.0.20)

- Download 8.1

- Download & install 8.1.9

 

 

" In most cases, the recommended path when moving from one feature release to the next is to download the base image for the next feature release version and then download and install your target maintenance release version. "

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/upgrade-to-pan-os-90/upgrade-the-fi...

 

 

 

 

@OGMaverick,

On older series hardware (200, 500, 3000) the official recommendation was modified so that you download and install the base image with the release of 8.1 specifically due to a number of issues that was being caused on these older platforms due to disk limitations. When you simply download the base image and directly install the target maintenance image the firewall needs to explode both images and build a functional install image from both images.

Newer platforms the increase in size of PAN-OS was properly accounted for and they can handle needing to build that new image. I would still personally recommend installing the base image before installing the maintenance image even on there platforms as you generally have less of an issue with the firewall not properly updating system files and running into update issues. 

@MP18 the solution of TAC was to do an RMA. We received a replacement unit of PA3020 with OS of version 7.1.x.

 

we had to upgrade all the way to 8.1.11

 

glenn

Many Thanks for replying to the post.

Much Appreciated !

MP

Help the community: Like helpful comments and mark solutions.
  • 6618 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!