Last Modified: Apr 10, 2019
Known Affected Versions:
13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 13.1.1, 220.127.116.11
Opened: Aug 07, 2018
After a FIPS 140-2 license is installed on a FIPS-certified hardware device and the device is rebooted, the system halts while performing the FIPS integrity check.
The device is halted and cannot be used.
- Some system applications monitored by FIPS 140-2 are routinely changed.
- The device has a FIPS 140-2 enabled license installed.
- The device operator installs a FIPS 140-2 enabled license.
- The device is rebooted.
Workaround:
1. The device needs to have serial console access (Telnet).
2. From the Telnet console, enter the GRUB menu and boot into a different partition that does not have a FIPS 140-2 enabled license.
3. Examine the contents of the file /config/fipserr, which shows the files that were changed, leading to the failure of the FIPS 140-2 license-enabled partition.
4. Restore those files to their original versions and reboot. If the system still halts, repeat from Step  above, until this no longer happens.
Here are the steps, in summary form.
1. Connect a terminal to the BIG-IP serial console port.
2. From the Telnet console, enter the GRUB menu.
3. Before the countdown expires, use the Up Arrow and Down Arrow keys to stop the countdown, and select the appropriate boot image.
4. Press the 'E' key to start editing the boot options. A new GRUB menu displays.
5. Use the Up Arrow and Down Arrow keys to navigate to the line that contains the keyword "module".
6. Add a space, followed by NO_FIPS_INTEGRITY=1. DO NOT press ENTER.
7. Press the Ctrl-X sequence or the F10 key to restart the system using the modified options. The machine will boot into the partition containing the FIPS 140-2-enabled license.
8. Examine the content of the file /config/f5_public/fipserr to ascertain the cause of the FIPS module startup error.
9. Fix the problem reported in the aforementioned error file.
10. Run the test tool /usr/libexec/sys-eicheck.py to ensure that no fatal error is reported, such as:
    Integrity Check Result: [ FAIL ]
    If the fatal error persists, DO NOT REBOOT (otherwise the system will go into the halt state, and the steps starting from Step  will need to be repeated). Instead, fix the problematic files reported. Re-run the test tool until no error is seen.