Last Modified: Apr 09, 2022
Known Affected Versions:
13.1.0, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 13.1.1, 14.0.0, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 14.0.1, 22.214.171.124, 14.1.0, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 14.1.2, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 14.1.3, 188.8.131.52, 15.0.0, 15.0.1, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 15.1.0, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 16.0.0, 18.104.22.168, 16.0.1, 22.214.171.124, 126.96.36.199
16.1.0, 188.8.131.52, 14.1.4, 184.108.40.206
Opened: Aug 07, 2018
Related AskF5 Article: K25205233
After a FIPS 140-2 license is installed on BIG-IP FIPS-certified hardware devices, the system halts while booting upon performing the FIPS integrity check. The console shows messages similar to:
    Starting System Logger Daemon...
    [ OK ] Started System Logger Daemon.
    [ 14.943495] System halted.
The device halts and cannot be used.
-- The BIG-IP device has a license that includes the FIPS 140-2 option (FIPS full-box license).
-- System element monitored by FIPS 140-2 integrity check has changed.
-- The device is rebooted.
Workaround:
1. Connect a terminal to the BIG-IP serial console port.
2. From the console, enter the GRUB menu and boot into a partition that does not have a FIPS 140-2-enabled license, or into TMOS Maintenance.
3. Mount config from the inactive partition that was halted (see K51222154: Mounting the filesystem of an inactive partition :: https://support.f5.com/csp/article/K51222154), and examine the contents of /config/f5_public/fipserr, which shows the files that were changed, leading to failure of the FIPS 140-2 license-enabled partition.
4. Restore those files to their original ones.
5. Truncate the inactive partition's /config/f5_public/fipserr, e.g., by running:
    cat /dev/null > /mnt/test/f5_public/fipserr
6. Reboot. If the system still halts, repeat from Step  above, until this no longer happens.
If your device is running a version where ID 739507 is fixed:
1. Connect a terminal to the BIG-IP serial console port.
2. From the serial console, enter the GRUB menu.
3. Before the countdown expires, use the Up Arrow and Down Arrow keys to stop the countdown, and select the appropriate boot image.
4. Press the key 'E' to start the edit options. A new GRUB menu displays.
5. Use the Up Arrow and Down Arrow keys to navigate to the line that starts with 'linux', or the first line that starts with 'module'.
6. Add a space, followed by NO_FIPS_INTEGRITY=1 (do not press ENTER).
7. Press the Ctrl-X sequence or the F10 key to restart the system using the modified options. The machine boots into the partition containing the FIPS 140-2-enabled license.
8. Examine the content of the file /config/f5_public/fipserr to ascertain the cause of the FIPS module startup error.
9. Fix the problem reported in the aforementioned error file.
10. Run the test tool /usr/libexec/sys-eicheck.py to ensure that no fatal error is reported, such as:
    Integrity Check Result: [ FAIL ]
    If fatal errors persist, do not reboot (otherwise the system goes into the halt state, and the steps starting from Step  will need to be repeated). Instead, fix the problematic files reported. Rerun the test tool until no error is seen.
    Note: You can find information on the sys-eicheck (FIPS) utility in the AskF5 Non-Diagnostic Article K00029945: Using the sys-eicheck (FIPS) utility :: https://support.f5.com/csp/article/K00029945.
11. Truncate the file /config/f5_public/fipserr:
    cat /dev/null > /config/f5_public/fipserr
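
The closing steps of the second procedure (run the checker, do not reboot on a fatal result, then truncate fipserr) can be enforced by a small wrapper. This is an added example, not F5 code: the function name fips_preboot_gate and its return codes are hypothetical, and it assumes the checker prints an "Integrity Check Result:" line on every run.

```shell
#!/bin/sh
# Added example (not F5 code): gate that clears fipserr only when the checker
# reports no fatal result.
# Assumptions: the checker prints a line containing "Integrity Check Result:"
# on every run, and "[ FAIL ]" on a fatal error (the string quoted above).
# Its exit status is not relied on.

RESULT_PREFIX='Integrity Check Result:'
FAIL_MARKER='Integrity Check Result: [ FAIL ]'

# fips_preboot_gate [CHECKER] [FIPSERR]
#   0  no fatal result; FIPSERR truncated, reboot can proceed
#   1  fatal result; FIPSERR left intact, do not reboot
#   2  inconclusive (checker missing or printed no result line)
fips_preboot_gate() {
    gate_checker=${1:-/usr/libexec/sys-eicheck.py}
    gate_fipserr=${2:-/config/f5_public/fipserr}

    if [ ! -x "$gate_checker" ]; then
        echo "cannot run checker: $gate_checker" >&2
        return 2
    fi

    # Capture stdout and stderr together; ignore the exit status.
    gate_out=$("$gate_checker" 2>&1) || true

    if printf '%s\n' "$gate_out" | grep -qF -- "$FAIL_MARKER"; then
        echo "Integrity check still failing: do not reboot." >&2
        printf '%s\n' "$gate_out" >&2
        # Show what the FIPS module recorded, if anything.
        if [ -s "$gate_fipserr" ]; then cat "$gate_fipserr" >&2; fi
        return 1
    fi

    # Fail safe: a crash or empty output must not be read as a pass.
    if ! printf '%s\n' "$gate_out" | grep -qF -- "$RESULT_PREFIX"; then
        echo "No result line from checker; leaving $gate_fipserr alone." >&2
        return 2
    fi

    : > "$gate_fipserr"
    echo "No fatal integrity error; $gate_fipserr truncated."
    return 0
}
```

Called with no arguments, it uses the two paths named in the procedure.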