Bug ID 940733: Downgrading a FIPS-enabled BIG-IP system or running big3d_install results in a system halt

Last Modified: Sep 29, 2022

Bug Tracker

Affected Product:  See more info
BIG-IP All, Install/Upgrade(all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 17.0.0, 17.0.0.1

Opened: Aug 28, 2020
Severity: 2-Critical
Related AskF5 Article:
K29290121

Symptoms

The system fails during the boot-up process, reports a libcrypto validation error, and the system halts. The console will show this error: Power-up self-test failures: OpenSSL: Integrity test failed for libcrypto.so This occurs after one of the following: -- Upgrading a FIPS-enabled BIG-IP system, booting to a volume running an earlier software version -- Running big3d_install from a BIG-IP GTM configuration to a BIG-IP LTM On a FIPS-licensed BIG-IP LTM configuration, when checking the big3d version you may see something similar to this: /shared/bin/big3d -V fips.c:204:f5_get_library_path: failed to dlopen libcrypto.so.1.0.2za ./big3d version big3d Version 17.0.0.0.0.22 for linux

Impact

System boots to a halted state or big3d may continuously restart.

Conditions

-- FIPS-licensed BIG-IP system. -- Upgrade. -- Boot into a volume running an earlier version of the software. Another way to encounter the issue is: -- FIPS-licensed BIG-IP LTM. -- BIG-IP DNS (GTM) device running a higher software version than the LTM. -- Run big3d_install from a BIG-IP GTM-configuration pointing to FIPS-licensed BIG-IP LTM configuration.

Workaround

Before booting to the volume with the earlier version, delete /shared/bin/big3d. Note: This issue might have ramifications for DNS/GTM support. DNS/GTM is not FIPS-certified. If the target software volume has already experienced this issue (the system boots to a halted state), addition to deleting /shared/bin/big3d, follow the instructions in K25205233: BIG-IP System halted while booting. Halt at boot after FIPS Integrity Check Result FAIL :: https://support.f5.com/csp/article/K25205233 . For additional information, see K29290121: Rollback after upgrade or big3d_install may cause FIPS to halt system on boot :: https://support.f5.com/csp/article/K29290121.

Fix Information

None

Behavior Change