ICX 6450 Can't Login after enabling FIPS mode

After enabling FIPS mode on an ICX 6450-24, I am unable to log in through the console following reload. Console history review showed that the user account was deleted from the config after issuing the fips enable command in global config. There was no mention of this possibility in the FIPS mode configuration guide. I have been unable to reset or recover from this. Any guidance would be greatly appreciated...

Michael Schmitt

  • 2 Posts
  • 0 Reply Likes

Posted 5 months ago


NETWizz

  • 181 Posts
  • 57 Reply Likes
You can interrupt the boot on the vast majority of ICX devices by pressing b to enter the bootrom.

Once there, you can most likely issue the "no password" command.

Then you can follow up with "boot".

Then when it boots you can "enable".

While these commands may not be exact, there should be some contextual help by typing the ? mark to show what is available exactly on that platform.


Good Luck

Michael Schmitt

  • 2 Posts
  • 0 Reply Likes
Thanks NETWizz. Unfortunately, with FIPS mode enabled, half of the boot monitor commands are not available (anything to do with flash read/write, TFTP, passwords, etc.). (You can work with environment variables, boot pri/sec images, ping...) Below is the list of the available commands in the FIPS-restricted boot monitor, taken from the switch I'm having issues with:

ICX64XX-boot>> ?
?       - alias for 'help'
boot    - boot default, i.e., run 'bootcmd'
boot_primary   - primary boot; boot from primary partition
boot_secondary   - secondary boot; boot from secondary partition
cp      - memory copy
help    - print online help
i2cprobe - Get special i2c device id
pci     - list and access PCI Configuration Space
ping    - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
reset   - Perform RESET of the CPU
saveenv - save environment variables to persistent storage
setenv  - set environment variables
version - print monitor version
ICX64XX-boot>>

We have done a fairly extensive search and have seen posts about recovering from this without an RMA, but no details.

NETWizz

  • 181 Posts
  • 57 Reply Likes
You will need to open a support case for the procedure according to the documentation.

It indicates, "After enabling FIPS mode on your device, you cannot disable it without losing the device configuration. To disable FIPS mode, it is recommended that you contact Brocade Technical Support and perform the procedure under qualified guidance."


Michael Brado, Official Rep

  • 3037 Posts
  • 430 Reply Likes
That is correct, product security, and only TAC can assist you further.
Don't mess with FIPS if you are not a FIPS customer, and if you have FIPS software, you should have an Admin (or team).
Did your company work with a System Engineer to get FIPS hardware/firmware?

Jon Sands

  • 3 Posts
  • 0 Reply Likes
I know this is 5 months old, but if you still need it (e.g. you don't have a support account), I can remove FIPS for you.

Michael Brado, Official Rep

  • 3054 Posts
  • 438 Reply Likes
Ruckus does not advise any customer to try and change/convert any FIPS hardware to run on any but FIPS software.

We do not advise anyone to contact Jon Sands on his offer.

Jon Sands

  • 3 Posts
  • 0 Reply Likes
It's not "FIPS hardware", it's your regular hardware with a FIPS flag set in the config. You guys have your own supported command in the bootloader to wipe FIPS mode and any related configs; just run "factory set-default" in the bootloader. If this is supposed to be some huge secret, maybe don't publicly publish the sources that include said commands?

You've added even more ways, looking at your init script that starts under Linux; however, I will keep those secret as they are not published like factory reset is.