After enabling FIPS mode on an ICX 6450-24, I am unable to log in through the console following reload. Console history review showed that the user account was deleted from the config after issuing the fips enable command in global config. There was no mention of this possibility in the FIPS mode configuration guide. I have been unable to reset or recover from this. Any guidance would be greatly appreciated...
Thanks, NETWizz. Unfortunately, with FIPS mode enabled, half of the boot monitor commands are not available (anything to do with flash read/write, TFTP, passwords, etc.). You can work with environment variables, boot pri/sec images, ping... Below is the list of the available commands in the FIPS restricted boot monitor, taken from the switch I'm having issues with:
ICX64XX-boot>> ?
? - alias for 'help'
boot - boot default, i.e., run 'bootcmd'
boot_primary - primary boot; boot from primary partition
boot_secondary - secondary boot; boot from secondary partition
cp - memory copy
help - print online help
i2cprobe - Get special i2c device id
pci - list and access PCI Configuration Space
ping - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
reset - Perform RESET of the CPU
saveenv - save environment variables to persistent storage
setenv - set environment variables
version - print monitor version
ICX64XX-boot>>
We have done a fairly extensive search and have seen posts about recovering from this without an RMA, but no details.
You will need to open a support case for the procedure according to the documentation.
It indicates, "After enabling FIPS mode on your device, you cannot disable it without losing the device configuration. To disable FIPS mode, it is recommended that you contact Brocade Technical Support and perform the procedure under qualified guidance."
That is correct, product security, and only TAC can assist you further. Don't mess with FIPS if you are not a FIPS customer, and if you have FIPS software, you should have an Admin (or team). Did your company work with a System Engineer to get FIPS hardware/firmware?