ICX 6450 Can't Login after enabling FIPS mode

michael_schmitt
New Contributor
After enabling FIPS mode on an ICX 6450-24, I am unable to login through the console following reload. Console history review showed that the user account was deleted from the config after issuing the fips enable command in global config. There was no mention of this possibility in the FIPS mode configuration guide. I have been unable to reset or recover from this. Any guidance would be greatly appreciated...
8 REPLIES

netwizz
Contributor III
You can interrupt the boot on the vast majority of ICX devices by pressing b to enter the bootrom.

Once there, you can most likely issue the "no password" command.

Then you can follow up with "boot"

Then when it boots you can "enable"

While these commands may not be exact, there should be some contextual help by typing the ? mark to show what is available exactly on that platform.


Good Luck

michael_schmitt
New Contributor
Thanks NETWizz. Unfortunately, with FIPS mode enabled, half of the boot monitor commands are not available (anything to do with flash read/write, TFTP, passwords, etc.). You can work with environment variables, boot pri/sec images, ping... Below is the list of the available commands in the FIPS restricted boot monitor taken from the switch I'm having issues with:

ICX64XX-boot>> ?
?       - alias for 'help'
boot    - boot default, i.e., run 'bootcmd'
boot_primary   - primary boot; boot from primary partition
boot_secondary   - secondary boot; boot from secondary partition
cp      - memory copy
help    - print online help
i2cprobe - Get special i2c device id
pci     - list and access PCI Configuration Space
ping    - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
reset   - Perform RESET of the CPU
saveenv - save environment variables to persistent storage
setenv  - set environment variables
version - print monitor version
ICX64XX-boot>>

We have done a fairly extensive search and have seen posts about recovering from this without an RMA, but no details.

netwizz
Contributor III
You will need to open a support case for the procedure according to the documentation.

It indicates, "After enabling FIPS mode on your device, you cannot disable it without losing the device configuration. To disable FIPS mode, it is recommended that you contact Brocade Technical Support and perform the procedure under qualified guidance."



michael_brado
Esteemed Contributor II
That is correct, product security, and only TAC can assist you further.
Don't mess with FIPS if you are not a FIPS customer, and if you have FIPS software, you should have an Admin (or team).
Did your company work with a System Engineer to get FIPS hardware/firmware?