
Understanding FIPS Error States and System Panic


A router or switch running Junos OS in FIPS mode operates under certain restrictions: it loads only integrity-checked software files and uses only FIPS-approved cryptographic algorithms. To ensure correct operation, the router or switch performs a series of FIPS self-tests at startup.

The router or switch performs additional tests as needed—for example, to ensure that randomly generated numbers are truly random and to verify manually entered keys (passwords).

If it fails a test, the router or switch enters a FIPS error state known as system panic.

When a low-level cryptographic function cannot complete for lack of memory or another resource, a memory allocation error occurs. This error does not result in system panic.

FIPS errors that occur early in the boot cycle can prevent the system from successfully starting up. For this reason, keep alternate boot media up to date.


FIPS System Panic

If a router or switch fails a FIPS self-test, the router or switch enters a FIPS error state known as system panic. The panic condition halts all cryptographic processing and stops all data output from the router or switch. To clear the FIPS error, the router or switch reboots, runs the FIPS self-tests, and if it passes all the tests, returns to normal operation.

If the router or switch fails a self-test during a reboot from panic mode, the system stops booting and attempts to reboot. If the reboot is unsuccessful, the router or switch attempts again to reboot, this time from available boot media.

During a system panic, only status messages are displayed on the console. A FIPS error is logged on the console as follows:

The reboot after panic displays the following error message on the console:

The following error states create a system panic:

Note

These errors have only an extremely small chance of occurring.

  • The router or switch failed a known answer test (KAT).

  • The random number generator produced output that failed the randomness test.

  • Signature generation failed.

  • Signature verification failed.

  • Certificate verification failed.

  • Encryption or decryption failed.

  • An environment error occurred.

  • An error occurred in a pair-wise conditional test.

Memory Allocation Error

A FIPS memory allocation error occurs when a low-level cryptographic function cannot finish processing for lack of memory or of another resource. This error causes the affected process to be terminated, but does not result in system panic.

FIPS memory failures are logged as follows:

Terminating the process clears the error so that the process can be run again.
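The following is an added example, not Juniper code and not taken from Junos OS, that models the two error states described above (the self-test failures listed under FIPS System Panic, and the memory allocation error described in this section). It runs known-answer tests (KATs) for SHA-256 and HMAC-SHA-256 against standard test vectors (the FIPS 180-4 "abc" example and RFC 4231 test case 2), a continuous random-number test that models the "random number is not random" check, and then applies the page's rule: any self-test failure puts the module into a panic state in which cryptographic processing halts, whereas a resource-exhaustion error terminates only the affected test, which can be run again. The function and test names, the `stuck_rng` and `oom_test` fault models, and the 16-byte block size are assumptions made for the example; signature, certificate and environment checks are not modelled.

```python
"""Toy model of FIPS power-on self-tests and the panic / memory-error states.

Added example (not Junos OS code). Test vectors are the standard
SHA-256("abc") example from FIPS 180-4 and RFC 4231 test case 2.
"""
import hashlib
import hmac
import os
from typing import Callable, Dict

SHA256_KAT = (
    b"abc",
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
)
HMAC_SHA256_KAT = (
    b"Jefe",
    b"what do ya want for nothing?",
    "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843",
)


class SelfTestFailure(Exception):
    """A self-test produced a wrong answer; this maps to FIPS system panic."""


def kat_sha256() -> None:
    msg, expected = SHA256_KAT
    if hashlib.sha256(msg).hexdigest() != expected:
        raise SelfTestFailure("SHA-256 KAT mismatch")


def kat_hmac_sha256() -> None:
    key, msg, expected = HMAC_SHA256_KAT
    got = hmac.new(key, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(got, expected):
        raise SelfTestFailure("HMAC-SHA-256 KAT mismatch")


def continuous_rng_test(rng: Callable[[int], bytes] = os.urandom,
                        rounds: int = 16) -> None:
    """Continuous RNG test: two consecutive 16-byte blocks must never be equal."""
    previous = rng(16)
    for _ in range(rounds):
        current = rng(16)
        if current == previous:
            raise SelfTestFailure("random number is not random (repeated block)")
        previous = current


def run_self_tests(tests: Dict[str, Callable[[], None]]) -> Dict[str, object]:
    """Run every test and return the resulting FIPS state plus per-test outcome."""
    outcomes: Dict[str, str] = {}
    panic = False
    for name, test in tests.items():
        try:
            test()
            outcomes[name] = "pass"
        except MemoryError:
            # Low-level allocation failure: the affected process is terminated
            # and may be re-run, but the module does not enter panic.
            outcomes[name] = "memory_allocation_error"
        except SelfTestFailure as exc:
            # A failed self-test halts all cryptographic processing.
            outcomes[name] = f"fail: {exc}"
            panic = True
    return {"state": "panic" if panic else "normal", "outcomes": outcomes}


DEFAULT_TESTS: Dict[str, Callable[[], None]] = {
    "sha256_kat": kat_sha256,
    "hmac_sha256_kat": kat_hmac_sha256,
    "continuous_rng": continuous_rng_test,
}


def stuck_rng(n: int) -> bytes:
    """Constructed faulty RNG that always returns the same block (assumption)."""
    return b"\x00" * n


def oom_test() -> None:
    """Constructed test modelling a primitive that runs out of memory (assumption)."""
    raise MemoryError("no buffer available")


def run_with_stuck_rng() -> Dict[str, object]:
    tests = dict(DEFAULT_TESTS, continuous_rng=lambda: continuous_rng_test(stuck_rng))
    return run_self_tests(tests)


def run_with_oom() -> Dict[str, object]:
    return run_self_tests({"sha256_kat": kat_sha256, "leaky_primitive": oom_test})


if __name__ == "__main__":
    print(run_self_tests(DEFAULT_TESTS))   # state: normal
    print(run_with_stuck_rng())            # state: panic
    print(run_with_oom())                  # state: normal, one test terminated
```

The healthy run passes every test and leaves the module in the normal state; substituting the stuck RNG trips the continuous test and the whole module goes to panic even though the KATs passed, matching the page's description that one failed self-test halts all cryptographic processing. The out-of-memory case records the terminated test without changing the module state, which is the distinction the page draws between a memory allocation error and a system panic.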

Error Recovery from Alternate Boot Media

A Juniper Networks router or switch running Junos OS in FIPS mode performs KAT self-tests at startup. If the router or switch fails a KAT, the boot process stops and the router or switch attempts to reboot. If the reboot is unsuccessful, the router or switch attempts again to reboot, this time from available boot media.

If the alternate media are not functional, the router or switch might not be able to start up at all. In that case, the Crypto Officer must insert the removable boot media so that the system can boot normally and install Junos OS.

For this reason, be sure to keep the alternate media on the router or switch in a functional state by running the request system snapshot recovery command after enabling FIPS mode.