
NGFWv-AWS - EBS volume encryption issue

varunes10
Level 1

I am running multiple NGFWv in our AWS environment from the marketplace. When trying to set up the EC2 instance for the firewall image, if I select to encrypt the EBS volume with the default aws/ebs key, the appliance does not respond on boot up. I also do not see any system logs for the EC2 during boot up. I do see system logs while terminating the instance. We have a policy to have all EBS volumes encrypted, or else they will be flagged non-compliant. Does the NGFWv support encryption of the EBS volume in AWS? Any insight into this will be helpful. Thank you.

 

System logs on shutting the instance down.

IO memory blocks requested from bigphys 32bit: 87680

INIT: version 2.88 booting

Starting udev

Configuring network interfaces... done.

Populating dev cache

TODO: Remove /tmp/disable_dpdk to enable dpdk on ngfwv

Found virtual boot drive /dev/xvda1

Found virtual disk0 drive /dev/xvda2

fsck.fat 3.0.28 (2015-05-16)

Starting check/repair pass.

FATs differ but appear to be intact. Using first FAT.

Cluster 258046 out of range (207673272 > 2092549). Setting to EOF.

Cluster 258047 out of range (223535692 > 2092549). Setting to EOF.

Cluster 258048 out of range (10059955 > 2092549). Setting to EOF.

Cluster 258049 out of range (133079543 > 2092549). Setting to EOF.

Cluster 258050 out of range (65038938 > 2092549). Setting to EOF.

Cluster 258051 out of range (219439810 > 2092549). Setting to EOF.

Cluster 258052 out of range (46504770 > 2092549). Setting to EOF.

Cluster 258053 out of range (10103903 > 2092549). Setting to EOF.

Cluster 258054 out of range (250869187 > 2092549). Setting to EOF.

Cluster 258055 out of range (131507214 > 2092549). Setting to EOF.

Cluster 258056 out of range (79941071 > 2092549). Setting to EOF.

Cluster 258057 out of range (6384958 > 2092549). Setting to EOF.

Cluster 258058 out of range (259674023 > 2092549). Setting to EOF.

Cluster 258059 out of range (51362568 > 2092549). Setting to EOF.

Cluster 258060 out of range (262079956 > 2092549). Setting to EOF.

Cluster 258061 out of range (256313087 > 2092549). Setting to EOF.

Cluster 258062 out of range (34401673 > 2092549). Setting to EOF.

Cluster 258063 out of range (257800812 > 2092549). Setting to EOF.


jimholla
Cisco Employee

We are working with AWS on this issue. They have identified that their decryption algorithms are returning random data for uninitialized storage blocks. More to come on this.

Thank you for the response @jimholla. Please let me know when AWS finds a resolution for this issue so I can retry deploying the image with ebs encryption.

@jimholla - Hi, is there any update on this issue with AWS? Has this been resolved on their end?

Sorry to say, but there has been no progress. AWS has identified the issue and they were working on a fix. I'll check on the status to see if we can push this forward.

Hi @jimholla,

 

Has there been any update from AWS on this issue? Please let me know. Thank you.

Yes. We have tested a fix for this issue and it works! Now we need to republish our AMIs in AWS. Unfortunately that will take a couple of weeks.

Awesome. Thank you for the update @jimholla 

I am still having the same issue even with the latest 6.6.0-90 AMI published today. Is there any update on this?

We have a fix for this issue but we need to complete testing and then republish the AMIs. It will probably take a few more weeks before you can use encrypted storage.

How do you build a system without encrypted storage?

Hey there @jimholla, been a few weeks since your last message, but I still see 6.6.0-90 as the latest version for Cisco Firepower NGFW Virtual (NGFWv) - BYOL and Cisco Firepower NGFW Virtual (NGFWv) in the AWS Marketplace. Can you please give us an update as to when the fix might be released, approximately?

 

Thanks!

Howdy,
We've started the process of republishing AMIs to the marketplace that resolve the encrypted storage issue. The first one available is 6.4.0-113. More will be coming soon.
Jim

Has this problem been corrected? It seems I am running into the same issue:

 


Not that I have seen.

I had to disable encryption to get it to load.