Re: Nexus FIPS Mode Command Not Working

jmh0211 · ‎06-02-2022

Hello Fellow Network Engineers!

This is probably an easy question, but I have not worked with Nexus switches all that much, so a little unfamiliar with some of the configuration. I am trying the run the " fips mode enable" command in global configuration, but it does not recognize it, or even the word "fips" on the switch. Is there a feature that needs to be enabled or a license I may need to make it recognize and run the command? I have a Nexus 31128P Cisco switch with NXOS 7. I am not running RADIUS, telnet, or SNMP, which are prereqs to disable according to the Cisco Configuration Guide. Thanks!

MHM Cisco World · ‎06-02-2022

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus3000/sw/security/93x/b-cisco-nexus-3000-nx-os-security-configuration-guide-93x/m-configuring-fips.html

BlueHerron03 · ‎06-02-2022

I think part of your response got cut off. I only see the link to the config guide. Or were you trying to point out something in the guide I may not have tried yet?

MHM Cisco World · ‎06-02-2022

sorry when attach this guide meaning that follow step in guide,
but let me give you some point from guide to check
Ensure that you are in the default VDC

no feature ssh
no ssh key rsa

Christopher Hart · ‎06-03-2022

Hello!

The FIPS feature was added in the 9.3(x) NX-OS software train, so you will need to upgrade the software of your Nexus 31128P switch from your current NX-OS 7.x release to the 9.3(x) NX-OS software train (preferably NX-OS 9.3(9), which is the current recommended software release).

For assistance with upgrading, I recommend reviewing the "Upgrading the Cisco NX-OS Software" section of the "Upgrading or Downgrading the Cisco Nexus 9000 Series NX-OS Software" chapter of the "Cisco Nexus 9000 Series NX-OS Software Upgrade and Downgrade Guide, Release 9.3(x)" document. Note that I'm linking you to Nexus 9000 documentation, even though this is clearly a Nexus 31128P switch - this is on purpose! The Nexus 31128P specifically can be upgraded like a normal Nexus 9000 series switch. The Nexus 31128P does not need to use a compact image like other Nexus 3000/3100 switches, so the Nexus 3000 upgrade documentation would mislead you into upgrading the switch incorrectly. Use the aforementioned Nexus 9000 documentation for a successful upgrade.

I hope this helps - thank you!

-Christopher

BlueHerron03 · ‎06-03-2022

Thanks for the reply Christopher. That would normally make sense, but the guide in the post says it is supported beginning in NX-OS 5.1. Do you know why it says that?

Christopher Hart · ‎06-03-2022

Good question, and good catch! This is most likely an error stemming from Cisco using the Nexus 7000 FIPS configuration guide as a "template" for the Nexus 3000/9000. Neither the Nexus 3000s nor the 9000s existed when NX-OS 5.1 was released, but the Nexus 7000 did and has supported the FIPS feature for a long time.

I will take the action item to file a documentation bug to have this corrected across all FIPS configuration guides across all platforms. I will update this thread once it is filed, which should be in the next few hours or so.

Thank you!

-Christopher

Christopher Hart · ‎06-03-2022

Hello!

I filed documentation bug CSCwc05739 to correct this error in the documentation. Note that since this defect was just filed, details will not become public-facing for a few business days. The documentation itself should be corrected within the next few weeks.

Thank you!

-Christopher

MHM Cisco World · ‎06-03-2022

Thanks You