Recovery Mode - WSM 12.6.x Fireware installation fails
Hello,
I am able to install different Fireware versions in recovery mode up to WSM 12.5.3.
With WSM 12.6.2U2 & 12.6.3 the wizard runs into a timeout.
This happens with all Fireboxes I have tested (X330, M300, M400).
Regards,
Norman
Comments
Hi @Norman
Recovery mode boots the firewall into a different partition, and re-flashes the main partition of the firewall. This is intended to allow a firewall to be recovered if something happens to the main partition somehow.
If you're running into an issue installing, it's likely that there isn't enough space on the main partition, or something else needs to happen. Upgrading via the normal procedure in Policy Manager (File -> Upgrade) or in the WebUI (System -> Upgrade OS) should correct whatever is wrong, or provide a usable error.
I would suggest against repeated re-flashing of the firewalls via recovery mode as that will cause unnecessary write cycles on the flash module of the firewall. It also generally takes longer, and requires taking the firewall down for an extended period of time.
-James Carson
WatchGuard Customer Support
@James
Let me say it differently:
recovery mode is broken in WSM 12.6.x.
I have tried different Windows OS versions and different Fireboxes.
After downgrading to WSM 12.5.3 or lower, recovery mode works fine.
Hi @Norman
Where specifically is recovery mode getting stuck when you attempt to use it?
-James Carson
WatchGuard Customer Support
Hi @James_Carson
The wizard asks for a temporary IP >>> the IP of the Firebox is changed (verified by ping), but it looks like nothing is transferred.
After some time, there is a timeout message.
Hi Norman,
It sounds like you're using DHCP for this -- I'd suggest the following:
-Have your computer plugged directly into eth1 of the firewall, with no switch between you and it.
-Set your IP statically to 10.0.1.2 with a subnet mask of 255.255.255.0 and a default gateway of 10.0.1.1.
-Run the quick setup wizard, and when the wizard asks, give the firewall a static IP address.
The above keeps IPs from moving or changing while the device reboots (as Windows will often try to assign an APIPA address because the firewall takes longer to reboot than it's willing to wait).
I ran through and tested the quick setup wizard with the latest version of WSM, both 12.6.3 and the 12.6.4 beta. I was able to run recovery mode successfully on both versions with a T80, an XTM545, and an XTM26-W.
Alternatively to the above, completing the setup process and running the normal quick setup wizard from the WebUI (https://10.0.1.1:8080) should also work. Once the firewall is set up, you can upgrade it from System -> Upgrade OS as normal.
Again, I want to stress that recovery mode is in place to recover a firewall that has corrupted its main partition somehow (most often via power failure during an upgrade operation). Upgrading normally via File -> Upgrade OS, or System -> Upgrade OS is the best way to complete system upgrades.
If you continue to have issues with the Quick Setup Wizard, I'd suggest opening a support case and including the log file that is at
C:\Users\ - user name - \appdata\roaming\watchguard\qswiz.txt
on your PC.
-James Carson
WatchGuard Customer Support
Hi @James_Carson
I followed your advice on cabling and IP, but the wizard says
"the temporary IP cannot be the same as the default trusted IP address of the device",
so I had to use 10.0.1.10.
Here is what happens in the log:
01/18/21 12:51:34[Thread-15] Setting temporary IP to 10.0.1.10
01/18/21 12:51:34[Thread-15] Begin setting temporary IP
01/18/21 12:51:34[Thread-16] Begin to wait a new message
01/18/21 12:51:35[Thread-16] One new message was received
01/18/21 12:51:35[Thread-15] Setting temp ip 10.0.1.10 for xxxxxxxx
01/18/21 12:51:35[Thread-16] Begin to wait a new message
01/18/21 12:51:35[Thread-15] Finish setting temporary IP
01/18/21 12:51:45[Thread-15] RsServer.setCertificate(): com.watchguard.util.comm.cmm.RSServer@ef7cf: null(Sid=); null
01/18/21 12:51:45[Thread-15] RsServer.setIpAddress(): 10.0.1.10
01/18/21 12:51:45[Thread-15] RSServer:RSServer:isServerConnectableXmlRpc(), trying url: https://10.0.1.10:4117/
01/18/21 12:51:45[..Thread (xmlrpc)] RSServer:code=0; message=org.apache.xmlrpc.XmlRpcException: Failed to read servers response: Certificates do not conform to algorithm constraints
01/18/21 12:51:45[..Thread (xmlrpc)] RSServer:Exception: org.apache.xmlrpc.XmlRpcException: Failed to read servers response: Certificates do not conform to algorithm constraints
01/18/21 12:51:45[..Thread (xmlrpc)] SSL initialized...
01/18/21 12:51:45[..Thread (xmlrpc)] RSServer:code=0; message=org.apache.xmlrpc.XmlRpcException: Failed to read servers response: Certificates do not conform to algorithm constraints
01/18/21 12:51:45[..Thread (xmlrpc)] RSServer:Exception: org.apache.xmlrpc.XmlRpcException: Failed to read servers response: Certificates do not conform to algorithm constraints
01/18/21 12:51:45[Thread-15] Unable to contact device after setting temp ip (attempt 1 of 3)
01/18/21 12:51:45[Thread-15] Begin setting temporary IP
01/18/21 12:51:45[Thread-18] Begin to wait a new message
01/18/21 12:51:46[Thread-16] One new message was received
01/18/21 12:51:46[Thread-18] One new message was received
01/18/21 12:51:46[Thread-15] Setting temp ip 10.0.1.10 for xxxxxxxxxxxxxx
01/18/21 12:51:46[Thread-16] Begin to wait a new message
01/18/21 12:51:46[Thread-18] Begin to wait a new message
01/18/21 12:51:46[Thread-15] Finish setting temporary IP
01/18/21 12:52:11[Thread-15] RsServer.setCertificate(): com.watchguard.util.comm.cmm.RSServer@8e67e5: null(Sid=); null
01/18/21 12:52:11[Thread-15] RsServer.setIpAddress(): 10.0.1.10
01/18/21 12:52:11[Thread-15] RSServer:RSServer:isServerConnectableXmlRpc(), trying url: https://10.0.1.10:4117/
01/18/21 12:52:11[..Thread (xmlrpc)] RSServer:code=0; message=org.apache.xmlrpc.XmlRpcException: Failed to read servers response: Certificates do not conform to algorithm constraints
01/18/21 12:52:11[..Thread (xmlrpc)] RSServer:Exception: org.apache.xmlrpc.XmlRpcException: Failed to read servers response: Certificates do not conform to algorithm constraints
01/18/21 12:52:11[..Thread (xmlrpc)] SSL initialized...
01/18/21 12:52:11[..Thread (xmlrpc)] RSServer:code=0; message=org.apache.xmlrpc.XmlRpcException: Failed to read servers response: Certificates do not conform to algorithm constraints
01/18/21 12:52:11[..Thread (xmlrpc)] RSServer:Exception: org.apache.xmlrpc.XmlRpcException: Failed to read servers response: Certificates do not conform to algorithm constraints
01/18/21 12:52:11[Thread-15] Unable to contact device after setting temp ip (attempt 2 of 3)
01/18/21 12:52:11[Thread-15] Begin setting temporary IP
01/18/21 12:52:11[Thread-20] Begin to wait a new message
01/18/21 12:52:12[Thread-16] One new message was received
01/18/21 12:52:12[Thread-18] One new message was received
01/18/21 12:52:12[Thread-20] One new message was received
01/18/21 12:52:12[Thread-15] Setting temp ip 10.0.1.10 for xxxxxxxxxxx
01/18/21 12:52:12[Thread-16] Begin to wait a new message
01/18/21 12:52:12[Thread-18] Begin to wait a new message
01/18/21 12:52:12[Thread-15] Finish setting temporary IP
01/18/21 12:52:12[Thread-20] Begin to wait a new message
01/18/21 12:52:34[Thread-16] Waiting socket closed!
01/18/21 12:52:45[Thread-18] Waiting socket closed!
01/18/21 12:52:52[Thread-15] RsServer.setCertificate(): com.watchguard.util.comm.cmm.RSServer@19b91f9: null(Sid=); null
01/18/21 12:52:52[Thread-15] RsServer.setIpAddress(): 10.0.1.10
01/18/21 12:52:52[Thread-15] RSServer:RSServer:isServerConnectableXmlRpc(), trying url: https://10.0.1.10:4117/
01/18/21 12:52:52[..Thread (xmlrpc)] RSServer:code=0; message=org.apache.xmlrpc.XmlRpcException: Failed to read servers response: Certificates do not conform to algorithm constraints
01/18/21 12:52:52[..Thread (xmlrpc)] RSServer:Exception: org.apache.xmlrpc.XmlRpcException: Failed to read servers response: Certificates do not conform to algorithm constraints
01/18/21 12:52:52[..Thread (xmlrpc)] SSL initialized...
01/18/21 12:52:52[..Thread (xmlrpc)] RSServer:code=0; message=org.apache.xmlrpc.XmlRpcException: Failed to read servers response: Certificates do not conform to algorithm constraints
01/18/21 12:52:52[..Thread (xmlrpc)] RSServer:Exception: org.apache.xmlrpc.XmlRpcException: Failed to read servers response: Certificates do not conform to algorithm constraints
01/18/21 12:52:52[Thread-15] Unable to contact device after setting temp ip (attempt 3 of 3)
01/18/21 12:52:52[Thread-15] RsServer.setCertificate(): com.watchguard.util.comm.cmm.RSServer@15c4333: 10.0.1.1(Sid=); null
01/18/21 12:52:52[Thread-15] RsServer.setCertificate(): com.watchguard.util.comm.cmm.RSServer@15c4333: 10.0.1.1(Sid=); null
01/18/21 12:52:52[Thread-15] RsServer.setIpAddress(): 10.0.1.10
01/18/21 12:52:52[Thread-15] Logging into appliance
com.watchguard.vpm.config.ApplianceManagerException: A connection could not be established to the Firebox 10.0.1.10.
Failed to read servers response: Certificates do not conform to algorithm constraints
at com.watchguard.vpm.config.VPMApplianceManager.logInApplianceOp(Unknown Source)
at com.watchguard.vpm.config.VPMApplianceManager.logInApplianceOp(Unknown Source)
at com.watchguard.qswiz.panels.DeployPanel.upgradeConfigureFireboxXtm(Unknown Source)
at com.watchguard.qswiz.panels.DeployPanel$1.run(Unknown Source)
at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: INTERNAL_ERROR: Failed to read servers response: Certificates do not conform to algorithm constraints
at com.watchguard.util.comm.cmm.Messanger.processMessageXmlRpc(Unknown Source)
at com.watchguard.util.comm.cmm.Messanger.(Unknown Source)
at com.watchguard.util.comm.cmm.Messanger.processMessage(Unknown Source)
at com.watchguard.util.comm.cmm.CommCmm.challengeResponseLogin(Unknown Source)
at com.watchguard.util.comm.cmm.CommCmm.xmlRpcLogin(Unknown Source)
at com.watchguard.util.comm.cmm.CommCmm.login(Unknown Source)
at com.watchguard.vpm.comm.CommUtil.loginAppliance(Unknown Source)
... 5 more
Certificates do not conform to algorithm constraints
Editing the java.security file fixed the problem:
"C:\Program Files (x86)\Common Files\WatchGuard\java\jre11.0.4\conf\security\java.security"
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 1024, \
EC keySize < 224, DES40_CBC, RC4_40
jdk.certpath.disabledAlgorithms=MD2, SHA1 jdkCA & usage TLSServer, \
RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
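The error in Norman's log comes from the JDK comparing the appliance's certificate against the two disabledAlgorithms lists above. The following Python script is an added example, not part of this thread or of WatchGuard's tooling: it parses those two properties (with the backslash line continuations the file uses) and reports which entries a given certificate would trip, so an edit like the one above can be limited to the single entry the recovery image actually needs, and reverted afterwards. The "stock" file contents and the certificate parameters (a 2048-bit RSA certificate signed with MD5) are constructed assumptions, and the matching is an approximation of the JDK's real check.

```python
"""Approximation of the JDK's "algorithm constraints" check, added as an
example for this thread: it parses the java.security properties Norman
edited and reports which entries a given appliance certificate would trip.
File contents and certificate parameters below are constructed samples."""
import re

# Constructed sample resembling a stock JDK 11 java.security (only the two
# relevant properties; values are an assumption, not a copy of the real file).
STOCK_JAVA_SECURITY = """\
# constructed sample, other properties omitted
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \\
    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \\
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL
"""

# The loosened values quoted in the thread (MD5 is no longer listed).
LOOSENED_JAVA_SECURITY = """\
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 1024, \\
    EC keySize < 224, DES40_CBC, RC4_40
jdk.certpath.disabledAlgorithms=MD2, SHA1 jdkCA & usage TLSServer, \\
    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
"""

OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
       "==": lambda a, b: a == b, "!=": lambda a, b: a != b}


def parse_java_security(text):
    """Return {property: value}, joining backslash-continued lines first."""
    joined = re.sub(r"\\\n\s*", " ", text)
    props = {}
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def parse_disabled(value):
    """Split a disabledAlgorithms value into entries of the form
    {'name', 'jdkCA', 'usage', 'keysize'}, e.g. 'RSA keySize < 1024' or
    'SHA1 jdkCA & usage TLSServer'. Clauses this sketch does not model are ignored."""
    entries = []
    for raw in value.split(","):
        raw = raw.strip()
        if not raw:
            continue
        clauses = [c.strip() for c in raw.split("&")]
        entry = {"name": clauses[0].split()[0], "jdkCA": False,
                 "usage": set(), "keysize": None}
        for clause in clauses:
            if "jdkCA" in clause.split():
                entry["jdkCA"] = True
            if clause.startswith("usage"):
                entry["usage"] = set(clause.split()[1:])
            m = re.search(r"keySize\s*(<=|>=|==|!=|<|>)\s*(\d+)", clause)
            if m:
                entry["keysize"] = (m.group(1), int(m.group(2)))
        entries.append(entry)
    return entries


def cert_violations(entries, sig_alg, key_alg, key_size,
                    chains_to_jdk_ca=False, usage="TLSServer"):
    """Entries the certificate trips. Like the JDK, the signature algorithm is
    decomposed into hash and key parts (MD5withRSA -> MD5, RSA), so an entry
    named MD5 rejects an MD5-signed cert; keySize clauses apply to the key only."""
    hash_part, _, sig_key_part = sig_alg.partition("with")
    names = {n.upper() for n in (sig_alg, hash_part, sig_key_part, key_alg) if n}
    hits = []
    for e in entries:
        if e["name"].upper() not in names:
            continue
        if e["jdkCA"] and not chains_to_jdk_ca:
            continue  # only applies to chains ending in a JDK-bundled root
        if e["usage"] and usage not in e["usage"]:
            continue
        if e["keysize"]:
            op, limit = e["keysize"]
            if e["name"].upper() != key_alg.upper() or not OPS[op](key_size, limit):
                continue
        hits.append(e)
    return hits


def check_cert(java_security_text, sig_alg, key_alg, key_size, chains_to_jdk_ca=False):
    """Return ['<property>: <entry>', ...]; an empty list means the certificate
    passes both constraint lists."""
    props = parse_java_security(java_security_text)
    problems = []
    for prop in ("jdk.certpath.disabledAlgorithms", "jdk.tls.disabledAlgorithms"):
        entries = parse_disabled(props.get(prop, ""))
        for e in cert_violations(entries, sig_alg, key_alg, key_size, chains_to_jdk_ca):
            problems.append(f"{prop}: {e['name']}")
    return problems


if __name__ == "__main__":
    # Assumed appliance certificate: 2048-bit RSA key, MD5 signature (the kind
    # of certificate an old recovery image might carry; an assumption).
    for label, text in (("stock", STOCK_JAVA_SECURITY), ("loosened", LOOSENED_JAVA_SECURITY)):
        print(label, check_cert(text, "MD5withRSA", "RSA", 2048) or "accepted")
```

With the constructed stock values the MD5-signed certificate is rejected by both lists, and the loosened values accept it while still rejecting a 512-bit RSA key. Reading the appliance's actual certificate first (signature algorithm and key size) tells you which entry is the blocker; removing only that entry, on the management PC used for recovery and only for the duration of the recovery, is a much smaller change than loosening both lists, and James's suggestion of an older WSM for the recovery step avoids the edit altogether.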
Hi @Norman
For older firewalls (which appear to be what you're working with) recovery mode will boot into the OS the device shipped with, which includes whatever certs were used at the time of manufacture. WSM has been changed over the years to require better certs as the ability for devices to handle them has improved, and requirements have strengthened.
Since recovery mode is intended to get a failed device running, I'd suggest using one of the older versions of WSM to get your older device up, and then log in normally with a later version to run the upgrade.
Thank you,
-James Carson
WatchGuard Customer Support