Troubleshooting
This section lists several issues that are frequently encountered when the TPM is used. If the issue you encounter cannot be found in this list, we recommend that you refer to the Stormshield knowledge base.
To troubleshoot the TPM, run this command in an SSH console:
tpmctl -a -v
SSH access must be allowed on the SNS firewall.
Lost TPM administration password
Situation: The TPM password is required to perform operations, but the password was lost.
Cause: The password was not kept or saved in a secure location.
Solution: You will not be able to reset the TPM password, and Stormshield is not in a position to recover it.
As a last resort, if you cannot remember it, you can reinitialize the TPM by following the instructions in the Stormshield knowledge base article I've lost my TPM password, how can I reset it? (authentication required).
IMPORTANT
By resetting the TPM, you will not be able to recover the private keys that it protects. You will need to import the certificates in question again, and protect their private key.
Accessing the SNS firewall web administration interface and backup certificate
Situation: It is still possible to access the web administration interface on an SNS firewall in version 4.8.7 or higher, which has a TPM-protected private key from the certificate presented by the web administration interface, even though the TPM status indicates that it has to be resealed.
Cause: The technical characteristics of the system have been modified. As such, the TPM can no longer be accessed because the hash values of the trusted PCRs have changed, preventing the decryption of the protected private key from the certificate presented by the web administration interface.
However, a backup certificate can be used to maintain the access to the web administration interface:
- On versions 4.8.7 and higher of the 4.8.x branch, this is the default certificate in the factory configuration, which corresponds to the SNS firewall's serial number,
- On versions 5 in factory configuration, the certificate is self-generated for this access.
Solution: Although the web administration interface can still be accessed through the backup certificate, none of the other private keys protected by the TPM can be decrypted. To fix this issue, first check that the changes to the technical characteristics are legitimate, then seal the TPM by following the procedure Sealing the TPM.
Some features no longer function
After updating the SNS firewall software
Situation: After the software on an SNS firewall or SNS firewall cluster is updated to version 4.3 LTSB or higher, features that use certificates with a protected private key no longer function.
Cause: The system's technical characteristics have been modified following the update of the SNS firewall. As such, the TPM can no longer be accessed because the hash values of the trusted PCRs have changed, preventing the decryption of protected private keys. The TPM status indicates that it has to be resealed.
Solution: Seal the TPM by following the Sealing the TPM procedure.
After inserting a storage medium and restarting the SNS firewall
Situation: After inserting a storage medium and restarting the SNS firewall, features that use certificates with a protected private key no longer function.
Cause: The system's technical characteristics were modified when the SNS firewall started, as a new storage medium was detected. As such, the TPM can no longer be accessed because the hash values of the trusted PCRs have changed, preventing the decryption of protected private keys. The TPM status indicates that it has to be resealed.
Solution: If the storage medium has a legitimate reason for being used, seal the TPM by following the Sealing the TPM procedure.
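The three situations above share one mechanism: the private key is sealed to the hash values of the trusted PCRs, so any change in those measurements (a software update, a newly detected storage medium) blocks decryption until the key is resealed under the new values. The toy model below is an added illustration, not Stormshield code and not how the SNS TPM integration is implemented: the PCR bank, the measurements, the TPM password and the "private key" bytes are all constructed, and an HMAC-SHA256 wrapping stands in for the TPM's real key hierarchy.

```python
"""Toy model of sealing a secret to PCR values (added illustration, not Stormshield code)."""
import hashlib
import hmac
from typing import Dict, Optional, Tuple

PCR_COUNT = 8  # constructed: a small bank of simulated PCRs


def fresh_pcr_bank():
    """All PCRs start at zero after a platform reset, as on a real TPM."""
    return [b"\x00" * 32 for _ in range(PCR_COUNT)]


def extend(bank, index, measurement):
    """PCR extend: new = SHA-256(old || SHA-256(measurement)); it is one-way."""
    digest = hashlib.sha256(measurement).digest()
    bank[index] = hashlib.sha256(bank[index] + digest).digest()


def measured_bank(measurements: Dict[int, bytes]):
    """Boot the simulated platform: reset the PCRs, then extend each one listed."""
    bank = fresh_pcr_bank()
    for index, measurement in measurements.items():
        extend(bank, index, measurement)
    return bank


def policy_digest(bank, trusted) -> bytes:
    """Composite of the trusted PCRs (analogue of a PCR policy digest)."""
    return hashlib.sha256(b"".join(bank[i] for i in sorted(trusted))).digest()


def _keystream(key: bytes, length: int) -> bytes:
    """HMAC counter mode keystream; a stand-in for the TPM's symmetric cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(secret: bytes, bank, trusted, tpm_password: bytes) -> dict:
    """Wrap a secret so it only unwraps under the same trusted PCR values and password."""
    pd = policy_digest(bank, trusted)
    wrap_key = hmac.new(tpm_password, b"wrap" + pd, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(wrap_key, len(secret))))
    tag = hmac.new(wrap_key, pd + ct, hashlib.sha256).digest()
    return {"ct": ct, "tag": tag, "trusted": tuple(sorted(trusted))}


def unseal(blob: dict, bank, tpm_password: bytes) -> Optional[bytes]:
    """Return the secret, or None when the PCR policy or password no longer matches."""
    pd = policy_digest(bank, blob["trusted"])
    wrap_key = hmac.new(tpm_password, b"wrap" + pd, hashlib.sha256).digest()
    tag = hmac.new(wrap_key, pd + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        return None  # the state the page describes as "has to be resealed"
    return bytes(a ^ b for a, b in zip(blob["ct"], _keystream(wrap_key, len(blob["ct"]))))


def demo() -> Tuple[bool, bool, bool]:
    """Seal, break the seal with a simulated update, then reseal (constructed values)."""
    password = b"constructed-tpm-password"
    private_key = b"constructed-32-byte-private-key!"  # stands in for a certificate key
    trusted = (0, 2, 4)  # constructed choice of trusted PCRs

    bank = measured_bank({0: b"firmware image A", 2: b"system image v1", 4: b"disk0"})
    blob = seal(private_key, bank, trusted, password)
    before = unseal(blob, bank, password) == private_key

    # Reboot after a software update: PCR 2 now measures a different image.
    bank = measured_bank({0: b"firmware image A", 2: b"system image v2", 4: b"disk0"})
    after_update = unseal(blob, bank, password) == private_key

    # Once the change is confirmed legitimate, reseal under the new measurements.
    resealed = seal(private_key, bank, trusted, password)
    after_reseal = unseal(resealed, bank, password) == private_key
    return before, after_update, after_reseal
```

demo() returns (True, False, True): unsealing works until the simulated update changes a trusted PCR, and works again only after the secret is resealed. Extending a PCR outside the trusted set leaves the seal intact, which is why only changes to the trusted measurements trigger the "has to be resealed" state. The same model also shows why the TPM password is part of the operation, and why resetting the TPM rather than resealing it leaves the previously sealed keys unrecoverable.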
After the passive firewall switches to active (high availability)
Situation: After a passive firewall switches to active, features that use certificates with a protected private key no longer function.
- Cause 1: The mechanism that derives the symmetric key was not enabled on the SNS firewall cluster. You can check its status by running this CLI command:
SYSTEM TPM STATUS tpmpassword=<password>
Solution: Enable the symmetric key derivation mechanism on the cluster and renew the symmetric key by running the following CLI commands:
SYSTEM TPM RENEW tpmpassword=<password> derivekey=on
HA TPMSYNC tpmpassword=<password>
- Replace <password> with the TPM password,
- As the firewall is part of a high availability cluster, enter derivekey=on.
- Cause 2: Both SNS firewalls in the cluster were recently updated to SNS version 4.3 LTSB or higher. After the switch, the TPM can no longer be accessed because the hash values of the trusted PCRs have changed, preventing the decryption of protected private keys. The TPM status indicates that it has to be resealed.
Solution: Seal the TPM by following the Sealing the TPM procedure.