Firewall failing to boot due to TPM Lockout - too many consecutive ungraceful shutdowns


Created On 05/07/24 20:17 PM - Last Modified 07/14/25 19:52 PM


Symptom


  • The PAN-OS device fails to boot and shows output such as the following on the serial/console CLI:

    TPM_PT_LOCKOUT_COUNTER = 0x20
    TPM_PT_MAX_AUTH_FAIL = 0x20
    TPM_PT_LOCKOUT_INTERVAL = 0x1C20 (2 h 0 min)
    Please hold ESC key to continue to boot.

    Please press and hold the ESC key to continue to boot.
    [2023-04-12 09:19:50.018] Otherwise, stop booting...
    [2023-04-12 09:19:50.018] [WARNING] The TPM Lockout counter reached to full!!!
    [2023-04-12 09:19:50.018] Stop booting for waiting TPM LOCKOUT reduce counter, it would take two hours...

Note: The values are hexadecimal. TPM_PT_LOCKOUT_COUNTER = 0x20 is decimal 32, which equals TPM_PT_MAX_AUTH_FAIL (the value at which the TPM enters lockout), and TPM_PT_LOCKOUT_INTERVAL = 0x1C20 is 7200 seconds, i.e. the 2 hours the TPM must stay powered before the counter decreases by one.


Environment


  • PA-400, PA-1400, PA-3400, PA-5400
  • TPM Lockout
  • Boot Failure


Cause


When a Strata device experiences an ungraceful shutdown (power cord pulled, power outage, hard power-off, etc.), the TPM is not shut down in an orderly manner and its TPM_PT_LOCKOUT_COUNTER increments by 1. TPM_PT_LOCKOUT_COUNTER, TPM_PT_MAX_AUTH_FAIL and TPM_PT_LOCKOUT_INTERVAL are the TPM 2.0 dictionary-attack lockout properties: the number of failures counted so far, the number at which the TPM locks out, and the time the TPM must stay powered before the counter decreases by one.

Once the counter reaches 32 (0x20), the TPM_PT_MAX_AUTH_FAIL value, PAN-OS halts the boot at the prompt shown above and will not continue until the counter drops below 32. The counter decrements by 1 for every full TPM_PT_LOCKOUT_INTERVAL (0x1C20 = 7200 seconds, 2 hours) that the device remains powered on without another ungraceful shutdown. The countdown runs inside the TPM, so the device only needs to stay powered; it does not need to reach PAN-OS for the counter to decrease.

Let as many 2-hour periods as needed pass for the counter to get to 31 or lower, then perform a graceful reboot; the device will then boot into PAN-OS. When the counter shows 0x20 (32) as above, one complete 2-hour interval brings it to 31, provided power is not interrupted in the meantime.

PAN-OS halts the boot when the counter is full, rather than cycling with a locked-out TPM, to protect the firewall in the rare event of a reboot loop, unstable power, or repeated consecutive power outages.


Resolution


  1. An RMA is not required.
  2. To recover the device from the TPM lockout state, leave it powered on and running uninterrupted for at least 2 hours, regardless of what the serial/console CLI shows. For every full 2 hours that elapse, TPM_PT_LOCKOUT_COUNTER decreases by 1.
  3. Wait as many 2-hour intervals as needed for the counter to reach 31 (0x1F) or lower. Do not interact with, unplug, reboot, or hard-power-off the device while waiting: another ungraceful shutdown increments the counter again.
  4. Once the counter is at 31 or lower, boot the firewall into Maintenance Mode and gracefully reboot it by selecting "Reboot":
     [Screenshot: Maintenance Mode menu shown during the firewall boot process]
  5. The device reboots and boots into PAN-OS as long as the TPM counter is 31 or lower.


Additional Information


Note: There is a known issue affecting certain PAN-OS versions which may sometimes prevent this counter from decrementing reliably on certain platforms. This issue is resolved in the following versions: 10.1.14, 10.2.11, 11.0.7, 11.1.3, 11.2.0 and later.

If you experience the above issue, please upgrade the device to one of the versions above or later as soon as possible.

 

Note: Starting with PAN-OS 11.1.0, the following CLI command shows TPM_PT_LOCKOUT_COUNTER from a running system, so the value can be checked without rebooting and reading it from the boot sequence output. The value is hexadecimal; in this example the counter is 1, far below the lockout value of 0x20 (32).

admin@PA-440> debug system tpm tpm-lockout-counter-value
TPM_PT_LOCKOUT_COUNTER: 0x00000001
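As an added example (not part of the original article and not Palo Alto Networks code), the following Python parses both output formats shown on this page, the boot-loader lines in the Symptom section and the PAN-OS 11.1 debug command output above, and applies the counter rules from the Cause and Resolution sections to tell whether the device is locked out and how long it must stay powered before a graceful reboot will succeed. It assumes the TPM 2.0 semantics the page describes: lockout while TPM_PT_LOCKOUT_COUNTER >= TPM_PT_MAX_AUTH_FAIL, one decrement per TPM_PT_LOCKOUT_INTERVAL. The defaults of 0x20 and 0x1C20, used only when an output prints just the counter, are taken from the boot output on this page and are an assumption for any other platform; the sample strings are constructed from the page's text.

```python
import re
from dataclasses import dataclass

# The three property names are the TPM 2.0 dictionary-attack lockout properties,
# printed by the PAN-OS boot loader as "NAME = 0x.." and by the PAN-OS 11.1+
# "debug system tpm tpm-lockout-counter-value" command as "NAME: 0x..".
_PROP_RE = re.compile(
    r"(TPM_PT_LOCKOUT_COUNTER|TPM_PT_MAX_AUTH_FAIL|TPM_PT_LOCKOUT_INTERVAL)"
    r"\s*[=:]\s*(0x[0-9A-Fa-f]+|\d+)"
)

# Defaults taken from the boot output quoted on this page. They are assumed, not
# read from the device, when the output (e.g. the debug command) prints only the counter.
DEFAULT_MAX_AUTH_FAIL = 0x20       # 32 counted failures -> lockout
DEFAULT_LOCKOUT_INTERVAL = 0x1C20  # 7200 s = 2 h per decrement


@dataclass(frozen=True)
class TpmLockoutState:
    counter: int        # TPM_PT_LOCKOUT_COUNTER: failures counted so far
    max_auth_fail: int  # TPM_PT_MAX_AUTH_FAIL: lockout threshold
    interval_s: int     # TPM_PT_LOCKOUT_INTERVAL in seconds: one decrement per interval

    @property
    def locked_out(self) -> bool:
        # The TPM is locked out (and PAN-OS halts the boot) once the counter has
        # reached the threshold; it must get strictly below it again.
        return self.counter >= self.max_auth_fail

    @property
    def intervals_to_wait(self) -> int:
        # Full intervals the device must stay powered, uninterrupted, before
        # counter < max_auth_fail. 0 when not locked out.
        return max(0, self.counter - self.max_auth_fail + 1)

    @property
    def seconds_to_wait(self) -> int:
        return self.intervals_to_wait * self.interval_s


def parse_tpm_lockout(output: str) -> TpmLockoutState:
    """Parse boot-loader or 'debug system tpm tpm-lockout-counter-value' output."""
    found = {name: int(value, 0) for name, value in _PROP_RE.findall(output)}
    if "TPM_PT_LOCKOUT_COUNTER" not in found:
        raise ValueError("TPM_PT_LOCKOUT_COUNTER not found in output")
    return TpmLockoutState(
        counter=found["TPM_PT_LOCKOUT_COUNTER"],
        max_auth_fail=found.get("TPM_PT_MAX_AUTH_FAIL", DEFAULT_MAX_AUTH_FAIL),
        interval_s=found.get("TPM_PT_LOCKOUT_INTERVAL", DEFAULT_LOCKOUT_INTERVAL),
    )


def describe(state: TpmLockoutState) -> str:
    """Operator-facing verdict: will the box boot, and if not, how long to wait."""
    if not state.locked_out:
        return (f"counter {state.counter}/{state.max_auth_fail}: not locked out, "
                f"a graceful reboot will boot into PAN-OS")
    hours, rem = divmod(state.seconds_to_wait, 3600)
    return (f"counter {state.counter}/{state.max_auth_fail}: LOCKED OUT, keep the "
            f"device powered and untouched for {state.intervals_to_wait} x "
            f"{state.interval_s} s ({hours} h {rem // 60} min), then reboot gracefully")


# Sample inputs constructed from the page: the boot output in the Symptom section
# and the debug command output in Additional Information. Timestamped warning
# lines and the CLI prompt are ignored by the parser.
BOOT_OUTPUT = """\
TPM_PT_LOCKOUT_COUNTER = 0x20
TPM_PT_MAX_AUTH_FAIL = 0x20
TPM_PT_LOCKOUT_INTERVAL = 0x1C20 (2 h 0 min)
Please hold ESC key to continue to boot.
[2023-04-12 09:19:50.018] [WARNING] The TPM Lockout counter reached to full!!!
"""

DEBUG_OUTPUT = """\
admin@PA-440> debug system tpm tpm-lockout-counter-value
TPM_PT_LOCKOUT_COUNTER: 0x00000001
"""

if __name__ == "__main__":
    for sample in (BOOT_OUTPUT, DEBUG_OUTPUT):
        print(describe(parse_tpm_lockout(sample)))
```

Paste the console capture or the debug command output into `parse_tpm_lockout` and the result tells you whether waiting is required at all; with the full counter of 0x20 the answer is a single 2-hour interval, and a counter of 0x1F or lower means a graceful reboot can be attempted immediately.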


PA-400 Series Firewall is not booting
How to Perform a Graceful Shutdown
TPM lockout - LIVECommunity



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000scBjCAI&lang=en_US