After upgrading to 22.1.3 on a FIPS enabled controller, DNS resolution may become non-operational
Article ID: 374903

Products

VMware Avi Load Balancer

Issue/Introduction

After upgrading to 22.1.3 on a FIPS enabled controller, some services, such as Network Name Resolution (systemd-resolved), may fail to start.

The controller may then be unable to resolve pool server names, and the controller events may show DNS_QUERY_ERROR.

To confirm that the DNS service on the controller has failed to start, run systemctl status systemd-resolved.service; the unit is reported as "failed":

# systemctl status systemd-resolved.service

● systemd-resolved.service - Network Name Resolution
     Loaded: loaded (/lib/systemd/system/systemd-resolved.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Fri 2024-08-16 20:17:06 UTC; 17min ago

If you check /var/log/syslog, you will see an error similar to the one below about the shared library libcrypto.so.1.0.0:

systemd-resolved[2557]: /lib/systemd/systemd-resolved: error while loading shared libraries: libcrypto.so.1.0.0: cannot enable executable stack as shared object requires: Operation not permitted

Cause

The libcrypto.so.1.0.0 used in FIPS mode is marked as requiring an executable stack: the execute bit is set on its PT_GNU_STACK program header. That flag is normally a build artefact (an assembly object linked without a .note.GNU-stack marker makes the linker default to an executable stack) rather than something the library's code relies on.

When systemd-resolved loads the library, the dynamic loader honours the flag by calling mprotect() to make the process stack executable. systemd-resolved.service runs with MemoryDenyWriteExecute=yes, so that call is refused with EPERM ("Operation not permitted"), the loader aborts, and the service exits before it can start. The failure is therefore the service unit's memory hardening rejecting the library, not a fault in FIPS mode itself.


Resolution

The fix is to clear the executable-stack flag on the library with the execstack command (on Debian/Ubuntu it ships in the prelink package).

SSH to each controller node and enter sudo -i for elevated privileges.
Then run:
execstack -c /opt/avi/fips/lib/libcrypto.so.1.0.0

Confirm the change with execstack -q /opt/avi/fips/lib/libcrypto.so.1.0.0, which prints - instead of X in front of the path once the flag is cleared. Then restart the failed service with systemctl restart systemd-resolved.service and re-check its status. Repeat on every node in the cluster.

This only edits the ELF program header, not the library's code, so FIPS mode and the unit's MemoryDenyWriteExecute hardening stay in effect and the services start properly. Re-check with execstack -q after any later upgrade, since a replaced library can reintroduce the flag.
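The check behind execstack -q and the change execstack -c makes, shown as an added example in Python (not part of this article and not Avi/Broadcom tooling): the script reads the PT_GNU_STACK program header of an ELF shared object, reports whether the execute bit is set, and can clear it in place. The make_sample_elf64 helper builds a constructed minimal ELF image so the logic can be exercised offline; the script name audit_execstack.py in the usage below is an assumption, and the library path is the one from the article.

```python
"""Audit or clear the executable-stack flag in an ELF shared object.

Added example for this KB article (not Avi/Broadcom code). It does the part of
execstack -q / execstack -c that matters here: read the PF_X bit of the
PT_GNU_STACK program header and, on request, clear it in place. An object with
no PT_GNU_STACK header at all is reported as '?' and left alone; execstack
handles that case by inserting the header.
"""
import struct
import sys
from pathlib import Path

PT_GNU_STACK = 0x6474E551  # program header type that records the stack permissions
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def _phdr_layout(data):
    """Locate the program header table from the ELF header.

    Returns (phoff, phentsize, phnum, offset of p_flags inside a phdr, endian prefix).
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == 1 else ">"
    if ei_class == 2:  # ELFCLASS64: e_phoff at 0x20, e_phentsize/e_phnum at 0x36/0x38
        phoff = struct.unpack_from(endian + "Q", data, 0x20)[0]
        phentsize, phnum = struct.unpack_from(endian + "HH", data, 0x36)
        flags_off = 4   # Elf64_Phdr: p_type, p_flags, p_offset, ...
    elif ei_class == 1:  # ELFCLASS32: e_phoff at 0x1C, e_phentsize/e_phnum at 0x2A/0x2C
        phoff = struct.unpack_from(endian + "I", data, 0x1C)[0]
        phentsize, phnum = struct.unpack_from(endian + "HH", data, 0x2A)
        flags_off = 24  # Elf32_Phdr: p_flags follows six 4-byte fields
    else:
        raise ValueError("unknown ELF class")
    return phoff, phentsize, phnum, flags_off, endian


def gnu_stack_flags(data):
    """Return (file offset of p_flags, p_flags) for PT_GNU_STACK, or None if absent."""
    phoff, phentsize, phnum, flags_off, endian = _phdr_layout(data)
    for i in range(phnum):
        base = phoff + i * phentsize
        if struct.unpack_from(endian + "I", data, base)[0] == PT_GNU_STACK:
            return base + flags_off, struct.unpack_from(endian + "I", data, base + flags_off)[0]
    return None


def describe_stack(data):
    """Same letters as execstack -q: X = executable stack required, - = not, ? = no header."""
    found = gnu_stack_flags(data)
    if found is None:
        return "?"
    return "X" if found[1] & PF_X else "-"


def clear_execstack(data):
    """What execstack -c does for an object that already has PT_GNU_STACK: drop PF_X, keep R/W."""
    found = gnu_stack_flags(data)
    if found is None:
        raise ValueError("no PT_GNU_STACK header; use execstack -c, which adds one")
    off, flags = found
    endian = _phdr_layout(data)[4]
    patched = bytearray(data)
    struct.pack_into(endian + "I", patched, off, flags & ~PF_X)
    return bytes(patched)


def audit_path(path, fix=False):
    """Report the stack flag of the file at path; with fix=True, rewrite it without PF_X."""
    target = Path(path)
    data = target.read_bytes()
    status = describe_stack(data)
    if fix and status == "X":
        target.write_bytes(clear_execstack(data))
        status = describe_stack(target.read_bytes())
    return status


def make_sample_elf64(stack_flags=None):
    """Constructed minimal little-endian ELF64 shared object for offline testing:
    a 64-byte header and, unless stack_flags is None, one PT_GNU_STACK program header."""
    ehdr = bytearray(64)
    ehdr[:4] = b"\x7fELF"
    ehdr[4], ehdr[5], ehdr[6] = 2, 1, 1           # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    struct.pack_into("<HHI", ehdr, 16, 3, 62, 1)  # e_type=ET_DYN, e_machine=EM_X86_64, e_version
    struct.pack_into("<H", ehdr, 52, 64)          # e_ehsize
    if stack_flags is None:
        return bytes(ehdr)                        # e_phnum stays 0: no program headers at all
    struct.pack_into("<Q", ehdr, 32, 64)          # e_phoff: table directly after the header
    struct.pack_into("<HH", ehdr, 54, 56, 1)      # e_phentsize, e_phnum
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return bytes(ehdr) + phdr


if __name__ == "__main__":
    # Usage: python3 audit_execstack.py [-c] /opt/avi/fips/lib/libcrypto.so.1.0.0
    fix = "-c" in sys.argv[1:]
    for arg in (a for a in sys.argv[1:] if a != "-c"):
        print(audit_path(arg, fix=fix), arg)
```

Run it against the library before and after the execstack command to see the flag go from X to -; with -c it makes the same p_flags edit itself. Files reported as ? carry no PT_GNU_STACK header at all and should be left to execstack, which inserts one. Back up the library before rewriting it.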