Solved: lost password to UCS-FI-6454 (IMM)

robad · ‎03-13-2024

Hi,

We lost the 'admin' password for our pair of UCS-FI-6454

Is there a way to reset it somehow please ?

[and is there a way meanwhile to access their CLI via InterSight ?]

Thanks in advance !

Riaan van Niekerk · ‎03-17-2024

(I found a newer password recovery link that is specific to FI-6454 in UMM and includes the recovery variable that needs to be set for FI-6400 series, e.g. I was able to shorten my original reply significantly)

I unfortunately can’t guarantee that it will work since I have not tested it. It is based on past experience with FIs and performing many FI recoveries. The FI in IMM is running the same UCS firmware as in UMM (e.g. built on the same code base) so many of the low-level rescue commands and procedures should still work.

Looking at the steps for configuring the 2nd FI in an IMM domain
https://www.cisco.com/c/en/us/td/docs/unified_computing/Intersight/b_Intersight_Managed_Mode_Configuration_Guide/b_intersight_managed_mode_guide_chapter_00.html#id_114317 the 2nd FI picks up all settings via the cluster interconnect, (it asks for the peer FI admin password, then applies all the same settings as the FI that was set up first, only asking for the 2nd FI IP)

According to the Cisco Intersight Managed Mode Fabric Interconnect Admin Guide (PDF, I could not find an HTML version)
https://www.cisco.com/c/en/us/td/docs/unified_computing/Intersight/IMM-FI-Admin-Guide/b_imm_fi_admin_guide.pdf
page 23 states "To change the administrator password on the Fabric Interconnect, use the change-password command" in the Device Console CLI. It does not state that this sets the password on the domain (e.g. both FIs) when you run the command only on one of the FIs, e.g. you would have to change the password on both separately if you wanted to change it.

By that logic (if you have to change it on each FI separately), you should be able to use the standalone FI-6400 admin password recovery procedure.

You are correct, there probably should be an updated document that covers FIs in UMM (or the standalone FI-6400 page I linked to in my reply above, is expanded to state that it is applicable to FIs in IMM) . Until we have that (I could not find such a document), this post and it replies will “point the way”.

To get confirmation, you can wait for someone from Cisco to approve or provide corrections/instructions to the above. I would recommend you contact Cisco TAC, to get something official, and if you need the procedure/confirmation urgently.

View solution in original post

Riaan van Niekerk · ‎03-16-2024

(Updated, I found a newer link that is specific to FI-6454 in UMM and includes the recovery variable that needs to be set for FI-6400 series)

This procedure is for admin password recovery on a standalone FI-6454 in UCSM MM

https://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/ucs-manager/GUI-User-Guides/Admin-Management/4-1/b_Cisco_UCS_Admin_Mgmt_Guide_4-1/m_password_management.html#task_ikf_rx5_42b

From my understanding of the IMM architecture, in IMM the FIs no longer form a cluster where management HA is provided and managed via the UCSM and therefore don’t have a concept of primary and secondary. I suspect you can use the “Standalone” password recovery mechanism.

You should be able to do this for one FI at a time, without downtime.

robad · ‎03-17-2024

Hi, and thanks for your reply !

But, can you be sure that it should work ?

I just want to make sure it's something that if officially supported by Cisco. It's strange there isn't a new doc for it

Someone from Cisco can approve it please ?

(When I'll have approvement , I'll sign the answer as correct )

Riaan van Niekerk · ‎03-17-2024

(I found a newer password recovery link that is specific to FI-6454 in UMM and includes the recovery variable that needs to be set for FI-6400 series, e.g. I was able to shorten my original reply significantly)

I unfortunately can’t guarantee that it will work since I have not tested it. It is based on past experience with FIs and performing many FI recoveries. The FI in IMM is running the same UCS firmware as in UMM (e.g. built on the same code base) so many of the low-level rescue commands and procedures should still work.

Looking at the steps for configuring the 2nd FI in an IMM domain
https://www.cisco.com/c/en/us/td/docs/unified_computing/Intersight/b_Intersight_Managed_Mode_Configuration_Guide/b_intersight_managed_mode_guide_chapter_00.html#id_114317 the 2nd FI picks up all settings via the cluster interconnect, (it asks for the peer FI admin password, then applies all the same settings as the FI that was set up first, only asking for the 2nd FI IP)

According to the Cisco Intersight Managed Mode Fabric Interconnect Admin Guide (PDF, I could not find an HTML version)
https://www.cisco.com/c/en/us/td/docs/unified_computing/Intersight/IMM-FI-Admin-Guide/b_imm_fi_admin_guide.pdf
page 23 states "To change the administrator password on the Fabric Interconnect, use the change-password command" in the Device Console CLI. It does not state that this sets the password on the domain (e.g. both FIs) when you run the command only on one of the FIs, e.g. you would have to change the password on both separately if you wanted to change it.

By that logic (if you have to change it on each FI separately), you should be able to use the standalone FI-6400 admin password recovery procedure.

You are correct, there probably should be an updated document that covers FIs in UMM (or the standalone FI-6400 page I linked to in my reply above, is expanded to state that it is applicable to FIs in IMM) . Until we have that (I could not find such a document), this post and it replies will “point the way”.

To get confirmation, you can wait for someone from Cisco to approve or provide corrections/instructions to the above. I would recommend you contact Cisco TAC, to get something official, and if you need the procedure/confirmation urgently.

robad · ‎03-26-2024

riaan, thanks a lot for the detailed edited answer

At the end, I prefer to call TAC in order to do it with their engineer

I'll try to update if they used this solution or not, but anyway, it seems that it'll be that

Thanks

Ron Baduach · ‎04-01-2024

Hi, If anyone need it, here is the official steps given by TAC Engineer @joaocorr (Credit to Joao ) :

Connect to the console port. Plug the RJ-45 end of the serial management cable into the console port on the fabric interconnect, and connect the DB-9 male end into the serial port on a laptop or other computer.
Power cycle the Fabric Interconnect:
Power off the Fabric Interconnect.
Power on the Fabric Interconnect.
Press the key combination in the console as it boots: Ctrl + C.
At the loader prompt, find the system image used with command dir.

5. loader > dir 6. 7. bootflash:: 8. 9. lost+found10. ucs-manager-k9.4.2.3e.bin11. .rpmstore12. ucs_chassis_imgs13. installables14. ucs-6400-k9-system.9.3.5.I42.3d.bin <---- nuova-sim-mgmt-nsg.0.1.0.001.bin

Run the command cmdline recoverymode=1 to enable recovery mode.

loader > cmdline recoverymode=1

Boot the system image on the Fabric Interconnect.

loader > boot ucs-6400-k9-system.9.3.5.I42.3d.bin

Then, enter to the config terminal mode.

18.switch(boot)# config terminal 19.Enter configuration commands, one per line. End with CNTL/Z.switch(boot)(config)#

Reset the admin password.

switch(boot)(config)# admin-password <your_password>

Load the system image.

switch(boot)(config)# exit switch(boot)# load ucs-6400-k9-system.9.3.5.I42.3d.bin

If it is a cluster configuration. Repeat steps to get to the loader prompt.

Connect to the console port.
Power cycle the Fabric Interconnect:
Power off the Fabric Interconnect.
Power on the Fabric Interconnect.
Press the key combination in the console as it boots: Ctrl + C.
At the loader prompt for the subordinate Fabric Interconnect, boot the image to bring it up.

loader > boot ucs-6400-k9-system.9.3.5.I42.3d.bin