10-22-2018 10:06 PM
Hi board,
I'm wondering how others handle the CIMC in the Cisco ISE.
In the ISE downloads, there is one BIOS and CIMC software (3.0.3a). However, there are lots of CIMC vulnerabilities, which need to be closed. The hardware installation guide does not state that the 3.0.3a is the only supported BIOS.
In fact the guide states:
The following procedure is for upgrading the BIOS and Cisco IMC to version 3.0(3a). However, this procedure is generic and is applicable for newer firmware releases that are posted on Cisco.com.
Does this statement apply to the firmware posted in the "Identity Services Engine" download section or is it also supported to use a newer firmware in the downloads section of the corresponding UCS server model?
I know that other firmwares also work - the question is whether this is supported as well.
How do you handle the software of the CIMC?
My question also applies to other UCS based appliances like the WLC5520 etc. :)
10-28-2018 11:22 PM
Hi Arne,
yeah - it's a little bit hidden:
https://software.cisco.com/download/home/283801620/type/283802505/release/SNS-35X5%20Firmware
10-29-2018 07:19 AM - edited 10-29-2018 07:20 AM
Our customer bought two SNS3515 a couple of weeks ago and I WAS so tempted to upgrade the CIMC and thank god I didn't, otherwise I'd be pulling my hairs one by one.
These came updated with the latest 3.0.3S2. At first I was not sure if I needed to update them or not since I couldn't find any newer version, but I let it be and now I am happy that I didn't touch it. :D
Valuable lesson learnt from this thread!
10-31-2018 05:04 AM
Funny - just as we're talking about it, a new CIMC SW version is published for the ISE :)
https://software.cisco.com/download/home/283801620/type/283802505/release/SNS%2035x5
I'm wondering why they released an update
10-31-2018 01:38 PM
CIMC 3.0(4j) and BIOS 3.0.4(b) are to address CSCvj90778 / CSCvm14331 while the other set is due to upgrade path. The associated upgrade guide is still being updated and will be posted once it is ready.
11-14-2018 10:31 AM
@hslai wrote:
CIMC 3.0(4j) and BIOS 3.0.4(b) are to address CSCvj90778 / CSCvm14331 while the other set is due to upgrade path. The associated upgrade guide is still being updated and will be posted once it is ready.
So, what am I supposed to do with CIMC 3.0.3(S2)?
I'm on delivery; I'd much rather update now in my lab than when it is in prod.
thanks
11-14-2018 02:26 PM
There's an "upgrade guide" posted on the ISE CIMC downloads page. It's a bunch of screenshots.
If you apply this to a brand new ISE 2.4 shipped from factory (3.0.3a) will this cause the server to be powered down to apply the CIMC, thus impacting the ISE application?
11-14-2018 03:30 PM
On the safe side, I would suggest to take a maintenance window and stop ISE services, before performing the upgrade. Besides, the guide says,
You have to perform "Power Off" Sequence to Activate BIOS.
11-22-2018 06:13 AM
I've successfully upgraded CIMC and BIOS firmware on my two ISE nodes, I'm very thankful to TAC engineer who helped me out.
I've two SNS-3515-k9 with ISE 2.4 nodes, with CIMC version 3.0.3(S2) installed.
In order to upgrade to 3.0.4j CIMC, I had to downgrade my version to 2.0.9c because 3.0.3(S2) doesn't support uploading file > 40 MB.
Firstly I've upgraded my secondary node:
step 1) Gracefully shut down ISE node
In ISE CLI just launch:
application stop ise
halt
step 2) from 3.0.3(S2) to 2.0.9c
Upload first BMC then BIOS firmware and after doing that activate new BMC firmware. Note CIMC will be unreachable for a few minutes.
Important: my version (3.0.3(S2)) was affected by this bug CSCvd26329: after the downgrade, the password was reset to default. (admin - password)
Same as step 2 but I had to activate BIOS firmware as well. First, activate BMC, after that shut down host from CIMC menu, then activate new BIOS. You might have to refresh your internet browser before you can power on host again.
Please note powering on the host by CIMC command will power on ISE node as well, so open a KVM console to check when ISE will be on (CLI: show application status ise) and then shut down again.
step 4) from 3.0.3f to 3.0.4j
Same as step 3.
Follow these steps to upgrade primary node CIMC as well.
Hope this could help someone.
11-22-2018 02:12 PM
Sounds like a disaster to me. Is this downgrade an official step or did you run into a unique scenario? How can a newer version of CIMC not support a filesize that an older version of CIMC could? How can you trust that these guys do anything right?
I am sticking with the motto of "don't fix what ain't broke" - and nobody is attacking my CIMC so I don't care about CVE scare mongering. Many years from now, when ISE 3.0 comes along and won't be supported on SNS-35xx, these boxes will be scrapped/replaced with the same BIOS/CIMC and nobody will care.
11-22-2018 10:51 PM - edited 11-22-2018 11:48 PM
@Arne Bier wrote:
Sounds like a disaster to me. Is this downgrade an official step or did you run into a unique scenario? How can a newer version of CIMC not support a filesize that an older version of CIMC could? How can you trust that these guys do anything right?
The downgrade is an official step for unlucky releases such as 3.0.3(S2) and 3.0.3a. I suppose that these versions are not really so functional.
@Arne Bier wrote:
I am sticking with the motto of "don't fix what ain't broke" - and nobody is attacking my CIMC so I don't care about CVE scare mongering. Many years from now, when ISE 3.0 comes along and won't be supported on SNS-35xx, these boxes will be scrapped/replaced with the same BIOS/CIMC and nobody will care.
I understand your point but I don't want to discover my customer's point of view when this appliance is in production.
01-07-2019 11:01 AM
Hi,
The Cisco SNS 3500 Series Appliance Hardware Installation Guide has been updated. It now says why you should only use the CIMC software that is listed with the ISE downloads. It also mentions to check the download directory for other readme and upgrade files.
Currently, on the downloads page, under All Releases > Firmware > SNS35X5, there are downloads for the ISE-compliant CIMC and upgrade instructions.
01-07-2019 12:38 PM
Hi Eric,
We were told by Cisco BU not to change our current CIMC BIOS version even though there are some security concerns on that one. The reason behind that was it could affect ISE operation even though we are talking about not related apps. Do you have any formal information from Cisco other than the upgrade CIMC link?
thanks
01-08-2019 08:17 AM
01-08-2019 08:51 AM - edited 01-08-2019 09:04 AM
Thanks for your note. Now I clarified some doubts about this CIMC/BIOS upgrade for 3515/3595 Appliances which is our case. So my 1st question would be:
1.-Are the 2 links below meant for the same purpose?
01-08-2019 01:30 PM
The link with more files (the first one) is the correct one. We are aware of this issue (I am in the tech writing group), and working on fixing it.