08-15-2016 09:15 AM - edited 03-01-2019 12:51 PM
Hi.
We have just bought ourselves a Secure Network Server 3595, and I wanted to upgrade BIOS, KVM etc. before putting it into production.
But when I try to boot the server via Virtual Media, I get this error:
Invalid signature detected. Check Secure Boot Policy in Setup
I tried 2 different ISO files, same error on both of them.
What am I doing wrong? :)
Thank you.
08-24-2016 08:56 AM
If Secureboot was enabled (or shipped that way), then there will be a special ISE HUU required.
There should be some ISE appliance documentation updates on the way that covers that scenario.
I'll post additional info when available.
Thanks,
Kirk..
08-15-2016 09:26 AM
Hello,
What version of CIMC did the box ship with?
Typically the SNS appliance will come pre-configured and setup with the correct CIMC/BIOS settings. The only thing you would need to do is install ISE. It may already be pre-installed on the server. You should not have to make any changes to anything in the CIMC as far as firmware.
HTH,
Wes
08-15-2016 09:35 AM
Hi, and thank you for your answer.
The logon screen says: Version: 2.0(9c)
Maybe I don't have to make changes now, but there WILL come a time to upgrade.
And then I need this resolved. And now is as good a time as any.
08-15-2016 09:47 AM
That version is one of the latest releases. I understand that you want to be able to change the firmware, but I do not believe that the SNS appliance is upgraded and downgraded the same as a typical UCS C series server. The SNS will only run ISE and the upgrades and downgrades would be done to the appliance software vs the firmware on the actual server hardware.
You are getting the error message you are getting because the SNS appliance probably has some security setting in place to not allow you to change the firmware with the standard ISO, to avoid situations like this. Are you attempting to use the C-Series HUU ISO? Are you making sure you are using the correct ISO for the platform? (C220 vs C240)?
-Wes
08-15-2016 10:14 AM
I found an option in CIMC now, under Server -> BIOS.
There is an option called "UEFI Secure boot" that can be ticked off.
But when I try to save, I get this error: Error: In ISE mode BIOS secure boot can not be disabled.
Does that mean that no hardware firmware can be upgraded once ISE is installed? If so, that is just plain ridiculous.
I'm pretty sure I got the correct C-Series HUU ISO.
Current BIOS version says C220M4.2.0.9a.0.120120151839, and I have tried the following ISOs: ucs-c220m4-huu-2.0.9l.iso and ucs-c220m4-huu-2.0.10e.iso
Thanks
- Øystein
08-15-2016 12:37 PM
I believe the ISE appliances, while built on C220M4 chassis, may have a specialized firmware.
Also, once the secure boot is enabled, it cannot be disabled (by design).
I'll reach out to the ISE team and see if there are specific 'HUUs' that are meant for the ISE appliances.
Thanks,
Kirk...
08-18-2016 11:44 AM
Hello.
Did you reach out to the ISE team?
I'm eager to upgrade this appliance before putting it into production.
Thanks.
- Øystein
08-21-2016 06:19 AM
Greetings.
I did reach out, although I do not have an answer yet.
I filed an internal documentation bug/enhancement requesting the appliance hardware guides address the hardware firmware process.
I will update when I get an answer on the secureboot/HUU question.
Thanks,
Kirk...
06-12-2017 05:08 AM
There is mention of this in the "Cisco SNS 3500 Series Appliance Hardware Installation Guide" (https://www.cisco.com/c/en/us/td/docs/security/ise/sns3500hig/b_ise_SNS3500HIG/b_ise_SNS3500HardwareInstallationGuide22_chapter_010.html).
Of the HUU procedure, it says:
This procedure is applicable only if you are currently on an SNS-3500 series appliance that does not support the Secure Boot feature (Cisco SNS-3515-ACS-K9 and Cisco SNS-3595-ACS-K9).
If my understanding of that is correct, you only need to attempt HUU if you have one of those -ACS-K9 products, not the -ISE-K9 models.
11-14-2017 07:18 AM
Any news here yet?
I have 3x SNS-3495-K9, bought years ago, where I can and must update the firmware in order to use the latest release of Cisco ISE Software. Also on the SNS-3595-K9, bought May 2017.
Then I have 2 brand new SNS-3595-K9, bought Nov 2017, where I can not update the firmware because of the secure boot option.
When will there be an update for the latest firmware release of the C220M4 Server running an ISE?
08-03-2018 07:09 AM
Ciao,
Is the situation the same?
I tried to upgrade a SNS-3515 (UCS C220M4) using ucs-c220m4-huu-3.0.4i.iso and the problem is the same: Invalid signature detected during the boot with ISO mapped.
Thanks
08-06-2018 06:38 AM
Hi ipagliani,
Have you been able to solve this problem? We face the same too right now. What Cisco ISE version do you have installed on the SNS 3515?
Thanks and best regards
Dominic
08-06-2018 07:39 AM
Ciao Dominic,
the SNS-3515 shipped with 3.0(3s2) installed.
Thanks
01-17-2021 07:46 AM
Dear, how did you solve it?
Can I WhatsApp me 009613011564
Regards