dal Participant

UCS upgrade fails - Invalid signature detected.

Hi.

We have just bought ourselves a Secure Network Server 3595, and I wanted to upgrade BIOS, KVM etc. before putting it into production.

But when I try to boot the server via Virtual Media, I get this error:

Invalid signature detected. Check Secure Boot Policy in Setup

I tried 2 different ISO files, same error on both of them.

What am I doing wrong? :)

Thank you.

Accepted Solutions

Cisco Employee

If Secureboot was enabled (or shipped that way), then there will be a special ISE HUU required.

There should be some ISE appliance documentation updates on the way that covers that scenario.

I'll post additional info when available.

Thanks,

Kirk..

16 REPLIES

Cisco Employee

Hello,

What version of CIMC did the box ship with?

Typically the SNS appliance will come pre-configured and setup with the correct CIMC/BIOS settings. The only thing you would need to do is install ISE. It may already be pre-installed on the server. You should not have to make any changes to anything in the CIMC as far as firmware.

HTH,

Wes

dal Participant

Hi, and thank you for your answer.

The logon screen says: Version: 2.0(9c)

Maybe I don't have to make changes now, but there WILL come a time to upgrade.

And then I need this resolved. And now is as good a time as any.

Cisco Employee

That version is one of the latest releases. I understand that you want to be able to change the firmware, but I do not believe that the SNS appliance is upgraded and downgraded the same as a typical UCS C series server. The SNS will only run ISE and the upgrades and downgrades would be done to the appliance software vs the firmware on the actual server hardware.

You are getting the error message you are getting because the SNS appliance probably has some security setting in place to not allow you to change the firmware with the standard ISO, to avoid situations like this. Are you attempting to use the C-Series HUU ISO? Are you making sure you are using the correct ISO for the platform? (C220 vs C240)?

-Wes

dal Participant

I found an option in CIMC now, under Server -> BIOS.
There is an option called "UEFI Secure boot" that can be ticked off.
But when I try to save, I get this error: Error: In ISE mode BIOS secure boot can not be disabled.

Does that mean that no hardware firmware can be upgraded once ISE is installed? If so, that is just plain ridiculous.

I'm pretty sure I got the correct C-Series HUU ISO.
Current BIOS version says C220M4.2.0.9a.0.120120151839, and I have tried the following ISOs: ucs-c220m4-huu-2.0.9l.iso and ucs-c220m4-huu-2.0.10e.iso

Thanks

- Øystein

Cisco Employee

I believe the ISE appliances, while built on C220M4 chassis, may have a specialized firmware.

Also, once the secure boot is enabled, it cannot be disabled (by design).

I'll reach out to the ISE team and see if there are specific 'HUUs' that are meant for the ISE appliances.

Thanks,

Kirk...

dal Participant

Hello.

Did you reach out to the ISE team?

I'm eager to upgrade this appliance before putting it into production.

Thanks.

- Øystein

Cisco Employee

Greetings.

I did reach out, although I do not have an answer yet.

I filed an internal documentation bug/enhancement requesting the appliance hardware guides address the hardware firmware process.

I will update when I get an answer on the secureboot/HUU question.

Thanks,

Kirk...

Enthusiast

There is mention of this in the "Cisco SNS 3500 Series Appliance Hardware Installation Guide" (https://www.cisco.com/c/en/us/td/docs/security/ise/sns3500hig/b_ise_SNS3500HIG/b_ise_SNS3500HardwareInstallationGuide22_chapter_010.html).

Of the HUU procedure, it says:

This procedure is applicable only if you are currently on an SNS-3500 series appliance that does not support the Secure Boot feature (Cisco SNS-3515-ACS-K9 and Cisco SNS-3595-ACS-K9).

If my understanding of that is correct, you only need to attempt HUU if you have one of those -ACS-K9 products, not the -ISE-K9 models.

Beginner

Re: If Secureboot was enabled (or

Any news here yet?

I have 3x SNS-3495-K9, bought years ago, where I can and must update the firmware in order to use the latest release of Cisco ISE Software. Also on the SNS-3595-K9, bought May 2017.
Then I have 2 brand new SNS-3595-K9, bought Nov 2017, where I can not update the firmware because of the secure boot option.
When will there be an update for the latest firmware release of the C220M4 Server running an ISE?

Beginner

Re: If Secureboot was enabled (or

Ciao,

Is the situation the same?

I tried to upgrade an SNS-3515 (UCS C220M4) using ucs-c220m4-huu-3.0.4i.iso and the problem is the same: Invalid signature detected during the boot with ISO mapped.

Thanks

Enthusiast

Re: If Secureboot was enabled (or

Hi ipagliani,

Have you been able to solve this problem? We face the same too right now. What Cisco ISE version do you have installed on the SNS 3515?

Thanks and best regards

Dominic

Beginner

Re: If Secureboot was enabled (or

Ciao Dominic,

the SNS-3515 shipped with 3.0(3s2) installed.

Thanks

Beginner

Re: UCS upgrade fails - Invalid signature detected.

You can get around this issue by extracting the CIMC and BIOS firmware files from the HUU ISO, then update the firmware and BIOS using the CIMC interface and upload the files via the browser client.

To extract the firmware you use the getfw binary that is stored in the /GETFW directory of the ISO. In that same directory there is a readme that explains the procedure to extract the firmware files.

I have successfully performed these steps using ucs-c220m4-huu-3.0.4a.iso
