cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
21528
Views
10
Helpful
18
Replies

UCS upgrade fails - Invalid signature detected.

dal
Level 3
Level 3

Hi.

We have just bought ourselves a Secure Network Server 3595, and I wanted to upgrade BIOS, KVM etc before putting into production.

But when I try to boot the server via Virtual Media, I get this error:

Invalid signature detected. Check Secure Boot Policy in Setup

I tried 2 different ISO files, same error on both of them.

What am I doing wrong? :)

Thank you.

1 Accepted Solution

Accepted Solutions

Kirk J
Cisco Employee
Cisco Employee

If Secureboot was enabled (or shipped that way), then there will be a special ISE HUU required.

There should be some ISE appliance documentation updates on the way that covers that scenario.

I'll post additional info when available.

Thanks,

Kirk..

View solution in original post

18 Replies 18

Wes Austin
Cisco Employee
Cisco Employee

Hello,

What version of CIMC did the box ship with?

Typically the SNS appliance will come pre-configured and setup with the correct CIMC/BIOS settings. The only thing you would need to do is install ISE. It may already be pre-installed on the server. You should not have to make any changes to anything in the CIMC as far as firmware.

HTH,

Wes

Hi, and thank you for your answer.

The logon screen says: Version: 2.0(9c)

Maybe I don't have to make changes now, but there WILL come a time to upgrade.

And then I need this resolved. And now is a good time as any.

That version is one of the latest releases. I understand that you want to be able to change the firmware, but I do not believe that the SNS appliance is upgraded and downgraded the same as a typical UCS C series server. The SNS will only run ISE and the upgrades and downgrades would be done to the appliance software vs the firmware on the actual server hardware.

You are getting the error message you are getting because the SNS appliance probably has some security setting in place to not allow you to change the firmware with the standard ISO, to avoid situations like this. Are you attempting to use the C-Series HUU ISO? Are you making sure you are using the correct ISO for the platform? (C220 vs C240)?

-Wes

I found an option in CIMC now, under Server -> BIOS.
There is an option called "UEFI Secure boot" that can be ticked off.
But when I try to save, I get this error: Error: In ISE mode BIOS secure boot can not be disabled.

Does that mean that no hardware firmware can be upgraded once ISE is installed? If so, that is just plain ridiculous.

I'm pretty sure I got the correct C-Series HUU ISO.
Current BIOS verson says C220M4.2.0.9a.0.120120151839, and I have tried the following ISO's: ucs-c220m4-huu-2.0.9l.iso and ucs-c220m4-huu-2.0.10e.iso

Thanks

- Øystein

Kirk J
Cisco Employee
Cisco Employee

I believe the ISE appliances, while built on C220M4 chassis, may have a specialized firmware.

Also,once the secure boot is enabled, it cannot be disabled (by design).

I'll reach out to the ISE team and see if there are specific 'HUUs' that are meant for the ISE appliances.

Thanks,

Kirk...

Hello.

Did you reach out to the ISE team?

I'm eager to upgrade this appliance before putting it into production.

Thanks.

- Øystein

Kirk J
Cisco Employee
Cisco Employee

Greetings.

I did reach out, although do not have an answer yet.

I filed an internal documentation bug/enhancement requesting the appliance hardware guides address the hardware firmware process.

I will update when I get answer on the secureboot/HUU question.

Thanks,

Kirk...

There is mention of this in the "Cisco SNS 3500 Series Appliance Hardware Installation Guide" (https://www.cisco.com/c/en/us/td/docs/security/ise/sns3500hig/b_ise_SNS3500HIG/b_ise_SNS3500HardwareInstallationGuide22_chapter_010.html).

Of the HUU procedure, it says:

This procedure is applicable only if you are currently on an SNS-3500 series appliance that does not support the Secure Boot feature (Cisco SNS-3515-ACS-K9 and Cisco SNS-3595-ACS-K9).

If my understanding of that is correct, you only need to attempt HUU if you have one of those -ACS-K9 products, not the -ISE-K9 models.

Kirk J
Cisco Employee
Cisco Employee

If Secureboot was enabled (or shipped that way), then there will be a special ISE HUU required.

There should be some ISE appliance documentation updates on the way that covers that scenario.

I'll post additional info when available.

Thanks,

Kirk..

Any news here yet?

I have 3x SNS-3495-K9, bought years ago, where I can and must update the firmware in order to use the latest release of Cisco ISE Software. Also on the SNS-3595-K9, bought May 2017.
Then I have 2 brand new SNS-3595-K9, bought Nov 2017, where I can not update the firmware because of the secure boot option.
When there will be an update for the latest firmware relase of the C220M4 Server running an ISE?

Ciao,

is the situation the same?

I tried to upgrade a SNS-3515 (UCS C220M4)  using ucs-c220m4-huu-3.0.4i.iso and the problem is the same; Invalid signature detected during the boot with ISO mapped.

 

Thanks

Hi ipagliani

 

have you been able to solve this problem, we face the same too right now. What Cisco ISE version do you have installed on the SNS 3515?

 

Thanks and best regards

Dominic

Ciao Dominic,

the SNS-3515 shipped with 3.0(3s2) installed.

Thanks

Dear how you solve it 

Can I WhatsApp me 009613011564

Regards

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: