We have just bought ourselves a Secure Network Server 3595, and I wanted to upgrade BIOS, KVM etc. before putting it into production.
But when I try to boot the server via Virtual Media, I get this error:
Invalid signature detected. Check Secure Boot Policy in Setup
I tried 2 different ISO files, same error on both of them.
What am I doing wrong? :)
What version of CIMC did the box ship with?
Typically the SNS appliance will come pre-configured and setup with the correct CIMC/BIOS settings. The only thing you would need to do is install ISE. It may already be pre-installed on the server. You should not have to make any changes to anything in the CIMC as far as firmware.
Hi, and thank you for your answer.
The logon screen says: Version: 2.0(9c)
Maybe I don't have to make changes now, but there WILL come a time to upgrade.
And then I need this resolved. And now is as good a time as any.
That version is one of the latest releases. I understand that you want to be able to change the firmware, but I do not believe that the SNS appliance is upgraded and downgraded the same as a typical UCS C series server. The SNS will only run ISE and the upgrades and downgrades would be done to the appliance software vs the firmware on the actual server hardware.
You are getting the error message you are getting because the SNS appliance probably has some security setting in place to not allow you to change the firmware with the standard ISO, to avoid situations like this. Are you attempting to use the C-Series HUU ISO? Are you making sure you are using the correct ISO for the platform? (C220 vs C240)?
I found an option in CIMC now, under Server -> BIOS.
There is an option called "UEFI Secure boot" that can be ticked off.
But when I try to save, I get this error: Error: In ISE mode BIOS secure boot can not be disabled.
Does that mean that no hardware firmware can be upgraded once ISE is installed? If so, that is just plain ridiculous.
I'm pretty sure I got the correct C-Series HUU ISO.
Current BIOS version says C220M184.108.40.206a.0.120120151839, and I have tried the following ISOs: ucs-c220m4-huu-2.0.9l.iso and ucs-c220m4-huu-2.0.10e.iso
I believe the ISE appliances, while built on C220M4 chassis, may have a specialized firmware.
Also, once the secure boot is enabled, it cannot be disabled (by design).
I'll reach out to the ISE team and see if there are specific 'HUUs' that are meant for the ISE appliances.
I did reach out, although I do not have an answer yet.
I filed an internal documentation bug/enhancement requesting the appliance hardware guides address the hardware firmware process.
I will update when I get an answer on the secureboot/HUU question.
There is mention of this in the "Cisco SNS 3500 Series Appliance Hardware Installation Guide" (https://www.cisco.com/c/en/us/td/docs/security/ise/sns3500hig/b_ise_SNS3500HIG/b_ise_SNS3500HardwareInstallationGuide22_chapter_010.html).
Of the HUU procedure, it says:
This procedure is applicable only if you are currently on an SNS-3500 series appliance that does not support the Secure Boot feature (Cisco SNS-3515-ACS-K9 and Cisco SNS-3595-ACS-K9).
If my understanding of that is correct, you only need to attempt HUU if you have one of those -ACS-K9 products, not the -ISE-K9 models.
Any news here yet?
I have 3x SNS-3495-K9, bought years ago, where I can and must update the firmware in order to use the latest release of Cisco ISE Software. Also on the SNS-3595-K9, bought May 2017.
Then I have 2 brand new SNS-3595-K9, bought Nov 2017, where I can not update the firmware because of the secure boot option.
When will there be an update for the latest firmware release of the C220M4 Server running an ISE?
Is the situation the same?
I tried to upgrade a SNS-3515 (UCS C220M4) using ucs-c220m4-huu-3.0.4i.iso and the problem is the same: Invalid signature detected during the boot with ISO mapped.
Have you been able to solve this problem? We face the same too right now. What Cisco ISE version do you have installed on the SNS 3515?
Thanks and best regards
You can get around this issue by extracting the CIMC and BIOS firmware files from the HUU ISO, then update the firmware and BIOS using the CIMC interface and upload the files via the browser client.
To extract the firmware you use the getfw binary that is stored in the /GETFW directory of the ISO. In that same directory there is a readme that explains the procedure to extract the firmware files.
I have successfully performed these steps using ucs-c220m4-huu-3.0.4a.iso