Kureli Sankar
Cisco Employee

 

Problem 1: Module keeps reloading at random times

A newly installed module keeps reloading at random times. Syslogs on the ISR show the following:

*Jun 12 13:14:38.740 IST: %IOMD-3-MODULE_MESSAGE:iomd: UCS-E140DP-M1/K9[1/0] NGIO control packet loss detected: Router notinitiating module recovery. Control plane an
*Jun 12 13:14:38.753 IST: %LINK-3-UPDOWN: Interface BDI10, changed state to down
*Jun 12 13:14:38.753 IST: %LINK-3-UPDOWN: Interface BDI20, changed state to down
*Jun 12 13:14:39.754 IST: %LINEPROTO-5-UPDOWN: Line protocol on Interface BDI10, changed state to down
*Jun 12 13:14:39.754 IST: %LINEPROTO-5-UPDOWN: Line protocol on Interface BDI20, changed state to down
*Jun 12 13:14:40.740 IST: %LINK-5-CHANGED: Interface ucse1/0/0, changed state to administratively down
*Jun 12 13:14:40.742 IST: %LINK-5-CHANGED: Interface ucse1/0/1, changed state to administratively down
*Jun 12 13:14:41.741 IST: %LINEPROTO-5-UPDOWN: Line protocol on Interface ucse1/0/0, changed state to down
*Jun 12 13:14:41.741 IST: %LINEPROTO-5-UPDOWN: Line protocol on Interface ucse1/0/1, changed state to down
*Jun 12 13:14:43.744 IST: %SPA_OIR-3-RECOVERY_RELOAD: subslot 1/0: Attempting recovery by reloading SPA
*Jun 12 13:14:43.744 IST: %SPA_OIR-6-OFFLINECARD: SPA (UCS-E140DP-M1/K9) offline in subslot 1/0
*Jun 12 13:14:51.991 IST: %SPA_OIR-6-ONLINECARD: SPA (UCS-E140DP-M1/K9) online in subslot 1/0
IMC ACK: Access ports received: GE0
IMC ACK: UCSE access port operation successful.
IMC ACK: IMC ip address: 172.16.1.70, mask: 255.255.255.0, gw: 172.16.1.40
*Jun 12 13:14:53.942 IST: %LINK-3-UPDOWN: Interface ucse1/0/0, changed state to up
*Jun 12 13:14:53.942 IST: %LINK-3-UPDOWN: Interface ucse1/0/1, changed state to up
*Jun 12 13:14:53.952 IST: %LINK-3-UPDOWN: Interface BDI10, changed state to up
*Jun 12 13:14:53.954 IST: %LINK-3-UPDOWN: Interface BDI20, changed state to up
*Jun 12 13:14:54.942 IST: %LINEPROTO-5-UPDOWN: Line protocol on Interface ucse1/0/0, changed state to up
*Jun 12 13:14:54.942 IST: %LINEPROTO-5-UPDOWN: Line protocol on Interface ucse1/0/1, changed state to up
*Jun 12 13:14:54.953 IST: %LINEPROTO-5-UPDOWN: Line protocol on Interface BDI10, changed state to up
*Jun 12 13:14:54.953 IST: %LINEPROTO-5-UPDOWN: Line protocol on Interface BDI20, changed state to up

Solution:

If the ISR is running XE 3.14 or above, please use CIMC 2.2.1. This may be due to an internal defect, CSCun65995, where IOS XE may report NGIO control packet loss.

CIMC 2.2.1 or above has the “fix” to this problem.

CIMC 2.x release notes can be found here: http://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/e/2-0/release/notes/2_0_release_notes.html#pgfId-59658
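
The reload pattern in the syslog excerpt above can be picked out of a larger ISR log automatically. The following is an added example (not part of the original article and not Cisco code): it pairs the OFFLINECARD and ONLINECARD messages per subslot and reports the reloads that were preceded by NGIO control packet loss. The function names and the placeholder year are assumptions.

```python
import re
from datetime import datetime

# Sample input taken from the log excerpt above (first line shortened).
SAMPLE = """\
*Jun 12 13:14:38.740 IST: %IOMD-3-MODULE_MESSAGE:iomd: UCS-E140DP-M1/K9[1/0] NGIO control packet loss detected
*Jun 12 13:14:43.744 IST: %SPA_OIR-3-RECOVERY_RELOAD: subslot 1/0: Attempting recovery by reloading SPA
*Jun 12 13:14:43.744 IST: %SPA_OIR-6-OFFLINECARD: SPA (UCS-E140DP-M1/K9) offline in subslot 1/0
*Jun 12 13:14:51.991 IST: %SPA_OIR-6-ONLINECARD: SPA (UCS-E140DP-M1/K9) online in subslot 1/0
IMC ACK: UCSE access port operation successful.
*Jun 12 13:14:53.942 IST: %LINK-3-UPDOWN: Interface ucse1/0/0, changed state to up
"""

# "*Mon DD HH:MM:SS.mmm TZ: %FACILITY-SEV-MNEMONIC: text"
LINE = re.compile(r"^\*?(\w{3} +\d+ [\d:.]+) \w+: %([A-Z0-9_]+-\d-[A-Z0-9_]+):\s*(.*)$")
SUBSLOT = re.compile(r"\[(\d+/\d+)\]|subslot (\d+/\d+)")

def reload_cycles(text):
    """Return one record per completed SPA recovery reload, per subslot."""
    pending, done = {}, []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # console lines such as "IMC ACK:" carry no syslog header
        stamp, mnemonic, msg = m.groups()
        # The timestamps carry no year; 2000 is a placeholder so strptime is unambiguous.
        ts = datetime.strptime("2000 " + stamp, "%Y %b %d %H:%M:%S.%f")
        s = SUBSLOT.search(msg)
        if not s:
            continue  # interface up/down messages are not tied to a subslot
        slot = s.group(1) or s.group(2)
        rec = pending.setdefault(slot, {"subslot": slot, "ngio_loss": False})
        if mnemonic == "IOMD-3-MODULE_MESSAGE" and "NGIO control packet loss" in msg:
            rec["ngio_loss"] = True
        elif mnemonic == "SPA_OIR-6-OFFLINECARD":
            rec["offline"] = ts
        elif mnemonic == "SPA_OIR-6-ONLINECARD" and "offline" in rec:
            rec["outage_s"] = (ts - rec.pop("offline")).total_seconds()
            done.append(pending.pop(slot))
    return done

def ngio_reloads(text):
    """Reloads preceded by NGIO control packet loss (the pattern in Problem 1)."""
    return [(c["subslot"], c["outage_s"]) for c in reload_cycles(text) if c["ngio_loss"]]

if __name__ == "__main__":
    for slot, secs in ngio_reloads(SAMPLE):
        print(f"subslot {slot}: reload after NGIO loss, module offline {secs:.3f}s")
```

A reload that shows up in reload_cycles() but not in ngio_reloads() was not preceded by the NGIO message and does not match the pattern described in this problem.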

Problem 2: Unable to launch CIMC KVM console

Unable to launch the CIMC KVM console on a Mac using any browser (Firefox or Chrome).

To re-register JNLP files with Java Web Start.app, follow this Apple link: http://support.apple.com/kb/ts2828

The .jnlp file name shows up as "viewer.jnlp(64.102.85.220@0@1402793051007)", when it should actually be "viewer(64.102.85.220@0@1402793051007).jnlp".

Once you save the file with the correct name, show it in Finder. Right-click the file, choose Open With, and choose Java Web Start.app as shown below.

[Image: java-web-start]

OR

Solution:

To permanently associate Java Web Start.app for .jnlp files do the following.

In the above picture, click "other", browse to /System/Library/CoreServices, choose Java Web Start.app, and make sure to click "Always Open With".

[Image: associating-java-webstart]

Problem 3: Application Blocked by Security Settings

If you get the "Application Blocked by Security Settings" message, one option is to reduce the security level on the browser, which is really not recommended.

[Image: app-blocked-sec]

Solution:

Refer to this Java link for Mac: https://www.java.com/en/download/help/mac_controlpanel.xml

Instead of reducing the security, I added the site to the exception list as you can see below.

On the Mac, click on System Preferences and find the Java icon.

[Image: java-security-1]

Problem 4: CIMC stuck in recovery-shell prompt

CIMC stuck in recovery-shell prompt

CISCO-IMC login: admin
Password:
login[998]: root login on 'ttyS0'
recovery-shell# scope cimc
ERROR: unrecognized command "scope"

Note: this command line parser is very primitive and won't parse the
arrow key, backspace, etc. Please type the exact command.
Commands:
dedicated-interface <ip> <netmask> <gatewayip>
dedicated-interface
sd-card [show | partition | format [p3 | p4]]
fs-check [p3 | p4]
ping <remote-ip>
update <remote-tftp-server-ip> <cimc-image-on-tftp-server>
reboot
exit
recovery-shell#

Solution:

Please refer to this link to recover from a corrupted file system or faulty SD card:
http://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/e/2-0/gs/guide/b_2_0_Getting_Started_Guide/b_2_0_Getting_Started_Guide_chapter_01011.html#task_185DECBCD06F46AE98C5FF2D9159B315

Problem 5: Unable to load KVM console; Certificate has been revoked.

Unable to load KVM console; Certificate has been revoked.

[Image: cert-revoked]

Solution:

This could be due to CSCui25708 which is a duplicate of CSCui27976 and CSCui25708 and has been fixed in CIMC version 2.2, which is posted on cisco.com. Upgrading CIMC will resolve this issue.

Problem 6: Unable to register Firepower sensor

FireSIGHT VM says active peer already exists when trying to add the sensor VM.

Sourcefire VM says pending registration.

 

I just tried to register the device on the DC and I got this 12029 error.

[Image: unable_to_register_sensor]

Solution:

Change the sensor VM's IP address and add it again to the FireSIGHT manager.

Problem 7: No data in the Firepower Management Center (this is for IDS)

Step 1:

Do you have all the licenses that you need?

Sec and appxk9 in the case of ISR 4K, and the Seck9 license in the case of ISR G2.

ISR#show license feature

If you need to enable a license, use the following commands:

ISR-4451(config)#license boot level appxk9
ISR-4451(config)#license boot level securityk9

and make sure to “write mem” and reload afterwards so it takes effect.

Step 2:

1. Does the following output show that packets are being replicated?

sh platform hardware qfp active feature utd stat

Make sure there is no "inspector down" or "no Packet divert interface" message.

2. Make sure the UCSE interfaces are up and are sending packets up to the SF VM.

Make sure the status of the backplane shows "not in service".

ISR4K#sh platform
Chassis type: ISR4451-X/K9

Slot      Type                State                 Insert time (ago)
--------- ------------------- --------------------- -----------------
0         ISR4451-X/K9        ok                    01:01:00
 0/0      ISR4451-X-4x1GE     ok                    01:00:17
1         ISR4451-X/K9        ok                    01:01:00
 1/0      UCS-E140S-M2/K9     ok                    01:00:17
2         ISR4451-X/K9        ok                    01:01:00
R0        ISR4451-X/K9        ok, active            01:01:00
F0        ISR4451-X/K9        ok, active            01:01:00
P0        PWR-4450-AC         ok                    never
P1        Unknown             ps, fail              never
P2        ACS-4450-FANASSY    ok                    never

Slot      CPLD Version        Firmware Version
--------- ------------------- ---------------------------------------
0         13061029            15.3(3r)S1
1         13061029            15.3(3r)S1
2         13061029            15.3(3r)S1
R0        13061029            15.3(3r)S1
F0        13061029            15.3(3r)S1

3. Do you have all the licenses that you need?

Sec and appxk9 in the case of ISR 4K, and the Sec license in the case of ISR G2.

ISR#show license

If you need to enable a license, use the following command:

ISR(config)#license boot level appxk9

and make sure to reload afterwards so it takes effect.

4. In the case of ISR 4K, does the BDI interface show the proper status, and do the ucse interfaces show up/up? Check with "sh int ucse1/0/0".

show ip interface

show bridge-domain 10

Make sure you see the all-FF MAC address for flooding.

 

ISR4K#sh bridge-domain 10
Bridge-domain 10 (2 ports in all)
State: UP                    Mac learning: Enabled
Aging-Timer: 300 second(s)
    BDI10  (up)
    ucse1/0/0 service instance 10
   AED MAC address    Policy  Tag       Age  Pseudoport
   1   FFFF.FFFF.FFFF flood   static    0    OLIST_PTR:0x31137400
   -   B838.61A2.9B13 to_bdi  static    0    BDI10

If the output does not show the all-FF MAC address, remove the bdi 1 interface, create bdi 5 or bdi 10, and use that under the utd section for packet re-direction.
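
The bridge-domain checks in item 4 can be scripted against captured "sh bridge-domain" output. The following is an added example (not part of the original article and not Cisco code): it verifies the bridge-domain state, the BDI status, the ucse service instance, and the FFFF.FFFF.FFFF flood entry. The function name, the column spacing of the sample, and the failing sample are assumptions.

```python
import re

# Output of "sh bridge-domain 10" as shown on this page (healthy case).
HEALTHY = """\
Bridge-domain 10 (2 ports in all)
State: UP                    Mac learning: Enabled
Aging-Timer: 300 second(s)
    BDI10  (up)
    ucse1/0/0 service instance 10
   AED MAC address    Policy  Tag       Age  Pseudoport
   1   FFFF.FFFF.FFFF flood   static    0    OLIST_PTR:0x31137400
   -   B838.61A2.9B13 to_bdi  static    0    BDI10
"""
# Constructed failing case: same output with the flood row removed and the BDI down.
BROKEN = "\n".join(
    l.replace("(up)", "(down)") for l in HEALTHY.splitlines() if "flood" not in l
)

# One row of the MAC table: AED, MAC address, Policy, Tag, Age, Pseudoport.
MAC_ROW = re.compile(
    r"^\s*\S+\s+((?:[0-9A-F]{4}\.){2}[0-9A-F]{4})\s+(\S+)\s+\S+\s+\d+\s+(\S+)\s*$", re.I
)

def check_bridge_domain(output):
    """Return a list of problems; an empty list means all checks pass."""
    problems = []
    if not re.search(r"^State:[ \t]*UP\b", output, re.M):
        problems.append("bridge-domain state is not UP")
    bdi = re.search(r"^[ \t]*(BDI\d+)[ \t]+\((\w+)\)", output, re.M)
    if not bdi:
        problems.append("no BDI interface in the bridge-domain")
    elif bdi.group(2).lower() != "up":
        problems.append(f"{bdi.group(1)} is {bdi.group(2)}")
    if not re.search(r"^[ \t]*ucse\d+/\d+/\d+ service instance \d+", output, re.M):
        problems.append("no ucse service instance in the bridge-domain")
    rows = [m.groups() for m in map(MAC_ROW.match, output.splitlines()) if m]
    if not any(mac.upper() == "FFFF.FFFF.FFFF" and policy == "flood"
               for mac, policy, _port in rows):
        problems.append("no FFFF.FFFF.FFFF flood entry")
    return problems

if __name__ == "__main__":
    for name, text in (("healthy", HEALTHY), ("broken", BROKEN)):
        print(name, check_bridge_domain(text) or "OK")
```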

 

Problem 8: No data in the Firepower Management Center (this is for IPS mode)

Step 1:

Do you have all the licenses that you need? If you are using BDI interfaces, you will need the AppX license on the ISR 4K.

Sec-k9 and appx in the case of ISR 4K, and just the Sec-k9 license in the case of ISR G2.

ISR#show license feature

If you need to enable an eval license, use the following commands:

ISR-4451(config)#license boot level appxk9
ISR-4451(config)#license boot level securityk9

and make sure to “write mem” and reload afterwards so it takes effect.

Step 2:

Make sure you select Promiscuous mode for the sensing interfaces. If this is not set, you will see packets arriving from one side of the sensor to the other side.

Step 3:

Check to make sure there are no critical NTP out-of-sync issues. The Firepower sensor sends events to the Firepower Management Center securely via TCP port 8305. For this to happen, both the sensor and FMC should be in sync.

 
