Server Products
Data Center Products including boards, integrated systems, Intel® Xeon® Processors, RAID Storage, and Intel® Xeon® Processors
4833 Discussions

Changing KCS policy to "restricted" locked me out of IPMI - S1200SPLR

Spatz
Beginner
1,197 Views

I set the KCS policy to "deny all" on my S1200SPLR IPMI. But now I can't access the IPMI via my browser anymore, and I can't find a different way to change the setting or reset the IPMI to factory defaults.

I tried using the BIOS-RESET jumper, I tried to use ipmitool remote on a different system and on the OS installed in the system. I tried "ipmitool raw 0x30 0xB4 0x03"  to change the policy and "ipmitool raw 0x3c 0x4a" for a full factory reset of the BMC, but neither worked locally or remotely, and even downgrading the BMC version from 1.19 to 1.16 did not help.

Haw can I regain control over my system again?

0 Kudos
3 Replies
Victor_G_Intel
Employee
1,144 Views

Hello Spatz,


Thank you for posting on the Intel® communities.


When you mentioned that you tried to set the KCS policy control back to allow all with the IPMI command raw 0x30 0xB4 0x03, does it mean that you followed this command and it didn’t work?


Regards,


Victor G.

Intel Technical Support Technician  


0 Kudos
Spatz
Beginner
1,129 Views

When I used ipmitool on a different system to run the command from the article you posted, I get an "request data length invalid" error. I can use ipmitool to check the power status,  so there is a connection.

In the meantime I also managed to completely lock myself out of the BMC, without an IP assigned to the BMC, and the installed Debian could not detect the BMC. I think it was because I set the BIOS back to default 

But I got the system up and running again, and for future reference, here's how:

1. You need the service manual at hand, physical access to the system and a USB drive with the latest BMC version (v1.19) and v1.14 on it. You can get both files from Intel. You can copy both version folders in different folders onto the USB drive and access them from the EFI shell.

!!! CHECK THE MAINBOARD MANUAL FOR EXACT EXPLANATIONS OF EACH STEP - HAZARDS TO YOU AND YOUR PC LIE AHEAD!!!

2. Set the BMC_FRC_UPDT jumper.

3.  Downgrade the BMC (only the BMC) to v1.14

4. Return the BMC_FRC_UPDT jumper to its original position.

5.  Go into the BIOS and change the necessary BIOS settings (IPMI detect, ethernet connections, BMC users, etc.)

6. Log into the BMC Web GUI.

7. Reset the BMC to factory settings in the GUI.

8. Check the BIOS, again, just in case something was reset there.

9. Flash BMC v1.19 (only the BMC). This changes the KCS policy to "deny all" again, but you can at least

10. Log into the BMC Web GUI.

11. Set the ports for HTTP (80) and HTTPS (443)

12. Access the BMC Web GUI via https.

13. You can now change the KCS policy back to "allow all" again.

14. Never touch the KCS policy again! (at least if you, like me, are just winging it)

Maybe, if you have changed the KCS policy but the BMC still has an IP address, you can try connecting via HTTPS. Maybe that was the initial error (I only tried HTTP), before I dug my hole deeper.

0 Kudos
Victor_G_Intel
Employee
1,125 Views

Hello Spatz,


Thank you for posting on the Intel® communities.


We are glad to know that you've found a solution. Since the thread is now solved, we will proceed to close it.


If you need any additional information, please submit a new question as this thread will no longer be monitored.


Best regards,


Victor G. 

Intel Technical Support Technician


0 Kudos
Reply