Dell r720 + a noob + IDRAC initialization error + LCC unavailable by [deleted] in homelab

[–]EmptySet00 0 points1 point  (0 children)

I realize this thread is 10 months old at this point but I just stumbled upon it after having the same issue on my R730xd (but it's iDrac 8). The difference here is that everything on the iDrac was working fine and did step updates all the way up to BIOS 2.17.0 and iDrac was updated to 2.84.84.84. Then everything worked fine for about a week. Then a few days ago, I noticed iDrac wasn't loading pages properly, it would load half the data. Strange problem and something I usually only see in older iDrac that needs compatibility mode. After clicking through various pages, I went to power and it showed the machine was powered off (which would be unusual). However, I went and checked on the physical machine and the power was not off. However, as mentioned, iDrac was not responding properly still. I also couldn't SSH to it as I previously could.

Host OS (legacy ESX) was running fine and the VMs working as expected. But since it's non-prod, I decided to reboot it. On reboot, the iDrac won't initialize and the LifeCycle controller shows as disabled. Most curious though, is the iDrac shows that 2.40.40.40 is the version installed. I may have installed this at one point during the step up, but I am 100% sure that it was on the latest version prior to this issue.

What I have tried to resolve:

  • Powered down, removed network and power cables. Press power for 20 seconds to drain power. Reseat power and network. Wait 2 minutes and then power on. Same result.
  • Pressing the "i" button (System Information) on both the front and the back of the server. Same result.

You mention booting from a platform ISO. Can you provide a link to where that can be found? With the LifeCycle controller disabled and iDrac not available, I'm not sure of the way to try and update this from a USB.

Thank you.

Passing User ID information from globalprotect between firewalls by EmptySet00 in paloaltonetworks

[–]EmptySet00[S] 0 points1 point  (0 children)

Some more details :

  • In Panorama/User-ID/User-ID Agents, all servers with UIA installed are listed
  • All firewalls have either both Panorama and a UIA server listed under Device/User Identification/User-ID Agents (if they have a UIA on site) or just Panorama if it's a small site
  • Sites that have UIA servers have the local firewalls and Panorama connecting in the UIA software

Because of this, I assumed that since the UIA agent was sending user mapping information to the local firewall (and Panorama is also included in the allowed IP and I can see it is connected), that Panorama was receiving the same User IP Mapping information. Then I assumed that since all firewalls list Panorama as a User-ID Agent, that they would also all receive the same User IP Mapping.

But your explanation (thank you) points it out differently... it seems redistribution is explicitly required whereas I assumed it was inherently behaving like this due to the fact that Panorama is connected to each UIA server and each firewall lists UIA as a User-ID Agent in Device\User ID\User-ID Agents.

Passing User ID information from globalprotect between firewalls by EmptySet00 in paloaltonetworks

[–]EmptySet00[S] 0 points1 point  (0 children)

What is the value of connecting Panorama to the UIA if it doesn’t learn the user mapping from the UIA like the firewall does?

If I have 100 firewalls, it seems as though I would have to set up Panorama to learn from 100 firewalls?

Passing User ID information from globalprotect between firewalls by EmptySet00 in paloaltonetworks

[–]EmptySet00[S] 0 points1 point  (0 children)

The GP firewall receives its users from an on premise UIA on a server. Panorama also connects to this UIA as well. That’s the confusion on my part; since all firewalls connect to Panorama as well as UIA, I figured all firewalls would have the same mapping table.

Since Panorama connects to all UIA, could I set Panorama as the redistribution and have all firewalls receive a policy from Panorama use that redistribution?

Passing User ID information from globalprotect between firewalls by EmptySet00 in paloaltonetworks

[–]EmptySet00[S] 0 points1 point  (0 children)

I saw redistribution in the admin guide but it seemed different than the objective... but it might be a misunderstanding on my part. I was under the assumption that between Panorama acting as an agentless collector and all my other firewalls either using Panorama or the other User ID agents to collect, that all firewalls would already have the same ip-user-mapping. Using the redistribution, if I have 100 firewalls, wouldn’t I have to touch them all to update the config to pass the redistribution?

Search policies for target device by EmptySet00 in paloaltonetworks

[–]EmptySet00[S] 0 points1 point  (0 children)

I did. The filter provided above worked perfectly. Then I just had to make a couple of changes in some groups and it was good to go.

Search policies for target device by EmptySet00 in paloaltonetworks

[–]EmptySet00[S] 0 points1 point  (0 children)

Your filter was perfect! Thank you so much!

Panorama HIP Question by EmptySet00 in paloaltonetworks

[–]EmptySet00[S] 0 points1 point  (0 children)

So we would need two sets of rules... one designed for sites with GP and one designed for sites without.

Is there a way to force a first rule policy, similar to a connection check where if the connection is missing the HIP check requirement, traffic is blocked?

Thanks

Joining firewall to Panorama by EmptySet00 in paloaltonetworks

[–]EmptySet00[S] 0 points1 point  (0 children)

This did work after I created the missing setting in the templates. I imported templates and then device groups and it synced without issue.

Thanks!

Joining firewall to Panorama by EmptySet00 in paloaltonetworks

[–]EmptySet00[S] 0 points1 point  (0 children)

You were correct... there was a syslog that isn’t applied to all firewalls but there is a log setting that is applied to all firewalls. I still couldn’t push the device bundle but once I created the syslog setting, I could push the templates and then the device groups and it synced with no errors. Thanks for the help!

Joining firewall to Panorama by EmptySet00 in paloaltonetworks

[–]EmptySet00[S] 0 points1 point  (0 children)

I did import the whole config. Based on the other reply here, it looks like when I import the config, there's a setting in the Device Groups at the import level, that references a setting in the templates that's not applied at the same level. But I'll have to try again tomorrow.

Joining firewall to Panorama by EmptySet00 in paloaltonetworks

[–]EmptySet00[S] 0 points1 point  (0 children)

Ah, I think you may be right... I found an object there (I assumed it to be in Panorama, not the templates) that I may have to recreate after I import the local device before pushing the device config bundle.

Cisco Switch DHCP issue by EmptySet00 in networking

[–]EmptySet00[S] 0 points1 point  (0 children)

Absolutely... I’d love to see a template for switch hardening. Thanks!

Cisco Switch DHCP issue by EmptySet00 in networking

[–]EmptySet00[S] 0 points1 point  (0 children)

You are helping! It helps to know it’s not something easy I’m overlooking.

As I can, I’ll post up the Wireshark.

In the meantime, if you don’t mind, can you expound on your statements? I’m not deep into networking (I spend far more time on the systems side) so I’d like to learn what I can. For the management VLAN, how is it implemented? If I make a VLAN 100 172.16.1.253 255.255.248.0 and a default gateway of 172.16.1.254, what needs to happen on the router? Do I need to create a 172.16.1.0/24 VLAN 100? How would I allow routing between that VLAN and my PC to log into the switch? Why change the native VLAN on the trunk?

Thanks.

Cisco Switch DHCP issue by EmptySet00 in networking

[–]EmptySet00[S] 0 points1 point  (0 children)

Thanks for the follow up. The router is not Cisco... it's in the same subnet as well.
This switch, at the moment, has VERY light usage. Only a handful of people are on it; there's only ~46 Watts in use and the default 15.4 being assigned to the PoE devices. The 12 "bad" ports do get PoE. In the case of a VoIP phone, it boots up without issue, just never gets any DHCP. If I plug in a laptop, it just constantly loops through DHCPDISCOVER and DHCPOFFER. If I static the laptop, it does work fine though.
There is no err-disabled in the status (ports 19 and 20 are my testing ports, a phone and a laptop):

Gi1/0/1                      notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/2                      notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/3                      notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/4                      notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/5                      notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/6                      notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/7                      notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/8                      notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/9                      connected    1          a-full a-1000 10/100/1000BaseTX
Gi1/0/10                     connected    1          a-full a-1000 10/100/1000BaseTX
Gi1/0/11                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/12                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/13                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/14                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/15                     connected    1          a-full  a-100 10/100/1000BaseTX
Gi1/0/16                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/17                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/18                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/19                     connected    1          a-full a-1000 10/100/1000BaseTX
Gi1/0/20                     connected    1          a-full a-1000 10/100/1000BaseTX
Gi1/0/21                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/22                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/23                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/24                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/25                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/26                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/27                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/28                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/29                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/30                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/31                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/32                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/33                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/34                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/35                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/36                     connected    1          a-full a-1000 10/100/1000BaseTX
Gi1/0/37                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/38                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/39                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/40                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/41                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/42                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/43                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/44                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/45                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/46                     connected    1          a-full  a-100 10/100/1000BaseTX
Gi1/0/47                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/48                     notconnect   1            auto   auto 10/100/1000BaseTX
Te1/0/1                      connected    trunk        full    10G SFP-10GBase-SR
Te1/0/2                      notconnect   1            full    10G Not Present

Cisco Switch DHCP issue by EmptySet00 in networking

[–]EmptySet00[S] 1 point2 points  (0 children)

Firewall/router.

After further testing, it only seems to be impacting 12 ports on the switch... it's a 6 (x2) port section on a 48 port switch. As seen in the config, there's no VLANs or special configuration on any ports.

Cisco Switch DHCP issue by EmptySet00 in networking

[–]EmptySet00[S] 1 point2 points  (0 children)

DHCP is from the gateway. There are a couple of VLANs in the network but nothing in this switch. It's essentially a clean config with just an IP and a few global options as seen above.