So last night I made a huge mistake. After updating the latest firmware (that went fine), I happened upon the Firewall section, and noted that the setting was ipv4 only, and not ipv6. So I switched it to both, and hit save. Too late I realized that this actually activated the firewall, that it wasn’t already set, and with no allow rules I now cannot access it remotely. I can’t even ping it (I used to do Shared LAN but for this I figured it would be best to connect the 1G line to my switch directly, and it has an IP address, but I still can’t even ping it).
So I figured I had to access it locally to turn the firewall off. I tried hooking up a monitor to the VGA port (I do have a GPU as well). Initially I thought I couldn’t get anything to output to the monitor, but then when I went into the BIOS, it appeared on both my GPU and VGA monitors. If I then went into the OS, no output to the VGA monitor - UNLESS I disconnected the GPU video, then I would get my (Linux) desktop appear on the VGA monitor.
I would think that the BMC should have some local UI that I should be able to modify just by hooking up to the VGA, but it seems like the VGA port is preferring to output the non-BMC video. I am hoping there is some BIOS setting I can change that will change that? I don’t see a way to factory reset the BMC, so that’s the only hope I have, because otherwise I am afraid it may be bricked. But if there is such a BIOS setting, I haven’t found it yet.
I called Asus Support, was put on hold and then hung up on after 15 minutes. Any help would be GREATLY appreciated.
I had a similar problem where I changed the admin password and forgot it. What you can do is force a firmware upgrade using a bootable DOS environment (I think I used FreeDOS or some UEFI boot I found). Then you run the script in the firmware package download and specify the wipe method.
Thanks for the response. I already tried doing another firmware update (thankfully last night I did turn off all “preserving” of previous configs, so if I could flash it, it should disable the firewall). Used the “FWUpdate-Linux.sh” script packaged with the firmware. But, unfortunately, it requires specifying an IP to the BMC, which of course the firewall blocks. Using “-local” parameter doesn’t work, since it seems “local” in this context would mean already being ssh’d or whatever into the BMC. If I could get into the BMC, I’d be fine.
Is there really no way to get the VGA port to present me a local-to-the-BMC UI with which I could turn off the firewall? Is a remote browser GUI the only way to modify the BMC?
You can try the ipmitool command listed in this FAQ. It references a different BMC version from what we have (ASMB11-iKVM vs ASMB9-iKVM) but it might be worth a try.
(edit) Also, did you try connecting over the USB ethernet? The address is https://169.254.0.17/. You will need to configure the network interface manually if you haven’t already. Just pick any address on the same subnet, such as 169.254.0.1/24 netmask 255.255.255.0.
I had actually permanently disabled that USB ethernet device using blacklist.conf, because all it did was throw up constant “Network failed to connect” errors and I had to disable it trying to connect every time I booted. Thankfully I took good notes, reversed it, got access to it and changing it to 169.254.0.18 did in fact make the “-local” parameter of the firmware update script successful.
(And thank God it went quickly… just a few seconds after the update was done, the USB ethernet started throwing disconnected errors again. If someone else reads this and tries the same method, and your USB ethernet is flaky on connection, do the whole thing FAST.)
I had a similar issue, which in my case was caused by the USB network interface changing names every time the BMC restarted. I added a configuration /usr/lib/systemd/network/72-ipmi.link with the contents:
[Match]
OriginalName=usb0
[Link]
NamePolicy=keep
I vaguely remember the fix didn’t work right away, but eventually my system started naming the interface usb0 instead of naming it based on the (random) MAC address. So then my manual IP address configuration was finally able to stick.
Very cool, thanks, I’ll give it a try. Now, question. Aside from the extreme edge case I just applied - what’s the point of it, if I’m generally running wired? I didn’t even know it was a feature when I bought this system, and never had any idea what it was supposed to be for.
For the record, the way to disable it permanently is to edit /etc/modprobe.d/blacklist.conf and add (this is on Linux Mint/Ubuntu):
blacklist e1000e
blacklist cdc_ether
Till I find a use for it, I think I’ll leave it disabled, just to eliminate an attack vector.
Oddly, blacklisting those also seems to fix an annoying issue where the resolution on my wallpaper would randomly change. I know this was related to the OS recognizing the VGA port as a second display, which would screw with my primary display resolution. I actually thought doing blacklist ast was what fixed that (hah, oh man, I just realized, maybe disabling that was interfering with my being able to see a native BMC UI on the VGA port), but when I undid the above 2 just now, that issue came back on the next boot. Maybe it only happened again because I actually had the VGA port plugged in at the time.
EDIT: Argh, the secondary display being recognized by the OS and distorting my resolution is now fully back even after I disconnected everything and as far as I know reverted everything back to what it used to be. Even disabled the serial port in the BIOS. Sigh.
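Added example, not part of any post in this thread: a shell sketch that finds the BMC's USB virtual NIC by kernel driver instead of by interface name (the name is what kept changing above) and reports whether that host-to-BMC path is present, blacklisted, or absent. It assumes the virtual NIC binds to cdc_ether, as the blacklist entry above suggests; the SYSFS_NET and MODPROBE_DIR overrides and all function names are hypothetical, and the addresses are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: audit the host-to-BMC USB link discussed in this thread.
BMC_ADDR=169.254.0.17                  # BMC address quoted in the thread
HOST_ADDR=169.254.0.18/24              # host-side address the thread used
SYSFS_NET=${SYSFS_NET:-/sys/class/net}         # overridable (assumption, for testing)
MODPROBE_DIR=${MODPROBE_DIR:-/etc/modprobe.d}  # overridable (assumption, for testing)

# Print every interface bound to the given kernel driver. Matching on the
# driver survives the renames that follow a BMC restart.
ifaces_by_driver() {
    for dev in "$SYSFS_NET"/*; do
        [ -L "$dev/device/driver" ] || continue
        drv=$(basename "$(readlink "$dev/device/driver")")
        if [ "$drv" = "$1" ]; then basename "$dev"; fi
    done
    return 0
}

# Succeed if any modprobe.d file blacklists the driver.
driver_blacklisted() {
    grep -qsE "^[[:space:]]*blacklist[[:space:]]+$1([[:space:]]|\$)" \
        "$MODPROBE_DIR"/*.conf
}

# Report "present:<ifaces>", "disabled" (blacklisted) or "absent".
# cdc_ether is a generic USB driver, so a match is a candidate, not proof.
bmc_usb_status() {
    found=$(ifaces_by_driver cdc_ether | tr '\n' ' ')
    found=${found% }
    if [ -n "$found" ]; then echo "present:$found"
    elif driver_blacklisted cdc_ether; then echo "disabled"
    else echo "absent"
    fi
}

# Print, without running, the commands that bring the link up for recovery.
recovery_commands() {
    echo "ip link set dev $1 up"
    echo "ip addr add $HOST_ADDR dev $1"
    echo "ping -c 3 $BMC_ADDR"
}

status=$(bmc_usb_status)
echo "BMC USB link: $status"
case $status in
    present:*) for i in ${status#present:}; do recovery_commands "$i"; done ;;
esac
```

On a host where the link is meant to stay off, a "present" result means the blacklist has not taken effect for the running kernel.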
Maybe it’s because my BMC is using a shared network port instead of the dedicated management port (not enough ethernet drops in the office), but I can’t connect to the BMC from a browser running on the local machine. So the only way I can access it locally is over the USB interface.
I never found a good solution to the VGA adapter messing up my desktop, so I just flipped the VGA_SW motherboard switch to the OFF position.
So both of those problems I had solved for months. Problem is, I’m not sure exactly how anymore, as at least in one case what I thought fixed it was apparently not the case.
Regarding remote BMC control, I have also always been on a shared port, for the same reason. I had problems connecting via the browser initially, but then at one point I tried it and it just worked. I’m not sure what it is I did that made it suddenly start working, but if I had to guess, it’s that I started using the second 10GB NIC instead of the first one. As an additional weirdness, during this whole ordeal today I did hook up the dedicated 1GB BMC line, but when I tried to access that IP via browser, it didn’t work. I thought the flash attempt had failed and firewall was still up. But then as a hail mary I tried the same IP that I previously got with doing the shared port - and it still worked! Not sure what’s going on there. But I can state definitively that it can work with shared port, cause I’ve been doing it that way for a while. Give using the second NIC a shot. And try every IP you get for every MAC address in the BIOS Server Mgmt screen. It’s not always the one you think it should be. And don’t forget to try explicitly adding the “/#login” at the end of the IP address.
On the display thing, I thought it was either adding blacklist ast to the blacklist.conf, or adding “nomodeset” to the GRUB_CMDLINE_LINUX_DEFAULT line in /etc/default/grub, or both. It was about that time that suddenly the issue went away, and I mean totally, it didn’t even register the second display anymore. But after my trials today, that problem came back with a vengeance, and I have no good idea why (though I did upgrade to kernel 6.8 from 6.5 yesterday, about the only thing I can think of that’s still different after I tried to revert everything else following my tinkering. Well, that, and the fact that I did update the BMC version too). I really didn’t want to have to reinvent that wheel, so thanks for the tip about the VGA_SW switch. I flipped it. It’s still registering a second display, but now it defaults to the same native resolution as my primary display, so it’s not causing the horrible resolution switching every time I employ my KVM anymore. Good enough. Thanks.
So, on the display resolution thing - turns out it was likely the kernel upgrade to 6.8 that brought it back. I now have a second display detected on a 7950x box that doesn’t have BMC or anything else remotely resembling a second display. Seems to be limited to kernel 6.8 + NVidia GPU. My understanding is the Ubuntu devs are aware of this and are working on a fix. There is a workaround available: