IBM Support

QRadar: How to determine the status of LAN Over USB on SystemX® and ThinkSystem™ appliances

Troubleshooting


Problem

Appliance firmware updates require that administrators have Ethernet Over USB enabled before a firmware update can be applied. When Ethernet Over USB is not enabled, any firmware update the administrator attempts to apply using the Bootable Media Creator or ToolsCenter utility will fail to update the UEFI.  Ethernet/LAN Over USB is required for remote firmware updates with an ISO file and local USB update packages that use an IMG file.  The Ethernet over USB setting must be enabled before you update firmware. After the firmware update is complete, the administrator can disable Ethernet Over USB functionality.

Environment

QRadar firmware updates are validated against QRadar appliances. This article outlines how to view and enable the Ethernet Over USB setting for M3, M4, M5, and M5 appliances. The user interface parameters might differ between appliance types; however, in this article we refer to these settings as Ethernet Over USB in the user interface and IMM.LanOverUsb from the command line.

Resolving The Problem

Quick links

  1. M6 appliances: How to verify LAN Over USB is enabled
  2. M4 and M5 appliances: How to verify LAN Over USB is enabled
  3. M3 appliances: How to verify LAN Over USB is enabled
  4. Use the command line interface (CLI) and the Advanced Settings Utility (ASU) to enable LAN Over USB

M6 appliances: How to verify LAN Over USB is enabled

 

Procedure

  1. Using any web browser, type the IP address of the XCC interface for the ThinkSystem™ appliance. For example, https://192.168.70.125
  2. Log in to the XCC interface.
  3. From the navigation menu, select BMC Configuration > Network.
  4. Scroll down to Ethernet Over USB.
  5. Select the switch to enable Ethernet Over USB
  6. If updates are failing with Ethernet Over USB enabled, verify the default BMC & OS IP address are set.
    • BMC IP address: 169.254.95.118
    • OS IP address: 169.254.95.120
    • Network mask: 255.255.0.0
  7. Ensure Enable external Ethernet via USB port forwarding is checked, and ports 3389 and 5900 are set.
    image 4655
Results
You are now ready to complete the firmware installation for your appliance. After the firmware update is complete, administrators can disable Ethernet/LAN Over USB if they consider this feature a security risk. To see a full list of appliance firmware versions, see http://ibm.biz/qradarfirmware.


 

M4 and M5 appliances: How to verify LAN Over USB is enabled

Procedure

  1. Using any web browser, type the IP address of the IMM2 interface for the SystemX® appliance. For example, https://192.168.70.125.
  2. Log in to the IMM interface.
  3. From the navigation menu, select IMM Management > Network.
  4. Click the USB tab.
  5. Verify the Enable Ethernet over USB check box is selected.
  6. If updates are failing with Ethernet Over USB enabled, ensure the Configure IP Settings box is checked and the default IMM Ethernet & OS Ethernet IP addresses are set.
    • IMM IP address: 169.254.95.118
    • OS IP address: 169.254.95.120
    • Network mask: 255.255.0.0
  7. Ensure Enable external Ethernet via USB port forwarding is checked, and ports 3389 and 5900 are set.
    image 4656
  8. Click Apply.
Results
You are now ready to complete the firmware installation for your appliance. After the firmware update is complete, administrators can disable Ethernet/LAN Over USB if they consider this feature a security risk. To see a full list of appliance firmware versions, see http://ibm.biz/qradarfirmware.

M3 appliances: How to verify LAN Over USB is enabled

Procedure
For the M3 appliances, the Ethernet Over USB setting is listed at 'Allow commands on USB interface' in the IMM user interface. Administrators must enable "Allow commands on USB interface" to ensure firmware updates do not fail.

  1. Using any web browser, type the IP address of the IMM interface for the System x appliance. For example, https://192.168.70.125
  2. Log in to the IMM interface.
  3. From the navigation menu, select IMM Control > System Settings.
  4. In Miscellaneous, verify the Allow commands on USB interface drop-down is set to Enabled.
  5. Click Save.

Results
You are now ready to complete the firmware installation for your appliance. After the firmware update is complete, administrators can disable Ethernet/LAN Over USB if they consider this feature a security risk. To see a full list of appliance firmware versions, see http://ibm.biz/qradarfirmware.


 

Use the command line interface (CLI) with the Advanced Settings Utility (ASU)

To use the command line interface from Linux to verify and set the LAN Over USB settings, you must use the ASU64 or OneCLI application installed on your QRadar appliance.
  • ASU64 is installed in QRadar 7.3.x and 7.4.x. The install directory is /opt/lenovo/toolscenter/asu/. The ASU64 works with M3, M4, and M5 IMM settings.
  • OneCLI is installed in QRadar 7.4.0 Fix Pack 1 and above. The install directory is /opt/lenovo/lnvgy-utl-lxce-onecli/. OneCLI is required for communicating to the M6 XCC, however also works with the older M4 & M5 IMM settings.
Use the following steps to verify and update the LAN Over USB settings.
  1. Using SSH, log in to the QRadar System x or ThinkSystem appliance.
  2. Navigate to the install directory based on your preferred application:
    • Advanced Settings Utility (ASU64): cd /opt/lenovo/toolscenter/asu
    • OneCLI application: cd /opt/lenovo/lnvgy-utl-lxce-onecli
  3. To review the IMM configuration, type one of the following commands:
    • Advanced Settings Utility (ASU64): ./asu64 show IMM --kcs | grep -i LanOverUsb
    • OneCLI application:  ./onecli config show IMM | grep -i LanOverUsb
  4. The default settings are displayed:
      IMM.LanOverUsb=Enabled  IMM.LanOverUsbIMMIP=169.254.95.118  IMM.LanOverUsbIMMNetmask=255.255.0.0  IMM.LanOverUsbHostIP=169.254.95.120
  5. The Lenovo appliances must have LAN Over USB enabled before the appliance firmware update starts or several software updates will fail to install during the upgrade.
    • If IMM.LanOverUsb=Enabled, you are ready to install the firmware update.
    • If IMM.LanOverUsb=Disabled, you must use the asu utility to enable IMM before installing a firmware update.
  6. To enable LanOerUsb and configure IP addresses, use the commands based on your update utility:
    Advanced Settings Utility (ASU64):
      ./asu64 set IMM.LanOverUsb Enabled --kcs  ./asu64 set IMM.LanOverUsbIMMIP "169.254.95.118" --kcs  ./asu64 set IMM.LanOverUsbIMMNetmask "255.255.0.0" --kcs  ./asu64 set IMM.LanOverUsbHostIP "169.254.95.120" --kcs
    OneCLI application:
      ./onecli config set IMM.LanOverUsb Enabled  ./onecli config set IMM.LanOverUsbIMMIP "169.254.95.118"  ./onecli config set IMM.LanOverUsbIMMNetmask "255.255.0.0"  ./onecli config set IMM.LanOverUsbHostIP "169.254.95.120"
  7. To list the LAN Over USB status, type one of the following commands:
    • Advanced Settings Utility (ASU64): ./asu64 show IMM --kcs | grep -i LanOverUsb
    • OneCLI application:  ./onecli config show IMM | grep -i LanOverUsb

      Results
      The output from the command line ought to list IMM.LanOverUsb=Enabled and display the default IP addresses and net mask. You are now ready to complete the firmware installation for your appliance. After the firmware update is complete, administrators can disable Ethernet/LAN Over USB if they consider this feature a security risk. To see a full list of appliance firmware versions, see http://ibm.biz/qradarfirmware.
Note: ThinkSystem™ and SystemX® are trademarks of Lenovo®. For more information, see the Lenovo website (https://www.lenovo.com).
 

Related Information

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000Cbd1AAC","label":"QRadar->Hardware->IMM \/DRAC"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.3.0;7.3.1;7.3.2;7.3.3;7.4.0","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
02 July 2020

UID

swg21982944