IBM Support

QRadar: How to determine the status of LAN Over USB on SystemX® and ThinkSystem™ appliances

Troubleshooting


Problem

Firmware updates for QRadar hardware appliances on Lenovo System x® and ThinkSystem™ hardware fail if LAN Over USB (also called Ethernet Over USB) is disabled.

Symptom

The failure typically occurs after the UpdateXpress ISO boots to the firmware update UI when the tool is attempting to compare the updates available in the ISO to the firmware installed in the QRadar hardware appliance. See the following example error message:
Firmware Update Failure: Connection Failed

Cause

Appliance firmware updates require that administrators have LAN Over USB (also called Ethernet Over USB) enabled before a firmware update can be applied. When LAN Over USB is not enabled, any firmware update the administrator attempts to apply using the Bootable Media Creator or ToolsCenter utility fails to update.  LAN Over USB is required for remote firmware updates with an ISO file and local USB update packages that use an IMG file.  The LAN over USB setting must be enabled before you update firmware. After the firmware update is complete, the administrator can disable LAN Over USB functionality.

Environment

QRadar firmware updates are validated against QRadar appliances. This article outlines how to view and enable the LAN Over USB setting for M3, M4, M5, and M6 hardware appliances. The user interface parameters might differ between appliance types; however, in this article we refer to these settings as Ethernet Over USB in the user interface and IMM.LanOverUsb from the command line.

Resolving The Problem

Quick links

  1. M6 appliances: How to verify LAN Over USB is enabled
  2. M4 and M5 appliances: How to verify LAN Over USB is enabled
  3. M3 appliances: How to verify LAN Over USB is enabled
  4. Use the command line interface (CLI) and the Advanced Settings Utility (ASU) to enable LAN Over USB

M6 appliances: How to verify LAN Over USB is enabled

 

Procedure

  1. Using any web browser, type the IP address of the XCC interface for the ThinkSystem™ appliance.
  2. Log in to the XCC interface.
  3. From the navigation menu, select BMC Configuration > Network.
  4. Scroll down to Ethernet Over USB.
  5. Select the switch to enable Ethernet Over USB.
  6. If updates are failing with Ethernet Over USB enabled, verify the default BMC & OS IP addresses are set.
    • BMC IP address: 169.254.95.118
    • OS IP address: 169.254.95.120
    • Network mask: 255.255.0.0
  7. Ensure Enable external Ethernet via USB port forwarding is checked, and ports 3389 and 5900 are set.
  • NOTE: On M6 hardware appliances, users can disable service ports in the XCC user interface. CIM Over HTTPS must be enabled for firmware updates to be successful. While still in the BMC Configuration > Network settings, scroll down to the Service Enablement and Port Assignment section to confirm CIM Over HTTPS is enabled.
    CIM Over USB must be enabled.
    *CIM Over HTTPS is used by the server management software to access the IMM. This port number (5989) should not be changed.

    Results
    You are now ready to complete the firmware installation for your appliance. After the firmware update is complete, administrators can disable Ethernet/LAN Over USB if they consider this feature a security risk. To see a full list of appliance firmware versions, see QRadar: Firmware list for xSeries appliances.

 

M4 and M5 appliances: How to verify LAN Over USB is enabled

Procedure

  1. Using any web browser, type the IP address of the IMM2 interface for the System x® appliance.
  2. Log in to the IMM interface.
  3. From the navigation menu, select IMM Management > Network.
  4. Click the USB tab.
  5. Verify the Enable Ethernet over USB check box is selected.
  6. If updates are failing with Ethernet Over USB enabled, ensure the Configure IP Settings box is checked and the default IMM Ethernet & OS Ethernet IP addresses are set.
    • IMM IP address: 169.254.95.118
    • OS IP address: 169.254.95.120
    • Network mask: 255.255.0.0
  7. Ensure Enable external Ethernet via USB port forwarding is checked, and ports 3389 and 5900 are set.
  8. Click Apply.

    Results
    You are now ready to complete the firmware installation for your appliance. After the firmware update is complete, administrators can disable Ethernet/LAN Over USB if they consider this feature a security risk. To see a full list of appliance firmware versions, see QRadar: Firmware list for xSeries appliances.

M3 appliances: How to verify LAN Over USB is enabled

Procedure
For the M3 appliances, the Ethernet Over USB setting is listed as "Allow commands on USB interface" in the IMM user interface. Administrators must enable "Allow commands on USB interface" to ensure firmware updates do not fail.

  1. Using any web browser, type the IP address of the IMM interface for the System x appliance.
  2. Log in to the IMM interface.
  3. From the navigation menu, select IMM Control > System Settings.
  4. In Miscellaneous, verify the Allow commands on USB interface drop-down is set to Enabled.
  5. Click Save.

    Results
    You are now ready to complete the firmware installation for your appliance. After the firmware update is complete, administrators can disable Ethernet/LAN Over USB if they consider this feature a security risk. To see a full list of appliance firmware versions, see QRadar: Firmware list for xSeries appliances.


 

Use the command line interface (CLI) with the Advanced Settings Utility (ASU)

To use the command line interface from Linux to verify and set the LAN Over USB settings, you must use the ASU64 or OneCLI application installed on your QRadar appliance.
  • ASU64 is installed in QRadar 7.3.x and 7.4.x. The installation directory is /opt/lenovo/toolscenter/asu/. The ASU64 works with M3, M4, and M5 IMM settings.
  • OneCLI is installed in QRadar 7.4.0 Fix Pack 1 and above. The installation directory is /opt/lenovo/lnvgy-utl-lxce-onecli/. OneCLI is required for communicating with the M6 XCC, but it also works with the older M4 & M5 IMM settings.
Use the following steps to verify and update the LAN Over USB settings:
  1. Using SSH, log in to the QRadar System x or ThinkSystem appliance.
  2. Navigate to the installation directory based on your preferred application:
    • For Advanced Settings Utility (ASU64), enter:
      cd /opt/lenovo/toolscenter/asu
    • For OneCLI application, enter:
      cd /opt/lenovo/lnvgy-utl-lxce-onecli
  3. To review the IMM configuration, type one of the following commands:
    • For Advanced Settings Utility (ASU64), enter:
      ./asu64 show IMM --kcs | grep -i LanOverUsb
    • For OneCLI application, enter: 
      ./onecli config show IMM | grep -i LanOverUsb
  4. The default settings are displayed. Example:
      IMM.LanOverUsb=Enabled
      IMM.LanOverUsbIMMIP=169.254.95.118
      IMM.LanOverUsbIMMNetmask=255.255.0.0
      IMM.LanOverUsbHostIP=169.254.95.120
  5. The Lenovo appliances must have LAN Over USB enabled before the appliance firmware update starts, or several software updates fail to install during the upgrade.
    • If IMM.LanOverUsb=Enabled, you are ready to install the firmware update.
    • If IMM.LanOverUsb=Disabled, you must use the ASU utility to enable IMM before installing a firmware update.
  6. To enable LanOverUsb and configure IP addresses, use the commands based on your update utility:
    • For Advanced Settings Utility (ASU64), enter:
      ./asu64 set IMM.LanOverUsb Enabled --kcs
      ./asu64 set IMM.LanOverUsbIMMIP "169.254.95.118" --kcs
      ./asu64 set IMM.LanOverUsbIMMNetmask "255.255.0.0" --kcs
      ./asu64 set IMM.LanOverUsbHostIP "169.254.95.120" --kcs
    • For OneCLI application, enter:
      ./onecli config set IMM.LanOverUsb Enabled
      ./onecli config set IMM.LanOverUsbIMMIP "169.254.95.118"
      ./onecli config set IMM.LanOverUsbIMMNetmask "255.255.0.0"
      ./onecli config set IMM.LanOverUsbHostIP "169.254.95.120"
  7. To list the LAN Over USB status, type one of the following commands:
    • For Advanced Settings Utility (ASU64), enter:
      ./asu64 show IMM --kcs | grep -i LanOverUsb
    • For OneCLI application, enter: 
      ./onecli config show IMM | grep -i LanOverUsb

      Results
      The output from the command line ought to list IMM.LanOverUsb=Enabled and display the default IP addresses and net mask. You are now ready to complete the firmware installation for your appliance. After the firmware update is complete, administrators can disable Ethernet/LAN Over USB if they consider this feature a security risk. To see a full list of appliance firmware versions, see QRadar: Firmware list for xSeries appliances.
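
An added example, not part of the IBM article or the Lenovo tooling: a POSIX shell function that reads the `grep -i LanOverUsb` output from steps 3 and 7 on stdin and reports every setting that differs from the desired state. The same check confirms the interface is enabled with the default addresses before an update and disabled again afterwards. The function names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example: validate IMM.LanOverUsb* settings supplied on stdin.
# On an appliance, feed it the article's own command, for example:
#   ./onecli config show IMM | grep -i LanOverUsb | check_lan_over_usb Enabled

# Print the value of one key from "key=value" text; prints nothing if absent.
setting_value() {  # $1 = settings text, $2 = key (matched case-insensitively)
    printf '%s\n' "$1" | tr -d '\r' |
        awk -F= -v k="$2" '
            { key = $1; val = $2
              gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val) }
            tolower(key) == tolower(k) { print val; exit }'
}

# $1 = desired state (Enabled or Disabled); settings text on stdin.
# Prints one line per deviation. Returns 0 = as desired, 1 = drift, 2 = no data.
check_lan_over_usb() {
    want=$1
    text=$(cat)
    rc=0
    state=$(setting_value "$text" IMM.LanOverUsb)
    if [ -z "$state" ]; then
        echo "MISSING IMM.LanOverUsb"; return 2
    fi
    if [ "$state" != "$want" ]; then
        echo "MISMATCH IMM.LanOverUsb=$state (want $want)"; rc=1
    fi
    # The addresses only matter while the interface is meant to be up.
    if [ "$want" = "Enabled" ]; then
        for pair in \
            "IMM.LanOverUsbIMMIP=169.254.95.118" \
            "IMM.LanOverUsbIMMNetmask=255.255.0.0" \
            "IMM.LanOverUsbHostIP=169.254.95.120"
        do
            key=${pair%%=*}; expected=${pair#*=}
            actual=$(setting_value "$text" "$key")
            if [ "$actual" != "$expected" ]; then
                echo "MISMATCH $key=${actual:-<unset>} (want $expected)"; rc=1
            fi
        done
    fi
    return $rc
}

# Constructed sample (not captured from a real appliance): netmask has drifted.
SAMPLE_DRIFT='IMM.LanOverUsb=Enabled
IMM.LanOverUsbIMMIP=169.254.95.118
IMM.LanOverUsbIMMNetmask=255.255.255.0
IMM.LanOverUsbHostIP=169.254.95.120'
printf '%s\n' "$SAMPLE_DRIFT" | check_lan_over_usb Enabled || echo "exit status: $?"
```

Run with `Disabled` as the argument after the firmware update to confirm the interface was turned off again.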
Note: ThinkSystem™ and System x® are trademarks of Lenovo®. For more information, see the Lenovo website.
 


Document Information

Modified date:
10 March 2023

UID

swg21982944