Cisco Software Advisory Notice for CSCwo74485

Available Languages

Download Options

  • PDF     (349.0 KB)
    View with Adobe Reader on a variety of devices
Updated:September 29, 2025

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Software Advisory Notice: Defect CSCwo74485

Impacted releases

Cisco APIC Releases: 5.3.x/6.0.9d/6.1(3g) and below.

Cisco UCS CIMC Releases: 4.3.5 and above.

Release(s) with the fix for the issue

Cisco APIC Release 6.0.9e/ 6.1.4h and above. Upgrade the APIC software first, then proceed with the CIMC upgrade.

Impacted devices

APIC-SERVER-M4 and APIC-SERVER-L4.

Problem description

If the APIC-Server-M4/L4 running 5.3.x/ 6.0.9d/ 6.1.3g (or below) is updated to CIMC version 4.3.5 and above, this will render the APIC unbootable.

Details

APIC controller will fail to boot when CIMC is upgraded to 4.3.5 and above versions. This is because of a certificate update that is done by the CIMC server firmware update. On APIC-SERVER-M4 and L4, the secure boot policies check the contents of firmware's certificates to get access to secrets in the TPM. The upgrade to 4.3.5 (and above) changes those contents, and temporarily renders the APIC unbootable.

Workaround/solution

The workaround includes updating the apic-m4-l4-update-secureboot-policy.1.0.6.iso file. This workaround will ensure that the TPM EA policies are correctly updated on the APIC. After the workaround is applied, it is safe to upgrade the CIMC version to 4.3.6. Apply the workaround sequentially on each APIC. Ensure that the APIC cluster is fully-fit before execution on each APIC.

Note: This procedure requires a reload of the APIC server. If reload is not an option, please contact Cisco TAC for further assistance.

Link to the ISO file

Reboot with custom iso file:

1.     Move the apic-m4-l4-update-secureboot-policy.1.0.6.iso to a http server.

2.     Map the apic-m4-l4-update-secureboot-policy.1.0.6.iso via CIMC using vmedia map type www.

a.     Navigate to Compute, select Remote Management and sub-section Virtual Media.

b.     Click Add new mapping, select Mount type as WWW(HTTP/HTTPS)

c.     Add the path, remote file name and click Save.

d.     At this point the mapping status should be in Mapped state and status should be OK.

3.     Power cycle the host.

4.     Monitor console via KVM.

5.     Select F6 during the host boot up.

6.     Enter the CIMC boot menu password.

7.     Select Cisco CIMC-Mapped vDVD1.22”

8.     Following boot messages are dislayed at the “Press any key to continue” prompt, press ENTER.

# You will see boot messages, then:

Press any key to continue...

 

# Press Enter key

[ENTER]

 

# Wait for completion message:

APIC Installer – Done

9.     Un-map the Virtual Media.

10. At this point the APIC is ready to be booted.

11. Power cycle the host again.

 

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products