Error: Unable to establish IPMI v2 / RMCP+ session

aircraft · Aug 21, 2018 · Viewed 38.8k times

I installed ipmitool 1.8.18 on a CentOS 7.2 dedicated server, and I can use it to check the server's own IPMI data:

# ipmitool -I open power status
Chassis Power is on

But when I want to check the status of another IPMI address, I get this error:

# ipmitool -H 172.16.22.237  -U root -P mypassword  -I lanplus chassis status -v
Get Auth Capabilities error
Error issuing Get Channel Authentication Capabilities request
Error: Unable to establish IPMI v2 / RMCP+ session

On the server being controlled, I used ipmitool to check the LAN settings:

[root@localhost ~]# ipmitool -I open lan print 1
Set in Progress         : Set Complete
Auth Type Support       : NONE MD2 MD5 PASSWORD 
Auth Type Enable        : Callback : MD2 MD5 PASSWORD 
                        : User     : MD2 MD5 PASSWORD 
                        : Operator : MD2 MD5 PASSWORD 
                        : Admin    : MD2 MD5 PASSWORD 
                        : OEM      : MD2 MD5 PASSWORD 
IP Address Source       : Static Address
IP Address              : 172.16.22.237
Subnet Mask             : 255.255.255.0
MAC Address             : 00:25:90:a9:42:4a
SNMP Community String   : public
IP Header               : TTL=0x00 Flags=0x00 Precedence=0x00 TOS=0x00
BMC ARP Control         : ARP Responses Enabled, Gratuitous ARP Disabled
Default Gateway IP      : 0.0.0.0
Default Gateway MAC     : 00:00:00:00:00:00
Backup Gateway IP       : 0.0.0.0
Backup Gateway MAC      : 00:00:00:00:00:00
802.1q VLAN ID          : Disabled
802.1q VLAN Priority    : 0
RMCP+ Cipher Suites     : 1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
                        :     X=Cipher Suite Unused
                        :     c=CALLBACK
                        :     u=USER
                        :     o=OPERATOR
                        :     a=ADMIN
                        :     O=OEM
Bad Password Threshold  : Not Available

EDIT-01

Using nmap I get the information below:

# nmap -p 623 -sU -P0 172.16.22.237 

Starting Nmap 6.40 ( http://nmap.org ) at 2018-08-22 08:01 CST
Nmap scan report for 172.16.22.237
Host is up.
PORT    STATE         SERVICE
623/udp open|filtered asf-rmcp

Nmap done: 1 IP address (1 host up) scanned in 2.11 seconds

Answer

Pierre13fr · Oct 10, 2020

(SOLVED for a Dell machine) I had exactly the same issue on a Dell Poweredge R430 machine after having changed the system motherboard: although my credentials were restored in the new IDRAC board from the chassis flash backup, and despite the fact that my credentials still allowed me to enter the IDRAC web interface, I was no longer able to interact with the IDRAC board through the IPMIv2/lanplus/SOL interface, facing the same problem of "Error: Unable to establish IPMI v2 / RMCP+ session".

For me the solution was, as suggested by Rupeshrams herein https://stackoverflow.com/a/55615668/13646401, to "reset ipmi default password to the same old one" ("same" because I had system tools all hardcoded with the old credentials) with the IDRAC web interface, like this: in your browser, enter the (static) IP address of the IDRAC; this should open an HTTPS web site. Then:

Menu Overview/ IDRAC SETTINGS/ User Authentication /Click on the userID of your admin account / Next / check "change your password" checkbox and enter the same (or new) password / Apply

Why: I understood that passwords were hashed/encrypted in my previous motherboard with a key specific to that old motherboard. By changing the motherboard and restoring a user database hashed with a now-unknown key, my credentials became invalid, at least for using ipmitool and the IPMIv2 interface. What confused me, but finally helped me to solve the problem, was the fact that the old credentials were still valid to enter the IDRAC web interface.

TIP: all the advice to check for IPMIv2/UDP 623 service availability with nmap or to "activate SOL (Serial Over LAN)" is helpful; "SOL activate" can easily be performed in the IDRAC web interface:

Menu Overview/ IDRAC SETTINGS/Network/SerialOverLAN

Any advice to "unlock" credentials through various ipmitool commands simply cannot and must not work. But if the web interface is not accessible, then you need to access the IDRAC through anything you can except ipmitool, at least in the case of a Dell machine (first try BIOS "/IDRAC Settings/User configuration", or ssh, telnet, or anything else such as RACADM, or even the real serial interface with a DB9 cable and a tty terminal (e.g. a PC with HyperTerminal or any other software tty emulator)).

Yours sincerely, Pierre
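
The step that fails first in the question ("Error issuing Get Channel Authentication Capabilities request") is a single unauthenticated UDP datagram to port 623, so it can be tested on its own to tell "no reply at all" (nmap's open|filtered) apart from a BMC that answers but then rejects the credentials. The following is an added example, not part of the original question or answer: it builds that request and decodes the reply. SAMPLE_REPLY is constructed to match the "lan print" output in the question, and the function names are this example's own.

```python
import socket

RMCP_HDR = bytes([0x06, 0x00, 0xFF, 0x07])  # version, reserved, seq (no ack), class IPMI
AUTH_BITS = {0: "NONE", 1: "MD2", 2: "MD5", 4: "PASSWORD", 5: "OEM"}
# Constructed sample reply (not captured from a real BMC), matching the lan print above.
SAMPLE_REPLY = bytes.fromhex("0600ff07" + "00" * 9 + "10" + "811c63"
                             + "20003800" + "0197040300000000" + "09")

def checksum(data):
    """IPMI checksum: two's complement, so data plus checksum sums to 0 mod 256."""
    return (-sum(data)) & 0xFF

def build_request(channel=0x0E, priv=0x04):
    """Get Channel Authentication Capabilities: NetFn App (0x06), command 0x38."""
    head = bytes([0x20, 0x06 << 2])                         # BMC address, NetFn/LUN
    body = bytes([0x81, 0x00, 0x38, 0x80 | channel, priv])  # 0x80 asks for v2.0 data
    msg = head + bytes([checksum(head)]) + body + bytes([checksum(body)])
    return RMCP_HDR + bytes(9) + bytes([len(msg)]) + msg    # session: auth none, seq/id 0

def parse_response(pkt):
    """Decode a reply; raise ValueError if it is not a successful, intact answer."""
    if len(pkt) < 22 or pkt[:4] != RMCP_HDR:
        raise ValueError("not an RMCP/IPMI packet")
    msg = pkt[14:14 + pkt[13]]
    if len(msg) != pkt[13] or len(msg) < 8 or checksum(msg[:3]) or checksum(msg[3:]):
        raise ValueError("bad length or checksum")
    if msg[1] >> 2 != 0x07 or msg[5] != 0x38:
        raise ValueError("unexpected NetFn or command")
    if msg[6] != 0x00:
        raise ValueError("completion code 0x%02x" % msg[6])
    data = msg[7:-1]                      # channel, auth support, status, extended caps
    if len(data) < 4:
        raise ValueError("response data too short")
    return {"channel": data[0] & 0x0F,
            "auth_types": [n for b, n in AUTH_BITS.items() if data[1] & (1 << b)],
            "ipmi_v20": bool(data[1] & 0x80 and data[3] & 0x02)}

def probe(host, port=623, timeout=3.0):
    """Send one request; None means nothing answered (what nmap calls open|filtered)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_request(), (host, port))
        try:
            return parse_response(s.recv(512))
        except socket.timeout:
            return None

if __name__ == "__main__":
    print(parse_response(SAMPLE_REPLY))
```

If probe() returns None from the management host, the problem is on the network path or the BMC's LAN channel (firewall, VLAN, IPMI-over-LAN disabled) rather than the password; if it returns a dictionary, the BMC is reachable and the failure is in the later authentication steps, as in the answer above.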