How to Access BMC IPMI: Remote Console on a Dedicated Server
Technical guide to access the BMC via IPMI on a dedicated server, with SOL serial console, power control, and practical troubleshooting.
The BMC (Baseboard Management Controller) is the management processor embedded on the motherboard of dedicated servers. It operates independently of the main operating system, on a dedicated network port with stand-by power — meaning you can diagnose and control the hardware even when the OS is frozen, the kernel has panicked, or the server is powered off.
This tutorial is for sysadmins receiving their first dedicated server who need to understand how to access the BMC via IPMI: opening a serial console (SOL), controlling power, checking hardware sensors, and working around the most common errors. The focus is on Linux servers, but the IPMI protocol is OS-agnostic.
Estimated time: 15 to 25 minutes, depending on your familiarity with the command line and the response speed of your provider’s BMC.
Prerequisites
Before starting, make sure you have access to the BMC connection details and the client tool installed locally.
You need access to the provider’s panel (for credentials and the BMC IP), a Linux machine or WSL with ipmitool installed, and network connectivity to TCP/UDP port 623 on the BMC address. In restricted environments, VPN or a bastion host is usually required.
Typical IPMI connection parameters are:
- Protocol: RMCP+ (IPMI 2.0)
- Port: 623
- Cipher suite: 17 (recommended)
- Username: admin or ADMIN
To install ipmitool on Debian/Ubuntu-based distributions:
sudo apt update
sudo apt install -y ipmitool
On RHEL-based distros (Rocky, Alma, CentOS Stream):
sudo dnf install -y ipmitool
The BMC password should never be the same as the OS root password. If your provider delivers both equal by default, change the BMC password right after first access — we will see how in the operations section.
Connecting to the BMC for the first time
The IPMI connection uses the RMCP+ protocol on UDP port 623. The base ipmitool command accepts address, username, password, and cipher suite. Each call authenticates again — there is no persistent session like SSH.
Test basic connectivity with the mc info command, which reads information from the management controller itself:
ipmitool -I lanplus -H BMC_IP -U USERNAME -P PASSWORD -C 17 mc info
Replace BMC_IP, USERNAME, and PASSWORD with the values provided by your hosting provider. The -I lanplus flag forces IPMI 2.0 transport over LAN, which is the only one accepted by modern BMCs.
If the command returns information such as Manufacturer Name, Product Name, and Firmware Revision, authentication worked and the BMC is responding. Note the firmware version — BMC updates are rare but critical when there is a public CVE.
If you see Error: Unable to establish IPMI v2 / RMCP+ session, jump straight to the troubleshooting section. The most common causes are an incompatible cipher suite, wrong password, or firewall blocking UDP 623.
To avoid passing the password in plain text on the command line (which leaks into shell history and ps aux), use the IPMI_PASSWORD environment variable:
export IPMI_PASSWORD='your-password-here'
ipmitool -I lanplus -H BMC_IP -U USERNAME -E -C 17 mc info
The -E flag tells ipmitool to read the password from IPMI_PASSWORD. In automated scripts, use this or a credentials file with 0600 permissions.
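One way to combine the two options above, a 0600 credentials file feeding IPMI_PASSWORD, written as an added example that is not part of the original guide. The CRED_FILE path and the function names are hypothetical, and BMC_IP and BMC_USER are assumed to be set by the caller.

```shell
# Added example, not from the original guide. The CRED_FILE path and the
# function names are hypothetical; BMC_IP and BMC_USER come from the caller.
CRED_FILE="${CRED_FILE:-$HOME/.config/bmc/password}"

# True only for a regular file (not a symlink) with mode 600 that is owned
# by the current user. Relies on GNU/busybox `stat -c`.
cred_file_is_safe() {
    local f="$1"
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    [ "$(stat -c '%a' "$f")" = "600" ] || return 1
    [ "$(stat -c '%u' "$f")" = "$(id -u)" ]
}

# Prints the first line of the credentials file, or fails without reading it.
read_bmc_password() {
    local f="${1:-$CRED_FILE}" pw=""
    if ! cred_file_is_safe "$f"; then
        echo "refusing $f: need a regular file, mode 600, owned by you" >&2
        return 1
    fi
    # Accept a file with or without a trailing newline.
    IFS= read -r pw < "$f" || [ -n "$pw" ] || return 1
    printf '%s' "$pw"
}

# Usage: bmc mc info, bmc chassis power status, ...
# The password is placed only in the environment of the ipmitool child
# process, so it is in neither the shell history nor the argument list.
bmc() {
    local pw
    pw=$(read_bmc_password) || return 1
    IPMI_PASSWORD="$pw" ipmitool -I lanplus -H "$BMC_IP" -U "$BMC_USER" -E -C 17 "$@"
}
```

Create the file with an editor rather than with echo, so the password never passes through the shell history.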
Controlling the server’s power state
The BMC provides access to the same physical controls as the power, reset, and power-cycle buttons — without requiring physical presence in the datacenter. Use with caution: these commands have immediate effect on the hardware.
Check the current state before any action:
ipmitool -I lanplus -H BMC_IP -U USERNAME -E -C 17 chassis power status
The response is Chassis Power is on or Chassis Power is off. This command is non-destructive and safe to run at any time.
To send a graceful shutdown via ACPI (equivalent to briefly pressing the power button — the OS receives the signal and shuts down cleanly):
ipmitool -I lanplus -H BMC_IP -U USERNAME -E -C 17 chassis power soft
If the OS is fully frozen and does not respond to ACPI, use chassis power off — this is the equivalent of holding the power button for 5 seconds.
chassis power off cuts power immediately — there is no disk flush, no OS shutdown. It can cause filesystem corruption on write-heavy workloads. Prefer power soft whenever the OS is still responding.
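The "soft first, off only if needed" rule above as a script, added here as an example and not taken from the original guide. The helper names bmc, power_state and safe_power_off are hypothetical, and BMC_IP, BMC_USER and IPMI_PASSWORD are assumed to be in the environment.

```shell
# Added example, not from the original guide: graceful-first power off.
# bmc(), power_state() and safe_power_off() are hypothetical helper names;
# BMC_IP, BMC_USER and IPMI_PASSWORD are expected in the environment.

bmc() {
    ipmitool -I lanplus -H "$BMC_IP" -U "$BMC_USER" -E -C 17 "$@"
}

# Prints "on" or "off"; fails if the BMC did not give a usable answer.
power_state() {
    local out
    out=$(bmc chassis power status) || return 1
    case "$out" in
        *"Chassis Power is on"*)  echo on ;;
        *"Chassis Power is off"*) echo off ;;
        *) return 1 ;;
    esac
}

# safe_power_off [timeout_seconds] [poll_seconds]
# Prints the path taken: already-off, soft or hard. Returns non-zero, without
# cutting power, whenever the chassis state cannot be read.
safe_power_off() {
    local timeout="${1:-120}" poll="${2:-5}" waited=0 state
    state=$(power_state) || return 1
    if [ "$state" = off ]; then echo already-off; return 0; fi
    bmc chassis power soft >/dev/null || return 1
    while [ "$waited" -lt "$timeout" ]; do
        sleep "$poll"
        waited=$((waited + poll))
        state=$(power_state) || return 1
        if [ "$state" = off ]; then echo soft; return 0; fi
    done
    # The OS ignored ACPI: fall back to the immediate cut described above.
    bmc chassis power off >/dev/null || return 1
    echo hard
}
```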
To power on a server that is off:
ipmitool -I lanplus -H BMC_IP -U USERNAME -E -C 17 chassis power on
For a hard reset (equivalent to the physical reset button — does not cut power but restarts the CPU):
ipmitool -I lanplus -H BMC_IP -U USERNAME -E -C 17 chassis power reset
And for a power cycle (turns off and back on with a ~5 second pause):
ipmitool -I lanplus -H BMC_IP -U USERNAME -E -C 17 chassis power cycle
Opening a serial console via SOL
SOL (Serial over LAN) redirects the output of the server’s physical serial console (usually ttyS0 or ttyS1) through the BMC. You see the screen as if you were plugged into a monitor connected directly to the board — including BIOS POST, GRUB, kernel messages, and the OS login.
Before opening SOL, make sure no other SOL session is active — only one is allowed at a time. Deactivate any previous session:
ipmitool -I lanplus -H BMC_IP -U USERNAME -E -C 17 sol deactivate
The command returns Info: SOL payload already de-activated if there was no session — this is normal and not an error.
Open the SOL session:
ipmitool -I lanplus -H BMC_IP -U USERNAME -E -C 17 sol activate
The screen will clear and you enter the serial console. If the server is running Linux with getty configured on ttyS0, just press Enter to see the login prompt. If it is at GRUB or in the middle of boot, you see the messages in real time.
To exit without killing the server, type ~. (tilde followed by dot) on a new line. If you are inside SSH and ipmitool runs on a remote host, use ~~. — each extra ~ escapes one level of nested SSH.
For SOL to work with Linux during boot and at runtime, the kernel needs to have the console redirected to ttyS0. Add console=tty0 console=ttyS0,115200n8 to the GRUB parameters in /etc/default/grub and run update-grub. Without that, you will only see the BIOS POST and nothing from Linux.
Monitoring sensors and hardware logs
The BMC keeps an inventory of sensors (CPU temperature, fan RPM, voltages, power supply status) and a persistent hardware event log (SEL — System Event Log). These data survive reboots and are essential for diagnosing physical problems.
List all sensors and their current values:
ipmitool -I lanplus -H BMC_IP -U USERNAME -E -C 17 sensor list
The output includes temperature, voltage, fan RPM, and discrete power supply status. Look for cr (critical) or nc (non-critical) in the status column — these indicate a current issue or degradation. Sensors with na or ns mean “not available” or “no sensor”, and are normal for empty slots.
Read the BMC System Event Log:
ipmitool -I lanplus -H BMC_IP -U USERNAME -E -C 17 sel list
Typical events include Power Supply: Presence detected, OEM record, Memory: Correctable ECC. Correctable memory errors in series are the classic canary for a DIMM that is dying — catch this before it becomes an uncorrectable failure and a crash.
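The two checks described in this section, the status column of sensor list and a series of correctable ECC events in the SEL, as filters over ipmitool output. This is an added example, not part of the original guide: the function names are hypothetical, the sample lines are constructed, and the pipe-separated field layout is assumed to match what your BMC prints.

```shell
# Added example, not from the original guide. Function names are
# hypothetical and the sample lines are constructed for illustration.

# stdin: `sensor list` output. Prints "name|reading|status" for sensors whose
# status column is nc or cr (named in the text) or nr (non-recoverable).
flag_sensors() {
    awk -F'|' '{
        for (i = 1; i <= NF; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
        if ($4 == "nc" || $4 == "cr" || $4 == "nr") print $1 "|" $2 "|" $4
    }'
}

# stdin: `sel list` output. Prints "count sensor" for each memory sensor with
# at least $1 correctable ECC events (default 3). Matching the event field
# from its start keeps "Uncorrectable ECC" out of the count.
ecc_series() {
    awk -F'|' -v min="${1:-3}" '{
        for (i = 1; i <= NF; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
        if ($4 ~ /^Memory/ && $5 ~ /^Correctable ECC/) n[$4]++
    }
    END { for (s in n) if (n[s] >= min) print n[s], s }'
}

sample_sensors() {   # constructed sample
    cat <<'EOF'
CPU Temp         | 45.000     | degrees C  | ok    | na | na | na | 85.000 | 90.000 | 95.000
FAN3             | 300.000    | RPM        | cr    | na | 500.000 | 700.000 | na | na | na
DIMMA1 Temp      | 86.000     | degrees C  | nc    | na | na | na | 85.000 | 90.000 | 95.000
FAN5             | na         |            | na    | na | na | na | na | na | na
EOF
}

sample_sel() {       # constructed sample
    cat <<'EOF'
   1 | 03/02/2025 | 01:10:44 | Power Supply #0x62 | Presence detected | Asserted
   2 | 03/02/2025 | 04:31:02 | Memory #0x53 | Correctable ECC | Asserted
   3 | 03/02/2025 | 04:31:09 | Memory #0x53 | Correctable ECC | Asserted
   4 | 03/03/2025 | 11:02:17 | Memory #0x53 | Correctable ECC | Asserted
   5 | 03/03/2025 | 11:05:40 | Memory #0x54 | Uncorrectable ECC | Asserted
EOF
}
```

In production, pipe the real commands into the filters, for example the sensor list command above followed by | flag_sensors.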
Verification
To confirm everything is working, run this basic sequence:
ipmitool -I lanplus -H BMC_IP -U USERNAME -E -C 17 mc info
ipmitool -I lanplus -H BMC_IP -U USERNAME -E -C 17 chassis power status
ipmitool -I lanplus -H BMC_IP -U USERNAME -E -C 17 sensor list | head -20
If all three commands return valid data without Unable to establish session, your authentication, connectivity, and permissions are correct. Save the credentials in a password manager and document the BMC IP alongside the server documentation.
Troubleshooting
Error: Unable to establish IPMI v2 / RMCP+ session
The cause is almost always one of three: incompatible cipher suite, wrong password, or firewall blocking port 623/UDP. Try different cipher suites — some older BMCs need -C 3, while more modern ones require -C 17. To diagnose the firewall:
nc -uvz BMC_IP 623
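If it returns Connection refused or times out, the port is blocked along the route or on the BMC firewall. Because UDP is connectionless, a success message from nc does not prove that the BMC answered; rerun mc info to confirm.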
Error: SOL payload already activated
This means there is another SOL session active — it may be your own previous session that did not close cleanly, or another admin connected. Force deactivation:
ipmitool -I lanplus -H BMC_IP -U USERNAME -E -C 17 sol deactivate
And try opening it again. If it persists, restart the BMC itself with mc reset cold — this reboots only the BMC, without affecting the OS.
SOL console is empty even with the server powered on
Linux is not redirecting output to ttyS0. Connect via SSH, edit /etc/default/grub, add console=tty0 console=ttyS0,115200n8 to GRUB_CMDLINE_LINUX, run update-grub, and reboot. After the reboot, the full boot will appear on SOL.
Next steps
With the BMC working, it is worth exploring related topics:
- Configure a dedicated VLAN for IPMI management, isolating it from production traffic
- Automate periodic collection of sensors and SEL for alerts via Zabbix or similar
- Apply firmware updates to the BMC when your provider releases them — always during a maintenance window
- Change the default password and create additional users with granular permissions via ipmitool user
- Document the out-of-band recovery procedure for the rest of the team
Hostini dedicated servers come with BMC released to the customer by default, with the management IP and credentials delivered at handover — no need to open a ticket for emergency access.
Frequently asked questions
What is the difference between BMC, IPMI, iDRAC and iLO?
BMC (Baseboard Management Controller) is the physical management chip on the motherboard. IPMI is the standard protocol for communicating with the BMC. iDRAC (Dell), iLO (HP), and XClarity (Lenovo) are proprietary BMC implementations with their own web interfaces, but all of them speak IPMI on the backend.
Can I access the BMC without rebooting the server?
Yes. The BMC runs on a dedicated processor with stand-by power independent of the main OS. It stays available even with the server powered off (as long as the power cable is connected) and does not affect operating system uptime.
Why does ipmitool show RAKP 2 HMAC invalid?
That error indicates an incorrect username or password in the RMCP+ protocol. Confirm credentials in the provider's panel and use cipher suite 17 (-C 17), which is more widely accepted on modern BMCs than the default cipher 3.
Does the SOL serial console replace SSH?
No. SOL (Serial over LAN) is useful for emergencies: frozen OS, kernel panic, broken network configuration, boot troubleshooting. For daily use, SSH is faster and more practical — SOL processes one character at a time and is slow for common tasks.
Is it safe to expose IPMI on the public internet?
Not recommended. BMCs have historically had serious vulnerabilities and outdated firmware. The ideal is to keep the IPMI interface on a private network and access it via VPN or bastion host. If you must expose it temporarily, restrict access by IP on the BMC firewall.
How do I exit the SOL console without killing the server?
The default escape sequence is ~. (tilde followed by dot) on a new line. Some BIOSes require ~~. when you are inside a nested SSH session. This ends the IPMI session without affecting OS state or sending any power signal.