10-29-2022 11:41 AM
I am experiencing issues with a Cisco 9300 MAC address table not refreshing. MAC addresses are getting stuck on the interfaces. I have configured port-security on the interfaces.
10-31-2022 09:13 AM
First I would check this MAC address - xxxxxxxxxxxxxx - in the MAC table, clear it, and apply the config as suggested.
Shut and no shut the port and test connecting the PC.
Note: if it is a dynamic MAC address, as soon as you remove the network cable the MAC should flush automatically.
You still have not addressed this: why does the fixed device need to move from one port to another? What is the reason?
11-01-2022 06:17 AM
Glad to know all is good. Keep us informed about the progress; if no further assistance is required, mark as resolved. Your input is appreciated.
10-29-2022 11:47 AM
What IOS XE code is running? - show version
Check the bug below, which may be affecting your device:
https://quickview.cloudapps.cisco.com/quickview/bug/CSCvy42628
10-29-2022 11:56 AM
Bandi,
Kindly see the version below.
Cisco IOS XE Software, Version 17.03.05 [Amsterdam]
Regards,
10-29-2022 12:00 PM
It affected 17.3.3 (maybe it is also appearing on your version). Check the bug to see if that is the symptom of your issue.
Workaround: Do not use port-security inactivity/absolute timers in combination with Dot1x Critical Voice VLAN on data clients.
Further Problem Description: Affects Catalyst 9000 series with 16.12.5 and 17.3.3 when port-security timers are used in combination with Critical Voice VLAN on data clients. The data VLAN client is moved to the Critical Voice VLAN when the AAA server is down. Then, if the port-security timers are enabled, the MAC entry in the data VLAN will age out and get removed. Since this MAC has already been learned in the voice VLAN, it will not re-learn the MAC again in the data VLAN, which will cause the data traffic from this MAC to flood. Similar to bug CSCvs91593, but the port-security scenario is not covered there.
10-29-2022 12:12 PM
Thanks Bandi. However, I do not have the voice VLAN configured. It is just the data VLAN, and this affects users who move from one point to another. I have configured a max of 4 MAC addresses and I thought this would make it possible for the MAC not to get stuck on a specific interface. I have also observed that, even where port-security is not configured, the MAC addresses are still getting stuck on interfaces, sometimes random interfaces.
Salom
10-29-2022 12:40 PM
It is just the data VLAN, and this affects users who move from one point to another. I have configured a max of 4 MAC addresses and I thought this would make it possible for the MAC not to get stuck on a specific interface.
I would expect some more details for us to understand your environment: is this a stack? Is the user device moving on the same switch (to a different port)? What log do you see on the switch when the user moves to another port?
What is the config on the port, and which MAC address is stuck? Is it released after some time, or does it stay stuck for days?
If port security is not configured, I have never seen or observed this issue on our Cat 9300 switches running the same code as you, 17.3.3.
10-29-2022 12:55 PM - edited 10-31-2022 05:14 AM
User movement is on the same device, to a different port. In the logs, the port goes into error-disabled mode.
%PM-4-ERR_DISABLE: psecure-violation error detected on Gi1/0/31, putting Gi1/0/31 in err-disable state
Oct 28 14:14:52.483 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address XXXXXXXXXXXXXXXX on port GigabitEthernet1/0/31.
And it does not release it until I shut down the interface where it is stuck; only then will it pick up on the other.
Tx
Salom
10-29-2022 01:19 PM - edited 10-29-2022 01:22 PM
Yes, if the device moved to other ports, that is a security violation, since the MAC address is already in the switch (if that is not cleared and no aging time is configured), and that port goes into disabled state. Do you still see the MAC address on the OLD port when the device has moved to the new port? Why does the fixed device keep moving to different ports (is this a business requirement)?
Can you provide the config applied to the port?
show run interface GigabitEthernet1/0/31
show port-security interface gig1/0/31
Do you have switchport port-security aging time configured?
Check some good explanations of the issue you have:
https://community.cisco.com/t5/switching/port-security-aging-time-what-is-it-good-for/td-p/1864366
10-29-2022 01:30 PM - edited 10-31-2022 05:13 AM
show run interface GigabitEthernet1/0/31
!
interface GigabitEthernet1/0/31
switchport access vlan X
switchport mode access
switchport port-security maximum 4
switchport port-security
spanning-tree portfast
end
show port-security interface gig1/0/31
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 4
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : XXXXXXXXXXXXXXXXXXXXX
Security Violation Count : 3
Do you have - switchport port-security aging time configured?
No I did not configure aging time.
tx
Salom
10-29-2022 01:37 PM
SecureStatic Address Aging : Disabled <<-
Enable address aging and make the time equal to the MAC aging time, and that's it.
This will make the MAC address age out in both the MAC address table and the port-security table.
10-31-2022 12:43 AM
Should the address aging be set to 0 minutes?
10-31-2022 02:46 AM
The default value of port-security aging is 300, which equals the MAC address aging time,
so I recommend keeping the default value, as Cisco recommends.
10-31-2022 02:52 AM
Thanks, I will apply the config and revert.
10-31-2022 04:30 AM
Here is my tested config:
interface GigabitEthernet1/0/1
switchport access vlan 100
switchport port-security maximum 4
switchport port-security violation restrict
switchport port-security aging time 5
switchport port-security aging type inactivity
switchport port-security
no logging event link-status
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
!
! if you like error disable recovery
errdisable recovery cause security-violation
!
show port-security interface GigabitEthernet1/0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 5 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 4
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : XXXXXXXXXXXXXXX
Security Violation Count : 247
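The advice in this thread (enable aging, set a non-zero aging time, prefer inactivity aging) and the tested config above come down to one rule in IOS port-security: a MAC that is still secured on one port is a violation when it shows up on another secure port in the same VLAN, and with `aging time 0` (the default) a secure MAC never leaves the old port until the port is shut. The Python below is an added example, not Cisco code and not something posted in the thread: a deliberately simplified model of that rule plus absolute and inactivity aging, run against the two configurations posted here. It assumes one VLAN, no sticky or static addresses, aging evaluated when a frame arrives, and the IOS default of `shutdown` when no `violation` keyword is configured (which is what both configs without `restrict` on this page have). Port names, the MAC address and the minute timings are constructed.

```python
"""Simplified model of Cisco IOS port-security secure-MAC aging.

Added example, not Cisco code and not from the thread: it models the
documented rule that a MAC secured on one port is a violation when it
appears on another secure port in the same VLAN, plus absolute and
inactivity aging, to show why a roaming client err-disables the new
port unless the old port's entry has aged out. Times are minutes.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class PortConfig:
    maximum: int = 1
    violation: str = "shutdown"   # IOS default when no 'violation' keyword is set
    aging_time: int = 0           # minutes; 0 means secure MACs never age (IOS default)
    aging_type: str = "absolute"  # 'absolute' or 'inactivity'


@dataclass
class SecureEntry:
    learned_at: float
    last_seen: float


@dataclass
class Port:
    name: str
    cfg: PortConfig
    status: str = "Secure-up"
    secure: Dict[str, SecureEntry] = field(default_factory=dict)
    violations: int = 0


class PortSecuritySwitch:
    """All ports are access ports in the same VLAN (simplification)."""

    def __init__(self, ports: Dict[str, PortConfig]) -> None:
        self.ports = {name: Port(name, cfg) for name, cfg in ports.items()}

    def _age_out(self, now: float) -> None:
        for port in self.ports.values():
            if port.cfg.aging_time == 0:
                continue  # aging disabled: entries stay until shut/no shut or clear
            for mac, entry in list(port.secure.items()):
                ref = entry.learned_at if port.cfg.aging_type == "absolute" else entry.last_seen
                if now - ref >= port.cfg.aging_time:
                    del port.secure[mac]

    def _owner(self, mac: str) -> Optional[Port]:
        return next((p for p in self.ports.values() if mac in p.secure), None)

    def frame(self, port_name: str, mac: str, now: float) -> str:
        """A frame from `mac` arrives on `port_name` at minute `now`.
        Returns 'forwarded', 'dropped' or 'err-disabled'."""
        self._age_out(now)
        port = self.ports[port_name]
        if port.status != "Secure-up":
            return "err-disabled"
        if mac in port.secure:
            port.secure[mac].last_seen = now
            return "forwarded"
        if self._owner(mac) is None and len(port.secure) < port.cfg.maximum:
            port.secure[mac] = SecureEntry(now, now)
            return "forwarded"
        # Violation: MAC is secured on another port, or this port is at its maximum.
        port.violations += 1
        if port.cfg.violation == "shutdown":
            port.status = "Secure-shutdown"   # err-disabled until shut/no shut or recovery
            return "err-disabled"
        return "dropped"   # restrict/protect: frame dropped, port stays up


# The two configurations posted in the thread; the client MAC is constructed.
OP_CONFIG = PortConfig(maximum=4)   # no violation keyword, no aging -> shutdown, 0 min absolute
TESTED_CONFIG = PortConfig(maximum=4, violation="restrict", aging_time=5, aging_type="inactivity")
CLIENT_MAC = "0011.2233.4455"


def roam(cfg: PortConfig, move_after: float) -> Tuple[str, str, int]:
    """Client sends on Gi1/0/31 at minute 0, goes idle, then sends on Gi1/0/32
    at minute `move_after`. Returns (result, new port status, violation count)."""
    sw = PortSecuritySwitch({"Gi1/0/31": cfg, "Gi1/0/32": cfg})
    sw.frame("Gi1/0/31", CLIENT_MAC, 0.0)
    result = sw.frame("Gi1/0/32", CLIENT_MAC, move_after)
    new_port = sw.ports["Gi1/0/32"]
    return result, new_port.status, new_port.violations


if __name__ == "__main__":
    print("OP config, move after 10 min:    ", roam(OP_CONFIG, 10))
    print("tested config, move after 10 min:", roam(TESTED_CONFIG, 10))
    print("tested config, move after 2 min: ", roam(TESTED_CONFIG, 2))
```

With the OP's config the move err-disables the new port no matter how long the client was idle, which is the symptom in the thread. With the tested config the move succeeds once the client has been idle longer than the inactivity timer; a move inside that window is still a violation, but in `restrict` mode it only increments the counter (compare the 247 in the output above) and the port stays up. Dropping `violation restrict` from that config falls back to `shutdown`, so the same early move err-disables the port again.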
10-31-2022 06:08 AM
I have applied the configs and I am getting the below. Note: I had to remove switchport port-security violation restrict to allow the user to work, as the port was going into error-disabled mode.
Oct 31 15:00:12.436 : %PM-4-ERR_DISABLE: psecure-violation error detected on Gi1/0/31, putting Gi1/0/31 in err-disable state
Oct 31 15:00:12.439 : %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address xxxxxxxxxxxxxxd on port GigabitEthernet1/0/31.
Oct 31 15:00:13.436 : %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/31, changed state to down
Oct 31 15:00:14.437 : %LINK-3-UPDOWN: Interface GigabitEthernet1/0/31, changed state to down
Oct 31 15:00:22.628 : %LINK-5-CHANGED: Interface GigabitEthernet1/0/31, changed state to administratively down
Oct 31 15:00:29.540 : %LINK-3-UPDOWN: Interface GigabitEthernet1/0/31, changed state to down
Oct 31 15:00:30.495 : %PM-4-ERR_DISABLE: psecure-violation error detected on Gi1/0/31, putting Gi1/0/31 in err-disable state
Oct 31 15:00:30.499 : %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address xxxxxxxxxxxxxxd on port GigabitEthernet1/0/31.
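The log sequence above is the signature of this problem: `%PORT_SECURITY-2-PSECURE_VIOLATION` naming a MAC and port, paired with `%PM-4-ERR_DISABLE` on the same port, repeating every time the port is brought back up. When you are triaging a whole switch rather than one port, it helps to pull those two message types out of the syslog and ask two questions: which ports keep err-disabling within a short window, and which MACs have caused violations on more than one port (a client roaming between secured ports). The Python below is an added example, not from the thread and not a Cisco tool; its regexes follow the message formats quoted on this page, and `SAMPLE_LOG` is constructed, with a made-up MAC address and timestamps, so it runs offline.

```python
"""Triage Cisco IOS port-security syslog for flapping ports and roaming MACs.

Added example, not from the thread: the regexes match the message formats
quoted in the thread; SAMPLE_LOG is constructed with a made-up MAC and
timestamps to exercise them offline.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

SAMPLE_LOG = """\
Oct 31 15:00:12.436 : %PM-4-ERR_DISABLE: psecure-violation error detected on Gi1/0/31, putting Gi1/0/31 in err-disable state
Oct 31 15:00:12.439 : %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet1/0/31.
Oct 31 15:00:13.436 : %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/31, changed state to down
Oct 31 15:00:22.628 : %LINK-5-CHANGED: Interface GigabitEthernet1/0/31, changed state to administratively down
Oct 31 15:00:30.495 : %PM-4-ERR_DISABLE: psecure-violation error detected on Gi1/0/31, putting Gi1/0/31 in err-disable state
Oct 31 15:00:30.499 : %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet1/0/31.
Oct 31 15:05:01.000 : %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet1/0/12.
"""

# Timestamp prefix as it appears in the thread: "Oct 31 15:00:12.436 : "
_TS = r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2})\.\d+ : "
VIOLATION_RE = re.compile(
    _TS + r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*MAC address (?P<mac>[0-9a-fA-F.]+) on port (?P<port>[\w/]+)\."
)
ERRDISABLE_RE = re.compile(
    _TS + r"%PM-4-ERR_DISABLE: psecure-violation error detected on (?P<port>[\w/]+),"
)


def short(port: str) -> str:
    """Normalise 'GigabitEthernet1/0/31' and 'Gi1/0/31' to one key."""
    return re.sub(r"^GigabitEthernet", "Gi", port)


def parse(log: str) -> List[Dict]:
    """Return one event dict per matching line: ts, kind, port, mac (None for err-disable)."""
    events = []
    for line in log.splitlines():
        for kind, rx in (("violation", VIOLATION_RE), ("err-disable", ERRDISABLE_RE)):
            m = rx.match(line)
            if m:
                # No year in IOS timestamps; deltas within a day are all we need here.
                ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
                events.append({"ts": ts, "kind": kind, "port": short(m["port"]),
                               "mac": m.groupdict().get("mac")})
                break
    return events


def summarize(events: List[Dict], window_s: int = 300, min_errdisable: int = 2) -> Dict:
    """Ports err-disabled at least min_errdisable times within window_s seconds,
    and MACs that caused violations on more than one port (a roaming client)."""
    errdis = defaultdict(list)
    ports_by_mac = defaultdict(set)
    for e in events:
        if e["kind"] == "err-disable":
            errdis[e["port"]].append(e["ts"])
        else:
            ports_by_mac[e["mac"]].add(e["port"])
    flapping = sorted(
        port for port, times in errdis.items()
        if len(times) >= min_errdisable
        and (max(times) - min(times)).total_seconds() <= window_s
    )
    roaming = {mac: sorted(ports) for mac, ports in ports_by_mac.items() if len(ports) > 1}
    return {"flapping_ports": flapping, "roaming_macs": roaming}


if __name__ == "__main__":
    print(summarize(parse(SAMPLE_LOG)))
```

On the constructed sample this reports Gi1/0/31 as flapping (two err-disables 18 seconds apart) and the one MAC as having hit both Gi1/0/31 and Gi1/0/12, which is exactly the roaming-client pattern discussed in the thread. Feed it `show logging` output from a real switch; the default five-minute window matches the default MAC aging time, so a port that err-disables more than once inside it is almost certainly a client moving faster than the secure entry can age.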