How to turn off errdisable security violation - 6880

Aaron D
Level 1

Trying to turn off errdisable (don't need an explanation of why errdisable is good, I get it) for a provider loopback scenario that's causing the port to go down. Attempted 'no errdisable detect all' and 'no errdisable detect cause security-violation shutdown vlan' and 'no errdisable detect security-violation shutdown vlan' to no avail. 

 

Nov 12 13:50:38.798 UTC: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface Te5/9, new MAC address (a023.9f06.7f9f) is seen.AuditSessionID #^_^F^^N^B^C
Nov 12 13:50:38.798 UTC: %PM-4-ERR_DISABLE: security-violation error detected on Te5/9, putting Te5/9 in err-disable state

 

RTR-1# sh errdisable dete
ErrDisable Reason Detection status
----------------- ----------------
udld Enabled port
bpduguard Enabled port
security-violation Enabled port
channel-misconfig Enabled port
psecure-violation Enabled port
mac-limit Enabled port
unicast-flood Enabled port
vmps Enabled port
loopback Disabled
pagp-flap Disabled
dtp-flap Disabled
link-flap Disabled
l2ptguard Disabled
gbic-invalid Disabled
dhcp-rate-limit Disabled
storm-control Enabled port
inline-power Enabled port
arp-inspection Disabled
packet-buffer Enabled port
link-monitor-failure Enabled port
oam-remote-failure critic Enabled port
oam-remote-failure dying- Enabled port
oam-remote-failure link-f Enabled port
dot1ad-incomp-etype Enabled port
dot1ad-incomp-tunnel Enabled port
mvrp Enabled port
transceiver-incomp Enabled port
VSL transceiver-incomp Enabled port
FEX Licensing module remo Enabled port
RTR-1#
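The two syslog lines and the `show errdisable detect` table above carry the whole diagnosis: the port was err-disabled for cause `security-violation` (raised by AUTHMGR, i.e. the 802.1X/CTS side, not the `psecure-violation` reason that belongs to port security), and detection for that cause is still "Enabled port" after the `no errdisable detect ...` attempts. The following added Python script is not from the original post; it parses those two outputs (constructed sample copies of the lines above, with the unreadable AuditSessionID bytes replaced by a placeholder) and joins each err-disable event with the detection status of its cause, which is the check to run after changing `errdisable detect` to see whether the change took effect.

```python
import re

# Constructed sample input: the two syslog lines and part of the
# "show errdisable detect" table quoted in the original post. The
# unreadable AuditSessionID bytes are replaced with a placeholder.
SYSLOG = """\
Nov 12 13:50:38.798 UTC: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface Te5/9, new MAC address (a023.9f06.7f9f) is seen.AuditSessionID <unreadable>
Nov 12 13:50:38.798 UTC: %PM-4-ERR_DISABLE: security-violation error detected on Te5/9, putting Te5/9 in err-disable state
"""

DETECT = """\
ErrDisable Reason Detection status
----------------- ----------------
udld Enabled port
security-violation Enabled port
psecure-violation Enabled port
loopback Disabled
oam-remote-failure critic Enabled port
"""

VIOLATION_RE = re.compile(
    r"%AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface "
    r"(?P<intf>\S+), new MAC address \((?P<mac>[0-9a-f.]+)\) is seen"
)
ERRDISABLE_RE = re.compile(
    r"%PM-4-ERR_DISABLE: (?P<cause>[\w-]+) error detected on (?P<intf>\S+), "
    r"putting \S+ in err-disable state"
)
# Reason names may contain spaces ("oam-remote-failure critic"), so the
# reason is matched non-greedily up to the Enabled/Disabled column.
DETECT_RE = re.compile(r"^(?P<reason>.+?)\s+(?P<status>Enabled(?:\s+\w+)?|Disabled)$")


def parse_detect(text):
    """Map each errdisable reason to its detection status ('Enabled port' / 'Disabled')."""
    table = {}
    for line in text.splitlines():
        m = DETECT_RE.match(line.strip())
        if m:
            table[m.group("reason")] = m.group("status")
    return table


def parse_syslog(text):
    """Return (interface, cause, mac) per err-disable event; mac comes from the
    AUTHMGR violation most recently logged for that interface, or None."""
    last_mac, events = {}, []
    for line in text.splitlines():
        v = VIOLATION_RE.search(line)
        if v:
            last_mac[v.group("intf")] = v.group("mac")
            continue
        e = ERRDISABLE_RE.search(line)
        if e:
            intf = e.group("intf")
            events.append((intf, e.group("cause"), last_mac.get(intf)))
    return events


def explain(syslog_text, detect_text):
    """Join each err-disable event with the detection status of its cause, so
    it is visible whether 'no errdisable detect cause ...' actually took effect."""
    table = parse_detect(detect_text)
    return [
        {"interface": intf, "cause": cause, "mac": mac,
         "detection": table.get(cause, "unknown")}
        for intf, cause, mac in parse_syslog(syslog_text)
    ]


if __name__ == "__main__":
    for row in explain(SYSLOG, DETECT):
        print(row)
```

Run against real output, the script reports one row per `%PM-4-ERR_DISABLE` event; a `detection` value that is still "Enabled port" for the logged cause means the `errdisable detect` change did not apply to that reason, which is exactly the state shown in the post.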

Accepted Solution

Aaron D
Level 1

Found the command causing the issue:

cts manual

When removed I can have the provider run a loop.

CTS manual is used for WAN MACsec. Still searching for a way to stop the port from going errdisable, but now know cause. 


14 Replies

marce1000
VIP

- Depends, what is the (running)-config of the involved port?

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

interface TenGigabitEthernet5/9
 description xxxx
 mtu 9216
 ip address 10.0.1.11 255.255.255.254
 no ip redirects
 ip ospf network point-to-point
 ip ospf ttl-security
 ip ospf shutdown
 ip ospf 10 area 0
 ip ospf cost 1058
 ipv6 enable
 ipv6 nd ra suppress
 no ipv6 redirects
 ospfv3 network point-to-point
 ospfv3 cost 1058
 ospfv3 shutdown
 ospfv3 10 ipv6 area 0
 mpls ip
 cts manual
  no propagate sgt
  sap pmk xxx mode-list gcm-encrypt
 no keepalive
 no mop enabled
 service-policy type lan-queuing input 1P7Q4T
 service-policy type lan-queuing output 1P7Q4T

- Could be a bug, are you on a fairly recent or advisory software release for this particular platform?

 M.




On a recent release...15.5(1)SY3. I was thinking bug as well...but thought I'd throw it out there. So far I haven't been able to find a bug in the search tool that's directly related. 

Leo Laohoo
Hall of Fame

@Aaron D wrote:
security-violation Enabled port

NO errdisable detect cause security-violation shutdown VLAN <VLAN>

 

Already tried that, doesn't work. Keep in mind it's a layer 3 port...

thanks

What is the port config?

It's already posted above.

- What is the output of

show port-security interface Te5/9

 




RTR-2#sh port-security int ten5/9
port-security feature is not supported on this interface TenGigabitEthernet5/9

 

This smells like a bug...

- Looks like it, there may be one other thing to consider: are you using a code-flavor on the device corresponding to the needs (ospf servicing etc.)? I mean sometimes you have stuff as ipbase, ipservices, .... - does the code-flavor match the needs (with licenses, although that is probably not related here).

 M.




Yes, we purchased adv services as that's what we use (BGP/OSPF/MPLS/IPv6/etc..) so have the flavor we need.

Alex Pfeil
Level 7

Did you complete a show run all | b 5/9?

This will show the complete config on the port.

Also, do show run all | i default.

This will show what items could be applied to a port that are not part of the port configuration.

Another way to troubleshoot is to remove one command at a time until the port does not go err-disabled.
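The "remove one command at a time" procedure above is easy to get wrong on a stanza like the one posted in this thread, because `cts manual` carries submode lines (`no propagate sgt`, `sap pmk ...`) that go away with it; removing them individually tells you nothing. The added Python script below is not from any post in the thread; it reads an interface stanza out of a running config (a constructed, shortened copy of the config posted above, written with `show run` indentation), groups each interface-level command with its submode children so that each removal step takes out a whole block, puts the command the accepted solution identified (`cts manual`) first, and emits the `no ...` lines for a block. The `KNOWN_TRIGGERS` set and the helper names are this example's own.

```python
# Constructed sample: the interface stanza posted earlier in this thread,
# shortened, written with IOS "show run" indentation (submode lines under
# "cts manual" are indented two spaces), plus a second interface as a control.
RUNNING_CONFIG = """\
interface TenGigabitEthernet5/9
 description xxxx
 mtu 9216
 ip address 10.0.1.11 255.255.255.254
 ip ospf network point-to-point
 mpls ip
 cts manual
  no propagate sgt
  sap pmk xxx mode-list gcm-encrypt
 no keepalive
 service-policy type lan-queuing input 1P7Q4T
!
interface TenGigabitEthernet5/10
 shutdown
!
"""

# The command the accepted solution in this thread found to be the trigger
# (assumption: extend this only with causes you have actually confirmed).
KNOWN_TRIGGERS = {"cts manual"}


def interface_stanza(config, name):
    """Lines of one interface stanza (what 'show run | b <name>' is read for),
    ending at the first non-indented line; [] if the interface is absent."""
    out = []
    for line in config.splitlines():
        if not out:
            if line.strip() == f"interface {name}":
                out.append(line.rstrip())
        elif line.startswith(" "):
            out.append(line.rstrip())
        else:
            break
    return out


def removal_candidates(stanza):
    """Group each interface-level command with its submode children, so one
    removal step takes out a whole block (cts manual with its sap/sgt lines)."""
    blocks = []
    for line in stanza[1:]:
        if line.startswith("  ") and blocks:
            blocks[-1]["children"].append(line.strip())
        else:
            blocks.append({"command": line.strip(), "children": []})
    return blocks


def plan(config, name):
    """Removal order: known triggers first, then remaining blocks in config order."""
    cands = removal_candidates(interface_stanza(config, name))
    return sorted(cands, key=lambda b: b["command"] not in KNOWN_TRIGGERS)


def negate(name, block):
    """CLI lines that remove one block; negating the parent command removes
    its submode, and a command already written as 'no X' is restored with 'X'."""
    cmd = block["command"]
    undo = cmd[3:] if cmd.startswith("no ") else f"no {cmd}"
    return [f"interface {name}", f" {undo}"]


if __name__ == "__main__":
    intf = "TenGigabitEthernet5/9"
    for step, block in enumerate(plan(RUNNING_CONFIG, intf), 1):
        print(f"step {step}: {block['command']} (+{len(block['children'])} submode lines)")
        print("   ", " / ".join(negate(intf, block)))
```

Feed it the output of `show run all | b <interface>` instead of the sample and it produces the same one-block-per-step plan for the real stanza; because `plan` keeps config order after the known trigger, the steps are reproducible across runs, which matters when you are comparing before/after behaviour of the provider's loop test.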

