11-12-2020 08:14 AM
Trying to turn off errdisable (don't need an explanation of why errdisable is good, I get it) for a provider loopback scenario that's causing the port to go down. Attempted 'no errdisable detect all' and 'no errdisable detect cause security-violation shutdown vlan' and 'no errdisable detect security-violation shutdown vlan' to no avail.
Nov 12 13:50:38.798 UTC: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface Te5/9, new MAC address (a023.9f06.7f9f) is seen.AuditSessionID #^_^F^^N^B^C
Nov 12 13:50:38.798 UTC: %PM-4-ERR_DISABLE: security-violation error detected on Te5/9, putting Te5/9 in err-disable state
RTR-1# sh errdisable dete
ErrDisable Reason          Detection status  Mode
-----------------          ----------------  ----
udld                       Enabled           port
bpduguard                  Enabled           port
security-violation         Enabled           port
channel-misconfig          Enabled           port
psecure-violation          Enabled           port
mac-limit                  Enabled           port
unicast-flood              Enabled           port
vmps                       Enabled           port
loopback                   Disabled
pagp-flap                  Disabled
dtp-flap                   Disabled
link-flap                  Disabled
l2ptguard                  Disabled
gbic-invalid               Disabled
dhcp-rate-limit            Disabled
storm-control              Enabled           port
inline-power               Enabled           port
arp-inspection             Disabled
packet-buffer              Enabled           port
link-monitor-failure       Enabled           port
oam-remote-failure critic  Enabled           port
oam-remote-failure dying-  Enabled           port
oam-remote-failure link-f  Enabled           port
dot1ad-incomp-etype        Enabled           port
dot1ad-incomp-tunnel       Enabled           port
mvrp                       Enabled           port
transceiver-incomp         Enabled           port
VSL transceiver-incomp     Enabled           port
FEX Licensing module remo  Enabled           port
RTR-1#
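As an added example (not from this thread and not Cisco code), the following Python parses the two syslog lines and the `show errdisable detect` table pasted above, ties the AUTHMGR security violation to the PM err-disable event for the same interface, and reports whether detection for the cause that fired is still listed as Enabled. That last check is what you would run after each `no errdisable detect cause ...` attempt to confirm the change actually took. Assumptions: the regexes match only the two message formats shown in the thread; the AuditSessionID value and the third (bpduguard) log line are constructed; the correlation rule keys on an identical timestamp and interface, which is what the thread's two lines show. As the later posts found, this particular violation came from `cts manual` on a routed port, so the parser tells you what fired and what the detect table says, not why the cause exists.

```python
"""Added example, not part of the original thread: parse IOS err-disable
syslog lines and 'show errdisable detect' output, then check whether the
cause that fired is still enabled for detection."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the first two lines follow the thread's output (the
# AuditSessionID value is made up); the third is an invented bpduguard event
# with no matching AUTHMGR line, to exercise the "MAC unknown" path.
SYSLOG = """\
Nov 12 13:50:38.798 UTC: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface Te5/9, new MAC address (a023.9f06.7f9f) is seen.AuditSessionID 0A00010B00000001
Nov 12 13:50:38.798 UTC: %PM-4-ERR_DISABLE: security-violation error detected on Te5/9, putting Te5/9 in err-disable state
Nov 12 13:52:10.001 UTC: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/1, putting Gi1/1 in err-disable state
"""

# Trimmed copy of the poster's 'show errdisable detect' output. Note the
# multi-word reason names, which a naive str.split() would mangle.
SHOW_ERRDISABLE_DETECT = """\
RTR-1# sh errdisable dete
ErrDisable Reason Detection status
----------------- ----------------
udld Enabled port
bpduguard Enabled port
security-violation Enabled port
psecure-violation Enabled port
loopback Disabled
link-flap Disabled
oam-remote-failure critic Enabled port
VSL transceiver-incomp Enabled port
RTR-1#
"""

ERR_DISABLE_RE = re.compile(
    r"^(?P<ts>[^%]+?): %PM-4-ERR_DISABLE: (?P<cause>\S+) error detected on "
    r"(?P<intf>\S+), putting "
)
VIOLATION_RE = re.compile(
    r"^(?P<ts>[^%]+?): %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the "
    r"interface (?P<intf>\S+), new MAC address \((?P<mac>[0-9a-f.]{14})\)"
)
# reason (may contain spaces), status, optional mode column (port/vlan)
DETECT_ROW_RE = re.compile(
    r"^(?P<reason>.+?)\s+(?P<status>Enabled|Disabled)(?:\s+(?P<mode>\S+))?\s*$"
)


@dataclass
class ErrDisableEvent:
    timestamp: str
    cause: str
    interface: str
    mac: Optional[str] = None  # offending MAC, when an AUTHMGR line matched


def parse_syslog(text: str) -> List[ErrDisableEvent]:
    """Return err-disable events, each annotated with the MAC from an AUTHMGR
    violation logged for the same interface at the same timestamp (assumed
    correlation rule; the thread's two lines share 13:50:38.798)."""
    violations: Dict[tuple, str] = {}
    events: List[ErrDisableEvent] = []
    for line in text.splitlines():
        v = VIOLATION_RE.match(line)
        if v:
            violations[(v["ts"], v["intf"])] = v["mac"]
            continue
        e = ERR_DISABLE_RE.match(line)
        if e:
            events.append(ErrDisableEvent(e["ts"], e["cause"], e["intf"],
                                          violations.get((e["ts"], e["intf"]))))
    return events


def parse_errdisable_detect(text: str) -> Dict[str, dict]:
    """Map each ErrDisable reason to {'enabled': bool, 'mode': str|None}.
    Prompt, header and separator lines carry no Enabled/Disabled token, so the
    row regex skips them."""
    table: Dict[str, dict] = {}
    for line in text.splitlines():
        m = DETECT_ROW_RE.match(line.strip())
        if m:
            table[m["reason"]] = {"enabled": m["status"] == "Enabled",
                                  "mode": m["mode"]}
    return table


def detection_still_enabled(event: ErrDisableEvent, table: Dict[str, dict]) -> bool:
    """True if the detect table still lists the cause that fired as Enabled,
    i.e. a 'no errdisable detect cause ...' change did not take effect."""
    row = table.get(event.cause)
    return bool(row and row["enabled"])


def audit(syslog: str, show_output: str) -> List[dict]:
    """One report row per err-disable event: interface, cause, MAC (if any)
    and whether detection for that cause is still enabled."""
    table = parse_errdisable_detect(show_output)
    return [{"interface": ev.interface, "cause": ev.cause, "mac": ev.mac,
             "detection_enabled": detection_still_enabled(ev, table)}
            for ev in parse_syslog(syslog)]


if __name__ == "__main__":
    for row in audit(SYSLOG, SHOW_ERRDISABLE_DETECT):
        print(row)
```

Feed it the live `show logging` and `show errdisable detect` text; a row whose `detection_enabled` stays True after you have issued the `no errdisable detect cause` command is the same symptom the poster hit.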
11-12-2020 08:45 AM
- Depends, what is the (running-)config of the involved port?
M.
11-12-2020 08:58 AM
interface TenGigabitEthernet5/9
 description xxxx
 mtu 9216
 ip address 10.0.1.11 255.255.255.254
 no ip redirects
 ip ospf network point-to-point
 ip ospf ttl-security
 ip ospf shutdown
 ip ospf 10 area 0
 ip ospf cost 1058
 ipv6 enable
 ipv6 nd ra suppress
 no ipv6 redirects
 ospfv3 network point-to-point
 ospfv3 cost 1058
 ospfv3 shutdown
 ospfv3 10 ipv6 area 0
 mpls ip
 cts manual
  no propagate sgt
  sap pmk xxx mode-list gcm-encrypt
 no keepalive
 no mop enabled
 service-policy type lan-queuing input 1P7Q4T
 service-policy type lan-queuing output 1P7Q4T
11-12-2020 09:52 AM
- Could be a bug, are you on a fairly recent or advisory software release for this particular platform?
M.
11-12-2020 10:00 AM
On a recent release...15.5(1)SY3. I was thinking bug as well...but thought I'd throw it out there. So far I haven't been able to find a bug in the search tool that's directly related.
11-12-2020 01:55 PM
@Aaron D wrote:
security-violation Enabled port
NO errdisable detect cause security-violation shutdown VLAN <VLAN>
11-12-2020 05:53 PM
Already tried that, doesn't work. Keep in mind it's a layer 3 port...
thanks
11-12-2020 10:26 PM
What is the port config?
11-13-2020 06:32 AM
It's already posted above.
11-13-2020 07:26 AM
- What is the output of
show port-security interface Te5/9
11-13-2020 07:30 AM
RTR-2#sh port-security int ten5/9
port-security feature is not supported on this interface TenGigabitEthernet5/9
This smells like a bug...
11-13-2020 07:58 AM
- Looks like it, there may be one other thing to consider: are you using a code-flavor on the device corresponding to the needs (OSPF servicing etc.)? I mean sometimes you have stuff such as ipbase, ipservices, ... - does the code-flavor match the needs (with licenses, although that is probably not related here)?
M.
11-13-2020 10:23 AM
Yes, we purchased adv services as that's what we use (BGP/OSPF/MPLS/IPv6/etc..) so have the flavor we need.
11-13-2020 11:07 AM
Did you complete a show run all | b 5/9?
This will show the complete config on the port.
Also, do show run all | i default.
This will show what items could be applied to a port that are not part of the port configuration.
Another way to troubleshoot is to remove one command at a time until the port does not go err-disabled.
11-18-2020 06:59 PM - edited 11-18-2020 07:04 PM
Found the command causing the issue:
cts manual
When removed I can have the provider run a loop.
CTS manual is used for WAN MACsec. Still searching for a way to stop the port from going errdisable, but now know cause.