Trying to turn off errdisable (don't need an explanation of why errdisable is good, I get it) for a provider loopback scenario that's causing the port to go down. Attempted 'no errdisable detect all' and 'no errdisable detect cause security-violation shutdown vlan' and 'no errdisable detect security-violation shutdown vlan' to no avail.
Nov 12 13:50:38.798 UTC: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface Te5/9, new MAC address (a023.9f06.7f9f) is seen.AuditSessionID #^_^F^^N^B^C
Nov 12 13:50:38.798 UTC: %PM-4-ERR_DISABLE: security-violation error detected on Te5/9, putting Te5/9 in err-disable state
RTR-1# sh errdisable dete
ErrDisable Reason           Detection status
udld                        Enabled  port
bpduguard                   Enabled  port
security-violation          Enabled  port
channel-misconfig           Enabled  port
psecure-violation           Enabled  port
mac-limit                   Enabled  port
unicast-flood               Enabled  port
vmps                        Enabled  port
storm-control               Enabled  port
inline-power                Enabled  port
packet-buffer               Enabled  port
link-monitor-failure        Enabled  port
oam-remote-failure critic   Enabled  port
oam-remote-failure dying-   Enabled  port
oam-remote-failure link-f   Enabled  port
dot1ad-incomp-etype         Enabled  port
dot1ad-incomp-tunnel        Enabled  port
mvrp                        Enabled  port
transceiver-incomp          Enabled  port
VSL transceiver-incomp      Enabled  port
FEX Licensing module remo   Enabled  port
ip address 10.0.1.11 255.255.255.254
no ip redirects
ip ospf network point-to-point
ip ospf ttl-security
ip ospf shutdown
ip ospf 10 area 0
ip ospf cost 1058
ipv6 nd ra suppress
no ipv6 redirects
ospfv3 network point-to-point
ospfv3 cost 1058
ospfv3 10 ipv6 area 0
no propagate sgt
sap pmk xxx mode-list gcm-encrypt
no mop enabled
service-policy type lan-queuing input 1P7Q4T
service-policy type lan-queuing output 1P7Q4T
On a recent release...15.5(1)SY3. I was thinking bug as well...but thought I'd throw it out there. So far I haven't been able to find a bug in the search tool that's directly related.
- Looks like it. There may be one other thing to consider: are you using a code flavor on the device that corresponds to the needs (OSPF servicing, etc.)? I mean, sometimes you have stuff such as ipbase, ipservices, ... Does the code flavor match the needs (with licenses, although that is probably not related here)?
Did you complete a show run all | b 5/9?
This will show the complete config on the port.
Also, do show run all | i default.
This will show what items could be applied to a port that are not part of the port configuration.
Another way to troubleshoot is to remove one command at a time until the port does not go err-disabled.
Found the command causing the issue:
When removed I can have the provider run a loop.
CTS manual is used for WAN MACsec. Still searching for a way to stop the port from going errdisable, but now know cause.