cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Join Customer Connection to register!
796
Views
25
Helpful
14
Replies
Aaron D
Beginner

How to turn off errdisable security violation - 6880

Trying to turn off errdisable (don't need an explanation of why errdisable is good, I get it) for a provider loopback scenario that's causing the port to go down. Attempted 'no errdisable detect all' and 'no errdisable detect cause security-violation shutdown vlan' and 'no errdisable detect security-violation shutdown vlan' to no avail. 

 

Nov 12 13:50:38.798 UTC: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface Te5/9, new MAC address (a023.9f06.7f9f) is seen.AuditSessionID #^_^F^^N^B^C
Nov 12 13:50:38.798 UTC: %PM-4-ERR_DISABLE: security-violation error detected on Te5/9, putting Te5/9 in err-disable state

 

RTR-1# sh errdisable dete
ErrDisable Reason Detection status
----------------- ----------------
udld Enabled port
bpduguard Enabled port
security-violation Enabled port
channel-misconfig Enabled port
psecure-violation Enabled port
mac-limit Enabled port
unicast-flood Enabled port
vmps Enabled port
loopback Disabled
pagp-flap Disabled
dtp-flap Disabled
link-flap Disabled
l2ptguard Disabled
gbic-invalid Disabled
dhcp-rate-limit Disabled
storm-control Enabled port
inline-power Enabled port
arp-inspection Disabled
packet-buffer Enabled port
link-monitor-failure Enabled port
oam-remote-failure critic Enabled port
oam-remote-failure dying- Enabled port
oam-remote-failure link-f Enabled port
dot1ad-incomp-etype Enabled port
dot1ad-incomp-tunnel Enabled port
mvrp Enabled port
transceiver-incomp Enabled port
VSL transceiver-incomp Enabled port
FEX Licensing module remo Enabled port
RTR-1#

14 REPLIES 14
marce1000
VIP Advisor

 

                       - Depends, what is the (running)-config of the involved port ?

 M.

interface TenGigabitEthernet5/9
description xxxx
mtu 9216
ip address 10.0.1.11 255.255.255.254
no ip redirects
ip ospf network point-to-point
ip ospf ttl-security
ip ospf shutdown
ip ospf 10 area 0
ip ospf cost 1058
ipv6 enable
ipv6 nd ra suppress
no ipv6 redirects
ospfv3 network point-to-point
ospfv3 cost 1058
ospfv3 shutdown
ospfv3 10 ipv6 area 0
mpls ip
cts manual
no propagate sgt
sap pmk xxx mode-list gcm-encrypt
no keepalive
no mop enabled
service-policy type lan-queuing input 1P7Q4T
service-policy type lan-queuing output 1P7Q4T

 

        - Could be a bug , are you on a fairly recent or advisory software release for this particular platform ?

 M.

On a recent release...15.5(1)SY3. I was thinking bug as well...but thought I'd throw it out there. So far I haven't been able to find a bug in the search tool that's directly related. 

Leo Laohoo
VIP Community Legend


@Aaron D wrote:
security-violation Enabled port

NO errdisable detect cause security-violation shutdown VLAN <VLAN>

 

Already tried that, doesn't work. Keep in mind it's a layer 3 port...

thanks

Leo Laohoo
VIP Community Legend

What is the port config?

It's already posted above.

 

                                                - What is the output of 

show port-security interface Te5/9

 

RTR-2#sh port-security int ten5/9
port-security feature is not supported on this interface TenGigabitEthernet5/9

 

This smells like a bug...

 

 - Looks like it , there may be one other thing to consider : are you using a code-flavor on the device corresponding to the needs (ospf servicing etc.). I mean sometimes you have stuff as ipbase, ipservices,.... - does the code-flavor match the needs  (with licenses, although that is probably not related here).

 M.

Yes, we purchased adv services as that's what we use (BGP/OSPF/MPLS/IPv6/etc..) so have the flavor we need.

Alex Pfeil
Rising star

Did you complete a show run all | b 5/9?

This will show the complete config on the port.

Also, do show run all | i default.

This will show what items could be applied to a port that are not part of the port configuration.

Another way to troubleshoot is to remove one command at a time until the port does not go err-disabled.

Aaron D
Beginner

Found the command causing the issue:

cts manual

When removed I can have the provider run a loop.

CTS manual is used for WAN MACsec. Still searching for a way to stop the port from going errdisable, but now know cause.