Not able to recover port from err-disable

shoaib sheikh
Level 1

Hello All,

I am not able to recover the interface from a port security violation. Let me know the reason.

Is this related to what this person is saying at the link http://blog.glinskiy.com/2013/02/port-security-side-effect.html ?

 

#show port-security int GigabitEthernet3/0/6
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0023.245e.f4d7:11
Security Violation Count   : 1

#config t
Enter configuration commands, one per line.  End with CNTL/Z.
(config)#int GigabitEthernet3/0/6
(config-if)#shu
(config-if)#no shut
(config-if)#

Jun 22 03:50:33: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi3/0/6, putting Gi3/0/6 in err-disable state (-3)
Jun 22 03:50:33: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0023.245e.f4d7 on port GigabitEthernet3/0/6. (-3)

 

interface GigabitEthernet3/0/6
 switchport access vlan 11
 switchport mode access
 switchport nonegotiate
 switchport port-security
 no cdp enable
end


(config)#do show mac address-table int GigabitEthernet3/0/6
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----

 

Doing a debug on the interface shows nothing in the output, but terminal monitor shows the reason for the port security violation.


johnlloyd_13
Level 9

hi,

could you remove port-security command?

conf t

default int g3/0/6

OR

int g3/0/6

shut

no switchport port-security

no shut

 

Hi John,

Thanks for the reply. That would work, but it will disable port security on the interface. I just wanted to recover the port from error disable.

 

 

hi,

you can just configure auto recovery in global config.

the default timer of 300 seconds can also be changed.

errdisable recovery cause psecure-violation

errdisable recovery interval <sec>

 

use show errdisable recovery to verify its operation.

Hi John,

Thanks for the reply. Will try and let you know.

That would work but it will disable port security on interface. I wanted just to recover port from error disable.

This statement doesn't make any logical sense.  

 

If the port goes into a legitimate error-disable then why enable AUTO recovery?  Might as well remove the command to go into error disable when MAC address >1.  

 

What you're asking to do is like driving down a major highway with one foot on the accelerator and another foot on the brake.

Hello Leo,

 

I am observing this issue on specific ports, not on all ports. For other ports I just do

no switchport port-security mac-address sticky 0023.248f.242e

shut

no shut

It will re-enable port security and automatically start working for other machines. I don't want error recovery to happen automatically; it should be manual.

InayathUlla Sharieff
Cisco Employee

Maximum MAC Addresses      : 1

 

Has there been any other PC connected to this port earlier?

Hello Inayath,

 

Accidentally clicked on correct answer. You are right, it happened when another PC was connected on that port.
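For triaging the symptom in this thread (the port drops back into err-disable right after shut / no shut), the following is an added example and not part of any post: it pairs the two syslog messages quoted in the question and lists ports where the same MAC has tripped port security more than once. The function names, the later timestamps and the Gi3/0/9 entry are constructed for illustration.

```python
import re
from collections import defaultdict

# Patterns follow the two message formats quoted in the original post.
ERRDIS = re.compile(r"%PM-4-ERR_DISABLE: psecure-violation error detected on (?P<port>[^,\s]+),")
VIOL = re.compile(r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*?caused by MAC address "
                  r"(?P<mac>(?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4}) on port (?P<port>\S+?)\.(?:\s|$)")
ABBREV = {"TenGigabitEthernet": "Te", "GigabitEthernet": "Gi", "FastEthernet": "Fa"}

def short_port(name):
    """Normalise 'GigabitEthernet3/0/6' and 'Gi3/0/6' to the same key."""
    m = re.match(r"([A-Za-z]+)(\d.*)", name)
    if not m:
        return name
    return ABBREV.get(m.group(1), m.group(1)) + m.group(2)

def summarize(lines):
    """Per port: count of err-disable events and violations per source MAC."""
    ports = defaultdict(lambda: {"errdisable": 0, "macs": defaultdict(int)})
    for line in lines:
        if (m := ERRDIS.search(line)):
            ports[short_port(m["port"])]["errdisable"] += 1
        elif (m := VIOL.search(line)):
            ports[short_port(m["port"])]["macs"][m["mac"].lower()] += 1
    return {p: {"errdisable": d["errdisable"], "macs": dict(d["macs"])}
            for p, d in ports.items()}

def repeat_offenders(summary, threshold=2):
    """(port, mac, count) for MACs that tripped the same port repeatedly."""
    return sorted((p, mac, n) for p, d in summary.items()
                  for mac, n in d["macs"].items() if n >= threshold)

SAMPLE_LOG = [
    # First two lines are the ones quoted in the question.
    "Jun 22 03:50:33: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi3/0/6, putting Gi3/0/6 in err-disable state (-3)",
    "Jun 22 03:50:33: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0023.245e.f4d7 on port GigabitEthernet3/0/6. (-3)",
    # Constructed: the same port tripping again after a shut / no shut.
    "Jun 22 03:52:10: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi3/0/6, putting Gi3/0/6 in err-disable state (-3)",
    "Jun 22 03:52:10: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0023.245e.f4d7 on port GigabitEthernet3/0/6. (-3)",
    # Constructed: a different port with a single violation (documentation MAC).
    "Jun 22 04:01:45: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi3/0/9, putting Gi3/0/9 in err-disable state (-3)",
    "Jun 22 04:01:45: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.5e00.5301 on port GigabitEthernet3/0/9. (-3)",
]

if __name__ == "__main__":
    for port, mac, n in repeat_offenders(summarize(SAMPLE_LOG)):
        print(f"{port}: {mac} caused {n} violations")
```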