cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4852
Views
15
Helpful
22
Replies

PM-4-ERR_DISABLE: security-violation error detected, catalyst 2960

ciscofoam
Level 1
Level 1

Hello,

Below is the "terminal monitor" output

%PM-4-ERR_DISABLE: security-violation error detected on Gi1/0/35, putting Gi1/0/35 in err-disable state

%AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet1/0/35, new MAC address (0800.2754.a0df) is seen.AuditSessionID Unassigned

After timeleft(sec) ends it is coming back; The problem is this keeps happening and I can not find this "0800.2754.a0df" and do not understand why this MAC tries to get assigned on this interface.How can I troubleshoot this? Trying to do root-cause-analysis. Thanks

 

#show errdisable recovery

Timer interval: 300 seconds

Interfaces that will be enabled at the next timeout:

Interface Errdisable reason Time left(sec)
--------- ----------------- --------------
Gi1/0/35 security-violation 183

22 Replies 22

Hello,

I did a MAC address vendor lookup, the MAC address apparently belongs to PCS, a time management and building security vendor. Check if you have any of the devices they sell (see screenshot) deployed.

https://www.pcs.com/en/

Hello

I think this is how we do MAC Address vendor lookup.

https://macaddress.io/mac-address-lookup/Jl2VXOm9k8

 

Can not we find out this with "traceroute mac" ? I want to find out what IP address this device uses and on what interface. Thanks

Hello,

are these PCS devices actually deployed somewhere in your company, and if so, are you able to physically locate them ?

If I can find out IP of this device I can locate them.

Hello,

the MAC address does show up, so it must exist somewhere. What is the layer 3 device (router or L3 switch) connected to the device that hosts port Gi1/0/35 ? If you do a 'show ip arp 0800.2754.a0df' on the router or L3 switch ?

Hello,

catalyst 2960 is in the title of this thread. This is a L3 cisco switch.What more do you need ? I already this 'show ip arp 0800.2754.a0df' .Thanks

No need to get angry. We are all volunteers trying to help you, for free. Either way, how big is your building ? That device is physically sitting somewhere. I would suggest a physical inspection of the building, which means. Walk through the building and try to find the device (check the website I originally linked to for ideas on what it could look like)...

I am not getting angry at all. why would I get angry anyway? All the time I am thanking, you can see it in my messages, and I appreciate. nobody heard of that brand or vendor or that kind of device. tech support team browses buildings every day and they do not know about that kind of device. I am going to "traceroute mac" this device from another cisco switch. Thanks 

Hello,

check if your switch supports this command:

2960(config)#mac address-table static 0800.2754.a0df vlan X drop

balaji.bandi
Hall of Fame
Hall of Fame

how is your config on the port -

show run interface GigabitEthernet1/0/35

Some Security devices and samrt controller have multiple mac address.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hello,

I also tried this below, seems does not resolve this issue, dot1x is active on this port.Thanks

errdisable recovery cause security-violation

 

#show running-config interface gigabitEthernet 1/0/35
Building configuration...

Current configuration : 192 bytes
!
interface GigabitEthernet1/0/35
switchport access vlan 4
switchport mode access
power inline never
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
end

show running config 
check is there is manual mac config to this interface 

if you dont see mac in running then 
use multi-host for dot1x auth.

If there is why can not I list with this command?

show mac address-table

This gives no entries, I think this is how we can list manually configured MAC addresses

Switch# show port-security

 

Yes both work but if the Mac not appear in both show running and show port-security and you also mention that the port-security is not enable in port interface then I think that the issue is from:-
dot1x auth single mac address 
as @balaji.bandi some host use two mac address 
and hence the SW refuse auth the second mac for same port. 
how we can know that ?
remove the dot1x from port, shut/noshut the port, and see if the violation messgae disappear.
if the message disappear then you need make dot1x to be multi-host mode instead of single mode.

Review Cisco Networking for a $25 gift card