Port Security errdisabled problems

paolsolar-7
Level 1

Hi,

 

I am having troubles with a switch stack that has ports that keep becoming errdisabled due to port security. Each switchport is connected to an Avaya phone which is then connected to a laptop, so there should be only 2 MAC addresses being learnt per port. Below is the config of one of the ports that became errdisabled and all user ports are configured identically:

 

interface GigabitEthernet1/0/31
description sp1-phone-user
switchport access vlan 100
switchport mode access
switchport nonegotiate
switchport voice vlan 80
switchport port-security maximum 5
switchport port-security aging time 1
switchport port-security
no logging event link-status
no logging event power-inline-status
trust device cisco-phone
auto qos voip cisco-phone
spanning-tree portfast
service-policy input AutoQos-4.0-CiscoPhone-Input-Policy
service-policy output AutoQos-4.0-Output-Policy

 

And auto recovery is configured as follows:

errdisable recovery cause psecure-violation
errdisable recovery interval 1800

 

The switch stack config is as follows:

Switch  Ports  Model          SW Version  SW Image               Mode
------  -----  -----          ----------  ----------             ----
*    1  52     WS-C3650-48PD  03.06.04.E  cat3k_caa-universalk9  INSTALL
     2  52     WS-C3650-48PD  03.06.04.E  cat3k_caa-universalk9  INSTALL
     3  52     WS-C3650-48PD  03.06.04.E  cat3k_caa-universalk9  INSTALL

 

And this is shown in the logs:

Mar 11 13:13:16.241: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi1/0/31, putting Gi1/0/31 in err-disable state
Mar 11 13:13:16.247: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 54e1.ad7e.7179 on port GigabitEthernet1/0/31.
Mar 11 13:43:16.245: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Gi1/0/31

 

 

We have this exact same setup (but with only 2 switches in the stack) in another office and we are not experiencing any problems there. Does anyone have an idea as to what could be causing it? Please let me know if any more information is required.

 

Cheers!

Accepted Solutions

Jaderson Pessoa
VIP Alumni

Hello @paolsolar-7 

 

Could you provide output from: show mac address-table | inc 54e1.ad7e.7179

 

Check if this MAC was learned from other ports on your switch; if yes, disable this port to clear the MAC address and enable it again. After that, test your phone on the new port.

I had these symptoms months ago, because the MAC address had already been learned by another port.

 

 

Jaderson Pessoa
*** Rate All Helpful Responses ***


7 Replies

Mark Malone
VIP Alumni
Hi
Your config looks OK; it should only require maximum 2.
Is it always the same MAC? It looks to be a Lenovo PC when I check the OUI, not the phone causing it.
What do you see when you do a show mac? Does it show only 2 MACs?

Any VMs running on the PC ?

show mac address-table interface gx/x/x

Hi

Thanks for the reply. I've asked if there were any VMs running on this machine and I've been told there aren't. Unfortunately in the office in question there is a local tech support guy who just re-patches the port as soon as it goes down, so running "show mac address-table interface gx/x/x" won't show anything unless I get to do it as soon as the issue is reported. 

 

Thanks for your help, if you have any suggestions please let me know. In the meantime I've asked the local tech to not re-patch should this happen again so I can see what's happening as it happens. Will post an update when I get more information.

 

Cheers.

Another thing that can cause this is a faulty NIC card, just to keep in mind if it happens again on the same device.


Hi Jaderson,

I've tried running that command but nothing is showing up, I presume the user has taken their laptop home or something. When I get another report of this I will run this command to see if the MAC is showing up elsewhere and post the results. Thanks for the information.

 

Cheers.

Great,

 

Please, if possible, mark all posts that helped you as solved and helpful.

 

Regards,

Jaderson Pessoa
*** Rate All Helpful Responses ***

It might provide some insight if the original poster would post the output of show mac address table for that port so that we can see how many mac addresses, and what mac addresses are associated with that port. Is it possible that there are too many mac addresses on the port, or is there something about the particular mac address? So perhaps one step in troubleshooting would be a periodic show mac address table looking for that particular mac address.

 

HTH

 

Rick
