
%SISF-4-ENTRY_BLOCKED- IP Device-Tracking causing issues ?

Hello everybody, 

We are currently testing software version 17.06.3 and see log messages on the switch from "Switch Integrated Security Features (SISF)". I guess those messages are related to device-tracking or DHCP snooping.

%SISF-4-ENTRY_BLOCKED: Entry blocked Entry creation blocked, not possible to free space

We are currently using SW version 16.12.3a -> on this SW version we don't see those log messages.

Does anybody maybe have a clue how to solve this issue?

 

Best regards,

steffen

 

 

marce1000
Hall of Fame

 

  - Ref : https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/16_xe/smg/xe-16-10/b-sem-16-10-1/b-sem-16-10-1_chapter_0110.html

 >...

 
%SISF-4-ENTRY_BLOCKED : Entry blocked [chars]
Explanation: An attempt to install an entry in the IPv6 binding table was blocked. This can be due to a conflicting entry or maximum number of entries reached.
Recommended Action: If the maximum table size is reached, consider increasing it. If a conflicting entry already exists, this may be an attempt to steal address ownership. You should investigate which host is connected on the interface and whether it should be disconnected.




-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Yes, we know this article.

But we don't use IPv6 and have also already disabled protocol dhcpv6 learning in the device-tracking policy.

It would be great to know the command to check the size and utilization of the binding table.

best regards

 

      - What switch model is this ?

 M.




C9200-48P

We migrated two switches in the production environment to 17.06.03 and both switches are logging the same.

The device-tracking policy is as follows for "host" ports:

device-tracking policy DEV-TRACKING
 no protocol ndp
 no protocol dhcp6
 no protocol udp

For inter-switch links:

device-tracking policy DEV-TRACKING_UPLINK
 trusted-port
 device-role switch
 no protocol ndp
 no protocol dhcp6
 no protocol udp

 

TomBaz83
Level 1

Did you find a solution? We upgraded some switches to 17.6.4 and have the same issue ...

Found your topic too late, so I opened a new topic ... sorry for that

%SISF-4-ENTRY_BLOCKED : Entry blocked --> Log Warning 17.6.4 - Cisco Community

Hi TomBaz83,

We figured out that those messages were caused only on ports to access points (we only use Meraki APs). We deactivated device-tracking on those ports and the message is gone (trusted-port, device-role switch). We had the feeling that this message was more a "cosmetic" issue than causing real heavy problems. We have already migrated one of our locations completely to 17.06.3 (Cisco 9500, 9300 and 9200 platforms) and it has been working stably for 2 weeks now. Seems to be a good release in my opinion.

device-tracking policy DEV-TRACKING_UPLINK
 trusted-port
 device-role switch
 no protocol ndp
 no protocol dhcp6
 no protocol udp

interface GigabitEthernet2/0/3
 device-tracking attach-policy DEV-TRACKING_UPLINK

Best regards,

steffen

 

Seems that fixes the issue ... and I'm with you, I also think it is "only" a "cosmetic" issue.

I'm late to this discussion, but just in case: it's possible that your particular SW applied a limit of 4 IPv4 entries (or MAC entries) per port, as I noticed to be the case in SDA-fields with programmed LISP-generated policy. It was possible to heal it (thanks to God) by increasing the IPv4 address limit with the policy's "limit" subcommand. Not sure the latest C9K SW has fixed it.
Another command worth trying (I didn't test it though) is the global "device-tracking binding max-entries".
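
A small triage script for the message discussed in this thread, added here as an example and not code from any poster or from Cisco: it counts %SISF-4-ENTRY_BLOCKED events per switch and separates the "not possible to free space" case from the original post from any other detail text, which the quoted documentation says may point to a conflicting entry. The syslog line layout, the hostnames and the second detail string are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Accepts both spellings seen in this thread ("...BLOCKED:" and "...BLOCKED :").
# Assumed relay layout: "<Mon D HH:MM:SS> <host> [seq:] %FACILITY-SEV-MNEMONIC: text"
SISF_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\s.*?"
    r"%SISF-4-ENTRY_BLOCKED\s*:\s*Entry blocked\s*(?P<detail>.*)$"
)

# Detail text taken from the log line in the original post.
TABLE_FULL = "not possible to free space"

def classify(detail):
    """'capacity' = no room for a new binding entry; 'review' = anything else,
    which the quoted documentation says may be a conflicting entry."""
    return "capacity" if TABLE_FULL in detail else "review"

def triage(lines):
    """Return {switch: Counter({'capacity': n, 'review': m})}."""
    summary = defaultdict(Counter)
    for line in lines:
        m = SISF_RE.match(line.strip())
        if m:  # every other syslog message is ignored
            summary[m["host"]][classify(m["detail"])] += 1
    return dict(summary)

def needs_review(summary):
    """Switches with at least one block that is not a capacity event."""
    return sorted(h for h, c in summary.items() if c["review"] > 0)

# Constructed sample input (hostnames and the third line's detail are made up).
SAMPLE = [
    "Mar  3 10:15:02 sw-access-01 1201: %SISF-4-ENTRY_BLOCKED: Entry blocked Entry creation blocked, not possible to free space",
    "Mar  3 10:15:09 sw-access-01 1202: %SISF-4-ENTRY_BLOCKED: Entry blocked Entry creation blocked, not possible to free space",
    "Mar  3 10:16:40 sw-access-02 0877: %SISF-4-ENTRY_BLOCKED : Entry blocked CONSTRUCTED-DETAIL placeholder, not real IOS wording",
    "Mar  3 10:17:11 sw-access-02 0878: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/3, changed state to up",
]

if __name__ == "__main__":
    result = triage(SAMPLE)
    for host, counts in sorted(result.items()):
        print(host, dict(counts))
    print("review first:", needs_review(result))
```

Switches that only show "capacity" hits are candidates for the limit checks mentioned in the thread; anything listed by `needs_review` deserves a look at which host sits on the port.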