
Port Error 1


sohtnax

IS-IT--Management
Apr 24, 2003
US
How can I tell what caused this port to display "err-disabled"? Also, how can I correct this?

FastEthernet0/23 is down, line protocol is down
Hardware is Fast Ethernet, address is 0009.7c7a.a213 (bia 0009.7c7a.a213)
Description: Jack38L
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s
input flow-control is off, output flow-control is off
ARP type: ARPA, ARP Timeout 04:00:00
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue :0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
1856748 packets input, 200927498 bytes, 0 no buffer
Received 4900 broadcasts, 0 runts, 0 giants, 0 throttles
37 input errors, 37 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 101 multicast, 0 pause input
0 input packets with dribble condition detected
5917599 packets output, 14838557 bytes, 0 underruns
0 output errors, 0 collisions, 8 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
0 output buffer failures, 0 output buffers swapped out
 
Ok, this is an IOS based switch. Can you post your configuration? I don't see anything off hand that should cause the error disable state.

"I can picture a world without war. A world without hate. A world without fear. And I can picture us attacking that world, because they'd never expect it."
- Jack Handey, Deep Thoughts
 
switch#sh config
Using 6719 out of 32768 bytes
!
! Last configuration change at 21:44:32 UTC Thu Feb 20 2003
! NVRAM config last updated at 21:44:35 UTC Thu Feb 20 2003
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname switch
!
enable secret 5 ????????????????????????
enable password 7 ???????????????????????
!
ip subnet-zero
ip name-server 209.144.50.125
ip name-server 209.144.50.140
!
spanning-tree extend system-id
!
!
interface FastEthernet0/1
no ip address
!
interface FastEthernet0/2
no ip address
!
interface FastEthernet0/3
description Jack27L - jmorgan
no ip address
duplex full
speed 100
!
interface FastEthernet0/4
no ip address
duplex full
speed 100
!
interface FastEthernet0/5
description Jack37 - albashir
switchport mode access
switchport port-security
switchport port-security maximum 1
no ip address
shutdown
duplex full
speed 100
!
interface FastEthernet0/6
description Jack06L - jincognito
switchport mode access
switchport port-security
switchport port-security maximum 1
no ip address
duplex full
speed 100
!
interface FastEthernet0/7
description Jack84L - czuck
switchport mode access
switchport port-security
switchport port-security maximum 1
no ip address
duplex full
speed 100
!
interface FastEthernet0/8
no ip address
duplex full
speed 100
!
interface FastEthernet0/9
no ip address
duplex full
speed 100
!
interface FastEthernet0/10
no ip address
duplex full
speed 100
!
interface FastEthernet0/11
no ip address
duplex full
speed 100
!
interface FastEthernet0/12
no ip address
duplex full
speed 100
!
interface FastEthernet0/13
no ip address
duplex full
speed 100
!
interface FastEthernet0/14
description IBM Nas Lan2
no ip address
duplex full
speed 100
!
interface FastEthernet0/15
description IBM Nas Lan1
no ip address
duplex full
speed 100
!
interface FastEthernet0/16
no ip address
duplex full
speed 100
!
interface FastEthernet0/17
no ip address
duplex full
speed 100
!
interface FastEthernet0/18
no ip address
duplex full
speed 100
!
interface FastEthernet0/19
description Jack45R - mfayaz
switchport mode access
switchport port-security
switchport port-security maximum 1
no ip address
duplex full
speed 100
!
interface FastEthernet0/20
description Jack45L - mfayaz
switchport mode access
switchport port-security
switchport port-security maximum 1
no ip address
duplex full
speed 100
!
interface FastEthernet0/21
description Webloader
switchport mode access
switchport port-security
switchport port-security maximum 1
no ip address
duplex full
speed 100
!
interface FastEthernet0/22
no ip address
duplex full
speed 100
!
interface FastEthernet0/23
description Jack38L - jpapamarkos
no ip address
duplex full
speed 100
flowcontrol receive desired
!
interface FastEthernet0/24
switchport mode access
switchport port-security
switchport port-security maximum 1
no ip address
duplex full
speed 100
!
interface FastEthernet0/25
no ip address
duplex full
speed 100
!
interface FastEthernet0/26
description Jack100R - jcaputo
switchport mode access
switchport port-security
switchport port-security maximum 1
no ip address
duplex full
speed 100
!
interface FastEthernet0/27
description Webloader
switchport mode access
switchport port-security
switchport port-security maximum 1
no ip address
duplex full
speed 100
!
interface FastEthernet0/28
no ip address
duplex full
speed 100
!
interface FastEthernet0/29
description Jack83R - jdelgreco
switchport mode access
switchport port-security
switchport port-security maximum 1
no ip address
duplex full
speed 100
!
interface FastEthernet0/30
description Jack09L - jnoonan
switchport mode access
switchport port-security
switchport port-security maximum 1
no ip address
duplex full
speed 100
!
interface FastEthernet0/31
description Jack91L - jkassar
switchport mode access
switchport port-security
switchport port-security maximum 1
no ip address
duplex full
speed 100
!
interface FastEthernet0/32
no ip address
duplex full
speed 100
!
interface FastEthernet0/33
no ip address
!
interface FastEthernet0/34
no ip address
duplex full
speed 100
!
interface FastEthernet0/35
description Jack11L - jrabolli
switchport mode access
switchport port-security
switchport port-security maximum 1
no ip address
duplex full
speed 100
!
interface FastEthernet0/36
no ip address
duplex full
speed 100
!
interface FastEthernet0/37
no ip address
duplex full
speed 100
!
interface FastEthernet0/38
description Jack25R - ljennings
switchport mode access
switchport port-security
switchport port-security maximum 1
no ip address
duplex full
speed 100
!
interface FastEthernet0/39
description PIX (yellow L)
no ip address
duplex full
!
interface FastEthernet0/40
description Jack18L
switchport mode access
switchport port-security
switchport port-security maximum 1
no ip address
duplex full
speed 100
!
interface FastEthernet0/41
description Jack34L
switchport mode access
switchport port-security
switchport port-security maximum 1
no ip address
duplex full
speed 100
!
interface FastEthernet0/42
description Jack34R
switchport mode access
switchport port-security
switchport port-security maximum 1
no ip address
duplex full
speed 100
!
interface FastEthernet0/43
description Jack49L
switchport mode access
switchport port-security
switchport port-security maximum 1
no ip address
duplex full
speed 100
!
interface FastEthernet0/44
no ip address
duplex full
speed 100
!
interface FastEthernet0/45
description Jack23L
switchport mode access
switchport port-security
switchport port-security maximum 1
no ip address
duplex full
speed 100
!
interface FastEthernet0/46
no ip address
duplex full
speed 100
!
interface FastEthernet0/47
description Jack20AL
switchport mode access
switchport port-security
switchport port-security maximum 1
no ip address
duplex full
speed 100
!
interface FastEthernet0/48
no ip address
duplex full
speed 100
!
interface GigabitEthernet0/1
no ip address
!
interface GigabitEthernet0/2
description switch2 crossover
no ip address
!
interface Vlan1
ip address xx.x.x.xxx 255.255.255.0
no ip route-cache
!
ip default-gateway xx.x.x.xx
no ip http server
banner motd ^CThis is a private network. If you are an unauthorized
user disconnect immediately!^C
!
line con 0
session-timeout 10
line vty 0 4
session-timeout 10
timeout login response 150
password 7 ?????????????
login
line vty 5 15
password 7 ?????????????????
login
!
ntp clock-period 17180753
ntp server 208.184.49.9
end
 
Switchport port-security...why are you using this? This is what is causing your issues. If you remove those two commands your problem will go away. Look at what Cisco has to say about this topic and see if this is what you really want:

You can use the port security feature to restrict input to an interface by limiting and identifying MAC addresses of the workstations that are allowed to access the port. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses. If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the workstation attached to that port is assured the full bandwidth of the port.

If a port is configured as a secure port and the maximum number of secure MAC addresses is reached, when the MAC address of a workstation attempting to access the port is different from any of the identified secure MAC addresses, a security violation occurs.

After you have set the maximum number of secure MAC addresses on a port, the secure addresses are included in an address table in one of these ways:

You can configure all secure MAC addresses by using the switchport port-security mac-address mac_address interface configuration command.
You can allow the port to dynamically configure secure MAC addresses with the MAC addresses of connected devices.
You can configure a number of addresses and allow the rest to be dynamically configured.
--------------------------------------------------------------------------------
Note If the port shuts down, all dynamically learned addresses are removed.

--------------------------------------------------------------------------------

After the maximum number of secure MAC addresses is configured, they are stored in an address table. To ensure that an attached device has the full bandwidth of the port, configure the MAC address of the attached device and set the maximum number of addresses to one, which is the default.

A security violation occurs if the maximum number of secure MAC addresses has been added to the address table and a workstation whose MAC address is not in the address table attempts to access the interface.

You can configure the interface for one of these violation modes, based on the action to be taken if a violation occurs:

Restrict—A port security violation restricts data, causes the SecurityViolation counter to increment, and causes an SNMP Notification to be generated. The rate at which SNMP traps are generated can be controlled by the snmp-server enable traps port-security trap-rate command. The default value ("0") causes an SNMP trap to be generated for every security violation.
Shutdown—A port security violation causes the interface to shut down immediately. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure_violation global configuration command or you can manually reenable it by entering the shutdown and no shut down interface configuration commands. This is the default mode.
You can also customize the time to recover from the specified error disable cause (default is 300 seconds) by entering the errdisable recovery interval interval command.



"I can picture a world without war. A world without hate. A world without fear. And I can picture us attacking that world, because they'd never expect it."
- Jack Handey, Deep Thoughts
 
Dear sohtnax,

Don't read this story from this "instruktor".
On port fa0/23 there is no port-security configured. So it is not shutdown because of a security violation.
As you can see, there are input errors on this port. I bet this is due to a defective patch cord.
Replace the cord, go into enabled mode, conf t, int fa0/23, shut, no shut.

this should do the job,

greet, Rob
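
The check Rob makes by eye can be scripted. This is an added example, not part of the thread: it parses stanzas abridged from the posted config and reports whether a port-security violation could be what err-disabled a given port. The function names are hypothetical, and the defaults (maximum 1, shutdown mode) are taken from the documentation quoted earlier in the thread.

```python
import re

# Three stanzas abridged from the "sh config" output posted in the thread.
SAMPLE_CONFIG = """\
interface FastEthernet0/5
description Jack37 - albashir
switchport mode access
switchport port-security
switchport port-security maximum 1
no ip address
shutdown
!
interface FastEthernet0/6
description Jack06L - jincognito
switchport mode access
switchport port-security
switchport port-security maximum 1
no ip address
!
interface FastEthernet0/23
description Jack38L - jpapamarkos
no ip address
flowcontrol receive desired
!
"""


def audit_port_security(config_text):
    """Map each interface to its port-security and admin-shutdown settings."""
    ports, cur = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()              # works for indented or flattened configs
        if m := re.match(r"interface (\S+)$", line):
            cur = ports[m.group(1)] = {"port_security": False, "maximum": None,
                                       "violation": None, "admin_shutdown": False}
        elif line == "!":
            cur = None                  # end of the current stanza
        elif cur is None:
            continue                    # global line outside any interface
        elif line == "switchport port-security":
            # Defaults per the documentation quoted in the thread.
            cur.update(port_security=True, maximum=cur["maximum"] or 1,
                       violation=cur["violation"] or "shutdown")
        elif m := re.match(r"switchport port-security maximum (\d+)$", line):
            cur["maximum"] = int(m.group(1))
        elif m := re.match(r"switchport port-security violation (\w+)$", line):
            cur["violation"] = m.group(1)
        elif line == "shutdown":
            cur["admin_shutdown"] = True
    return ports


def psecure_can_errdisable(ports, name):
    """True only if a port-security violation could err-disable this port."""
    p = ports[name]
    return p["port_security"] and p["violation"] == "shutdown"
```

For FastEthernet0/23 the result is False, so the cause has to be looked for elsewhere; FastEthernet0/5 shows up as administratively shut down in the config rather than err-disabled.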
 
I'm curious as to what fixed this problem sohtnax? Or is this a problem that keeps occurring?

"I can picture a world without war. A world without hate. A world without fear. And I can picture us attacking that world, because they'd never expect it."
- Jack Handey, Deep Thoughts
 
I changed all the cables and reset the counters and haven't had the problem since.

Thank you all for your help.

 
I've been reading these posts about err-disabled ports, and nobody seems to be giving an accurate solution. I have ports that go err-disabled every day. Removing things like STP and port security is not a solution. Here are some very useful commands when troubleshooting err-disabled ports.

switch#show inte status err-disable

This command will show you the ports that are err-disable and then give you the exact reason of why it is shutdown.


switch#show errdisable detect
ErrDisable Reason    Detection status
-----------------    ----------------
pagp-flap            Enabled
dtp-flap             Enabled
link-flap            Enabled
gbic-invalid         Enabled

This command will show you what auto detection the switch is performing.


switch#show errdisable flap-values
ErrDisable Reason    Flaps    Time (sec)
-----------------    ------   ----------
pagp-flap            3        30
dtp-flap             3        30
link-flap            5        10

This command will show you what values need to be met in order to go err-disable.


And most useful:
switch#show errdisable recovery
ErrDisable Reason    Timer Status
-----------------    --------------
udld                 Disabled
bpduguard            Disabled
channel-misconfig    Disabled
pagp-flap            Disabled
dtp-flap             Disabled
link-flap            Disabled
psecure-violation    Disabled
gbic-invalid         Disabled

Timer interval: 300 seconds

Interfaces that will be enabled at the next timeout:

This command allows you to see what can be auto recovered. Now obviously all of these values can be modified through the config mode.


Hope this helps more than the other garbage I've been reading.

PJ


 
None of those commands work on the 3500 and 3550 switches. Do you know the equivalent to them?

As for everyone else, doing "sh" and then "no sh" has not solved the problem for my ports. The following is an example:

Hardware is Fast Ethernet, address is 00XX.ebXX.d4XX (bia 00XX.ebXX.d4XX)
Description: XXXXXX
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not set
Auto-duplex , Auto Speed , 100BaseTX/FX
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output 00:03:57, output hang never
Last clearing of "show interface" counters never
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 0/75, 0 drops
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
447844161 packets input, 1956372911 bytes
Received 46171 broadcasts, 0 runts, 0 giants, 0 throttles
419 input errors, 97 CRC, 322 frame, 0 overrun, 0 ignored
0 watchdog, 3262 multicast
0 input packets with dribble condition detected
682622404 packets output, 1704364332 bytes, 9 underruns
61941 output errors, 186410541 collisions, 9 interface resets
0 babbles, 61941 late collision, 136360 deferred
0 lost carrier, 0 no carrier
9 output buffer failures, 0 output buffers swapped out
 
sohtnax,
You have two posts in this forum - one dealing with ports in err-disable, which I reckon is covered pretty well by junior238 above, and one on port's shutdown.

Schim's hopeful suggestion of changing the cable may work for err-disable if you have a lot of old, dodgy cables... but it's always better to get the definite answer as to what caused err-disable before possibly needlessly changing cables.

As for your other port problem - where the port goes "administratively down" - this is because you have port security enabled. I couldn't be bothered reading IPKONFIG's explanation of port security (we use it all the time) - the bottom line is that when this is enabled, you can only plug one device into a port. When you unplug that device to replace it with another, you must issue the following command on the 3550 :
clear port-security dynamic int fa0/20
shut
no shut

This will allow the switch to learn the "new" mac address of whatever you plug in. Once it's learnt that address, you're stuck with that device in that port unless you clear the port security address again.

A good gotcha- If you have a device in say, fa0/1, and one in say fa0/22, you'll hit a problem if you unplug fa0/22 and chuck the device away, then unplug fa0/1 and move it to fa0/22... even if you clear the port security on fa0/22! Why? Because even if you clear port security in fa0/22, the switch port will shut down again because it believes that this device still belongs to fa0/1!
The answer is to clear port security on both ports of course, but it's easy to overlook.

Also, port security can be configured to allow more than one device on each port - conf t/int fa0/x, then issue :
switchport port-security max 3
(for 3 devices)

Finally, you may want to change the behaviour of your switchports from shutdown to restrict. This will mean that when a violation occurs (some daft bugger swaps two devices, for example, without telling you), instead of shutting the ports down, they will instead simply drop all packets on that interface until their rightful devices are plugged in again. In the example of the daft bugger above, he could simply plug the devices back in the right way round and everything would work again - because the ports wouldn't ever go to the "administratively down" state.

Hope this helps. And I hope you can fix all your problems by swapping the cable.

Good Luck.
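
The moved-device gotcha and the shutdown/restrict difference from the post above, as an added example that is not part of the thread. It is a toy model of the behaviour as the post describes it (learned addresses stay until cleared), not of any particular IOS release; the class, method names and MAC addresses are constructed for illustration.

```python
class SecureSwitch:
    """Toy model of port security on access ports sharing one VLAN."""

    def __init__(self):
        self.ports = {}

    def add_port(self, name, maximum=1, violation="shutdown"):
        # Defaults follow the quoted documentation: maximum 1, shutdown mode.
        self.ports[name] = {"max": maximum, "mode": violation,
                            "macs": set(), "errdisabled": False, "violations": 0}

    def frame(self, port, src_mac):
        """Handle one source MAC; return 'forward', 'drop' or 'err-disabled'."""
        p = self.ports[port]
        if p["errdisabled"]:
            return "err-disabled"
        if src_mac in p["macs"]:
            return "forward"
        secured_elsewhere = any(src_mac in q["macs"]
                                for n, q in self.ports.items() if n != port)
        if not secured_elsewhere and len(p["macs"]) < p["max"]:
            p["macs"].add(src_mac)          # dynamically learned secure address
            return "forward"
        p["violations"] += 1                # security violation
        if p["mode"] == "shutdown":
            p["errdisabled"] = True
            return "err-disabled"
        return "drop"                       # restrict: port stays up

    def clear_dynamic(self, port):
        """Model of 'clear port-security dynamic int <port>'."""
        self.ports[port]["macs"].clear()

    def shut_no_shut(self, port):
        """Model of 'shut' followed by 'no shut' on the interface."""
        self.ports[port]["errdisabled"] = False


def moved_device_scenario(violation):
    """Device A moves from fa0/1 to fa0/22; return the outcome of each step."""
    sw = SecureSwitch()
    for name in ("fa0/1", "fa0/22"):
        sw.add_port(name, violation=violation)
    A, B = "0000.0000.00aa", "0000.0000.00bb"    # constructed MAC addresses
    steps = [sw.frame("fa0/1", A), sw.frame("fa0/22", B)]
    sw.clear_dynamic("fa0/22")                   # B is gone, only fa0/22 cleared
    steps.append(sw.frame("fa0/22", A))          # A is still secured on fa0/1
    sw.clear_dynamic("fa0/1")                    # the step that is easy to overlook
    sw.shut_no_shut("fa0/22")
    steps.append(sw.frame("fa0/22", A))
    return steps
```

In shutdown mode the third step err-disables fa0/22 even though its own table was cleared; in restrict mode the same step only drops the frame and the port stays up.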
 
How can I remove the port security altogether?
 
I am using the command no switchport port security, but no luck. I still see the following when I do a config:

interface FastEthernet0/5
description Jack37
switchport mode access
switchport port-security
switchport port-security maximum 1
no ip address
shutdown
duplex full
speed 100
 
From the show conf command you just posted, your port is still shutdown for some reason. I'd really suggest that you issue the command :
show logg

...which will simply show you the last few entries in the log file. Hopefully, you'll see something pertaining to fa0/5.

As for disabling port security, you shouldn't have any problems removing security with the following commands :
conf t
int fa0/5
no switchport port-security
<CTRL-Z>

...which I note is exactly what you did, so not much help. All I can add is that I've just done this on our switch (a Catalyst 3550) and it worked.

I would also note that once you've cleared switchport security on a port, make sure that the device isn't registered on another port, as I mentioned in my previous post.

Finally, be aware that you can't just issue the "no shut" command to bring an interface up after a port security violation. Bizarrely, you still have to issue the "shut" command before you issue the "no shut", otherwise the port stays stubbornly shutdown!

Hope this helps.
Cheers,
Scaine.
 