Cisco Bug: CSCur70946 - 5.2(1)SV3(1.1) : Storage vmotion blocks veth with port security

Last Modified

Sep 10, 2019

Products (3)

  • Cisco Nexus 1000V Switch for VMware vSphere
  • Cisco Nexus 1000V Switch
  • Cisco Application Virtual Switch

Known Affected Releases

5.2(1)SV3(1.1)

Description (partial)

Symptom:
A virtual machine's veth interface goes into the blocked state after a Storage vMotion when port security is enabled.
Nexus 1000V VSM version: 5.2(1)SV3(1.1)

Conditions:
Tested on ESXi 5.0 and 5.1 with the same behavior; not specific to the ESXi version.

  • ESXi
  • VM Storage vMotion
  • Nexus 1000V version: 5.2(1)SV3(1.1)
  • Port security configured for the port-profile

The veth interface of a VM that is in the forwarding state goes to blocked after a Storage vMotion.

On the VSM:
vsm# show logging log  << this shows an error similar to the following:

2-VEM_SYSLOG_CRIT: ERROR_DISABLE : LTL(52), Intf() psecure violation because MAC addr seen on port is already present on Veth

On the ESXi host running the VM:
esxcli# vemcmd show port  << shows the LTL value change and the state change from FWD to BLK.

#    /opt/cisco/v170/nexus/vem-v170/sbin/vemcmd show port
#
#############################################
  LTL   VSM Port  Admin Link  State    Cause  PC-LTL  SGID  ORG  svcpath  Type    Vem Port
   17     Eth4/1     UP   UP    F/B*       -    1039     0    0        0                vmnic0
   18     Eth4/2     UP   UP    F/B*       -    1039     1    0        0                vmnic1
   19     Eth4/3     UP   UP    F/B*       -    1040     2    0        0                vmnic2
   49     Veth19     UP   UP    FWD        -       0     0    0        0                  vmk0
   50     Veth20     UP   UP    FWD        -       0     1    0        0                  vmk1
   51     Veth28     UP   UP    FWD        -       0     0    0        0  VXLAN           vmk2
   52     Veth38     UP   UP    FWD        -       0     1    0        0              Win2K8 - 3.eth1  << Notice the ltl value change from ltl 52 to 53 for Veth 38 for Win2K8-3-eth1.
   55     Veth29     UP   UP    FWD        -       0          0        0              Win2K8 - 3.eth0
 1039        Po1     UP   UP    F/B*       -       0          0        0                      
 1040        Po5     UP   UP    F/B*       -       0          0        0                      

* F/B: Port is BLOCKED on some of the vlans.
       One or more vlans are either not created or
       not in the list of allowed vlans for this port.
 Please run "vemcmd show port vlans" to see the details. 


   /opt/cisco/v170/nexus/vem-v170/sbin/vemcmd show port
#
#############################################
  LTL   VSM Port  Admin Link  State    Cause  PC-LTL  SGID  ORG  svcpath  Type    Vem Port
   17     Eth4/1     UP   UP    F/B*       -    1039     0    0        0                vmnic0
   18     Eth4/2     UP   UP    F/B*       -    1039     1    0        0                vmnic1
   19     Eth4/3     UP   UP    F/B*       -    1040     2    0        0                vmnic2
   49     Veth19     UP   UP    FWD        -       0     0    0        0                  vmk0
   50     Veth20     UP   UP    FWD        -       0     1    0        0                  vmk1
   51     Veth28     UP   UP    FWD        -       0     0    0        0  VXLAN           vmk2
   53     Veth38     UP   UP    BLK    PsecEr      0          0        0              Win2K8 - 3.eth1  << Blk state due to portsecurity after storage vmotion
   55     Veth29     UP   UP    FWD        -       0          0        0              Win2K8 - 3.eth0
 1039        Po1     UP   UP    F/B*       -       0          0        0                      
 1040        Po5     UP   UP    F/B*       -       0          0        0                      
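
Added example (not part of the Cisco bug record): a Python script that compares two saved vemcmd show port captures, taken before and after a Storage vMotion, and reports any Veth that went from FWD to BLK with cause PsecEr, together with its LTL change. The function names are hypothetical; the sample rows are abridged from the two listings above.

```python
# Sample captures abridged from the two "vemcmd show port" listings on this page.
BEFORE = """\
#############################################
  LTL   VSM Port  Admin Link  State    Cause  PC-LTL  SGID  ORG  svcpath  Type    Vem Port
   17     Eth4/1     UP   UP    F/B*       -    1039     0    0        0                vmnic0
   49     Veth19     UP   UP    FWD        -       0     0    0        0                  vmk0
   52     Veth38     UP   UP    FWD        -       0     1    0        0              Win2K8 - 3.eth1
   55     Veth29     UP   UP    FWD        -       0          0        0              Win2K8 - 3.eth0
* F/B: Port is BLOCKED on some of the vlans.
"""
AFTER = """\
#############################################
  LTL   VSM Port  Admin Link  State    Cause  PC-LTL  SGID  ORG  svcpath  Type    Vem Port
   17     Eth4/1     UP   UP    F/B*       -    1039     0    0        0                vmnic0
   49     Veth19     UP   UP    FWD        -       0     0    0        0                  vmk0
   53     Veth38     UP   UP    BLK    PsecEr      0          0        0              Win2K8 - 3.eth1
   55     Veth29     UP   UP    FWD        -       0          0        0              Win2K8 - 3.eth0
"""

def parse_show_port(text):
    """Map VSM port name -> {ltl, state, cause}.

    Only the first six columns are read: later columns (SGID, Type) can be
    blank in the output, so positional parsing past 'Cause' is unreliable.
    """
    ports = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 6 or not cols[0].isdigit():
            continue  # header row, '#' separators, footnote text
        ltl, vsm_port, _admin, _link, state, cause = cols[:6]
        ports[vsm_port] = {"ltl": int(ltl), "state": state, "cause": cause}
    return ports

def psecure_blocked_after_move(before_text, after_text):
    """Return (veth, old_ltl, new_ltl) for Veths that went FWD -> BLK/PsecEr."""
    before, after = parse_show_port(before_text), parse_show_port(after_text)
    hits = []
    for name, now in after.items():
        was = before.get(name)
        if was is None or not name.startswith("Veth"):
            continue
        if was["state"] == "FWD" and now["state"] == "BLK" and now["cause"] == "PsecEr":
            hits.append((name, was["ltl"], now["ltl"]))
    return hits

if __name__ == "__main__":
    for name, old, new in psecure_blocked_after_move(BEFORE, AFTER):
        print(f"{name}: FWD -> BLK (PsecEr), LTL {old} -> {new}")
```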

  /opt/cisco/v170/nexus/vem-v170/sbin/vemcmd show port vlans
#
#############################################