S12700 V200R013C00 Log Reference

This document provides the explanations, causes, and recommended actions of logs on the product.
SECE

SECE/4/ARP_PACKET_BLOCK

Message

SECE/4/ARP_PACKET_BLOCK: ARP packets were blocked. (SourceInterface=[STRING], BlockTime=[ULONG]seconds)

Description

All ARP packets on the interface are blocked for the period specified by BlockTime.

Parameters

Parameter Name Parameter Meaning
SourceInterface Indicates the inbound interface of ARP packets.
BlockTime Indicates the time ARP packets are blocked.

Possible Causes

After rate limiting on ARP packets is configured on an interface, if the rate of ARP packets exceeds the rate limit, the system delivers an ACL to discard ARP packets on the interface.

Procedure

  • If user services are not affected, the alarm does not need to be handled.
  • If the user services are intermittently disconnected, run the arp anti-attack rate-limit packet packet-number command in the interface view to adjust the ARP rate limit. Adjusting the rate limit may affect CPU usage. You are advised to contact technical support personnel.

SECE/4/ARPMISS

Message

SECE/4/ARPMISS: Attack occurred. (AttackType=Arp Miss Attack, SourceInterface=[STRING], SourceIP=[STRING], AttackPackets=[ULONG] packets per second)

Description

The rate of ARP Miss messages exceeds the global ARP Miss rate limit.

Parameters

Parameter Name Parameter Meaning
SourceInterface Indicates the name of an interface.
SourceIP Indicates the source IP address of attack packets.
AttackPackets Indicates the rate of attack packets, in pps.

Possible Causes

If a host sends a large number of IP packets with unresolvable destination IP addresses to attack a device (the device has a route to the destination IP address of a packet but has no ARP entry matching the next hop of the route), the device generates a large number of ARP Miss messages. When the rate of ARP Miss messages exceeds the global ARP Miss rate limit, the device generates the alarm.

Procedure

  1. Run the reset cpu-defend statistics command to clear statistics on the ARP Miss messages sent to the CPU.
  2. Wait for 1 minute, and run the display cpu-defend statistics all command to check the number of ARP Miss messages sent to the CPU within 1 minute. Check whether a large number of packets are discarded:

    • If so, go to step 3.

    • If not, verify that the network is secure and run the info-center source SECE channel 4 log state off command to disable the device from sending SECE log information.

  3. Locate the attack source based on the IP address in the log information.

    Check whether the attacker is infected with viruses.

    • If so, you are advised to remove viruses from the user host. You can also add the address of the user to the blacklist or configure a blackhole MAC address entry to discard ARP request packets sent by the attacker.

    • If not, go to step 4.

  4. Run the display arp anti-attack configuration arpmiss-rate-limit command to check global configuration of source-based ARP-Miss suppression.
  5. Run the arp-miss anti-attack rate-limit packet packet-number [ interval interval-value ] command to modify the maximum rate and rate limit duration of ARP Miss messages globally based on the site requirements.
  6. If the log is frequently generated, collect log information and configuration information, and then contact technical support personnel. You can collect diagnostic information using the display diagnostic-information command.

SECE/3/ARPS_DROP_PACKET_GLOBAL_SPDLMT

Message

SECE/3/ARPS_DROP_PACKET_GLOBAL_SPDLMT: Rate of global arp packets exceeds the limit. (SourceMAC=[STRING], SourceIP=[STRING], SourceInterface=[STRING], DropTime=[STRING])

Description

The rate of ARP packets on the device exceeds the threshold.

Parameters

Parameter Name Parameter Meaning
SourceMAC Indicates the source MAC address of the ARP packets.
SourceIP Indicates the source IP address of the ARP packets.
SourceInterface Indicates the source interface of the ARP packets.
DropTime Indicates the packet discard time.

Possible Causes

The rate of ARP packets on the device exceeds the threshold.

Procedure

  • If the processing speed becomes slow or the CPU usage is high, a large number of ARP packets are sent to the CPU. To make the device run properly, run the arp anti-attack rate-limit command to reduce the rate threshold of ARP packets.

SECE/3/ARPS_DROP_PACKET_HDADDR_LEN

Message

SECE/3/ARPS_DROP_PACKET_HDADDR_LEN: Invalid hard address length. (HardAddressLength=[ULONG], SourceMAC=[STRING], SourceIP=[STRING], SourceInterface=[STRING], DropTime=[STRING])

Description

The hardware address length in the ARP packet is invalid.

Parameters

Parameter Name Parameter Meaning
HardAddressLength Indicates the MAC address length of the ARP packets.
SourceMAC Indicates the source MAC address of the ARP packets.
SourceIP Indicates the source IP address of the ARP packets.
SourceInterface Indicates the source interface of the ARP packets.
DropTime Indicates the packet discard time.

Possible Causes

The device receives an ARP packet with the hardware address that has an invalid length.

Procedure

  • Find out the interface that initiates the attack according to the SourceInterface field in the alarm message.
  • Find out the user who sends attack packets according to the SourceMAC field.
  • Check whether the user host runs abnormally; if not, the user may be an attacker. In this case, you can take measures to prevent the user, for example, disconnect the user from the network.

SECE/3/ARPS_DROP_PACKET_IF_SPDLMT

Message

SECE/3/ARPS_DROP_PACKET_IF_SPDLMT: Rate of arp packets on interface exceeds the limit. (SourceMAC=[STRING], SourceIP=[STRING], SourceInterface=[STRING], DropTime=[STRING])

Description

The rate of ARP packets on the interface exceeds the threshold.

Parameters

Parameter Name Parameter Meaning
SourceMAC Indicates the source MAC address of the ARP packets.
SourceIP Indicates the source IP address of the ARP packets.
SourceInterface Indicates the source interface of the ARP packets.
DropTime Indicates the packet discard time.

Possible Causes

The rate of ARP packets on the interface exceeds the threshold.

Procedure

  • If the processing speed becomes slow or the CPU usage is high, a large number of ARP packets are sent to the CPU. To make the device run properly, run the arp anti-attack rate-limit command to reduce the rate threshold of ARP packets.

SECE/3/ARPS_DROP_PACKET_LENTH

Message

SECE/3/ARPS_DROP_PACKET_LENTH: Invalid packet length. (PacketLength=[ULONG], SourceMAC=[STRING], SourceIP=[STRING], SourceInterface=[STRING], DropTime=[STRING])

Description

The length of the ARP packet is invalid.

Parameters

Parameter Name Parameter Meaning
PacketLength Indicates the length of the ARP packet. The length ranges from 60 to 1518.
SourceMAC Indicates the source MAC address of the ARP packets.
SourceIP Indicates the source IP address of the ARP packets.
SourceInterface Indicates the source interface of the ARP packets.
DropTime Indicates the packet discard time.

Possible Causes

The device receives an ARP packet of invalid length.

Procedure

  • Find out the interface that initiates the attack according to the SourceInterface field in the alarm message.
  • Find out the user who sends attack packets according to the SourceMAC field.
  • Check whether the user host runs abnormally; if not, the user may be an attacker. In this case, you can take measures to prevent the user, for example, disconnect the user from the network.

SECE/3/ARPS_DROP_PACKET_OPTYPE

Message

SECE/3/ARPS_DROP_PACKET_OPTYPE: Invalid packet optype. (OperateType=[ULONG], SourceMAC=[STRING], SourceIP=[STRING], SourceInterface=[STRING], DropTime=[STRING])

Description

The type of the ARP packet is invalid.

Parameters

Parameter Name Parameter Meaning
OperateType Indicates the type of ARP packets.
SourceMAC Indicates the source MAC address of the ARP packets.
SourceIP Indicates the source IP address of the ARP packets.
SourceInterface Indicates the source interface of the ARP packets.
DropTime Indicates the packet discard time.

Possible Causes

The device receives an ARP packet of invalid type.

Procedure

  • Find out the interface that initiates the attack according to the SourceInterface field in the alarm message.
  • Find out the user who sends attack packets according to the SourceMAC field.
  • Check whether the user host runs abnormally; if not, the user may be an attacker. In this case, you can take measures to prevent the user, for example, disconnect the user from the network.

SECE/3/ARPS_DROP_PACKET_PROADDR_LEN

Message

SECE/3/ARPS_DROP_PACKET_PROADDR_LEN: Invalid protocol address length. (ProAddressLength=[ULONG], SourceMAC=[STRING], SourceIP=[STRING], SourceInterface=[STRING], DropTime=[STRING])

Description

The protocol address length in the ARP packet is invalid.

Parameters

Parameter Name Parameter Meaning
ProAddressLength Indicates the protocol address length of the ARP packets.
SourceMAC Indicates the source MAC address of the ARP packets.
SourceIP Indicates the source IP address of the ARP packets.
SourceInterface Indicates the source interface of the ARP packets.
DropTime Indicates the packet discard time.

Possible Causes

The device receives an ARP packet with the protocol address that has an invalid length.

Procedure

  • Find out the interface that initiates the attack according to the SourceInterface field in the alarm message.
  • Find out the user who sends attack packets according to the SourceMAC field.
  • Check whether the user host runs abnormally; if not, the user may be an attacker. In this case, you can take measures to prevent the user, for example, disconnect the user from the network.

SECE/3/ARPS_DROP_PACKET_SRC_MAC

Message

SECE/3/ARPS_DROP_PACKET_SRC_MAC: Invalid source mac address. (SourceMAC=[STRING], SourceIP=[STRING], SourceInterface=[STRING], DropTime=[STRING])

Description

The source MAC address in the ARP packet is invalid.

Parameters

Parameter Name Parameter Meaning
SourceMAC Indicates the source MAC address of the ARP packets.
SourceIP Indicates the source IP address of the ARP packets.
SourceInterface Indicates the source interface of the ARP packets.
DropTime Indicates the packet discard time.

Possible Causes

The device receives an ARP packet with invalid source MAC address.

Procedure

  • Find out the interface that initiates the attack according to the SourceInterface field in the alarm message.
  • Find out the user who sends attack packets according to the SourceMAC field.
  • Check whether the user host runs abnormally; if not, the user may be an attacker. In this case, you can take measures to prevent the user, for example, disconnect the user from the network.
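
The procedures above for the malformed-ARP drop logs (SourceInterface, then SourceMAC) and for SECE/4/ARPMISS (SourceIP) can be run over collected log text as follows. This is an added example, not Huawei code; the sample lines, addresses, interface names and the DropTime format are constructed, and only the message layouts come from this reference.

```python
import re
from collections import defaultdict

# Message shape used throughout this reference:
#   SECE/<severity>/<MNEMONIC>: <text> (<Key>=<value>, <Key>=<value>, ...)
_HEAD = re.compile(r"SECE/(?P<sev>\d)/(?P<name>[A-Z0-9_]+)[^:]*:\s*(?P<body>.*)$")
_TAIL = re.compile(r"\(([^()]*)\)\s*$")  # trailing "(k=v, ...)" group, if any
_FIELD_SEP = re.compile(r",\s*(?=[A-Za-z][A-Za-z0-9/]*=)")  # comma only before "Key="

# Logs whose Procedure is: locate the interface via SourceInterface, the user via SourceMAC.
MALFORMED_ARP = {
    "ARPS_DROP_PACKET_HDADDR_LEN",
    "ARPS_DROP_PACKET_LENTH",
    "ARPS_DROP_PACKET_OPTYPE",
    "ARPS_DROP_PACKET_PROADDR_LEN",
    "ARPS_DROP_PACKET_SRC_MAC",
}


def parse_sece(line):
    """Return severity, mnemonic, text and key/value fields, or None if not a SECE log."""
    m = _HEAD.search(line)
    if not m:
        return None
    body = m.group("body").strip()
    fields = {}
    tail = _TAIL.search(body)
    if tail:
        for part in _FIELD_SEP.split(tail.group(1)):
            key, sep, value = part.partition("=")
            if sep:  # values may contain spaces, e.g. "Arp Miss Attack"
                fields[key.strip()] = value.strip()
        body = body[:tail.start()].strip()
    return {"severity": int(m.group("sev")), "name": m.group("name"),
            "text": body, "fields": fields}


def leading_int(value):
    """'900 packets per second' -> 900; 0 when no number is present."""
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else 0


def triage_malformed_arp(lines):
    """Group malformed-ARP drops by (SourceInterface, SourceMAC), busiest first."""
    buckets = defaultdict(lambda: {"count": 0, "reasons": set()})
    for line in lines:
        ev = parse_sece(line)
        if not ev or ev["name"] not in MALFORMED_ARP:
            continue
        f = ev["fields"]
        key = (f.get("SourceInterface", "?"), f.get("SourceMAC", "?"))
        buckets[key]["count"] += 1
        buckets[key]["reasons"].add(ev["name"])
    rows = [{"interface": k[0], "mac": k[1], "count": v["count"],
             "reasons": sorted(v["reasons"])} for k, v in buckets.items()]
    rows.sort(key=lambda r: (-r["count"], r["interface"], r["mac"]))
    return rows


def arp_miss_sources(lines):
    """Peak AttackPackets (pps) per SourceIP across SECE/4/ARPMISS logs."""
    peak = {}
    for line in lines:
        ev = parse_sece(line)
        if ev and ev["name"] == "ARPMISS":
            ip = ev["fields"].get("SourceIP", "?")
            rate = leading_int(ev["fields"].get("AttackPackets", ""))
            peak[ip] = max(peak.get(ip, 0), rate)
    return sorted(peak.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample input (documentation address ranges, made-up MACs and ports).
SAMPLE_LOG = [
    "SECE/3/ARPS_DROP_PACKET_HDADDR_LEN: Invalid hard address length. "
    "(HardAddressLength=8, SourceMAC=00e0-fc00-0001, SourceIP=192.0.2.10, "
    "SourceInterface=GigabitEthernet1/0/1, DropTime=2019/01/01 10:00:01)",
    "SECE/3/ARPS_DROP_PACKET_OPTYPE: Invalid packet optype. "
    "(OperateType=9, SourceMAC=00e0-fc00-0001, SourceIP=192.0.2.10, "
    "SourceInterface=GigabitEthernet1/0/1, DropTime=2019/01/01 10:00:02)",
    "SECE/3/ARPS_DROP_PACKET_SRC_MAC: Invalid source mac address. "
    "(SourceMAC=0000-0000-0000, SourceIP=192.0.2.77, "
    "SourceInterface=GigabitEthernet1/0/7, DropTime=2019/01/01 10:00:05)",
    "SECE/4/ARPMISS: Attack occurred. (AttackType=Arp Miss Attack, "
    "SourceInterface=GigabitEthernet1/0/3, SourceIP=198.51.100.5, "
    "AttackPackets=350 packets per second)",
    "SECE/4/ARPMISS: Attack occurred. (AttackType=Arp Miss Attack, "
    "SourceInterface=GigabitEthernet1/0/3, SourceIP=198.51.100.5, "
    "AttackPackets=900 packets per second)",
    "SECE/4/ARPSNP_TABLE_FULL: The number of ARP snooping entries has reached "
    "the specifications.(Specifications=4096)",
    "SECE/4/IPSG_TABLE_RESOURCE: Resource for ACL in slot 3 is not enough.",
]

if __name__ == "__main__":
    for row in triage_malformed_arp(SAMPLE_LOG):
        print(row)
    for ip, pps in arp_miss_sources(SAMPLE_LOG):
        print(ip, pps)
```

A single interface/MAC pair that triggers several different malformed-ARP mnemonics is the first candidate for the host check in the last procedure step.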

SECE/3/ARPS_DROP_PACKET_VLAN_SPDLMT

Message

SECE/3/ARPS_DROP_PACKET_VLAN_SPDLMT: Rate of arp packets in vlan exceeds the limit. (SourceMAC=[STRING], SourceIP=[STRING], SourceInterface=[STRING], Vlan=[ULONG], DropTime=[STRING])

Description

The rate of ARP packets in the VLAN exceeds the threshold.

Parameters

Parameter Name Parameter Meaning
SourceMAC Indicates the source MAC address of the ARP packets.
SourceIP Indicates the source IP address of the ARP packets.
SourceInterface Indicates the source interface of the ARP packets.
Vlan Indicates the outer VLAN ID of packets.
DropTime Indicates the packet discard time.

Possible Causes

The rate of ARP packets in the VLAN exceeds the threshold.

Procedure

  • If the processing speed becomes slow or the CPU usage is high, a large number of ARP packets are sent to the CPU. To make the device run properly, run the arp anti-attack rate-limit command to reduce the rate threshold of ARP packets.

SECE/4/ARPSNP_TABLE_FULL

Message

SECE/4/ARPSNP_TABLE_FULL: The number of ARP snooping entries has reached the specifications.(Specifications=[ULONG])

Description

The number of ARP snooping entries has reached the upper limit.

Parameters

Parameter Name Parameter Meaning
Specifications Number of ARP snooping entries.

Possible Causes

The switch generates too many ARP snooping entries and the number of ARP snooping entries reaches the upper limit.

Procedure

  1. If no update packet is received after the aging time of an ARP snooping entry expires, the entry is deleted. Wait for a period of time and check whether this log still exists.

    • If so, go to step 2.
    • If not, go to step 3.

  2. Run the reset arp snooping { all | interface interface-type interface-number | vlan vlan-id | ip-address ip-address | mac-address mac-address } command to delete unnecessary ARP snooping entries.
  3. End.

SECE/4/DAI_DROP_PACKET

Message

SECE/4/DAI_DROP_PACKET: Not hit the user-bind table. (SourceMAC=[STRING], SourceIP=[STRING], SourceInterface=[STRING], DropTime=[STRING])

Description

The ARP packet does not match any entry in the DHCP snooping binding table.

Parameters

Parameter Name Parameter Meaning
SourceMAC Indicates the source MAC address of the ARP packets.
SourceIP Indicates the source IP address of the ARP packets.
SourceInterface Indicates the source interface of the ARP packets.
DropTime Indicates the packet discard time.

Possible Causes

The device receives an ARP packet that does not match any entry in the DHCP snooping binding table.

Procedure

  • Find out the interface where attacks occur according to the SourceInterface field in the alarm message.
  • Run the display dhcp snooping user-bind command to check whether users who are not in the DHCP snooping binding table range are connected.
  • If new users are connected, run related DHCP snooping commands to generate the DHCP snooping binding entry.

SECE/4/GWCONFLICT

Message

SECE/4/GWCONFLICT: Attack occurred. (AttackType=Gateway Attack, SourceInterface=[STRING], SourceMAC=[STRING], PVlanID=[ULONG])

Description

An address conflicts with the gateway address.

Parameters

Parameter Name Parameter Meaning
SourceInterface Indicates the interface that initiates the attack.
SourceMAC Indicates the MAC address of the attack source.
PVlanID Indicates the outer VLAN ID or single VLAN ID of the attack source.

Possible Causes

An address conflicts with the gateway address.

Procedure

  1. Run the display arp anti-attack gateway-duplicate item command to view the attacker.

SECE/4/ICMP_GLOBAL_RATELIMIT

Message

SECE/4/ICMP_GLOBAL_RATELIMIT: The rate of global ICMP packets exceeded the limit. (Threshold=[ULONG] packets per second)

Description

The total rate of ICMP packets on all interfaces has exceeded the rate limit.

Parameters

Parameter Name Parameter Meaning
Threshold Indicates the global rate limit for ICMP packets.

Possible Causes

The rate of ICMP packets received in the system exceeds the configured global rate limit.

Procedure

  • If responses to ping operations are affected due to a small global rate limit for ICMP packets, run the icmp rate-limit total threshold threshold-value command to increase the global rate limit.

SECE/4/ICMP_INTF_RATELIMIT

Message

SECE/4/ICMP_INTF_RATELIMIT: The rate of ICMP packets on the interface exceeded the limit. (SourceInterface=[STRING], Threshold=[ULONG] packets per second)

Description

The rate of ICMP packets on an interface has exceeded the rate limit.

Parameters

Parameter Name Parameter Meaning
SourceInterface Indicates the source interface of ICMP packets.
Threshold Indicates the rate limit for ICMP packets.

Possible Causes

The rate of ICMP packets received on an interface exceeds the configured rate limit.

Procedure

  1. If responses to ping operations are affected due to a small rate limit for ICMP packets on the interface, run the icmp rate-limit interface interface-type interface-number threshold threshold-value command to increase the rate limit on the interface.
  2. If the number of ICMP packets received on the interface exceeds the global upper rate limit, run the icmp rate-limit total threshold threshold-value command to increase the global rate limit of ICMP packets, in addition to increasing the rate limit of ICMP packets on the interface.

SECE/4/IPSG_DROP_PACKET

Message

SECE/4/IPSG_DROP_PACKET: IP packets dropped by IPSG. (SourceInterface=[STRING], DropPacketNumber=[ULONG], DropTime=[STRING])

Description

IP packets are discarded by IPSG.

Parameters

Parameter Name Parameter Meaning
SourceInterface Indicates the source interface of the packets.
DropPacketNumber Indicates the number of discarded packets.
DropTime Indicates the packet discard time.

Possible Causes

The device receives an IP packet that does not match any entry in the DHCP snooping binding table.

Procedure

  • Find out the interface where attacks occur according to the SourceInterface field in the alarm message.
  • Run the display dhcp snooping user-bind command to check whether users who are not in the DHCP snooping binding table range are connected.
  • If new users are connected, run related DHCP snooping commands to generate the DHCP snooping binding entry.

SECE/4/IPSG_TABLE_RESOURCE

Message

SECE/4/IPSG_TABLE_RESOURCE: Resource for [STRING1] in slot [STRING2] is not enough.

Description

The hardware resources on the device are insufficient.

Parameters

Parameter Name Parameter Meaning
[STRING1] Indicates a resource type.
[STRING2] Indicates a slot number.

Possible Causes

The IP source guard function is enabled, but the device does not have enough hardware resources for the IP source guard function. The IP source guard function may not take effect.

Procedure

  1. Run the display acl resource [ slot slot ] command to view information about ACL resources, including ACL4 and ACL6 resources.
  2. Run the display current-configuration command to check the current configuration on the switch.
  3. Check the services that occupy ACL resources based on ACL resource information and the current configuration as follows, and delete unnecessary services to release ACL resources.

    • Check whether NAC, IPSG, MQC, and ACL-based simplified traffic policy services that occupy a large amount of ACL resources exist on the switch.
    • Check the services that occupy ACL resources based on fields in the ACL resource information. For example, MQC, ACL-based simplified traffic policy, SVF, MPLS, and BFD for VPLS services occupy UDF ACL resources. If a large amount of UDF ACL resources are occupied, check these services first.

  4. If the fault persists, collect log information and configuration information, and then contact technical support personnel. You can collect diagnostic information using the display diagnostic-information command.

SECE/6/MFF_GW_MAC_CHANGED

Message

SECE/6/MFF_GW_MAC_CHANGED: The MAC of a gateway is changed. (IP=[IPADDR], OldMAC=[OCTET], NewMAC=[OCTET])

Description

The MAC address matching the MFF gateway's IP address changes.

Parameters

Parameter Name Parameter Meaning
IP Indicates the IP address of the MFF gateway.
OldMAC Indicates the original MAC address of the MFF gateway.
NewMAC Indicates the changed MAC address of the MFF gateway.

Possible Causes

The MAC address matching the MFF gateway's IP address changes.

Procedure

  1. Check whether the gateway has changed its MAC address.
  2. If the MAC address of the gateway is changed, no operation is required.
  3. If the MAC address of the gateway is not changed, run the display mac-address command to check whether the VLAN ID and interface matching the changed MAC address are valid.
  4. If the MAC address belongs to an authorized user, the user's MAC address conflicts with the MFF gateway's MAC address. Request the network administrator to change the user's MAC address or the MFF gateway's MAC address.
  5. If the MAC address belongs to an unauthorized user, run the mac-address blackhole command to discard the packets from this user.
  6. If the fault persists, collect log information and configuration information, and then contact technical support personnel. You can collect diagnostic information using the display diagnostic-information command.

SECE/3/NOT_SUPPORT

Message

SECE/3/NOT_SUPPORT: Slot [STRING] does not support [STRING].

Description

The service is not supported by the LPU.

Parameters

Parameter Name Parameter Meaning
[STRING] Indicates a slot ID.
[STRING] Indicates the service type, for example, IPST.

Possible Causes

The service is delivered to all LPUs, and this log is printed for the LPUs that do not support this service.

Procedure

  1. Replace the LPU with an LPU that supports this service. For details, see S12700 V200R013C00 Configuration Guide - Security.

SECE/4/PORT_ATTACK

Message

SECE/4/PORT_ATTACK: Port attack occurred. (Slot=[STRING], SourceAttackInterface=[STRING], OuterVlan/InnerVlan=[ULONG]/[ULONG], AttackProtocol=[STRING], AttackPackets=[ULONG] packets per second)

Description

A lot of attack packets from the corresponding VLAN are received on the interface.

Parameters

Parameter Name Parameter Meaning
Slot Indicates the slot of an MPU or LPU.
SourceAttackInterface Indicates the interface that initiates the attack.
OuterVlan Indicates the outer VLAN ID or single VLAN ID of the attack source.
InnerVlan Indicates the inner VLAN ID of the attack source.
AttackProtocol Indicates the protocol type of attack packets.
AttackPackets Indicates the rate of attack packets, in pps.

Possible Causes

A lot of attack packets from the corresponding VLAN are received on the interface.

Procedure

  1. Run the display auto-defend attack-source command to check whether attack packets exist on the interfaces.
  2. Analyze the packet characteristics. Configure static ACL and CAR according to the packet characteristics.
  3. Apply the policy to a specified LPU or MPU.
  4. Collect log information and configuration information, and then contact technical support personnel. You can collect diagnostic information using the display diagnostic-information command.

SECE/6/PORT_ATTACK_END

Message

SECE/6/PORT_ATTACK_END: Auto port-defend stop. (SourceAttackInterface=[STRING], AttackProtocol=[STRING], ExceededPacketCountInSlot=[STRING])

Description

Port attack defense is canceled.

Parameters

Parameter Name Parameter Meaning
SourceAttackInterface Indicates the attack source interface.
AttackProtocol Indicates the protocol type of attack packets.
ExceededPacketCountInSlot Indicates the number of discarded packets. When port attack defense is triggered on multiple interfaces, packet loss may be recorded on other interfaces besides the interface recorded in the log.

Possible Causes

After you exclude an attack source, the device cancels attack defense on the interface.

Procedure

  1. This log is informational only, and no action is required.

SECE/4/PORT_ATTACK_OCCUR

Message

SECE/4/PORT_ATTACK_OCCUR: Auto port-defend started. (SourceAttackInterface=[STRING], AttackProtocol=[STRING])

Description

Port attack defense is started.

Parameters

Parameter Name Parameter Meaning
SourceAttackInterface Indicates the attack source interface.
AttackProtocol Indicates the protocol type of attack packets.

Possible Causes

When the device detects attack packets on an interface, the device starts attack defense on the interface.

Procedure

  1. Check whether the attack actually occurs on the interface.
  2. If an attack actually occurs, locate the attack source. If no attack occurs, reconfigure the port attack defense function to ensure that valid protocol packets can be sent to the CPU.

SECE/6/QUEUE_DROP

Message

SECE/6/QUEUE_DROP: Rate of packets to cpu exceeded the QUEUE limit. (SlotId=[STRING], Queue0DropNumber=[STRING], Queue1DropNumber=[STRING], Queue2DropNumber=[STRING], Queue3DropNumber=[STRING], Queue4DropNumber=[STRING], Queue5DropNumber=[STRING], Queue6DropNumber=[STRING], Queue7DropNumber=[STRING])

Description

Some packets in queues sent to the CPU were dropped.

Parameters

Parameter Name Parameter Meaning
SlotId Indicates a slot ID.
Queue0DropNumber/Queue1DropNumber/Queue2DropNumber/Queue3DropNumber/Queue4DropNumber/Queue5DropNumber/Queue6DropNumber/Queue7DropNumber Indicates the number of packets dropped in every 10 minutes in queues 0 to 7.

Possible Causes

A large CPCAR value was set for packets to be sent to the CPU. As a result, a large number of packets were sent to the CPU.

Procedure

  1. Run the display cpu-defend configuration slot slot-id command to check whether the CPCAR value configured for each type of protocol packets is correct. The default CPCAR value is recommended.
  2. Collect log information and configuration information, and then contact technical support personnel. You can collect diagnostic information using the display diagnostic-information command.

SECE/3/RESOURCE_INSUFFIEIENT

Message

SECE/3/RESOURCE_INSUFFIEIENT: Resource for [STRING1] in slot [STRING2] is insufficient.

Description

Attack source tracing, CAR, whitelist configuration, blacklist configuration, IP Source Trail, storm control, traffic-pppoe, or traffic suppression in VLANs fails due to insufficient resources.

Parameters

Parameter Name Parameter Meaning
STRING1 Indicates the operation type.
STRING2 Indicates the slot id.

Possible Causes

Attack source tracing, CAR, whitelist configuration, blacklist configuration, IP Source Trail, storm control, traffic-pppoe, or suppression on broadcast, unknown multicast, or unknown unicast packets in VLANs fails.

Procedure

  1. Run the display acl resource [ slot slot ] command to view information about ACL resources, including ACL4 and ACL6 resources.
  2. Run the display current-configuration command to check the current configuration on the switch.
  3. Check the services that occupy ACL resources based on ACL resource information and the current configuration as follows, and delete unnecessary services to release ACL resources.

    • Check whether NAC, IPSG, MQC, and ACL-based simplified traffic policy services that occupy a large amount of ACL resources exist on the switch.
    • Check the services that occupy ACL resources based on fields in the ACL resource information. For example, MQC, ACL-based simplified traffic policy, SVF, MPLS, and BFD for VPLS services occupy UDF ACL resources. If a large amount of UDF ACL resources are occupied, check these services first.

  4. If the fault persists, collect log information and configuration information, and then contact technical support personnel. You can collect diagnostic information using the display diagnostic-information command.

SECE/3/MFF_RESOURCE_LACK

Message

SECE/3/MFF_RESOURCE_LACK: Resource for MFF in slot [STRING] is not enough. (Vlan=[ULONG])

Description

The ACL resources corresponding to MFF are insufficient, so delivery of ACL resources fails.

Parameters

Parameter Name Parameter Meaning
slot Specifies the slot ID.
Vlan Specifies a VLAN ID.

Possible Causes

When MFF is enabled in the VLAN view, if the ACL resources are insufficient, the device will generate this log.

Procedure

  1. Run the display acl resource [ slot slot ] command to view information about ACL resources, including ACL4 and ACL6 resources.
  2. Run the display current-configuration command to check the current configuration on the switch.
  3. Check the services that occupy ACL resources based on ACL resource information and the current configuration as follows, and delete unnecessary services to release ACL resources.

    • Check whether NAC, IPSG, MQC, and ACL-based simplified traffic policy services that occupy a large amount of ACL resources exist on the switch.
    • Check the services that occupy ACL resources based on fields in the ACL resource information. For example, MQC, ACL-based simplified traffic policy, SVF, MPLS, and BFD for VPLS services occupy UDF ACL resources. If a large amount of UDF ACL resources are occupied, check these services first.

  4. If the fault persists, collect log information and configuration information, and then contact technical support personnel. You can collect diagnostic information using the display diagnostic-information command.

SECE/3/IPSG_RESOURCE_LACK

Message

SECE/3/IPSG_RESOURCE_LACK: Resource for IP Source Guard in slot [STRING] is not enough. (Vlan=[ULONG])

Description

The ACL resources corresponding to IPSG are insufficient, so delivery of ACL resources fails.

Parameters

Parameter Name Parameter Meaning
slot Specifies the slot ID.
Vlan Specifies a VLAN ID.

Possible Causes

When IPSG is enabled in the VLAN view, if the ACL resources are insufficient, the device will generate this log.

Procedure

  1. Run the display acl resource [ slot slot ] command to view information about ACL resources, including ACL4 and ACL6 resources.
  2. Run the display current-configuration command to check the current configuration on the switch.
  3. Check the services that occupy ACL resources based on ACL resource information and the current configuration as follows, and delete unnecessary services to release ACL resources.

    • Check whether NAC, IPSG, MQC, and ACL-based simplified traffic policy services that occupy a large amount of ACL resources exist on the switch.
    • Check the services that occupy ACL resources based on fields in the ACL resource information. For example, MQC, ACL-based simplified traffic policy, SVF, MPLS, and BFD for VPLS services occupy UDF ACL resources. If a large amount of UDF ACL resources are occupied, check these services first.

  4. If the fault persists, collect log information and configuration information, and then contact technical support personnel. You can collect diagnostic information using the display diagnostic-information command.

SECE/4/SPECIFY_SIP_ATTACK

Message

SECE/4/SPECIFY_SIP_ATTACK: The specified source IP address attack occurred. (Slot=[STRING], SourceAttackIP=[STRING], AttackProtocol=[STRING], AttackPackets=[ULONG] packets per second)

Description

The attack source is displayed when a device is attacked.

Parameters

Parameter Name Parameter Meaning
Slot Indicates the slot of an MPU or LPU.
SourceAttackIP Indicates the source IP address of an attack.
AttackProtocol Indicates the protocol type of attack packets.
AttackPackets Indicates the rate of attack packets, in pps.

Possible Causes

A lot of attack packets from the corresponding IP address were received on the interface.

Procedure

  1. Run the display auto-defend attack-source command to check whether the user attack packets exist.
  2. If so, run the auto-defend action deny [ timer time-length ] command to discard the attack packets.
  3. If the fault persists, collect log information and configuration information, and then contact technical support personnel. You can collect diagnostic information using the display diagnostic-information command.

SECE/4/STICKY_MAC_CONFLICT

Message

SECE/4/STICKY_MAC_CONFLICT: The MAC address entry of another type already exists. (MAC=[OCTET])

Description

The device failed to generate a snooping MAC entry after the user-bind ip sticky-mac command was run.

Parameters

Parameter Name Parameter Meaning
MAC MAC address that conflicts with the MAC address in the snooping MAC entry.

Possible Causes

A static MAC address on the device contains the same MAC address as that in the snooping MAC entry and its type is different from that of the snooping MAC entry.

Procedure

  1. The switch already has static MAC entries. The static MAC entries are not updated dynamically. Therefore, snooping MAC entries do not need to be generated based on the binding table. This log is informational only, and no action is required.

SECE/4/STORMCTRL_BC_BLOCKED

Message

SECE/4/STORMCTRL_BC_BLOCKED: Broadcast packets are blocked at interface [STRING].

Description

Broadcast packets were blocked on the interface.

Parameters

Parameter Name Parameter Meaning
[STRING] Indicates the interface name.

Possible Causes

A broadcast storm occurred on the interface, and the rate of broadcast packets received on the interface exceeded the upper threshold specified by the storm-control command. As a result, broadcast packets were blocked on the interface.

Procedure

  • Check whether the broadcast storm is caused by a loop. If so, remove the loop. When the average rate of broadcast packets received on the interface falls below the lower threshold, broadcast packets are properly forwarded by the interface. For the broadcast storm troubleshooting procedure, see MAC Address Flapping Occurs on a Layer 2 Network and STP Faults Occur in the Revelations of Troublesolving.

SECE/3/STORMCTRL_BC_FAIL

Message

SECE/3/STORMCTRL_BC_FAIL: Failed to block broadcast packets from the Interface [STRING] because the hardware resources are insufficient.

Description

An interface fails to block broadcast packets because ACL resources are insufficient.

Parameters

Parameter Name Parameter Meaning
[STRING] Indicates the interface name.

Possible Causes

ACL resources are insufficient.

Procedure

  1. Run the display acl resource [ slot slot ] command to view information about ACL resources, including ACL4 and ACL6 resources.
  2. Run the display current-configuration command to check the current configuration on the switch.
  3. Check the services that occupy ACL resources based on ACL resource information and the current configuration as follows, and delete unnecessary services to release ACL resources.

    • Check whether NAC, IPSG, MQC, and ACL-based simplified traffic policy services that occupy a large amount of ACL resources exist on the switch.
    • Check the services that occupy ACL resources based on fields in the ACL resource information. For example, MQC, ACL-based simplified traffic policy, SVF, MPLS, and BFD for VPLS services occupy UDF ACL resources. If a large amount of UDF ACL resources are occupied, check these services first.

  4. If the fault persists, collect log information and configuration information, and then contact technical support personnel. You can collect diagnostic information using the display diagnostic-information command.

SECE/4/STORMCTRL_BC_UNBLOCK

Message

SECE/4/STORMCTRL_BC_UNBLOCK: Broadcast packets are unblocked at interface [STRING].

Description

Broadcast packets are forwarded on the interface.

Parameters

Parameter Name Parameter Meaning
[STRING] Indicates the interface name.

Possible Causes

The broadcast traffic on interfaces does not reach the lower limit of storm control.

Procedure

  • This log message is informational and no action is required.

SECE/4/STORMCTRL_IF_NORMAL

Message

SECE/4/STORMCTRL_IF_NORMAL: Interface [STRING] is normal for storm-control.

Description

The interface status is recovered.

Parameters

Parameter Name Parameter Meaning
[STRING] Indicates the interface name.

Possible Causes

  • The interface status is changed from shutdown to normal.

  • The upper and lower limits of storm control are deleted.

  • The storm suppression action is canceled.

Procedure

  • This log message is informational and no action is required.

SECE/4/STORMCTRL_IF_ERROR_DOWN

Message

SECE/4/STORMCTRL_IF_ERROR_DOWN: Interface [STRING] is error-down for storm-control.

Description

The storm control function was configured, and a broadcast storm occurred on the interface. As a result, the interface status became Error-Down.

Parameters

Parameter Name Parameter Meaning
[STRING] Indicates the interface name.

Possible Causes

The storm control function was configured on the interface, and the storm control action was set to error-down. A broadcast storm occurred due to a loop, attack, or hardware fault, and the average rate of broadcast, multicast, or unknown unicast packets exceeded the upper threshold. As a result, the storm control action was performed and the interface status became Error-Down.

Procedure

  1. Check whether the broadcast storm is caused by a loop. If so, remove the loop. For the broadcast storm troubleshooting procedure, see MAC Address Flapping Occurs on a Layer 2 Network and STP Faults Occur in the Revelations of Troublesolving.
  2. Run shutdown and undo shutdown commands in sequence on the interface. If many interfaces are in Error-Down state, run the error-down auto-recovery cause storm-control interval interval-value command in the system view to enable these interfaces to go Up and set a recovery delay. Then run the display error-down recovery command to check whether there are still interfaces in Error-Down state.

SECE/4/STORMCTRL_MC_BLOCKED

Message

SECE/4/STORMCTRL_MC_BLOCKED: Multicast packets are blocked at interface [STRING].

Description

Multicast packets were blocked on the interface.

Parameters

Parameter Name Parameter Meaning
[STRING] Indicates the interface name.

Possible Causes

A broadcast storm occurred on the interface, and the rate of multicast packets received on the interface exceeded the upper threshold specified by the storm-control command. As a result, multicast packets were blocked on the interface.

Procedure

  • Check whether the broadcast storm is caused by a loop. If so, remove the loop. When the average rate of multicast packets received on the interface falls below the lower threshold, multicast packets are properly forwarded by the interface. For the broadcast storm troubleshooting procedure, see MAC Address Flapping Occurs on a Layer 2 Network and STP Faults Occur in the Revelations of Troublesolving.

SECE/3/STORMCTRL_MC_FAIL

Message

SECE/3/STORMCTRL_MC_FAIL: Failed to block multicast packets from the Interface [STRING] because the hardware resources are insufficient.

Description

An interface fails to block multicast packets because ACL resources are insufficient.

Parameters

Parameter Name Parameter Meaning
[STRING] Indicates the interface name.

Possible Causes

ACL resources are insufficient.

Procedure

  1. Run the display acl resource [ slot slot ] command to view information about ACL resources, including ACL4 and ACL6 resources.
  2. Run the display current-configuration command to check the current configuration on the switch.
  3. Check the services that occupy ACL resources based on ACL resource information and the current configuration as follows, and delete unnecessary services to release ACL resources.

    • Check whether NAC, IPSG, MQC, and ACL-based simplified traffic policy services that occupy a large amount of ACL resources exist on the switch.
    • Check the services that occupy ACL resources based on fields in the ACL resource information. For example, MQC, ACL-based simplified traffic policy, SVF, MPLS, and BFD for VPLS services occupy UDF ACL resources. If a large amount of UDF ACL resources are occupied, check these services first.

  4. If the fault persists, collect log information and configuration information, and then contact technical support personnel. You can collect diagnostic information using the display diagnostic-information command.

SECE/4/STORMCTRL_MC_UNBLOCK

Message

SECE/4/STORMCTRL_MC_UNBLOCK: Multicast packets are unblocked at interface [STRING].

Description

Multicast packets are forwarded on the interface.

Parameters

Parameter Name Parameter Meaning
[STRING] Indicates the interface name.

Possible Causes

The multicast traffic on interfaces does not reach the lower limit of storm control.

Procedure

  • This log message is informational and no action is required.

SECE/4/STORMCTRL_UC_BLOCKED

Message

SECE/4/STORMCTRL_UC_BLOCKED: Unicast packets are blocked at interface [STRING].

Description

Unknown unicast packets were blocked on the interface.

Parameters

Parameter Name Parameter Meaning
[STRING] Indicates the interface name.

Possible Causes

A broadcast storm occurred on the interface, and the rate of unknown unicast packets received on the interface exceeded the upper threshold specified by the storm-control command. As a result, unknown unicast packets were blocked on the interface.

Procedure

  • Check whether the broadcast storm is caused by a loop. If so, remove the loop. When the average rate of unknown unicast packets received on the interface falls below the lower threshold, unknown unicast packets are properly forwarded by the interface. For the broadcast storm troubleshooting procedure, see MAC Address Flapping Occurs on a Layer 2 Network and STP Faults Occur in the Revelations of Troublesolving.

SECE/3/STORMCTRL_UC_FAIL

Message

SECE/3/STORMCTRL_UC_FAIL: Failed to block unicast packets from the Interface [STRING] because the hardware resources are insufficient.

Description

An interface fails to block unknown unicast packets because ACL resources are insufficient.

Parameters

Parameter Name Parameter Meaning
[STRING] Indicates the interface name.

Possible Causes

ACL resources are insufficient.

Procedure

  1. Run the display acl resource [ slot slot ] command to view information about ACL resources, including ACL4 and ACL6 resources.
  2. Run the display current-configuration command to check the current configuration on the switch.
  3. Check the services that occupy ACL resources based on ACL resource information and the current configuration as follows, and delete unnecessary services to release ACL resources.

    • Check whether NAC, IPSG, MQC, and ACL-based simplified traffic policy services that occupy a large amount of ACL resources exist on the switch.
    • Check the services that occupy ACL resources based on fields in the ACL resource information. For example, MQC, ACL-based simplified traffic policy, SVF, MPLS, and BFD for VPLS services occupy UDF ACL resources. If a large amount of UDF ACL resources are occupied, check these services first.

  4. If the fault persists, collect log information and configuration information, and then contact technical support personnel. You can collect diagnostic information using the display diagnostic-information command.

SECE/4/STORMCTRL_UC_UNBLOCK

Message

SECE/4/STORMCTRL_UC_UNBLOCK: Unicast packets are unblocked at interface [STRING].

Description

Unknown unicast packets are forwarded on the interface.

Parameters

Parameter Name Parameter Meaning
[STRING] Indicates the interface name.

Possible Causes

The unknown unicast traffic on interfaces does not reach the lower limit of storm control.

Procedure

  • This log message is informational and no action is required.

SECE/4/STRACK_DENY

Message

SECE/4/STRACK_DENY: Some packets are dropped because an attack is detected. (Interface=[OCTET], SourceIP=[IPADDR])

SECE/4/STRACK_DENY: Some packets are dropped because an attack is detected. (Interface=[OCTET], SourceMAC=[OCTET])

SECE/4/STRACK_DENY: Some packets are dropped because an attack is detected. (Interface=[OCTET], CVLAN=[INTEGER], PVLAN=[INTEGER])

Description

The switch discards some packets because it detects an attack.

Parameters

Parameter Name Parameter Meaning
Interface Indicates the interface that receives attack packets.
SourceMAC Indicates the source MAC address of attack packets. The value is 0 if source IP address-based tracing is configured.
SourceIP Indicates the source IP address of attack packets. The value is 0 if source MAC address-based tracing is configured.
CVLAN Indicates the inner VLAN ID of attack packets.
PVLAN Indicates the outer VLAN ID of attack packets.

Possible Causes

The attack tracing module detects an attack, and the attack defense action is set to deny.

Procedure

  1. Check whether the discarded packets are sent from an authorized user.
  2. If the sender is an authorized user, run the auto-defend whitelist whitelist-num { acl acl_number | interface interface-type interface-number } command to add the user to the whitelist. Then packets sent from this user are not discarded.
  3. If the sender is an attacker, you do not need to perform any operation.

SECE/4/STRACK_ERROR_DOWN

Message

SECE/4/STRACK_ERROR_DOWN: Interface's status is changed to error-down because an attack is detected. (Interface=[OCTET])

Description

An interface transitions to error-down state because an attack is detected on the interface.

Parameters

Parameter Name Parameter Meaning
Interface Indicates the interface that receives attack packets.

Possible Causes

The attack tracing module detects an attack, and the attack defense action is set to error-down.

Procedure

  1. Check whether the discarded packets are sent from an authorized user.
  2. If the sender is an authorized user, run the auto-defend whitelist whitelist-num { acl acl_number | interface interface-type interface-number } command to add the user to the whitelist. Then packets sent from this user are not discarded.
  3. If the sender is an attacker, you do not need to perform any operation.

SECE/3/STRACK_RESOURCE_LACK

Message

SECE/3/STRACK_RESOURCE_LACK: Resource for [STRING1] in slot [STRING2] is not enough.

Description

The resource for attack source tracing is insufficient.

Parameters

Parameter Name Parameter Meaning
[STRING1] Indicates the service type.
[STRING2] Indicates a slot ID.

Possible Causes

The discard action in attack source tracing is implemented using ACL resources. The deny action fails to be delivered because ACL resources are insufficient.

Procedure

  1. Run the display acl resource [ slot slot ] command to view information about ACL resources, including ACL4 and ACL6 resources.
  2. Run the display current-configuration command to check the current configuration on the switch.
  3. Check the services that occupy ACL resources based on ACL resource information and the current configuration as follows, and delete unnecessary services to release ACL resources.

    • Check whether NAC, IPSG, MQC, and ACL-based simplified traffic policy services that occupy a large amount of ACL resources exist on the switch.
    • Check the services that occupy ACL resources based on fields in the ACL resource information. For example, MQC, ACL-based simplified traffic policy, SVF, MPLS, and BFD for VPLS services occupy UDF ACL resources. If a large amount of UDF ACL resources are occupied, check these services first.

  4. If the fault persists, collect log information and configuration information, and then contact technical support personnel. You can collect diagnostic information using the display diagnostic-information command.

SECE/4/USER_ATTACK

Message

SECE/4/USER_ATTACK: User attack occurred. (Slot=[STRING], SourceAttackInterface=[STRING], OuterVlan/InnerVlan=[ULONG ]/[ULONG], UserMacAddress=[STRING], AttackProtocol=[STRING], AttackPackets=[ULONG] packets per second)

Description

User attack information is generated on an MPU or LPU.

Parameters

Parameter Name Parameter Meaning
Slot Indicates the slot of an MPU or LPU.
SourceAttackInterface Indicates the interface that initiates the attack.
OuterVlan Indicates the outer VLAN ID or single VLAN ID of the attack source.
InnerVlan Indicates the inner VLAN ID of the attack source.
UserMacAddress Indicates the MAC address of the attack source.
AttackProtocol Indicates the protocol type of attack packets.
AttackPackets Indicates the rate of attack packets, in pps.

Possible Causes

A lot of attack packets from the corresponding VLAN or MAC address are received on the interface.

Procedure

  1. Run the display auto-defend attack-source command to check whether user attack packets exist.
  2. Analyze the packet characteristics. Configure static ACL and CAR according to the packet characteristics.
  3. Apply the policy to a specified LPU or MPU.
  4. Collect log information and configuration information, and then contact technical support personnel. You can collect diagnostic information using the display diagnostic-information command.

SECE/3/RESOURCE_LACK(STRACK)

Message

SECE/3/RESOURCE_LACK: Resource for STRACK in slot [STRING] is not enough.

Description

The hardware resources on the LPU were insufficient for the attack source tracing function.

Parameters

Parameter Name Parameter Meaning
[STRING] Indicates the slot ID of the LPU.

Possible Causes

The discard action in attack source tracing was implemented using ACL resources. This action failed to be delivered due to insufficient ACL resources.

Procedure

  1. Run the display current-configuration command to check the configurations that lead to insufficient ACL resources.
  2. Adjust ACL resources. Delete unnecessary ACLs to release resources.
  3. If the fault persists, collect log information and configuration information, and then contact technical support personnel. You can collect diagnostic information using the display diagnostic-information command.

SECE/4/UCSUPPRESS

Message

SECE/4/UCSUPPRESS: MAC address flapping started on port. The rate of unknown unicast packets was limited to 50% of the port bandwidth. (Interface=[STRING])

Description

The device detected MAC address flapping on an interface, and suppressed unknown unicast traffic to 50% of the interface rate.

Parameters

Parameter Name Parameter Meaning
Interface Indicates the name of an interface.

Possible Causes

When storm control and traffic suppression are not configured, the switch suppresses unknown unicast traffic on an interface when it detects MAC address flapping on this interface.

Procedure

  1. Run the snmp-agent trap enable feature-name l2ifppi command to enable the alarm function for MAC address flapping, including hwmflpbdalarm for MAC address flapping in a BD, hwmflpvlanalarm for MAC address flapping in a VLAN and hwmflpvsialarm for MAC address flapping in a VSI. Check whether these alarms are generated.

    • If so, go to step 2.
    • If not, go to step 3.

  2. Based on the generated alarms, take measures by referring to L2IFPPI_1.3.6.1.4.1.2011.5.25.160.3.7 hwMflpVlanAlarm, L2IFPPI_1.3.6.1.4.1.2011.5.25.160.3.17 hwMflpBdAlarm or L2IFPPI_1.3.6.1.4.1.2011.5.25.160.3.8 hwMflpVsiAlarm. Then, check whether the recovery log SECE/4/UCSUPPRESSRESUME is recorded.

    • If so, no further action is required.
    • If not, go to step 4.

  3. Check whether the recovery log SECE/4/UCSUPPRESSRESUME is recorded.

    • If so, no further action is required.
    • If not, go to step 4.

  4. Contact technical support personnel. You can collect diagnostic information using the display diagnostic-information command.

SECE/4/UCSUPPRESSRESUME

Message

SECE/4/UCSUPPRESSRESUME: MAC address flapping finished on port. Unknown unicast packets were normally forwarded. (Interface=[STRING])

Description

MAC address flapping stopped and unknown unicast traffic was normally forwarded on an interface.

Parameters

Parameter Name Parameter Meaning
Interface Indicates the name of an interface.

Possible Causes

Unknown unicast traffic suppression was triggered by MAC address flapping on an interface. When MAC address flapping stopped, unknown unicast traffic was normally forwarded on the interface.

Procedure

  • This log message is informational only, and no action is required.
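
Several SECE logs above come in start/recovery pairs (STORMCTRL_*_BLOCKED with STORMCTRL_*_UNBLOCK, UCSUPPRESS with UCSUPPRESSRESUME), and the UCSUPPRESS procedure asks whether the recovery log was recorded. The following Python sketch is an added example, not part of the product documentation: it replays collected log lines and reports interfaces whose start log has no recovery log yet, plus interfaces where blocking failed. The sample lines are constructed in the message layout printed on this page, and pairing STORMCTRL_IF_ERROR_DOWN with STORMCTRL_IF_NORMAL is an assumption drawn from the two descriptions.

```python
import re

# Start log -> recovery log, as paired in the SECE entries above.
# STORMCTRL_IF_ERROR_DOWN -> STORMCTRL_IF_NORMAL is an assumption based on
# the two descriptions; the page does not state the pairing explicitly.
RECOVERY = {
    "STORMCTRL_BC_BLOCKED": "STORMCTRL_BC_UNBLOCK",
    "STORMCTRL_MC_BLOCKED": "STORMCTRL_MC_UNBLOCK",
    "STORMCTRL_UC_BLOCKED": "STORMCTRL_UC_UNBLOCK",
    "STORMCTRL_IF_ERROR_DOWN": "STORMCTRL_IF_NORMAL",
    "UCSUPPRESS": "UCSUPPRESSRESUME",
}
START_FOR = {recovery: start for start, recovery in RECOVERY.items()}
# Severity-3 logs: a storm was detected but the block could not be installed.
FAILED = {"STORMCTRL_BC_FAIL", "STORMCTRL_MC_FAIL", "STORMCTRL_UC_FAIL"}

# Message layout as printed in this reference; any header text between the
# log name and the colon is tolerated.
LOG_RE = re.compile(r"SECE/(\d)/([A-Z_]+)[^:]*:\s*(.*)")
# Covers "at interface X.", "Interface X is ...", and "(Interface=X)".
IF_RE = re.compile(r"\binterface[ =](\S+?)[.)]?(?:\s|$)", re.IGNORECASE)


def parse(line):
    """Return (log_name, interface) for a SECE line, or None for other lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    iface = IF_RE.search(m.group(3))
    return m.group(2), iface.group(1) if iface else None


def open_conditions(lines):
    """Replay lines oldest first; return (unrecovered starts, failed blocks)."""
    pending, failed = {}, []
    for n, line in enumerate(lines):
        parsed = parse(line)
        if not parsed or parsed[1] is None:
            continue
        name, iface = parsed
        if name in RECOVERY:
            pending.setdefault((iface, name), n)
        elif name in START_FOR:
            pending.pop((iface, START_FOR[name]), None)
        elif name in FAILED:
            failed.append((iface, name))
    return sorted(pending), failed


# Constructed sample lines (not captured from a device), oldest first.
SAMPLE = [
    "SECE/4/STORMCTRL_BC_BLOCKED: Broadcast packets are blocked at interface GigabitEthernet1/0/1.",
    "SECE/4/UCSUPPRESS: MAC address flapping started on port. The rate of unknown unicast packets was limited to 50% of the port bandwidth. (Interface=GigabitEthernet1/0/2)",
    "SECE/4/STORMCTRL_IF_ERROR_DOWN: Interface GigabitEthernet1/0/3 is error-down for storm-control.",
    "SECE/3/STORMCTRL_MC_FAIL: Failed to block multicast packets from the Interface GigabitEthernet1/0/4 because the hardware resources are insufficient.",
    "SECE/4/STORMCTRL_BC_UNBLOCK: Broadcast packets are unblocked at interface GigabitEthernet1/0/1.",
    "SECE/4/STORMCTRL_IF_NORMAL: Interface GigabitEthernet1/0/3 is normal for storm-control.",
]

if __name__ == "__main__":
    still_open, failed = open_conditions(SAMPLE)
    for iface, name in still_open:
        print(f"{iface}: {name} has no recovery log yet")
    for iface, name in failed:
        print(f"{iface}: {name}, storm control could not block traffic")
```

An interface listed under failed blocks is one where the storm threshold was crossed but no protection took effect, so it deserves attention before the interfaces that are merely still blocked.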
Updated: 2019-04-09

Document ID: EDOC1100065665
