SECE
- SECE/4/ARP_PACKET_BLOCK
- SECE/4/ARPMISS
- SECE/3/ARPS_DROP_PACKET_GLOBAL_SPDLMT
- SECE/3/ARPS_DROP_PACKET_HDADDR_LEN
- SECE/3/ARPS_DROP_PACKET_IF_SPDLMT
- SECE/3/ARPS_DROP_PACKET_LENTH
- SECE/3/ARPS_DROP_PACKET_OPTYPE
- SECE/3/ARPS_DROP_PACKET_PROADDR_LEN
- SECE/3/ARPS_DROP_PACKET_SRC_MAC
- SECE/3/ARPS_DROP_PACKET_VLAN_SPDLMT
- SECE/4/ARPSNP_TABLE_FULL
- SECE/4/DAI_DROP_PACKET
- SECE/4/GWCONFLICT
- SECE/4/ICMP_GLOBAL_RATELIMIT
- SECE/4/ICMP_INTF_RATELIMIT
- SECE/4/ILLEGAL_IP_DROP_STAT
- SECE/4/IPSG_VLANDROP_PACKET
- SECE/4/IPSG_DROP_PACKET
- SECE/4/IPSG_TABLE_RESOURCE
- SECE/6/MFF_GW_MAC_CHANGED
- SECE/3/NOT_SUPPORT
- SECE/4/OLC_DELAY_TASK
- SECE/4/OLC_DROP_PACKET
- SECE/4/PORT_ATTACK
- SECE/6/PORT_ATTACK_END
- SECE/4/PORT_ATTACK_OCCUR
- SECE/6/QUEUE_DROP
- SECE/3/RESOURCE_INSUFFIEIENT
- SECE/3/MFF_RESOURCE_LACK
- SECE/3/IPSG_RESOURCE_LACK
- SECE/4/SPECIFY_SIP_ATTACK
- SECE/4/STICKY_MAC_CONFLICT
- SECE/4/STORMCTRL_BC_BLOCKED
- SECE/3/STORMCTRL_BC_FAIL
- SECE/4/STORMCTRL_BC_UNBLOCK
- SECE/4/STORMCTRL_IF_NORMAL
- SECE/4/STORMCTRL_IF_ERROR_DOWN
- SECE/4/STORMCTRL_MC_BLOCKED
- SECE/3/STORMCTRL_MC_FAIL
- SECE/4/STORMCTRL_MC_UNBLOCK
- SECE/4/STORMCTRL_UC_BLOCKED
- SECE/3/STORMCTRL_UC_FAIL
- SECE/4/STORMCTRL_UC_UNBLOCK
- SECE/4/STRACK_DENY
- SECE/4/STRACK_ERROR_DOWN
- SECE/3/STRACK_RESOURCE_LACK
- SECE/4/USER_ATTACK
- SECE/3/RESOURCE_LACK(STRACK)
- SECE/4/UCSUPPRESS
- SECE/4/UCSUPPRESSRESUME
SECE/4/ARP_PACKET_BLOCK
Message
SECE/4/ARP_PACKET_BLOCK: ARP packets were blocked. (SourceInterface=[STRING], BlockTime=[ULONG]seconds)
Parameters
Parameter Name | Parameter Meaning |
---|---|
SourceInterface | Indicates the inbound interface of ARP packets. |
BlockTime | Indicates the time ARP packets are blocked. |
Possible Causes
After rate limiting on ARP packets is configured on an interface, if the rate of ARP packets exceeds the rate limit, the system delivers an ACL to discard ARP packets on the interface.
Procedure
- If user services are not affected, the alarm does not need to be handled.
- If the user services are intermittently disconnected, run the arp anti-attack rate-limit packet packet-number command in the interface view to adjust the ARP rate limit. Adjusting the rate limit may affect CPU usage. You are advised to contact technical support personnel.
SECE/4/ARPMISS
Message
SECE/4/ARPMISS: Attack occurred. (AttackType=Arp Miss Attack, SourceInterface=[STRING], SourceIP=[STRING], AttackPackets=[ULONG] packets per second)
Parameters
Parameter Name | Parameter Meaning |
---|---|
SourceInterface | Indicates the name of an interface. |
SourceIP | Indicates the source IP address of attack packets. |
AttackPackets | Indicates the rate of attack packets, in pps. |
Possible Causes
If a host sends a large number of IP packets with unresolvable destination IP addresses to attack a device (the device has a route to the destination IP address of a packet but has no ARP entry matching the next hop of the route), the device generates a large number of ARP Miss messages. When the rate of ARP Miss messages exceeds the global ARP Miss rate limit, the device generates the alarm.
Procedure
- Run the reset cpu-defend statistics command to clear statistics on the ARP Miss messages sent to the CPU.
- Wait for 1 minute, and run the display cpu-defend statistics all command to check the number of ARP Miss messages sent to the CPU within 1 minute. Check whether a large number of packets are discarded:
  - If so, go to step 3.
  - If not, verify that the network is secure and run the info-center source SECE channel 4 log state off command to disable the device from sending SECE log information.
- Locate the attack source based on the IP address in the log information. Check whether the attacker is infected with viruses.
  - If so, you are advised to remove viruses from the user host. You can also add the address of the user to the blacklist or configure a blackhole MAC address entry to discard ARP request packets sent by the attacker.
  - If not, go to step 4.
- Run the display arp anti-attack configuration arpmiss-rate-limit command to check the global configuration of source-based ARP-Miss suppression.
- Run the arp-miss speed-limit source-ip [ ip-address ] maximum 0 command to configure the device not to limit the rate of ARP Miss messages based on the source IP address.
- If the log is frequently generated, collect log information and configuration information, and then contact technical support personnel. You can collect diagnostic information using the display diagnostic-information command.
SECE/3/ARPS_DROP_PACKET_GLOBAL_SPDLMT
Message
SECE/3/ARPS_DROP_PACKET_GLOBAL_SPDLMT: Rate of global arp packets exceeds the limit. (SourceMAC=[STRING], SourceIP=[STRING], SourceInterface=[STRING], DropTime=[STRING])
SECE/3/ARPS_DROP_PACKET_HDADDR_LEN
Message
SECE/3/ARPS_DROP_PACKET_HDADDR_LEN: Invalid hard address length. (HardAddressLength=[ULONG], SourceMAC=[STRING], SourceIP=[STRING], SourceInterface=[STRING], DropTime=[STRING])
Parameters
Parameter Name | Parameter Meaning |
---|---|
HardAddressLength | Indicates the MAC address length of the ARP packets. |
SourceMAC | Indicates the source MAC address of the ARP packets. |
SourceIP | Indicates the source IP address of the ARP packets. |
SourceInterface | Indicates the source interface of the ARP packets. |
DropTime | Indicates the packet discard time. |
Possible Causes
The device receives an ARP packet with the hardware address that has an invalid length.
Procedure
- Find out the interface that initiates the attack according to the SourceInterface field in the alarm message.
- Find out the user who sends attack packets according to the SourceMAC field.
- Check whether the user host runs abnormally; if not, the user may be an attacker. In this case, you can take measures to prevent the user, for example, disconnect the user from the network.
SECE/3/ARPS_DROP_PACKET_IF_SPDLMT
Message
SECE/3/ARPS_DROP_PACKET_IF_SPDLMT: Rate of arp packets on interface exceeds the limit. (SourceMAC=[STRING], SourceIP=[STRING], SourceInterface=[STRING], DropTime=[STRING])
SECE/3/ARPS_DROP_PACKET_LENTH
Message
SECE/3/ARPS_DROP_PACKET_LENTH: Invalid packet length. (PacketLength=[ULONG], SourceMAC=[STRING], SourceIP=[STRING], SourceInterface=[STRING], DropTime=[STRING])
Parameters
Parameter Name | Parameter Meaning |
---|---|
PacketLength | Indicates the length of the ARP packet. The length ranges from 60 to 1518. |
SourceMAC | Indicates the source MAC address of the ARP packets. |
SourceIP | Indicates the source IP address of the ARP packets. |
SourceInterface | Indicates the source interface of the ARP packets. |
DropTime | Indicates the packet discard time. |
Procedure
- Find out the interface that initiates the attack according to the SourceInterface field in the alarm message.
- Find out the user who sends attack packets according to the SourceMAC field.
- Check whether the user host runs abnormally; if not, the user may be an attacker. In this case, you can take measures to prevent the user, for example, disconnect the user from the network.
SECE/3/ARPS_DROP_PACKET_OPTYPE
Message
SECE/3/ARPS_DROP_PACKET_OPTYPE: Invalid packet optype. (OperateType=[ULONG], SourceMAC=[STRING], SourceIP=[STRING], SourceInterface=[STRING], DropTime=[STRING])
Parameters
Parameter Name | Parameter Meaning |
---|---|
OperateType | Indicates the type of ARP packets. |
SourceMAC | Indicates the source MAC address of the ARP packets. |
SourceIP | Indicates the source IP address of the ARP packets. |
SourceInterface | Indicates the source interface of the ARP packets. |
DropTime | Indicates the packet discard time. |
Procedure
- Find out the interface that initiates the attack according to the SourceInterface field in the alarm message.
- Find out the user who sends attack packets according to the SourceMAC field.
- Check whether the user host runs abnormally; if not, the user may be an attacker. In this case, you can take measures to prevent the user, for example, disconnect the user from the network.
SECE/3/ARPS_DROP_PACKET_PROADDR_LEN
Message
SECE/3/ARPS_DROP_PACKET_PROADDR_LEN: Invalid protocol address length. (ProAddressLength=[ULONG], SourceMAC=[STRING], SourceIP=[STRING], SourceInterface=[STRING], DropTime=[STRING])
Parameters
Parameter Name | Parameter Meaning |
---|---|
ProAddressLength | Indicates the protocol address length of the ARP packets. |
SourceMAC | Indicates the source MAC address of the ARP packets. |
SourceIP | Indicates the source IP address of the ARP packets. |
SourceInterface | Indicates the source interface of the ARP packets. |
DropTime | Indicates the packet discard time. |
Possible Causes
The device receives an ARP packet with the protocol address that has an invalid length.
Procedure
- Find out the interface that initiates the attack according to the SourceInterface field in the alarm message.
- Find out the user who sends attack packets according to the SourceMAC field.
- Check whether the user host runs abnormally; if not, the user may be an attacker. In this case, you can take measures to prevent the user, for example, disconnect the user from the network.
SECE/3/ARPS_DROP_PACKET_SRC_MAC
Message
SECE/3/ARPS_DROP_PACKET_SRC_MAC: Invalid source mac address. (SourceMAC=[STRING], SourceIP=[STRING], SourceInterface=[STRING], DropTime=[STRING])
Parameters
Parameter Name | Parameter Meaning |
---|---|
SourceMAC | Indicates the source MAC address of the ARP packets. |
SourceIP | Indicates the source IP address of the ARP packets. |
SourceInterface | Indicates the source interface of the ARP packets. |
DropTime | Indicates the packet discard time. |
Procedure
- Find out the interface that initiates the attack according to the SourceInterface field in the alarm message.
- Find out the user who sends attack packets according to the SourceMAC field.
- Check whether the user host runs abnormally; if not, the user may be an attacker. In this case, you can take measures to prevent the user, for example, disconnect the user from the network.
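The ARPS_DROP_PACKET_* procedures above all start from the SourceInterface and SourceMAC fields. The following added example (not part of the original documentation) parses lines in the message layout shown on this page and ranks (SourceInterface, SourceMAC) pairs by the number of dropped-ARP logs. The sample lines, addresses, interface names and DropTime format are constructed, and the parser assumes parameter values never contain ", ".

```python
import re
from collections import defaultdict

# Layout documented on this page:
#   SECE/<severity>/<MNEMONIC>: <text> (<Key>=<value>, <Key>=<value>, ...)
# search() is used so that any prefix in front of "SECE/" is tolerated.
LOG_RE = re.compile(
    r"SECE/(?P<sev>\d)/(?P<name>[A-Z_]+)[^:]*:\s*"
    r"(?P<text>.*?)\s*\((?P<params>.*)\)\s*$"
)
ARP_DROP_PREFIX = "ARPS_DROP_PACKET_"


def parse_sece(line):
    """Return severity, mnemonic, text and parameters, or None if no match."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    params = {}
    # Assumption: values never contain ", " (true for the formats on this page).
    for item in m.group("params").split(", "):
        key, sep, value = item.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return {
        "severity": int(m.group("sev")),
        "name": m.group("name"),
        "text": m.group("text"),
        "params": params,
    }


def triage_arp_drops(lines):
    """Group ARPS_DROP_PACKET_* logs by (SourceInterface, SourceMAC).

    Returns a list sorted by drop count, highest first, so the first entry
    is the interface/MAC pair to investigate first.
    """
    sources = defaultdict(lambda: {"drops": 0, "reasons": set(), "ips": set()})
    for line in lines:
        event = parse_sece(line)
        if event is None or not event["name"].startswith(ARP_DROP_PREFIX):
            continue  # not a dropped-ARP log; ignore it
        p = event["params"]
        key = (p.get("SourceInterface", "?"), p.get("SourceMAC", "?"))
        entry = sources[key]
        entry["drops"] += 1
        entry["reasons"].add(event["name"][len(ARP_DROP_PREFIX):])
        if "SourceIP" in p:
            entry["ips"].add(p["SourceIP"])
    return sorted(sources.items(), key=lambda kv: (-kv[1]["drops"], kv[0]))


# Constructed sample input (not captured from a real device).
SAMPLE_LOGS = [
    "SECE/3/ARPS_DROP_PACKET_SRC_MAC: Invalid source mac address. "
    "(SourceMAC=0000-0000-0000, SourceIP=192.0.2.10, "
    "SourceInterface=GigabitEthernet0/0/1, DropTime=2024/01/01 10:00:01)",
    "SECE/3/ARPS_DROP_PACKET_HDADDR_LEN: Invalid hard address length. "
    "(HardAddressLength=8, SourceMAC=00e0-fc12-3456, SourceIP=192.0.2.20, "
    "SourceInterface=GigabitEthernet0/0/2, DropTime=2024/01/01 10:00:02)",
    "SECE/3/ARPS_DROP_PACKET_OPTYPE: Invalid packet optype. "
    "(OperateType=9, SourceMAC=00e0-fc12-3456, SourceIP=192.0.2.21, "
    "SourceInterface=GigabitEthernet0/0/2, DropTime=2024/01/01 10:00:03)",
    "SECE/3/ARPS_DROP_PACKET_IF_SPDLMT: Rate of arp packets on interface "
    "exceeds the limit. (SourceMAC=00e0-fc12-3456, SourceIP=192.0.2.20, "
    "SourceInterface=GigabitEthernet0/0/2, DropTime=2024/01/01 10:00:04)",
    "SECE/4/ARPMISS: Attack occurred. (AttackType=Arp Miss Attack, "
    "SourceInterface=GigabitEthernet0/0/3, SourceIP=192.0.2.30, "
    "AttackPackets=120 packets per second)",
    "unrelated line without a SECE message",
]

if __name__ == "__main__":
    for (ifname, mac), info in triage_arp_drops(SAMPLE_LOGS):
        print(ifname, mac, info["drops"],
              sorted(info["reasons"]), sorted(info["ips"]))
```

A MAC address that appears with several drop reasons or several source IP addresses on one interface is the first candidate for the host check described in the procedure.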
SECE/3/ARPS_DROP_PACKET_VLAN_SPDLMT
Message
SECE/3/ARPS_DROP_PACKET_VLAN_SPDLMT: Rate of arp packets in vlan exceeds the limit. (SourceMAC=[STRING], SourceIP=[STRING], SourceInterface=[STRING], Vlan=[ULONG], DropTime=[STRING])
Parameters
Parameter Name | Parameter Meaning |
---|---|
SourceMAC | Indicates the source MAC address of the ARP packets. |
SourceIP | Indicates the source IP address of the ARP packets. |
SourceInterface | Indicates the source interface of the ARP packets. |
Vlan | Indicates the outer VLAN ID of packets. |
DropTime | Indicates the packet discard time. |
SECE/4/ARPSNP_TABLE_FULL
Message
SECE/4/ARPSNP_TABLE_FULL: The number of ARP snooping entries has reached the specifications. (Specifications=[ULONG])
Possible Causes
The switch generates too many ARP snooping entries and the number of ARP snooping entries reaches the upper limit.
Procedure
- If no update packet is received after the aging time of an ARP snooping entry expires, the entry is deleted. Wait for a period of time and check whether this log still exists.
  - If so, go to step 2.
  - If not, go to step 3.
- Run the reset arp snooping { all | interface interface-type interface-number | vlan vlan-id | ip-address ip-address | mac-address mac-address } command to delete unnecessary ARP snooping entries.
- End.
SECE/4/DAI_DROP_PACKET
Message
SECE/4/DAI_DROP_PACKET: Not hit the user-bind table. (SourceMAC=[STRING], SourceIP=[STRING], SourceInterface=[STRING], DropTime=[STRING])
Parameters
Parameter Name | Parameter Meaning |
---|---|
SourceMAC | Indicates the source MAC address of the ARP packets. |
SourceIP | Indicates the source IP address of the ARP packets. |
SourceInterface | Indicates the source interface of the ARP packets. |
DropTime | Indicates the packet discard time. |
Possible Causes
The device receives an ARP packet that does not match any entry in the DHCP snooping binding table.
Procedure
- Find out the interface where attacks occur according to the SourceInterface field in the alarm message.
- Run the display dhcp snooping user-bind command to check whether users who are not in the DHCP snooping binding table range are connected.
- If new users are connected, run related DHCP snooping commands to generate the DHCP snooping binding entry.
SECE/4/GWCONFLICT
Message
SECE/4/GWCONFLICT: Attack occurred. (AttackType=Gateway Attack, SourceInterface=[STRING], SourceMAC=[STRING], PVlanID=[ULONG])
SECE/4/ICMP_GLOBAL_RATELIMIT
Message
SECE/4/ICMP_GLOBAL_RATELIMIT: The rate of global ICMP packets exceeded the limit. (Threshold=[ULONG] packets per second)
Parameters
Parameter Name | Parameter Meaning |
---|---|
Threshold | Indicates the global rate limit for ICMP packets. |
SECE/4/ICMP_INTF_RATELIMIT
Message
SECE/4/ICMP_INTF_RATELIMIT: The rate of ICMP packets on the interface exceeded the limit. (SourceInterface=[STRING], Threshold=[ULONG] packets per second)
Parameters
Parameter Name | Parameter Meaning |
---|---|
SourceInterface | Indicates the source interface of ICMP packets. |
Threshold | Indicates the rate limit for ICMP packets. |
Possible Causes
The rate of ICMP packets received on an interface exceeds the configured rate limit.
Procedure
- If responses to ping operations are affected due to a small rate limit for ICMP packets on the interface, run the icmp rate-limit interface interface-type interface-number threshold threshold-value command to increase the rate limit on the interface.
- If the number of ICMP packets received on the interface exceeds the global upper rate limit, run the icmp rate-limit total threshold threshold-value command to increase the global rate limit of ICMP packets, in addition to increasing the rate limit of ICMP packets on the interface.
SECE/4/ILLEGAL_IP_DROP_STAT
Message
SECE/4/ILLEGAL_IP_DROP_STAT: There are [STRING1] IP packets dropped due to invalid destination IP addresses. (ZeroIp=[STRING], LoopBackIp=[STRING], ClassEIp=[STRING])
Description
The device discards IP packets with invalid destination IP addresses and collects statistics on these packets.
Parameters
Parameter Name | Parameter Meaning |
---|---|
[STRING1] | Total number of discarded IP packets with invalid destination IP addresses. |
ZeroIp | Number of IP packets destined to 0.0.0.0. |
LoopBackIp | Number of IP packets destined to a loopback address. |
ClassEIp | Number of IP packets destined to a Class E IP address. |
Possible Causes
The drop illegal-dst-ip enable command has been run on the device to discard IP packets with invalid destination IP addresses. This log records the statistics about the discarded IP packets. The following destination IP addresses are invalid:
- IP address with all 0s, that is, 0.0.0.0
- IP addresses with a network ID of 127, that is, 127.0.0.0 to 127.255.255.255
- Class E IP addresses except 255.255.255.255, that is, 240.0.0.0 to 255.255.255.254
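The three address ranges above map directly to the ZeroIp, LoopBackIp and ClassEIp counters in the log. The following added example (not part of the original documentation) classifies destination addresses, for instance from a packet capture, and computes the counters one would expect the log to report. The function names and the sample address list are constructed for illustration.

```python
import ipaddress

LOOPBACK_NET = ipaddress.IPv4Network("127.0.0.0/8")
CLASS_E_FIRST = int(ipaddress.IPv4Address("240.0.0.0"))
CLASS_E_LAST = int(ipaddress.IPv4Address("255.255.255.254"))  # excludes 255.255.255.255


def classify_illegal_dst(addr):
    """Return the log counter an address falls under, or None if it is valid."""
    ip = ipaddress.IPv4Address(addr)
    value = int(ip)
    if value == 0:
        return "ZeroIp"          # only 0.0.0.0 itself, not the rest of 0.0.0.0/8
    if ip in LOOPBACK_NET:
        return "LoopBackIp"      # 127.0.0.0 to 127.255.255.255
    if CLASS_E_FIRST <= value <= CLASS_E_LAST:
        return "ClassEIp"        # 240.0.0.0 to 255.255.255.254
    return None


def expected_counters(destinations):
    """Count destinations per category in the shape of ILLEGAL_IP_DROP_STAT."""
    counters = {"ZeroIp": 0, "LoopBackIp": 0, "ClassEIp": 0}
    for addr in destinations:
        category = classify_illegal_dst(addr)
        if category is not None:
            counters[category] += 1
    counters["Total"] = sum(counters.values())  # corresponds to [STRING1]
    return counters


# Constructed destination addresses, including the range boundaries.
SAMPLE_DESTINATIONS = [
    "0.0.0.0",           # ZeroIp
    "0.0.0.1",           # not counted: only 0.0.0.0 is listed
    "127.0.0.1",         # LoopBackIp
    "127.255.255.255",   # LoopBackIp (upper boundary)
    "240.0.0.0",         # ClassEIp (lower boundary)
    "255.255.255.254",   # ClassEIp (upper boundary)
    "255.255.255.255",   # not counted: limited broadcast is excluded
    "239.255.255.250",   # not counted: multicast, below the Class E range
    "192.0.2.1",         # not counted: ordinary unicast
]

if __name__ == "__main__":
    print(expected_counters(SAMPLE_DESTINATIONS))
```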
SECE/4/IPSG_VLANDROP_PACKET
Message
SECE/4/IPSG_VLANDROP_PACKET: IP packets dropped by IPSG. (VLAN=[ULONG], DropPacketNumber=[ULONG], DropTime=[STRING])
Parameters
Parameter Name | Parameter Meaning |
---|---|
VLAN | Indicates the VLAN ID of the packets. |
DropPacketNumber | Indicates the number of discarded packets. |
DropTime | Indicates the packet discard time. |
Possible Causes
The device receives an IP packet that does not match any entry in the DHCP snooping binding table.
Procedure
- Find out the VLAN where attacks occur according to VLAN in the alarm message.
- Run the display dhcp snooping user-bind command to check whether users who are not in the DHCP snooping binding table range are connected.
- If new users are connected, run related DHCP snooping commands to generate the DHCP snooping binding entry.
SECE/4/IPSG_DROP_PACKET
Message
SECE/4/IPSG_DROP_PACKET: IP packets dropped by IPSG. (SourceInterface=[STRING], DropPacketNumber=[ULONG], DropTime=[STRING])
Parameters
Parameter Name | Parameter Meaning |
---|---|
SourceInterface | Indicates the source interface of the packets. |
DropPacketNumber | Indicates the number of discarded packets. |
DropTime | Indicates the packet discard time. |
Possible Causes
The device receives an IP packet that does not match any entry in the DHCP snooping binding table.
Procedure
- Find out the interface where attacks occur according to the SourceInterface field in the log message.
- Run the display dhcp snooping user-bind command to check whether users who are not in the DHCP snooping binding table range are connected.
- If new users are connected, run related DHCP snooping commands to generate the DHCP snooping binding entry.
SECE/4/IPSG_TABLE_RESOURCE
Parameters
Parameter Name | Parameter Meaning |
---|---|
[STRING1] | Indicates a resource type. |
[STRING2] | Indicates a slot number. |
Possible Causes
The IP source guard function is enabled, but the device does not have enough hardware resources for the IP source guard function. The IP source guard function may not take effect.
Procedure
- Run the display acl resource [ slot slot ] command to view information about ACL resources, including ACL4 and ACL6 resources.
- Run the display current-configuration command to check the current configuration on the switch.
- Check the services that occupy ACL resources based on ACL resource information and the current configuration as follows, and delete unnecessary services to release ACL resources.
  - Check whether NAC, IPSG, MQC, and ACL-based simplified traffic policy services that occupy a large amount of ACL resources exist on the switch.
  - Check the services that occupy ACL resources based on fields in the ACL resource information. For example, MQC, ACL-based simplified traffic policy, SVF, MPLS, and BFD for VPLS services occupy UDF ACL resources. If a large amount of UDF ACL resources are occupied, check these services first.
- If the fault persists, collect log information and configuration information, and then contact technical support personnel. You can collect diagnostic information using the display diagnostic-information command.
SECE/6/MFF_GW_MAC_CHANGED
Message
SECE/6/MFF_GW_MAC_CHANGED: The MAC of a gateway is changed. (IP=[IPADDR], OldMAC=[OCTET], NewMAC=[OCTET])
Parameters
Parameter Name | Parameter Meaning |
---|---|
IP | Indicates the IP address of the MFF gateway. |
OldMAC | Indicates the original MAC address of the MFF gateway. |
NewMAC | Indicates the changed MAC address of the MFF gateway. |
Procedure
- Check whether the gateway has changed its MAC address.
  - If the MAC address of the gateway is changed, no operation is required.
  - If the MAC address of the gateway is not changed, run the display mac-address command to check whether the VLAN ID and interface matching the changed MAC address are valid.
    - If the MAC address belongs to an authorized user, the user's MAC address conflicts with the MFF gateway's MAC address. Request the network administrator to change the user's MAC address or the MFF gateway's MAC address.
    - If the MAC address belongs to an unauthorized user, run the mac-address blackhole command to discard the packets from this user.
- If the fault persists, collect log information and configuration information, and then contact technical support personnel. You can collect diagnostic information using the display diagnostic-information command.
SECE/3/NOT_SUPPORT
SECE/4/OLC_DELAY_TASK
Message
SECE/4/OLC_DELAY_TASK: Task is delayed because cpu is overloaded on the board in slot [STRING]. (Task=[STRING], RunTime=[ULONG] ms, DelayTime=[ULONG] ms)
Parameters
Parameter Name | Parameter Meaning |
---|---|
slot | Indicates the slot ID. |
Task | Indicates the task name. |
RunTime | Indicates the task running time, in milliseconds. |
DelayTime | Indicates the delay in processing the task, in milliseconds. |
Possible Causes
A large amount of traffic of a monitored task was sent to the CPU or an attack was initiated.
Procedure
- Run the display cpu-usage command to view the current CPU usage.
- Run the display cpu-overload-control statistics command to view OLC statistics to locate the task that is delayed.
- If the CPU usage is within the acceptable range, run the undo cpu-overload-control task enable command to disable the OLC function for the task. Otherwise, no further action is required.
SECE/4/OLC_DROP_PACKET
Message
SECE/4/OLC_DROP_PACKET: Some packets are dropped because cpu is overloaded on the board in slot [STRING]. (Protocol=[STRING], PassedPacketCount= [ULONG], DroppedPacketCount=[ULONG])
Description
The CPU usage reached the OLC start threshold, and the monitored protocol packets were discarded.
Parameters
Parameter Name | Parameter Meaning |
---|---|
slot | Indicates the slot ID. |
Protocol | Indicates the protocol type of packets. |
PassedPacketCount | Indicates the number of passed packets. |
DroppedPacketCount | Indicates the number of discarded packets. |
Possible Causes
A large number of packets of a monitored protocol were sent to the CPU or an attack was initiated.
Procedure
- Run the display cpu-usage command to view the current CPU usage.
- Run the display cpu-overload-control statistics command to view OLC statistics to locate the type of discarded protocol packets.
- If the CPU usage is within the acceptable range, run the cpu-overload-control packet-type disable command to disable the OLC function for the protocol. Otherwise, no further action is required.
SECE/4/PORT_ATTACK
Message
SECE/4/PORT_ATTACK: Port attack occurred. (Slot=[STRING], SourceAttackInterface=[STRING], OuterVlan/InnerVlan=[ULONG]/[ULONG], AttackProtocol=[STRING], AttackPackets=[ULONG] packets per second)
Parameters
Parameter Name | Parameter Meaning |
---|---|
Slot | Indicates the slot of an MPU or LPU. |
SourceAttackInterface | Indicates the interface that initiates the attack. |
OuterVlan | Indicates the outer VLAN ID or single VLAN ID of the attack source. |
InnerVlan | Indicates the inner VLAN ID of the attack source. |
AttackProtocol | Indicates the protocol type of attack packets. |
AttackPackets | Indicates the rate of attack packets, in pps. |
Procedure
- Run the display auto-defend attack-source command to check whether attack packets exist on the interfaces.
- Analyze the features of attack packets, configure the traffic policy according to this information to perform CAR on the packets, and then apply this policy to the LPU or MPU where the attack occurred.
- Collect log information and configuration information, and then contact technical support personnel. You can collect diagnostic information using the display diagnostic-information command.
SECE/6/PORT_ATTACK_END
Message
SECE/6/PORT_ATTACK_END: Auto port-defend stop. (SourceAttackInterface=[STRING], AttackProtocol=[STRING], ExceededPacketCountInSlot=[STRING])
Parameters
Parameter Name | Parameter Meaning |
---|---|
SourceAttackInterface | Indicates the attack source interface. |
AttackProtocol | Indicates the protocol type of attack packets. |
ExceededPacketCountInSlot | Indicates the number of discarded packets. When port attack defense is triggered on multiple interfaces, packet loss may be recorded on other interfaces besides the interface recorded in the log. |
SECE/4/PORT_ATTACK_OCCUR
Message
SECE/4/PORT_ATTACK_OCCUR: Auto port-defend started. (SourceAttackInterface=[STRING], AttackProtocol=[STRING])
Parameters
Parameter Name | Parameter Meaning |
---|---|
SourceAttackInterface | Indicates the attack source interface. |
AttackProtocol | Indicates the protocol type of attack packets. |
SECE/6/QUEUE_DROP
Message
SECE/6/QUEUE_DROP: Rate of packets to cpu exceeded the QUEUE limit. (SlotId=[STRING], Queue0DropNumber=[STRING], Queue1DropNumber=[STRING], Queue2DropNumber=[STRING], Queue3DropNumber=[STRING], Queue4DropNumber=[STRING], Queue5DropNumber=[STRING], Queue6DropNumber=[STRING], Queue7DropNumber=[STRING])
Parameters
Parameter Name | Parameter Meaning |
---|---|
SlotId | Indicates a slot ID. |
Queue0DropNumber/Queue1DropNumber/Queue2DropNumber/Queue3DropNumber/Queue4DropNumber/Queue5DropNumber/Queue6DropNumber/Queue7DropNumber | Indicates the number of packets dropped in every 10 minutes in queues 0 to 7. |
Possible Causes
A large CPCAR value was set for packets to be sent to the CPU. As a result, a large number of packets were sent to the CPU.
Procedure
- Run the display cpu-defend configuration slot slot-id command to check whether the CPCAR value configured for each type of protocol packets is correct. The default CPCAR value is recommended.
- Collect log information and configuration information, and then contact technical support personnel. You can collect diagnostic information using the display diagnostic-information command.
SECE/3/RESOURCE_INSUFFIEIENT
Description
Attack source tracing, CAR, whitelist configuration, blacklist configuration, IP Source Trail, storm control, traffic-pppoe, or traffic suppression in VLANs fails due to insufficient resources.
Parameters
Parameter Name | Parameter Meaning |
---|---|
STRING1 | Indicates the operation type. |
STRING2 | Indicates the slot id. |
Possible Causes
Attack source tracing, CAR, whitelist configuration, blacklist configuration, IP Source Trail, storm control, traffic-pppoe, or suppression on broadcast, unknown multicast, or unknown unicast packets in VLANs fails.
Procedure
- Run the display acl resource [ slot slot ] command to view information about ACL resources, including ACL4 and ACL6 resources.
- Run the display current-configuration command to check the current configuration on the switch.
- Check the services that occupy ACL resources based on ACL resource information and the current configuration as follows, and delete unnecessary services to release ACL resources.
  - Check whether NAC, IPSG, MQC, and ACL-based simplified traffic policy services that occupy a large amount of ACL resources exist on the switch.
  - Check the services that occupy ACL resources based on fields in the ACL resource information. For example, MQC, ACL-based simplified traffic policy, SVF, MPLS, and BFD for VPLS services occupy UDF ACL resources. If a large amount of UDF ACL resources are occupied, check these services first.
- If the fault persists, collect log information and configuration information, and then contact technical support personnel. You can collect diagnostic information using the display diagnostic-information command.
SECE/3/MFF_RESOURCE_LACK
Description
The ACL resources corresponding to MFF are insufficient, so delivery of ACL resources fails.
Possible Causes
When MFF is enabled in the VLAN view, if the ACL resources are insufficient, the device will generate this log.
Procedure
- Run the display acl resource [ slot slot ] command to view information about ACL resources, including ACL4 and ACL6 resources.
- Run the display current-configuration command to check the current configuration on the switch.
- Check the services that occupy ACL resources based on ACL resource information and the current configuration as follows, and delete unnecessary services to release ACL resources.
  - Check whether NAC, IPSG, MQC, and ACL-based simplified traffic policy services that occupy a large amount of ACL resources exist on the switch.
  - Check the services that occupy ACL resources based on fields in the ACL resource information. For example, MQC, ACL-based simplified traffic policy, SVF, MPLS, and BFD for VPLS services occupy UDF ACL resources. If a large amount of UDF ACL resources are occupied, check these services first.
- If the fault persists, collect log information and configuration information, and then contact technical support personnel. You can collect diagnostic information using the display diagnostic-information command.
SECE/3/IPSG_RESOURCE_LACK
Message
SECE/3/IPSG_RESOURCE_LACK: Resource for IP Source Guard in slot [STRING] is not enough. (Vlan=[ULONG])
Description
The ACL resources corresponding to IPSG are insufficient, so delivery of ACL resources fails.
Possible Causes
When IPSG is enabled in the VLAN view, if the ACL resources are insufficient, the device will generate this log.
Procedure
- Run the display acl resource [ slot slot ] command to view information about ACL resources, including ACL4 and ACL6 resources.
- Run the display current-configuration command to check the current configuration on the switch.
- Check the services that occupy ACL resources based on ACL resource information and the current configuration as follows, and delete unnecessary services to release ACL resources.
  - Check whether NAC, IPSG, MQC, and ACL-based simplified traffic policy services that occupy a large amount of ACL resources exist on the switch.
  - Check the services that occupy ACL resources based on fields in the ACL resource information. For example, MQC, ACL-based simplified traffic policy, SVF, MPLS, and BFD for VPLS services occupy UDF ACL resources. If a large amount of UDF ACL resources are occupied, check these services first.
- If the fault persists, collect log information and configuration information, and then contact technical support personnel. You can collect diagnostic information using the display diagnostic-information command.
SECE/4/SPECIFY_SIP_ATTACK
Message
SECE/4/SPECIFY_SIP_ATTACK: The specified source IP address attack occurred. (Slot=[STRING], SourceAttackIP=[STRING], AttackProtocol=[STRING], AttackPackets=[ULONG] packets per second)
Parameters
Parameter Name | Parameter Meaning |
---|---|
Slot | Indicates the slot of an MPU or LPU. |
SourceAttackIP | Indicates the source IP address of an attack. |
AttackProtocol | Indicates the protocol type of attack packets. |
AttackPackets | Indicates the rate of attack packets, in pps. |
Possible Causes
A lot of attack packets from the corresponding IP address were received on the interface.
Procedure
- Run the display auto-defend attack-source command to check whether the user attack packets exist.
- If so, run the auto-defend action deny [ timer time-length ] command to discard the attack packets.
- If the fault persists, collect log information and configuration information, and then contact technical support personnel. You can collect diagnostic information using the display diagnostic-information command.
SECE/4/STICKY_MAC_CONFLICT
Message
SECE/4/STICKY_MAC_CONFLICT: The MAC address entry of another type already exists. (MAC=[OCTET])
Description
The device failed to generate a snooping MAC entry after the user-bind ip sticky-mac command was run.
Parameters
Parameter Name | Parameter Meaning |
---|---|
MAC | MAC address that conflicts with the MAC address in the snooping MAC entry. |
SECE/4/STORMCTRL_BC_BLOCKED
Possible Causes
A broadcast storm occurred on the interface, and the rate of broadcast packets received on the interface exceeded the upper threshold specified by the storm-control command. As a result, broadcast packets were blocked on the interface.
Procedure
- Check whether the broadcast storm is caused by a loop. If so, remove the loop. When the average rate of broadcast packets received on the interface falls below the lower threshold, broadcast packets are properly forwarded by the interface. For the broadcast storm troubleshooting procedure, see MAC Address Flapping Occurs on a Layer 2 Network and STP Faults Occur in the Revelations of Troublesolving.
SECE/3/STORMCTRL_BC_FAIL
Message
SECE/3/STORMCTRL_BC_FAIL: Failed to block broadcast packets from the Interface [STRING] because the hardware resources are insufficient.
Procedure
- Run the display acl resource [ slot slot ] command to view information about ACL resources, including ACL4 and ACL6 resources.
- Run the display current-configuration command to check the current configuration on the switch.
- Check the services that occupy ACL resources based on ACL resource information and the current configuration as follows, and delete unnecessary services to release ACL resources.
  - Check whether NAC, IPSG, MQC, and ACL-based simplified traffic policy services that occupy a large amount of ACL resources exist on the switch.
  - Check the services that occupy ACL resources based on fields in the ACL resource information. For example, MQC, ACL-based simplified traffic policy, SVF, MPLS, and BFD for VPLS services occupy UDF ACL resources. If a large amount of UDF ACL resources are occupied, check these services first.
- If the fault persists, collect log information and configuration information, and then contact technical support personnel. You can collect diagnostic information using the display diagnostic-information command.
SECE/4/STORMCTRL_BC_UNBLOCK
SECE/4/STORMCTRL_IF_NORMAL
SECE/4/STORMCTRL_IF_ERROR_DOWN
Description
The storm control function was configured, and a broadcast storm occurred on the interface. As a result, the interface status became Error-Down.
Possible Causes
The storm control function was configured on the interface, and the storm control action was set to error-down. A broadcast storm occurred due to a loop, attack, or hardware fault, and the average rate of broadcast, multicast, or unknown unicast packets exceeded the upper threshold. As a result, the storm control action was performed and the interface status became Error-Down.
Procedure
- Check whether the broadcast storm is caused by a loop. If so, remove the loop. For the broadcast storm troubleshooting procedure, see MAC Address Flapping Occurs on a Layer 2 Network and STP Faults Occur in the Revelations of Troublesolving.
- Run the shutdown and undo shutdown commands in sequence on the interface. If many interfaces are in Error-Down state, run the error-down auto-recovery cause storm-control interval interval-value command in the system view to enable these interfaces to go Up and set a recovery delay. Then run the display error-down recovery command to check whether there are still interfaces in Error-Down state.
SECE/4/STORMCTRL_MC_BLOCKED
Possible Causes
A broadcast storm occurred on the interface, and the rate of multicast packets received on the interface exceeded the upper threshold specified by the storm-control command. As a result, multicast packets were blocked on the interface.
Procedure
- Check whether the broadcast storm is caused by a loop. If so, remove the loop. When the average rate of multicast packets received on the interface falls below the lower threshold, multicast packets are properly forwarded by the interface. For the broadcast storm troubleshooting procedure, see MAC Address Flapping Occurs on a Layer 2 Network and STP Faults Occur in the Revelations of Troublesolving.
SECE/3/STORMCTRL_MC_FAIL
Message
SECE/3/STORMCTRL_MC_FAIL: Failed to block multicast packets from the Interface [STRING] because the hardware resources are insufficient.
Procedure
- Run the display acl resource [ slot slot ] command to view information about ACL resources, including ACL4 and ACL6 resources.
- Run the display current-configuration command to check the current configuration on the switch.
- Check the services that occupy ACL resources based on ACL resource information and the current configuration as follows, and delete unnecessary services to release ACL resources.
  - Check whether NAC, IPSG, MQC, and ACL-based simplified traffic policy services that occupy a large amount of ACL resources exist on the switch.
  - Check the services that occupy ACL resources based on fields in the ACL resource information. For example, MQC, ACL-based simplified traffic policy, SVF, MPLS, and BFD for VPLS services occupy UDF ACL resources. If a large amount of UDF ACL resources are occupied, check these services first.
- If the fault persists, collect log information and configuration information, and then contact technical support personnel. You can collect diagnostic information using the display diagnostic-information command.
SECE/4/STORMCTRL_MC_UNBLOCK
SECE/4/STORMCTRL_UC_BLOCKED
Possible Causes
A broadcast storm occurred on the interface, and the rate of unknown unicast packets received on the interface exceeded the upper threshold specified by the storm-control command. As a result, unknown unicast packets were blocked on the interface.
Procedure
- Check whether the broadcast storm is caused by a loop. If so, remove the loop. When the average rate of unknown unicast packets received on the interface falls below the lower threshold, unknown unicast packets are properly forwarded by the interface. For the broadcast storm troubleshooting procedure, see MAC Address Flapping Occurs on a Layer 2 Network and STP Faults Occur in the Revelations of Troublesolving.
SECE/3/STORMCTRL_UC_FAIL
Message
SECE/3/STORMCTRL_UC_FAIL: Failed to block unicast packets from the Interface [STRING] because the hardware resources are insufficient.
Description
An interface fails to block unknown unicast packets because ACL resources are insufficient.
Procedure
- Run the display acl resource [ slot slot ] command to view information about ACL resources, including ACL4 and ACL6 resources.
- Run the display current-configuration command to check the current configuration on the switch.
- Check the services that occupy ACL resources based on ACL resource information and the current configuration as follows, and delete unnecessary services to release ACL resources.
  - Check whether NAC, IPSG, MQC, and ACL-based simplified traffic policy services that occupy a large amount of ACL resources exist on the switch.
  - Check the services that occupy ACL resources based on fields in the ACL resource information. For example, MQC, ACL-based simplified traffic policy, SVF, MPLS, and BFD for VPLS services occupy UDF ACL resources. If a large amount of UDF ACL resources are occupied, check these services first.
- If the fault persists, collect log information and configuration information, and then contact technical support personnel. You can collect diagnostic information using the display diagnostic-information command.
SECE/4/STORMCTRL_UC_UNBLOCK
SECE/4/STRACK_DENY
Message
SECE/4/STRACK_DENY: Some packets are dropped because an attack is detected. (Interface=[OCTET], SourceIP=[IPADDR])
SECE/4/STRACK_DENY: Some packets are dropped because an attack is detected. (Interface=[OCTET], SourceMAC=[OCTET])
SECE/4/STRACK_DENY: Some packets are dropped because an attack is detected. (Interface=[OCTET], CVLAN=[INTEGER], PVLAN=[INTEGER])
Parameters
Parameter Name | Parameter Meaning |
---|---|
Interface | Indicates the interface that receives attack packets. |
SourceMAC | Indicates the source MAC address of attack packets. |
SourceIP | Indicates the source IP address of attack packets. |
CVLAN | Indicates the inner VLAN ID of attack packets. |
PVLAN | Indicates the outer VLAN ID of attack packets. |
Possible Causes
The attack tracing module detects an attack, and the attack defense action is set to deny.
Procedure
- Check whether the discarded packets are sent from an authorized user.
  - If the sender is an authorized user, run the auto-defend whitelist whitelist-num { acl acl_number | interface interface-type interface-number } command to add the user to the whitelist. Then packets sent from this user are not discarded.
  - If the sender is an attacker, you do not need to perform any operation.
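As an added illustration (not vendor code), the Python below parses the three STRACK_DENY variants listed above and separates drops from known authorized senders, which are the whitelist candidates in the procedure, from all other sources. The syslog prefix, the sample values and the `AUTHORIZED` inventory are constructed assumptions.

```python
import re
from collections import Counter

# Head and field list as printed on this page; any syslog prefix is ignored.
STRACK_DENY = re.compile(r"SECE/4/STRACK_DENY.*?\((?P<fields>Interface=[^)]*)\)")

def parse_strack_deny(line):
    """Return (interface, kind, source) for one STRACK_DENY line, else None."""
    m = STRACK_DENY.search(line)
    if not m:
        return None
    fields = {}
    for part in m.group("fields").split(","):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    try:
        if "SourceIP" in fields:
            return fields["Interface"], "ip", fields["SourceIP"]
        if "SourceMAC" in fields:
            return fields["Interface"], "mac", fields["SourceMAC"].lower()
        # Third variant: outer (PVLAN) and inner (CVLAN) tags identify the source.
        return fields["Interface"], "vlan", (int(fields["PVLAN"]), int(fields["CVLAN"]))
    except (KeyError, ValueError):
        return None  # field list lacks a source or holds a non-numeric VLAN

def triage(lines, authorized):
    """Split drop counts into whitelist-review candidates and everything else."""
    counts = Counter(rec for rec in map(parse_strack_deny, lines) if rec)
    review = {k: n for k, n in counts.items() if k[1:] in authorized}
    other = {k: n for k, n in counts.items() if k[1:] not in authorized}
    return review, other

# Constructed sample lines (timestamps, host name and values are made up).
PREFIX = "2024-01-01 10:00:00 sw1 SECE/4/STRACK_DENY: Some packets are dropped because an attack is detected. "
SAMPLE_STRACK = [
    PREFIX + "(Interface=GigabitEthernet0/0/1, SourceIP=192.0.2.10)",
    PREFIX + "(Interface=GigabitEthernet0/0/1, SourceIP=192.0.2.10)",
    PREFIX + "(Interface=GigabitEthernet0/0/2, SourceMAC=00E0-FC12-3456)",
    PREFIX + "(Interface=GigabitEthernet0/0/3, CVLAN=10, PVLAN=100)",
    PREFIX + "(Interface=GigabitEthernet0/0/4, CVLAN=10",  # truncated line
    "2024-01-01 10:00:05 sw1 SECE/4/STRACK_ERROR_DOWN: Interface's status is changed to error-down because an attack is detected. (Interface=GigabitEthernet0/0/5)",
]
# Hypothetical inventory of authorized senders, keyed as (kind, source).
AUTHORIZED = {("ip", "192.0.2.10")}

if __name__ == "__main__":
    for label, rows in zip(("whitelist review", "no action"), triage(SAMPLE_STRACK, AUTHORIZED)):
        print(label, rows)
```
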
SECE/4/STRACK_ERROR_DOWN
Message
SECE/4/STRACK_ERROR_DOWN: Interface's status is changed to error-down because an attack is detected. (Interface=[OCTET])
Description
An interface transitions to error-down state because an attack is detected on the interface.
Parameters
Parameter Name | Parameter Meaning |
---|---|
Interface | Indicates the interface that receives attack packets. |
Possible Causes
The attack tracing module detects an attack, and the attack defense action is set to error-down.
Procedure
- Check whether the discarded packets are sent from an authorized user.
  - If the sender is an authorized user, run the auto-defend whitelist whitelist-num { acl acl_number | interface interface-type interface-number } command to add the user to the whitelist. Then packets sent from this user are not discarded.
  - If the sender is an attacker, you do not need to perform any operation.
SECE/3/STRACK_RESOURCE_LACK
Parameters
Parameter Name | Parameter Meaning |
---|---|
[STRING1] | Indicates the service type. |
[STRING2] | Indicates a slot ID. |
Possible Causes
The discard action in attack source tracing is implemented using ACL resources. The deny action fails to be delivered because ACL resources are insufficient.
Procedure
- Run the display acl resource [ slot slot ] command to view information about ACL resources, including ACL4 and ACL6 resources.
- Run the display current-configuration command to check the current configuration on the switch.
- Check the services that occupy ACL resources based on ACL resource information and the current configuration as follows, and delete unnecessary services to release ACL resources.
  - Check whether NAC, IPSG, MQC, and ACL-based simplified traffic policy services that occupy a large amount of ACL resources exist on the switch.
  - Check the services that occupy ACL resources based on fields in the ACL resource information. For example, MQC, ACL-based simplified traffic policy, SVF, MPLS, and BFD for VPLS services occupy UDF ACL resources. If a large amount of UDF ACL resources are occupied, check these services first.
- If the fault persists, collect log information and configuration information, and then contact technical support personnel. You can collect diagnostic information using the display diagnostic-information command.
SECE/4/USER_ATTACK
Message
SECE/4/USER_ATTACK: User attack occurred. (Slot=[STRING], SourceAttackInterface=[STRING], OuterVlan/InnerVlan=[ULONG ]/[ULONG], UserMacAddress=[STRING], AttackProtocol=[STRING], AttackPackets=[ULONG] packets per second)
Parameters
Parameter Name | Parameter Meaning |
---|---|
Slot | Indicates the slot of an MPU or LPU. |
SourceAttackInterface | Indicates the interface that initiates the attack. |
OuterVlan | Indicates the outer VLAN ID or single VLAN ID of the attack source. |
InnerVlan | Indicates the inner VLAN ID of the attack source. |
UserMacAddress | Indicates the MAC address of the attack source. |
AttackProtocol | Indicates the protocol type of attack packets. |
AttackPackets | Indicates the rate of attack packets, in pps. |
Possible Causes
A lot of attack packets from the corresponding VLAN or MAC address are received on the interface.
Procedure
- Run the display auto-defend attack-source command to check whether user attack packets exist.
- Analyze the features of attack packets, configure the traffic policy according to this information to perform CAR on the packets, and then apply this policy to the LPU or MPU where the attack occurred.
- Collect log information and configuration information, and then contact technical support personnel. You can collect diagnostic information using the display diagnostic-information command.
SECE/3/RESOURCE_LACK(STRACK)
Description
The hardware resources on the LPU were insufficient for the attack source tracing function.
Possible Causes
The discard action in attack source tracing was implemented using ACL resources. This action failed to be delivered due to insufficient ACL resources.
Procedure
- Run the display current-configuration command to check the configurations that lead to insufficient ACL resources.
- Adjust ACL resources. Delete unnecessary ACLs to release resources.
- If the fault persists, collect log information and configuration information, and then contact technical support personnel. You can collect diagnostic information using the display diagnostic-information command.
SECE/4/UCSUPPRESS
Message
SECE/4/UCSUPPRESS: MAC address flapping started on port. The rate of unknown unicast packets was limited to 50% of the port bandwidth. (Interface=[STRING])
Description
The device detected MAC address flapping on an interface, and suppressed unknown unicast traffic to 50% of the interface rate.
Possible Causes
When storm control and traffic suppression are not configured, the switch suppresses unknown unicast traffic on an interface when it detects MAC address flapping on that interface.
Procedure
1. Run the snmp-agent trap enable feature-name l2ifppi command to enable the alarm function for MAC address flapping, including hwmflpbdalarm for MAC address flapping in a BD, hwmflpvlanalarm for MAC address flapping in a VLAN and hwmflpvsialarm for MAC address flapping in a VSI. Check whether these alarms are generated.
   - If so, go to step 2.
   - If not, go to step 3.
2. Based on the generated alarms, take measures by referring to L2IFPPI_1.3.6.1.4.1.2011.5.25.160.3.7 hwMflpVlanAlarm, L2IFPPI_1.3.6.1.4.1.2011.5.25.160.3.17 hwMflpBdAlarm or L2IFPPI_1.3.6.1.4.1.2011.5.25.160.3.8 hwMflpVsiAlarm. Then, check whether the recovery log SECE/4/UCSUPPRESSRESUME is recorded.
   - If so, no further action is required.
   - If not, go to step 4.
3. Check whether the recovery log SECE/4/UCSUPPRESSRESUME is recorded.
   - If so, no further action is required.
   - If not, go to step 4.
4. Contact technical support personnel. You can collect diagnostic information using the display diagnostic-information command.
SECE/4/UCSUPPRESSRESUME
Message
SECE/4/UCSUPPRESSRESUME: MAC address flapping finished on port. Unknown unicast packets were normally forwarded. (Interface=[STRING])
Description
MAC address flapping stopped and unknown unicast traffic was normally forwarded on an interface.
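The UCSUPPRESS procedure asks whether the recovery log SECE/4/UCSUPPRESSRESUME was recorded. As an added example (not vendor code), the Python below replays collected log lines in order and reports interfaces still under suppression, plus how many completed flapping episodes each interface has had. The timestamp and host prefix and the interface names are constructed assumptions.

```python
import re
from collections import Counter

# Longer mnemonic first so UCSUPPRESSRESUME is not read as UCSUPPRESS.
FLAP_EVENT = re.compile(
    r"SECE/4/(UCSUPPRESSRESUME|UCSUPPRESS)\b.*?\(Interface=([^)]+)\)")

def replay_suppression(lines):
    """Replay logs in order.

    Returns (still_suppressed, episodes): interfaces whose UCSUPPRESS has no
    later UCSUPPRESSRESUME, mapped to the index of the line that opened the
    episode, and a per-interface count of completed episodes.
    """
    still_suppressed, episodes = {}, Counter()
    for idx, line in enumerate(lines):
        m = FLAP_EVENT.search(line)
        if not m:
            continue
        event, iface = m.group(1), m.group(2).strip()
        if event == "UCSUPPRESS":
            # A repeated start without a resume keeps the original start index.
            still_suppressed.setdefault(iface, idx)
        elif still_suppressed.pop(iface, None) is not None:
            episodes[iface] += 1
        # A resume with no recorded start (for example, rotated logs) is ignored.
    return still_suppressed, episodes

# Constructed sample lines following the message texts on this page.
START = ("MAC address flapping started on port. The rate of unknown unicast "
         "packets was limited to 50% of the port bandwidth. ")
END = "MAC address flapping finished on port. Unknown unicast packets were normally forwarded. "
SAMPLE_FLAP = [
    "10:00:00 sw1 SECE/4/UCSUPPRESS: " + START + "(Interface=GigabitEthernet0/0/1)",
    "10:00:40 sw1 SECE/4/UCSUPPRESSRESUME: " + END + "(Interface=GigabitEthernet0/0/1)",
    "10:05:00 sw1 SECE/4/UCSUPPRESS: " + START + "(Interface=GigabitEthernet0/0/1)",
    "10:05:30 sw1 SECE/4/UCSUPPRESSRESUME: " + END + "(Interface=GigabitEthernet0/0/1)",
    "10:06:00 sw1 SECE/4/UCSUPPRESS: " + START + "(Interface=GigabitEthernet0/0/2)",
    "10:07:00 sw1 SECE/4/UCSUPPRESSRESUME: " + END + "(Interface=GigabitEthernet0/0/3)",
]

if __name__ == "__main__":
    pending, done = replay_suppression(SAMPLE_FLAP)
    print("no UCSUPPRESSRESUME yet:", pending)
    print("completed episodes:", dict(done))
```

An interface that keeps completing episodes is recovering each time but still has an unresolved flapping cause, so it merits the same alarm check as one that never resumed.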