SECE - S7700 V200R019C10 Log Reference

S7700 V200R019C10 Log Reference

This document provides the explanations, causes, and recommended actions of logs on the product.

Rate and give feedback:

Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).

SECE

SECE/4/ARP_PACKET_BLOCK
SECE/4/ARPMISS
SECE/3/ARPS_DROP_PACKET_GLOBAL_SPDLMT
SECE/3/ARPS_DROP_PACKET_HDADDR_LEN
SECE/3/ARPS_DROP_PACKET_IF_SPDLMT
SECE/3/ARPS_DROP_PACKET_LENTH
SECE/3/ARPS_DROP_PACKET_OPTYPE
SECE/3/ARPS_DROP_PACKET_PROADDR_LEN
SECE/3/ARPS_DROP_PACKET_SRC_MAC
SECE/3/ARPS_DROP_PACKET_VLAN_SPDLMT
SECE/4/ARPSNP_TABLE_FULL
SECE/4/DAI_DROP_PACKET
SECE/4/GWCONFLICT
SECE/4/ICMP_GLOBAL_RATELIMIT
SECE/4/ICMP_INTF_RATELIMIT
SECE/4/ILLEGAL_IP_DROP_STAT
SECE/4/IPSG_VLANDROP_PACKET
SECE/4/IPSG_DROP_PACKET
SECE/4/IPSG_TABLE_RESOURCE
SECE/6/MFF_GW_MAC_CHANGED
SECE/3/NOT_SUPPORT
SECE/4/OLC_DELAY_TASK
SECE/4/OLC_DROP_PACKET
SECE/4/PORT_ATTACK
SECE/6/PORT_ATTACK_END
SECE/4/PORT_ATTACK_OCCUR
SECE/6/QUEUE_DROP
SECE/3/RESOURCE_INSUFFIEIENT
SECE/3/MFF_RESOURCE_LACK
SECE/3/IPSG_RESOURCE_LACK
SECE/4/SPECIFY_SIP_ATTACK
SECE/4/STICKY_MAC_CONFLICT
SECE/4/STORMCTRL_BC_BLOCKED
SECE/3/STORMCTRL_BC_FAIL
SECE/4/STORMCTRL_BC_UNBLOCK
SECE/4/STORMCTRL_IF_NORMAL
SECE/4/STORMCTRL_IF_ERROR_DOWN
SECE/4/STORMCTRL_MC_BLOCKED
SECE/3/STORMCTRL_MC_FAIL
SECE/4/STORMCTRL_MC_UNBLOCK
SECE/4/STORMCTRL_UC_BLOCKED
SECE/3/STORMCTRL_UC_FAIL
SECE/4/STORMCTRL_UC_UNBLOCK
SECE/4/STRACK_DENY
SECE/4/STRACK_ERROR_DOWN
SECE/3/STRACK_RESOURCE_LACK
SECE/4/USER_ATTACK
SECE/3/RESOURCE_LACK(STRACK)
SECE/4/UCSUPPRESS
SECE/4/UCSUPPRESSRESUME

SECE/4/ARP_PACKET_BLOCK

Message

SECE/4/ARP_PACKET_BLOCK: ARP packets were blocked. (SourceInterface=[STRING], BlockTime=[ULONG]seconds)

Description

All the packets on the interface are blocked at the time specified by block time.

Parameters

Parameter Name	Parameter Meaning
SourceInterface	Indicates the inbound interface of ARP packets.
BlockTime	Indicates the time ARP packets are blocked.

Possible Causes

After rate limiting on ARP packets is configured on an interface, if the rate of ARP packets exceeds the rate limit, the system delivers an ACL to discard ARP packets on the interface.

Procedure

If user services are not affected, the alarm does not need to be handled.
If the user services are intermittently disconnected, run the arp anti-attack rate-limit packet packet-number command in the interface view to adjust the ARP rate limit. Adjusting the rate limit may affect CPU usage. You are advised to contact technical support personnel.

SECE/4/ARPMISS

Message

SECE/4/ARPMISS: Attack occurred. (AttackType=Arp Miss Attack, SourceInterface=[STRING], SourceIP=[STRING], AttackPackets=[ULONG] packets per second)

Description

The rate exceeds the global ARP Miss rate limit.

Parameters

Parameter Name	Parameter Meaning
SourceInterface	Indicates the name of an interface.
SourceIP	Indicates the source IP address of attack packets.
AttackPackets	Indicates the rate of attack packets, in pps.

Possible Causes

If a host sends a large number of IP packets with unresolvable destination IP addresses to attack a device (the device has a route to the destination IP address of a packet but has no ARP entry matching the next hop of the route), the device generates a large number of ARP Miss messages. When the rate of ARP Miss messages exceeds the global ARP Miss rate limit, the device generates the alarm.

Procedure

Run the reset cpu-defend statistics command to clear statistics on the ARP Miss messages sent to the CPU.
Wait for 1 minute, and run the display cpu-defend statistics all command to check the number of ARP Miss messages sent to the CPU within 1 minute. Check whether a large number of packets are discarded:
- If so, go to step 3.
- If not, verify that the network is secure and run the info-center source SECE channel 4 log state off command to disable the device from sending SECE log information.
Locate the attack source based on the IP address in the log information.
Check whether the attacker is infected with viruses.
- If so, you are advised to remove viruses from the user host. You can also add the address of the user to the blacklist or configure a blackhole MAC address entry to discard ARP request packets sent by the attacker.
- If not, go to step 4.
Run the display arp anti-attack configuration arpmiss-rate-limit command to check global configuration of source-based ARP-Miss suppression.
Run the arp-miss speed-limit source-ip [ ip-address ] maximum 0 command to configure the device not to limit the rate of ARP Miss messages based on source the IP address.
If the log is frequently generated, collect log information and configuration information, and then contact technical support personnel. You can collect diagnostic information using the display diagnostic-information command.

SECE/3/ARPS_DROP_PACKET_GLOBAL_SPDLMT

Message

SECE/3/ARPS_DROP_PACKET_GLOBAL_SPDLMT: Rate of global arp packets exceeds the limit. (SourceMAC=[STRING], SourceIP=[STRING], SourceInterface=[STRING], DropTime=[STRING])

Description

The rate of ARP packets on the device exceeds the threshold.

Parameters

Parameter Name	Parameter Meaning
SourceMAC	Indicates the source MAC address of the ARP packets.
SourceIP	Indicates the source IP address of the ARP packets.
SourceInterface	Indicates the source interface of the ARP packets.
DropTime	Indicates the packet discard time.

Possible Causes

The rate of ARP packets on the device exceeds the threshold.

Procedure

If the processing speed becomes slow or the CPU usage is high, a large number of ARP packets are sent to the CPU. To make the device run properly, run the arp anti-attack rate-limit command to reduce the rate threshold of ARP packets.

SECE/3/ARPS_DROP_PACKET_HDADDR_LEN

Message

SECE/3/ARPS_DROP_PACKET_HDADDR_LEN: Invalid hard address length. (HardAddressLength=[ULONG], SourceMAC=[STRING], SourceIP=[STRING], SourceInterface=[STRING], DropTime=[STRING])

Description

The hardware address length in the ARP packet is invalid.

Parameters

Parameter Name	Parameter Meaning
HardAddressLength	Indicates the MAC address length of the ARP packets.
SourceMAC	Indicates the source MAC address of the ARP packets.
SourceIP	Indicates the source IP address of the ARP packets.
SourceInterface	Indicates the source interface of the ARP packets.
DropTime	Indicates the packet discard time.

Possible Causes

The device receives an ARP packet with the hardware address that has an invalid length.

Procedure

Find out the interface that initiates the attack according to the SourceInterface field in the alarm message.
Find out the user who sends attack packets according to the SourceMAC field.
Check whether the user host runs abnormally; if not, the user may be an attacker. In this case, you can take measures to prevent the user, for example, disconnect the user from the network.

SECE/3/ARPS_DROP_PACKET_IF_SPDLMT

Message

SECE/3/ARPS_DROP_PACKET_IF_SPDLMT: Rate of arp packets on interface exceeds the limit. (SourceMAC=[STRING], SourceIP=[STRING], SourceInterface=[STRING], DropTime=[STRING])

Description

The rate of ARP packets on the interface exceeds the threshold.

Parameters

Parameter Name	Parameter Meaning
SourceMAC	Indicates the source MAC address of the ARP packets.
SourceIP	Indicates the source IP address of the ARP packets.
SourceInterface	Indicates the source interface of the ARP packets.
DropTime	Indicates the packet discard time.

Possible Causes

The rate of ARP packets on the interface exceeds the threshold.

Procedure

If the processing speed becomes slow or the CPU usage is high, a large number of ARP packets are sent to the CPU. To make the device run properly, run the arp anti-attack rate-limit command to reduce the rate threshold of ARP packets.

SECE/3/ARPS_DROP_PACKET_LENTH

Message

SECE/3/ARPS_DROP_PACKET_LENTH: Invalid packet length. (PacketLength=[ULONG], SourceMAC=[STRING], SourceIP=[STRING], SourceInterface=[STRING], DropTime=[STRING])

Description

The length of the ARP packet is invalid.

Parameters

Parameter Name	Parameter Meaning
PacketLength	Indicates the length of the ARP packet. The length ranges from 60 to 1518.
SourceMAC	Indicates the source MAC address of the ARP packets.
SourceIP	Indicates the source IP address of the ARP packets.
SourceInterface	Indicates the source interface of the ARP packets.
DropTime	Indicates the packet discard time.

Possible Causes

The device receives an ARP packet of invalid length.

Procedure

Find out the interface that initiates the attack according to the SourceInterface field in the alarm message.
Find out the user who sends attack packets according to the SourceMAC field.
Check whether the user host runs abnormally; if not, the user may be an attacker. In this case, you can take measures to prevent the user, for example, disconnect the user from the network.

SECE/3/ARPS_DROP_PACKET_OPTYPE

Message

SECE/3/ARPS_DROP_PACKET_OPTYPE: Invalid packet optype. (OperateType=[ULONG], SourceMAC=[STRING], SourceIP=[STRING], SourceInterface=[STRING], DropTime=[STRING])

Description

The type of the ARP packet is invalid.

Parameters

Parameter Name	Parameter Meaning
OperateType	Indicates the type of ARP packets.
SourceMAC	Indicates the source MAC address of the ARP packets.
SourceIP	Indicates the source IP address of the ARP packets.
SourceInterface	Indicates the source interface of the ARP packets.
DropTime	Indicates the packet discard time.

Possible Causes

The device receives an ARP packet of invalid type.

Procedure

Find out the interface that initiates the attack according to the SourceInterface field in the alarm message.
Find out the user who sends attack packets according to the SourceMAC field.
Check whether the user host runs abnormally; if not, the user may be an attacker. In this case, you can take measures to prevent the user, for example, disconnect the user from the network.

SECE/3/ARPS_DROP_PACKET_PROADDR_LEN

Message

SECE/3/ARPS_DROP_PACKET_PROADDR_LEN: Invalid protocol address length. (ProAddressLength=[ULONG], SourceMAC=[STRING], SourceIP=[STRING], SourceInterface=[STRING], DropTime=[STRING])

Description

The protocol address length in the ARP packet is invalid.

Parameters

Parameter Name	Parameter Meaning
ProAddressLength	Indicates the length of ARP packets.
SourceMAC	Indicates the source MAC address of the ARP packets.
SourceIP	Indicates the source IP address of the ARP packets.
SourceInterface	Indicates the source interface of the ARP packets.
DropTime	Indicates the packet discard time.

Possible Causes

The device receives an ARP packet with the protocol address that has an invalid length.

Procedure

Find out the interface that initiates the attack according to the SourceInterface field in the alarm message.
Find out the user who sends attack packets according to the SourceMAC field.
Check whether the user host runs abnormally; if not, the user may be an attacker. In this case, you can take measures to prevent the user, for example, disconnect the user from the network.

SECE/3/ARPS_DROP_PACKET_SRC_MAC

Message

SECE/3/ARPS_DROP_PACKET_SRC_MAC: Invalid source mac address. (SourceMAC=[STRING], SourceIP=[STRING], SourceInterface=[STRING], DropTime=[STRING])

Description

The source MAC address in the ARP packet is invalid.

Parameters

Parameter Name	Parameter Meaning
SourceMAC	Indicates the source MAC address of the ARP packets.
SourceIP	Indicates the source IP address of the ARP packets.
SourceInterface	Indicates the source interface of the ARP packets.
DropTime	Indicates the packet discard time.

Possible Causes

The device receives an ARP packet with invalid source MAC address.

Procedure

Find out the interface that initiates the attack according to the SourceInterface field in the alarm message.
Find out the user who sends attack packets according to the SourceMAC field.
Check whether the user host runs abnormally; if not, the user may be an attacker. In this case, you can take measures to prevent the user, for example, disconnect the user from the network.

SECE/3/ARPS_DROP_PACKET_VLAN_SPDLMT

Message

SECE/3/ARPS_DROP_PACKET_VLAN_SPDLMT: Rate of arp packets in vlan exceeds the limit. (SourceMAC=[STRING], SourceIP=[STRING], SourceInterface=[STRING], Vlan=[ULONG], DropTime=[STRING])

Description

The rate of ARP packets in the VLAN exceeds the threshold.

Parameters

Parameter Name	Parameter Meaning
SourceMAC	Indicates the outer VLAN ID of packets.
SourceIP	Indicates the source MAC address of the ARP packets.
SourceInterface	Indicates the source IP address of the ARP packets.
Vlan	Indicates the source interface of the ARP packets.
DropTime	Indicates the packet discard time.

Possible Causes

The rate of ARP packets in the VLAN exceeds the threshold.

Procedure

If the processing speed becomes slow or the CPU usage is high, a large number of ARP packets are sent to the CPU. To make the device run properly, run the arp anti-attack rate-limit command to reduce the rate threshold of ARP packets.

SECE/4/ARPSNP_TABLE_FULL

Message

SECE/4/ARPSNP_TABLE_FULL: The number of ARP snooping entries has reached the specifications. (Specifications=[ULONG])

Description

The number of ARP snooping entries has reached the upper limit.

Parameters

Parameter Name	Parameter Meaning
Specifications	Number of ARP snooping entries.

Possible Causes

The switch generates too many ARP snooping entries and the number of ARP snooping entries reaches the upper limit.

Procedure

If no update packet is received after the aging time of an ARP snooping entry expires, the entry is deleted. Wait for a period of time and check whether this log still exists.
- If so, go to step 2.
- If not, go to step 3.
Run the reset arp snooping { all | interface interface-type interface-number | vlan vlan-id | ip-address ip-address | mac-address mac-address } command to delete unnecessary ARP snooping entries.
End.

SECE/4/DAI_DROP_PACKET

Message

SECE/4/DAI_DROP_PACKET: Not hit the user-bind table. (SourceMAC=[STRING], SourceIP=[STRING], SourceInterface=[STRING], DropTime=[STRING])

Description

The ARP packet does not match any entry in the DHCP snooping binding table.

Parameters

Parameter Name	Parameter Meaning
SourceMAC	Indicates the source MAC address of the ARP packets.
SourceIP	Indicates the source IP address of the ARP packets.
SourceInterface	Indicates the source interface of the ARP packets.
DropTime	Indicates the packet discard time.

Possible Causes

The device receives an ARP packet that does not match any entry in the DHCP snooping binding table.

Procedure

Find out the interface where attacks occur according to Interface in the alarm message.
Run the display dhcp snooping user-bind command to check whether users who are not in the DHCP snooping binding table range are connected.
If new users are connected, run related DHCP snooping commands to generate the DHCP snooping binding entry.

SECE/4/GWCONFLICT

Message

SECE/4/GWCONFLICT: Attack occurred. (AttackType=Gateway Attack, SourceInterface=[STRING], SourceMAC=[STRING], PVlanID=[ULONG])

Description

An address conflicts with the gateway address.

Parameters

Parameter Name	Parameter Meaning
SourceInterface	Indicates the interface that initiates the attack.
SourceMAC	Indicates the MAC address of the attack source.
PVlanID	Indicates the outer VLAN ID or single VLAN ID of the attack source.

Possible Causes

An address conflicts with the gateway address.

Procedure

1. Run the display arp anti-attack gateway-duplicate item command to view the attacker.

SECE/4/ICMP_GLOBAL_RATELIMIT

Message

SECE/4/ICMP_GLOBAL_RATELIMIT: The rate of global ICMP packets exceeded the limit. (Threshold=[ULONG] packets per second)

Description

The total rate of ICMP packets on all interfaces has exceeded the rate limit.

Parameters

Parameter Name	Parameter Meaning
Threshold	Indicates the global rate limit for ICMP packets.

Possible Causes

The rate of ICMP packets received in the system exceeds the configured global rate limit.

Procedure

If responses to ping operations are affected due to a small global rate limit for ICMP packets, run the icmp rate-limit total threshold threshold-value command to increase the global rate limit.

SECE/4/ICMP_INTF_RATELIMIT

Message

SECE/4/ICMP_INTF_RATELIMIT: The rate of ICMP packets on the interface exceeded the limit. (SourceInterface=[STRING], Threshold=[ULONG] packets per second)

Description

The rate of IGMP packets on an interface has exceeded the rate limit.

Parameters

Parameter Name	Parameter Meaning
SourceInterface	Indicates the source interface of ICMP packets.
Threshold	Indicates the rate limit for ICMP packets.

Possible Causes

The rate of ICMP packets received on an interface exceeds the configured rate limit.

Procedure

If responses to ping operations are affected due to a small rate limit for ICMP packets on the interface, run the icmp rate-limit interface interface-type interface-number threshold threshold-value command to increase the rate limit on the interface.
If the number of ICMP packets received on the interface exceeds the global upper rate limit, run the icmp rate-limit total threshold threshold-value command to increase the global rate limit of ICMP packets, in addition to increasing the rate limit of ICMP packets on the interface.

SECE/4/ILLEGAL_IP_DROP_STAT

Message

SECE/4/ILLEGAL_IP_DROP_STAT: There are [STRING1] IP packets dropped due to invalid destination IP addresses. (ZeroIp=[STRING], LoopBackIp=[STRING], ClassEIp=[STRING])

Description

The device discards IP packets with invalid destination IP addresses and collects statistics on these packets.

Parameters

Parameter Name	Parameter Meaning
[STRING1]	Total number of discarded IP packets with invalid destination IP addresses.
ZeroIp	Number of IP packets destined to 0.0.0.0.
LoopBackIp	Number of IP packets destined to a loopback address.
ClassEIp	Number of IP packets destined to a Class E IP address.

Possible Causes

The drop illegal-dst-ip enable command has been run on the device to discard IP packets with invalid destination IP addresses. This log records the statistics about the discarded IP packets.

The following three types of IP addresses are invalid destination IP addresses and should not be used on the network:

IP address with all 0s, that is, 0.0.0.0
IP addresses with a network ID of 127, that is, 127.0.0.0 to 127.255.255.255
Class E IP addresses except 255.255.255.255, that is, 240.0.0.0 to 255.255.255.254

Procedure

Check whether the device is attacked. If so, eliminate the sources where attacks are initiated.
Collect log information and configuration information, and then contact technical support personnel.You can collect diagnostic information using the display diagnostic-information command.

SECE/4/IPSG_VLANDROP_PACKET

Message

SECE/4/IPSG_VLANDROP_PACKET: IP packets dropped by IPSG. (VLAN=[ULONG], DropPacketNumber=[ULONG], DropTime=[STRING])

Description

IP packets in a VLAN are discarded by IPSG.

Parameters

Parameter Name	Parameter Meaning
VLAN	Indicates the VLAN ID of the packets.
DropPacketNumber	Indicates the number of discarded packets.
DropTime	Indicates the packet discard time.

Possible Causes

The device receives an IP packet that does not match any entry in the DHCP snooping binding table.

Procedure

Find out the VLAN where attacks occur according to VLAN in the alarm message.
Run the display dhcp snooping user-bind command to check whether users who are not in the DHCP snooping binding table range are connected.
If new users are connected, run related DHCP snooping commands to generate the DHCP snooping binding entry.

SECE/4/IPSG_DROP_PACKET

Message

SECE/4/IPSG_DROP_PACKET: IP packets dropped by IPSG. (SourceInterface=[STRING], DropPacketNumber=[ULONG], DropTime=[STRING])

Description

IP packets in an interface are discarded by IPSG.

Parameters

Parameter Name	Parameter Meaning
SourceInterface	Indicates the source interface of the packets.
DropPacketNumber	Indicates the number of discarded packets.
DropTime	Indicates the packet discard time.

Possible Causes

The device receives an IP packet that does not match any entry in the DHCP snooping binding table.

Procedure

Find out the interface where attacks occur according to Interface in the log message.
Run the display dhcp snooping user-bind command to check whether users who are not in the DHCP snooping binding table range are connected.
If new users are connected, run related DHCP snooping commands to generate the DHCP snooping binding entry.

SECE/4/IPSG_TABLE_RESOURCE

Message

SECE/4/IPSG_TABLE_RESOURCE: Resource for [STRING1] in slot [STRING2] is not enough.

Description

The hardware resources on the device are insufficient.

Parameters

Parameter Name	Parameter Meaning
[STRING1]	Indicates a resource type.
[STRING2]	Indicates a slot number.

Possible Causes

The IP source guard function is enabled, but the device does not have enough hardware resources for the IP source guard function. The IP source guard function may not take effect.

Procedure

Run the display acl resource [ slot slot ] command to view information about ACL resources, including ACL4 and ACL6 resources.
Run the display current-configuration command to check the current configuration on the switch.
Check the services that occupy ACL resources based on ACL resource information and the current configuration as follows, and delete unnecessary services to release ACL resources.
- Check whether NAC, IPSG, MQC, and ACL-based simplified traffic policy services that occupy a large amount of ACL resources exist on the switch.
- Check the services that occupy ACL resources based on fields in the ACL resource information. For example, MQC, ACL-based simplified traffic policy, SVF, MPLS, and BFD for VPLS services occupy UDF ACL resources. If a large amount of UDF ACL resources are occupied, check these services first.
If the fault persists, collect log information and configuration information, and then contact technical support personnel. You can collect diagnostic information using the display diagnostic-information command.

SECE/6/MFF_GW_MAC_CHANGED

Message

SECE/6/MFF_GW_MAC_CHANGED: The MAC of a gateway is changed. (IP=[IPADDR], OldMAC=[OCTET], NewMAC=[OCTET])

Description

The MAC address matching the MFF gateway's IP address changes.

Parameters

Parameter Name	Parameter Meaning
IP	Indicates the IP address of the MFF gateway.
OldMAC	Indicates the original MAC address of the MFF gateway.
NewMAC	Indicates the changed MAC address of the MFF gateway.

Possible Causes

The MAC address matching the MFF gateway's IP address changes.

Procedure

Check whether the gateway has changed its MAC address.
If the MAC address of the gateway is changed, no operation is required.
If the MAC address of the gateway is not changed, run the display mac-address command to check whether the VLAN ID and interface matching the changed MAC address are valid.
If the MAC address belongs to an authorized user, the user's MAC address conflict with the MFF gateway's MAC address. Request the network administrator to change the user's MAC address or MFF gateway's MAC address.
If the MAC address belongs to an unauthorized user, run the mac-address blackhole command to discard the packets from this user.
If the fault persists, collect log information and configuration information, and then contact technical support personnel. You can collect diagnostic information using the display diagnostic-information command.

SECE/3/NOT_SUPPORT

Message

SECE/3/NOT_SUPPORT: Slot [STRING] does not support [STRING].

Description

The service is not supported by the LPU.

Parameters

Parameter Name	Parameter Meaning
[STRING]	Indicates a slot ID.
[STRING]	Indicates the service type, for example, IPST.

Possible Causes

The service is delivered to all LPUs, and this log is printed for the LPUs that do not support this service.

Procedure

Replace the LPU with an LPU that supports this service. For details, see S7700 V200R019C10 Configuration Guide - Security.

SECE/4/OLC_DELAY_TASK

Message

SECE/4/OLC_DELAY_TASK: Task is delayed because cpu is overloaded on the board in slot [STRING]. (Task=[STRING], RunTime=[ULONG] ms, DelayTime=[ULONG] ms)

Description

The CPU usage reached the OLC start threshold, and the monitored task was delayed.

Parameters

Parameter Name	Parameter Meaning
slot	Indicates the slot ID.
Task	Indicates the task name.
RunTime	Indicates the task running time, in milliseconds.
DelayTime	Indicates the delay in processing the task, in milliseconds.

Possible Causes

A large amount of traffic of a monitored task was sent to the CPU or an attack was initiated.

Procedure

Run the display cpu-usage command to view the current CPU usage.
Run the display cpu-overload-control statistics command to view OLC statistics to locate the task that is delayed.
If the CPU usage is within the acceptable range, run the undo cpu-overload-control task enable command to disable the OLC function for the task. Otherwise, no further action is required.

SECE/4/OLC_DROP_PACKET

Message

SECE/4/OLC_DROP_PACKET: Some packets are dropped because cpu is overloaded on the board in slot [STRING]. (Protocol=[STRING], PassedPacketCount= [ULONG], DroppedPacketCount=[ULONG])

Description

The CPU usage reached the OLC start threshold, and the monitored protocol packets were discarded.

Parameters

Parameter Name	Parameter Meaning
slot	Indicates the slot ID.
Protocol	Indicates the protocol type of packets.
PassedPacketCount	Indicates the number of passed packets.
DroppedPacketCount	Indicates the number of discarded packets.

Possible Causes

A large number of packets of a monitored protocol were sent to the CPU or an attack was initiated.

Procedure

Run the display cpu-usage command to view the current CPU usage.
Run the display cpu-overload-control statistics command to view OLC statistics to locate the type of discarded protocol packets.
If the CPU usage is within the acceptable range, run the cpu-overload-control packet-type disable command to disable the OLC function for the protocol. Otherwise, no further action is required.

SECE/4/PORT_ATTACK

Message

SECE/4/PORT_ATTACK: Port attack occurred. (Slot=[STRING], SourceAttackInterface=[STRING], OuterVlan/InnerVlan=[ULONG]/[ULONG], AttackProtocol=[STRING], AttackPackets=[ULONG] packets per second)

Description

A lot of attack packets from the corresponding VLAN are received on the interface.

Parameters

Parameter Name	Parameter Meaning
Slot	Indicates the slot of an MPU or LPU.
SourceAttackInterface	Indicates the interface that initiates the attack.
OuterVlan	Indicates the outer VLAN ID or single VLAN ID of the attack source.
InnerVlan	Indicates the inner VLAN ID of the attack source.
AttackProtocol	Indicates the protocol type of attack packets.
AttackPackets	Indicates the rate of attack packets, in pps.

Possible Causes

A lot of attack packets from the corresponding VLAN are received on the interface.

Procedure

Run the display auto-defend attack-source command to check whether attack packets exist on the interfaces.
Analyze the features of attack packets, configure the traffic policy according to this information to perform CAR on the packets, and then apply this policy to the LPU or MPU where the attack occurred.
Collect log information and configuration information, and then contact technical support personnel. You can collect diagnostic information using the display diagnostic-information command.

SECE/6/PORT_ATTACK_END

Message

SECE/6/PORT_ATTACK_END: Auto port-defend stop. (SourceAttackInterface=[STRING], AttackProtocol=[STRING], ExceededPacketCountInSlot=[STRING])

Description

Port attack defense is canceled.

Parameters

Parameter Name	Parameter Meaning
SourceAttackInterface	Indicates the attack source interface.
AttackProtocol	Indicates the protocol type of attack packets.
ExceededPacketCountInSlot	Indicates the number of discarded packets. When port attack defense is triggered on multiple interfaces, packet loss may be recorded on other interfaces besides the interface recorded in the log.

Possible Causes

After you exclude an attack source, the device cancels attack defense on the interface.

Procedure

This log is informational only, and no action is required.

SECE/4/PORT_ATTACK_OCCUR

Message

SECE/4/PORT_ATTACK_OCCUR: Auto port-defend started. (SourceAttackInterface=[STRING], AttackProtocol=[STRING])

Description

Port attack defense is started.

Parameters

Parameter Name	Parameter Meaning
SourceAttackInterface	Indicates the attack source interface.
AttackProtocol	Indicates the protocol type of attack packets.

Possible Causes

When the device detects attack packets on an interface, the device starts attack defense on the interface.

Procedure

Check whether the attack actually occurs on the interface.
If an attack actually occurs, locate the attack source. If no attack occurs, reconfigure the port attack defense function to ensure that valid protocol packets can be sent to the CPU.

SECE/6/QUEUE_DROP

Message

SECE/6/QUEUE_DROP: Rate of packets to cpu exceeded the QUEUE limit. (SlotId=[STRING], Queue0DropNumber=[STRING], Queue1DropNumber=[STRING], Queue2DropNumber=[STRING], Queue3DropNumber=[STRING], Queue4DropNumber=[STRING], Queue5DropNumber=[STRING], Queue6DropNumber=[STRING], Queue7DropNumber=[STRING])

Description

Some packets in queues sent to the CPU were dropped.

Parameters

Parameter Name	Parameter Meaning
SlotId	Indicates a slot ID.
Queue0DropNumber/Queue1DropNumber/Queue2DropNumber/Queue3DropNumber/Queue4DropNumber/Queue5DropNumber/Queue6DropNumber/Queue7DropNumber	Indicates the number of packets dropped in every 10 minutes in queues 0 to 7.

Possible Causes

A large CPCAR value was set for packets to be sent to the CPU. As a result, a large number of packets were sent to the CPU.

Procedure

Run the display cpu-defend configuration slot slot-id command to check whether the CPCAR value configured for each type of protocol packets is correct. The default CPCAR value is recommended.
Collect log information and configuration information, and then contact technical support personnel. You can collect diagnostic information using the display diagnostic-information command.

SECE/3/RESOURCE_INSUFFIEIENT

Message

SECE/3/RESOURCE_INSUFFIEIENT: Resource for [STRING1] in slot [STRING2] is insufficient.

Description

Attack source tracing, CAR, whitelist configuration, blacklist configuration, IP Source Trail, storm control, traffic-pppoe, or traffic suppression in VLANs fails due to insufficient resources.

Parameters

Parameter Name	Parameter Meaning
STRING1	Indicates the operation type.
STRING2	Indicates the slot id.

Possible Causes

Attack source tracing, CAR, whitelist configuration, blacklist configuration, IP Source Trail, storm control, traffic-pppoe, or suppression on broadcast, unknown multicast, or unknown unicast packets in VLANs fails.

Procedure

Run the display acl resource [ slot slot ] command to view information about ACL resources, including ACL4 and ACL6 resources.
Run the display current-configuration command to check the current configuration on the switch.
Check the services that occupy ACL resources based on ACL resource information and the current configuration as follows, and delete unnecessary services to release ACL resources.
- Check whether NAC, IPSG, MQC, and ACL-based simplified traffic policy services that occupy a large amount of ACL resources exist on the switch.
- Check the services that occupy ACL resources based on fields in the ACL resource information. For example, MQC, ACL-based simplified traffic policy, SVF, MPLS, and BFD for VPLS services occupy UDF ACL resources. If a large amount of UDF ACL resources are occupied, check these services first.
If the fault persists, collect log information and configuration information, and then contact technical support personnel. You can collect diagnostic information using the display diagnostic-information command.

SECE/3/MFF_RESOURCE_LACK

Message

SECE/3/MFF_RESOURCE_LACK: Resource for MFF in slot [STRING] is not enough. (Vlan=[ULONG])

Description

The ACL resources corresponding to MFF are insufficient, so delivery of ACL resources fails.

Parameters

Parameter Name	Parameter Meaning
slot	Specifies the slot ID.
Vlan	Specifies a VLAN ID.

Possible Causes

When MFF is enabled in the VLAN view, if the ACL resources are insufficient, the device will generate this log.

Procedure

Run the display acl resource [ slot slot ] command to view information about ACL resources, including ACL4 and ACL6 resources.
Run the display current-configuration command to check the current configuration on the switch.
Check the services that occupy ACL resources based on ACL resource information and the current configuration as follows, and delete unnecessary services to release ACL resources.
- Check whether NAC, IPSG, MQC, and ACL-based simplified traffic policy services that occupy a large amount of ACL resources exist on the switch.
- Check the services that occupy ACL resources based on fields in the ACL resource information. For example, MQC, ACL-based simplified traffic policy, SVF, MPLS, and BFD for VPLS services occupy UDF ACL resources. If a large amount of UDF ACL resources are occupied, check these services first.
If the fault persists, collect log information and configuration information, and then contact technical support personnel. You can collect diagnostic information using the display diagnostic-information command.

SECE/3/IPSG_RESOURCE_LACK

Message

SECE/3/IPSG_RESOURCE_LACK: Resource for IP Source Guard in slot [STRING] is not enough. (Vlan=[ULONG])

Description

The ACL resources corresponding to IPSG are insufficient, so delivery of ACL resources fails.

Parameters

Parameter Name	Parameter Meaning
slot	Specifies the slot ID.
Vlan	Specifies a VLAN ID.

Possible Causes

When IPSG is enabled in the VLAN view, if the ACL resources are insufficient, the device will generate this log.

Procedure

Run the display acl resource [ slot slot ] command to view information about ACL resources, including ACL4 and ACL6 resources.
Run the display current-configuration command to check the current configuration on the switch.
Check the services that occupy ACL resources based on ACL resource information and the current configuration as follows, and delete unnecessary services to release ACL resources.
- Check whether NAC, IPSG, MQC, and ACL-based simplified traffic policy services that occupy a large amount of ACL resources exist on the switch.
- Check the services that occupy ACL resources based on fields in the ACL resource information. For example, MQC, ACL-based simplified traffic policy, SVF, MPLS, and BFD for VPLS services occupy UDF ACL resources. If a large amount of UDF ACL resources are occupied, check these services first.
If the fault persists, collect log information and configuration information, and then contact technical support personnel. You can collect diagnostic information using the display diagnostic-information command.

SECE/4/SPECIFY_SIP_ATTACK

Message

SECE/4/SPECIFY_SIP_ATTACK: The specified source IP address attack occurred. (Slot=[STRING], SourceAttackIP=[STRING], AttackProtocol=[STRING], AttackPackets=[ULONG] packets per second)

Description

The attack source is displayed when a device is attacked.

Parameters

Parameter Name	Parameter Meaning
Slot	Indicates the slot of an MPU or LPU.
SourceAttackIP	Indicates the source IP address of an attack.
AttackProtocol	Indicates the protocol type of attack packets.
AttackPackets	Indicates the rate of attack packets, in pps.

Possible Causes

A lot of attack packets from the corresponding IP address were received on the interface.

Procedure

Run the display auto-defend attack-source command to check whether the user attack packets exist.
If so, run the auto-defend action deny [ timer time-length ] command to discard the attack packets.
If the fault persists, collect log information and configuration information, and then contact technical support personnel. You can collect diagnostic information using the display diagnostic-information command.

SECE/4/STICKY_MAC_CONFLICT

Message

SECE/4/STICKY_MAC_CONFLICT: The MAC address entry of another type already exists. (MAC=[OCTET])

Description

The device failed to generate a snooping MAC entry after the user-bind ip sticky-mac command was run.

Parameters

Parameter Name	Parameter Meaning
MAC	MAC address that conflicts with the MAC address in the snooping MAC entry.

Possible Causes

A static MAC address on the device contains the same MAC address as that in the snooping MAC entry and its type is different from that of the snooping MAC entry.

Procedure

The switch already has static MAC entries. The static MAC entries are not updated dynamically. Therefore, snooping MAC entries do not need to be generated based on the binding table. This log is informational only, and no action is required.

SECE/4/STORMCTRL_BC_BLOCKED

Message

SECE/4/STORMCTRL_BC_BLOCKED: Broadcast packets are blocked at interface [STRING].

Description

Broadcast packets were blocked on the interface.

Parameters

Parameter Name	Parameter Meaning
[STRING]	Indicates the interface name.

Possible Causes

A broadcast storm occurred on the interface, and the rate of broadcast packets received on the interface exceeded the upper threshold specified by the storm-control command. As a result, broadcast packets were blocked on the interface.

Procedure

Check whether the broadcast storm is caused by a loop. If so, remove the loop. When the average rate of broadcast packets received on the interface falls below the lower threshold, broadcast packets are properly forwarded by the interface. For the broadcast storm troubleshooting procedure, see MAC Address Flapping Occurs on a Layer 2 Network and STP Faults Occur in the Revelations of Troublesolving.

SECE/3/STORMCTRL_BC_FAIL

Message

SECE/3/STORMCTRL_BC_FAIL: Failed to block broadcast packets from the Interface [STRING] because the hardware resources are insufficient.

Description

An interface fails to block broadcast packets because ACL resources are insufficient.

Parameters

Parameter Name	Parameter Meaning
[STRING]	Indicates the interface name.

Possible Causes

ACL resources are insufficient.

Procedure

Run the display acl resource [ slot slot ] command to view information about ACL resources, including ACL4 and ACL6 resources.
Run the display current-configuration command to check the current configuration on the switch.
Check the services that occupy ACL resources based on ACL resource information and the current configuration as follows, and delete unnecessary services to release ACL resources.
- Check whether NAC, IPSG, MQC, and ACL-based simplified traffic policy services that occupy a large amount of ACL resources exist on the switch.
- Check the services that occupy ACL resources based on fields in the ACL resource information. For example, MQC, ACL-based simplified traffic policy, SVF, MPLS, and BFD for VPLS services occupy UDF ACL resources. If a large amount of UDF ACL resources are occupied, check these services first.
If the fault persists, collect log information and configuration information, and then contact technical support personnel. You can collect diagnostic information using the display diagnostic-information command.

SECE/4/STORMCTRL_BC_UNBLOCK

Message

SECE/4/STORMCTRL_BC_UNBLOCK: Broadcast packets are unblocked at interface [STRING].

Description

Broadcast packets are forwarded on the interface.

Parameters

Parameter Name	Parameter Meaning
[STRING]	Indicates the interface name.

Possible Causes

The broadcast traffic on interfaces does not reach the lower limit of storm control.

Procedure

This log message is informational and no action is required.

SECE/4/STORMCTRL_IF_NORMAL

Message

SECE/4/STORMCTRL_IF_NORMAL: Interface [STRING] is normal for storm-control.

Description

The interface status is recovered.

Parameters

Parameter Name	Parameter Meaning
[STRING]	Indicates the interface name.

Possible Causes

The interface status is changed from shutdown to normal.
The upper and lower limits of storm control are deleted.
The storm suppression action is canceled.

Procedure

This log message is informational and no action is required.

SECE/4/STORMCTRL_IF_ERROR_DOWN

Message

SECE/4/STORMCTRL_IF_ERROR_DOWN: Interface [STRING] is error-down for storm-control.

Description

The storm control function was configured, and a broadcast storm occurred on the interface. As a result, the interface status became Error-Down.

Parameters

Parameter Name	Parameter Meaning
[STRING]	Indicates the interface name.

Possible Causes

The storm control function was configured on the interface, and the storm control action was set to error-down. A broadcast storm occurred due to a loop, attack, or hardware fault, and the average rate of broadcast, multicast, or unknown unicast packets exceeded the upper threshold. As a result, the storm control action was performed and the interface status became Error-Down.

Procedure

Check whether the broadcast storm is caused by a loop. If so, remove the loop. For the broadcast storm troubleshooting procedure, see MAC Address Flapping Occurs on a Layer 2 Network and STP Faults Occur in the Revelations of Troublesolving.
Run shutdown and undo shutdown commands in sequence on the interface. If many interfaces are in Error-Down state, run the error-down auto-recovery cause storm-control interval interval-value command in the system view to enable these interfaces to go Up and set a recovery delay. Then run the display error-down recovery command to check whether there are still interfaces in Error-Down state.

SECE/4/STORMCTRL_MC_BLOCKED

Message

SECE/4/STORMCTRL_MC_BLOCKED: Multicast packets are blocked at interface [STRING].

Description

Multicast packets were blocked on the interface.

Parameters

Parameter Name	Parameter Meaning
[STRING]	Indicates the interface name.

Possible Causes

A broadcast storm occurred on the interface, and the rate of multicast packets received on the interface exceeded the upper threshold specified by the storm-control command. As a result, multicast packets were blocked on the interface.

Procedure

Check whether the broadcast storm is caused by a loop. If so, remove the loop. When the average rate of multicast packets received on the interface falls below the lower threshold, multicast packets are properly forwarded by the interface. For the broadcast storm troubleshooting procedure, see MAC Address Flapping Occurs on a Layer 2 Network and STP Faults Occur in the Revelations of Troublesolving.

SECE/3/STORMCTRL_MC_FAIL

Message

SECE/3/STORMCTRL_MC_FAIL: Failed to block multicast packets from the Interface [STRING] because the hardware resources are insufficient.

Description

An interface fails to block multicast packets because ACL resources are insufficient.

Parameters

Parameter Name	Parameter Meaning
[STRING]	Indicates the interface name.

Possible Causes

ACL resources are insufficient.

Procedure

Run the display acl resource [ slot slot ] command to view information about ACL resources, including ACL4 and ACL6 resources.
Run the display current-configuration command to check the current configuration on the switch.
Check the services that occupy ACL resources based on ACL resource information and the current configuration as follows, and delete unnecessary services to release ACL resources.
- Check whether NAC, IPSG, MQC, and ACL-based simplified traffic policy services that occupy a large amount of ACL resources exist on the switch.
- Check the services that occupy ACL resources based on fields in the ACL resource information. For example, MQC, ACL-based simplified traffic policy, SVF, MPLS, and BFD for VPLS services occupy UDF ACL resources. If a large amount of UDF ACL resources are occupied, check these services first.
If the fault persists, collect log information and configuration information, and then contact technical support personnel. You can collect diagnostic information using the display diagnostic-information command.

SECE/4/STORMCTRL_MC_UNBLOCK

Message

SECE/4/STORMCTRL_MC_UNBLOCK: Multicast packets are unblocked at interface [STRING].

Description

Multicast packets are forwarded on the interface.

Parameters

Parameter Name	Parameter Meaning
[STRING]	Indicates the interface name.

Possible Causes

The multicast traffic on interfaces does not reach the lower limit of storm control.

Procedure

This log message is informational and no action is required.

SECE/4/STORMCTRL_UC_BLOCKED

Message

SECE/4/STORMCTRL_UC_BLOCKED: Unicast packets are blocked at interface [STRING].

Description

Unknown unicast packets were blocked on the interface.

Parameters

Parameter Name	Parameter Meaning
[STRING]	Indicates the interface name.

Possible Causes

A broadcast storm occurred on the interface, and the rate of unknown unicast packets received on the interface exceeded the upper threshold specified by the storm-control command. As a result, unknown unicast packets were blocked on the interface.

Procedure

Check whether the broadcast storm is caused by a loop. If so, remove the loop. When the average rate of unknown unicast packets received on the interface falls below the lower threshold, unknown unicast packets are properly forwarded by the interface. For the broadcast storm troubleshooting procedure, see MAC Address Flapping Occurs on a Layer 2 Network and STP Faults Occur in the Revelations of Troublesolving.

SECE/3/STORMCTRL_UC_FAIL

Message

SECE/3/STORMCTRL_UC_FAIL: Failed to block unicast packets from the Interface [STRING] because the hardware resources are insufficient.

Description

An interface fails to block unknown unicast packets because ACL resources are insufficient.

Parameters

Parameter Name	Parameter Meaning
[STRING]	Indicates the interface name.

Possible Causes

ACL resources are insufficient.

Procedure

Run the display acl resource [ slot slot ] command to view information about ACL resources, including ACL4 and ACL6 resources.
Run the display current-configuration command to check the current configuration on the switch.
Check the services that occupy ACL resources based on ACL resource information and the current configuration as follows, and delete unnecessary services to release ACL resources.
- Check whether NAC, IPSG, MQC, and ACL-based simplified traffic policy services that occupy a large amount of ACL resources exist on the switch.
- Check the services that occupy ACL resources based on fields in the ACL resource information. For example, MQC, ACL-based simplified traffic policy, SVF, MPLS, and BFD for VPLS services occupy UDF ACL resources. If a large amount of UDF ACL resources are occupied, check these services first.
If the fault persists, collect log information and configuration information, and then contact technical support personnel. You can collect diagnostic information using the display diagnostic-information command.

SECE/4/STORMCTRL_UC_UNBLOCK

Message

SECE/4/STORMCTRL_UC_UNBLOCK: Unicast packets are unblocked at interface [STRING].

Description

Unknown unicast packets are forwarded on the interface.

Parameters

Parameter Name	Parameter Meaning
[STRING]	Indicates the interface name.

Possible Causes

The unknown unicast traffic on interfaces does not reach the lower limit of storm control.

Procedure

This log message is informational and no action is required.

SECE/4/STRACK_DENY

Message

SECE/4/STRACK_DENY: Some packets are dropped because an attack is detected. (Interface=[OCTET], SourceIP=[IPADDR])

SECE/4/STRACK_DENY: Some packets are dropped because an attack is detected. (Interface=[OCTET], SourceMAC=[OCTET])

SECE/4/STRACK_DENY: Some packets are dropped because an attack is detected. (Interface=[OCTET], CVLAN=[INTEGER], PVLAN=[INTEGER])

Description

The switch discards some packets because it detects an attack.

Parameters

Parameter Name	Parameter Meaning
Interface	Indicates the interface that receives attack packets.
SourceMAC	Indicates the source MAC address of attack packets.
SourceIP	Indicates the source IP address of attack packets.
CVLAN	Indicates the inner VLAN ID of attack packets.
PVLAN	Indicates the outer VLAN ID of attack packets.

Possible Causes

The attack tracing module detects an attack, and the attack defense action is set to deny.

Procedure

Check whether the discarded packets are sent from an authorized user.
If the sender is an authorized user, run the auto-defend whitelist whitelist-num { acl acl_number | interface interface-type interface-number } command to add the user to the whitelist. Then packets sent from this user are not discarded.
If the sender is an attacker, you do not need to perform any operation.

SECE/4/STRACK_ERROR_DOWN

Message

SECE/4/STRACK_ERROR_DOWN: Interface's status is changed to error-down because an attack is detected. (Interface=[OCTET])

Description

An interface transitions to error-down state because an attack is detected on the interface.

Parameters

Parameter Name	Parameter Meaning
Interface	Indicates the interface that receives attack packets.

Possible Causes

The attack tracing module detects an attack, and the attack defense action is set to error-down.

Procedure

Check whether the discarded packets are sent from an authorized user.
If the sender is an authorized user, run the auto-defend whitelist whitelist-num { acl acl_number | interface interface-type interface-number } command to add the user to the whitelist. Then packets sent from this user are not discarded.
If the sender is an attacker, you do not need to perform any operation.

SECE/3/STRACK_RESOURCE_LACK

Message

SECE/3/STRACK_RESOURCE_LACK: Resource for [STRING1] in slot [STRING2] is not enough.

Description

The resource for attack source tracing is insufficient.

Parameters

Parameter Name	Parameter Meaning
[STRING1]	Indicates the service type.
[STRING2]	Indicates a slot ID.

Possible Causes

The discard action in attack source tracing is implemented using ACL resource. The deny action fails to be delivered because the ACL resource is insufficient.

Procedure

Run the display acl resource [ slot slot ] command to view information about ACL resources, including ACL4 and ACL6 resources.
Run the display current-configuration command to check the current configuration on the switch.
Check the services that occupy ACL resources based on ACL resource information and the current configuration as follows, and delete unnecessary services to release ACL resources.
- Check whether NAC, IPSG, MQC, and ACL-based simplified traffic policy services that occupy a large amount of ACL resources exist on the switch.
- Check the services that occupy ACL resources based on fields in the ACL resource information. For example, MQC, ACL-based simplified traffic policy, SVF, MPLS, and BFD for VPLS services occupy UDF ACL resources. If a large amount of UDF ACL resources are occupied, check these services first.
If the fault persists, collect log information and configuration information, and then contact technical support personnel. You can collect diagnostic information using the display diagnostic-information command.

SECE/4/USER_ATTACK

Message

SECE/4/USER_ATTACK: User attack occurred. (Slot=[STRING], SourceAttackInterface=[STRING], OuterVlan/InnerVlan=[ULONG ]/[ULONG], UserMacAddress=[STRING], AttackProtocol=[STRING], AttackPackets=[ULONG] packets per second)

Description

User attack information is generated on an MPU or LPU.

Parameters

Parameter Name	Parameter Meaning
Slot	Indicates the slot of an MPU or LPU.
SourceAttackInterface	Indicates the interface that initiates the attack.
OuterVlan	Indicates the outer VLAN ID or single VLAN ID of the attack source.
InnerVlan	Indicates the inner VLAN ID of the attack source.
UserMacAddress	Indicates the MAC address of the attack source.
AttackProtocol	Indicates the protocol type of attack packets.
AttackPackets	Indicates the rate of attack packets, in pps.

Possible Causes

A lot of attack packets from the corresponding VLAN or MAC address are received on the interface.

Procedure

Run the display auto-defend attack-source command to check whether user attack packets exist.
Analyze the features of attack packets, configure the traffic policy according to this information to perform CAR on the packets, and then apply this policy to the LPU or MPU where the attack occurred.
Collect log information and configuration information, and then contact technical support personnel. You can collect diagnostic information using the display diagnostic-information command.

SECE/3/RESOURCE_LACK(STRACK)

Message

SECE/3/RESOURCE_LACK: Resource for STRACK in slot [STRING] is not enough.

Description

The hardware resources on the LPU were insufficient for the attack source tracing function.

Parameters

Parameter Name	Parameter Meaning
[STRING]	Indicates the slot ID of the LPU.

Possible Causes

The discard action in attack source tracing was implemented using ACL resources. This action failed to be delivered due to insufficient ACL resources.

Procedure

Run the display current-configuration command to check the configurations that lead to insufficient ACL resources.
Adjust ACL resources. Delete unnecessary ACLs to release resources.
If the fault persists, collect log information and configuration information, and then contact technical support personnel. You can collect diagnostic information using the display diagnostic-information command.

SECE/4/UCSUPPRESS

Message

SECE/4/UCSUPPRESS: MAC address flapping started on port. The rate of unknown unicast packets was limited to 50% of the port bandwidth. (Interface=[STRING])

Description

The device detected MAC address flapping on an interface, and suppressed unknown unicast traffic to 50% of the interface rate.

Parameters

Parameter Name	Parameter Meaning
Interface	Indicates the name of an interface.

Possible Causes

When storm control and traffic suppression are not configured, the switch suppressed unknown unicast traffic on an interface when detecting MAC address flapping on this interface.

Procedure

Run the snmp-agent trap enable feature-name l2ifppi command to enable the alarm function for MAC address flapping, including hwmflpbdalarm for MAC address flapping in a BD, hwmflpvlanalarm for MAC address flapping in a VLAN and hwmflpvsialarm for MAC address flapping in a VSI. Check whether these alarms are generated.
- If so, go to step 2.
- If not, go to step 3.
Based on the generated alarms, take measures by referring to L2IFPPI_1.3.6.1.4.1.2011.5.25.160.3.7 hwMflpVlanAlarm, L2IFPPI_1.3.6.1.4.1.2011.5.25.160.3.17 hwMflpBdAlarm or L2IFPPI_1.3.6.1.4.1.2011.5.25.160.3.8 hwMflpVsiAlarm. Then, check whether the recovery log SECE/4/UCSUPPRESSRESUME is recorded.
- If so, no further action is required.
- If not, go to step 4.
Check whether the recovery log SECE/4/UCSUPPRESSRESUME is recorded.
- If so, no further action is required.
- If not, go to step 4.
Contact technical support personnel. You can collect diagnostic information using the display diagnostic-information command.

SECE/4/UCSUPPRESSRESUME

Message

SECE/4/UCSUPPRESSRESUME: MAC address flapping finished on port. Unknown unicast packets were normally forwarded. (Interface=[STRING])

Description

MAC address flapping stopped and unknown unicast traffic was normally forwarded on an interface.

Parameters

Parameter Name	Parameter Meaning
Interface	Indicates the name of an interface.

Possible Causes

Unknown unicast traffic suppression was triggered by MAC address flapping on an interface. When MAC address flapping stopped, unknown unicast traffic was normally forwarded on the interface.

Procedure

This log message is informational only, and no action is required.

SECE/4/ARP_PACKET_BLOCK
SECE/4/ARPMISS
SECE/3/ARPS_DROP_PACKET_GLOBAL_SPDLMT
SECE/3/ARPS_DROP_PACKET_HDADDR_LEN
SECE/3/ARPS_DROP_PACKET_IF_SPDLMT
SECE/3/ARPS_DROP_PACKET_LENTH
SECE/3/ARPS_DROP_PACKET_OPTYPE
SECE/3/ARPS_DROP_PACKET_PROADDR_LEN
SECE/3/ARPS_DROP_PACKET_SRC_MAC
SECE/3/ARPS_DROP_PACKET_VLAN_SPDLMT
SECE/4/ARPSNP_TABLE_FULL
SECE/4/DAI_DROP_PACKET
SECE/4/GWCONFLICT
SECE/4/ICMP_GLOBAL_RATELIMIT
SECE/4/ICMP_INTF_RATELIMIT
SECE/4/ILLEGAL_IP_DROP_STAT
SECE/4/IPSG_VLANDROP_PACKET
SECE/4/IPSG_DROP_PACKET
SECE/4/IPSG_TABLE_RESOURCE
SECE/6/MFF_GW_MAC_CHANGED
SECE/3/NOT_SUPPORT
SECE/4/OLC_DELAY_TASK
SECE/4/OLC_DROP_PACKET
SECE/4/PORT_ATTACK
SECE/6/PORT_ATTACK_END
SECE/4/PORT_ATTACK_OCCUR
SECE/6/QUEUE_DROP
SECE/3/RESOURCE_INSUFFIEIENT
SECE/3/MFF_RESOURCE_LACK
SECE/3/IPSG_RESOURCE_LACK
SECE/4/SPECIFY_SIP_ATTACK
SECE/4/STICKY_MAC_CONFLICT
SECE/4/STORMCTRL_BC_BLOCKED
SECE/3/STORMCTRL_BC_FAIL
SECE/4/STORMCTRL_BC_UNBLOCK
SECE/4/STORMCTRL_IF_NORMAL
SECE/4/STORMCTRL_IF_ERROR_DOWN
SECE/4/STORMCTRL_MC_BLOCKED
SECE/3/STORMCTRL_MC_FAIL
SECE/4/STORMCTRL_MC_UNBLOCK
SECE/4/STORMCTRL_UC_BLOCKED
SECE/3/STORMCTRL_UC_FAIL
SECE/4/STORMCTRL_UC_UNBLOCK
SECE/4/STRACK_DENY
SECE/4/STRACK_ERROR_DOWN
SECE/3/STRACK_RESOURCE_LACK
SECE/4/USER_ATTACK
SECE/3/RESOURCE_LACK(STRACK)
SECE/4/UCSUPPRESS
SECE/4/UCSUPPRESSRESUME

Translation

简体中文

Download

Updated: 2021-11-11

Document ID: EDOC1100126883

Downloads: 18

Average rating:

This Document Applies to these Products

Related Version

Digital Signature File

Digital Signature Authentication Mode