IdMgr.MoveIdFmEnblToDsblPort Log messages

  • Question
  • Updated 2 years ago
  • Answered
Hi, does anyone have an idea what caused this message?

<Warn:IdMgr.MoveIdFmEnblToDsblPort> Slot-1: Moved the identity "Unknown_xx-xx-xx-xx" with MAC address xx:xx:xx:xx, detected by none, from Identity management enabled port x:x to disabled port 0:2.

The customer has started seeing these on the network. I am aware it is caused by MAC moves, according to this:

http://documentation.extremenetworks.com/ems_catalog_16/EMS_Messages/idmgmt/IdMgr_MoveIdFmEnblToDsbl...

but has anyone else found something else that causes it? The customer has IDM enabled and uses UPM scripts.

Justsomebodi

Posted 2 years ago

Tripathy, Priya Ranjan, ESE

Actually, for Kerberos snooping, clients must have a direct layer 2 connection to the switch; that is, the connection must not cross a layer 3 boundary. If the connection does cross a layer 3 boundary, the gateway's MAC address gets associated with the identity, which in turn may cause these messages. As you said, the customer has already enabled ID management on the ports as well as the UPM script, hence you can always look into the type of events being generated at the time of the issue.

Basically, Identity management events generate corresponding UPM events. The UPM events that are generated include:

● IDENTITY-DETECT
● IDENTITY-UNDETECT
● IDENTITY-ROLE-ASSOCIATE
● IDENTITY-ROLE-DISSOCIATE

But I am not sure if these log messages are still noticed, because Kerberos identities will be cleared immediately if the aging timer is not configured; otherwise they will be cleared after the aging timer has expired for this Kerberos identity.

Hope this helps.

Tripathy, Priya Ranjan, ESE

Please let us know if the provided information is enough for you to understand the possible cause of this log message. If you have any further queries, then let us know.

Michal Rz

I have got the same issue; it occurred when I enabled IDM on the switch. It turned out that I have two hosts with the same MAC and IP address on the network in different locations.

"Identity management enabled port" was an access port
and "disabled port x" was an uplink which didn't have IDM enabled.

Yves Haslimann

I have got the same issue.

In my network it occurred when I enabled IDM on a switch port to which an access point is connected. IDM detects the username (Kerberos) on an access port and the access point at the same time, and it seems that's not working.
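
A triage helper for the message discussed in this thread, as an added example that is not part of any post above and is not Extreme Networks code. It parses the IdMgr.MoveIdFmEnblToDsblPort text quoted in the question, then reports which MACs move repeatedly and which IDM-disabled ports they land on (the uplink and access-point cases the replies describe). The sample log lines, timestamps, MACs and port numbers are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Pattern built from the message text quoted in the question above.
MOVE_RE = re.compile(
    r'<Warn:IdMgr\.MoveIdFmEnblToDsblPort>\s+(?:Slot-\d+:\s+)?'
    r'Moved the identity "(?P<identity>[^"]*)" with MAC address '
    r'(?P<mac>[0-9A-Fa-f:]+), detected by (?P<method>[^,]+), from Identity '
    r'management enabled port (?P<src>[\d:]+) to disabled port (?P<dst>[\d:]+)\.'
)

# Constructed sample log: timestamps, MACs and ports are invented for this example.
_MSG = ('<Warn:IdMgr.MoveIdFmEnblToDsblPort> Slot-1: Moved the identity '
        '"Unknown_{d}" with MAC address {m}, detected by none, from Identity '
        'management enabled port {s} to disabled port {t}.')
SAMPLE_LOG = "\n".join([
    "01/01/2020 10:00:01.10 " + _MSG.format(d="00-11-22-33-44-55", m="00:11:22:33:44:55", s="1:5", t="1:49"),
    "01/01/2020 10:00:09.42 <Info:Constructed.Other> unrelated line",
    "01/01/2020 10:02:11.77 " + _MSG.format(d="00-11-22-33-44-55", m="00:11:22:33:44:55", s="1:5", t="1:49"),
    "01/01/2020 10:03:40.05 " + _MSG.format(d="00-AA-BB-CC-DD-EE", m="00:AA:BB:CC:DD:EE", s="1:7", t="1:49"),
])

def parse_moves(text):
    """Return one dict per move message found anywhere in the log text."""
    return [m.groupdict() for m in MOVE_RE.finditer(text)]

def summarize(moves):
    """Group moves by lower-cased MAC: count, identities, source and destination ports."""
    by_mac = defaultdict(lambda: {"count": 0, "identities": set(), "src": set(), "dst": set()})
    for mv in moves:
        entry = by_mac[mv["mac"].lower()]
        entry["count"] += 1
        entry["identities"].add(mv["identity"])
        entry["src"].add(mv["src"])
        entry["dst"].add(mv["dst"])
    return dict(by_mac)

def repeat_movers(summary, threshold=2):
    """MACs that moved at least `threshold` times, e.g. a duplicated MAC flapping."""
    return sorted(mac for mac, e in summary.items() if e["count"] >= threshold)

def busiest_disabled_ports(summary):
    """IDM-disabled ports ranked by number of distinct MACs that moved to them."""
    ports = Counter(port for e in summary.values() for port in e["dst"])
    return ports.most_common()

if __name__ == "__main__":
    s = summarize(parse_moves(SAMPLE_LOG))
    print("repeat movers:", repeat_movers(s))
    print("disabled ports by distinct MACs:", busiest_disabled_ports(s))
```

A disabled port that collects many distinct MACs is a candidate uplink or access-point port, while a single MAC that keeps moving between the same pair of ports is worth checking for a duplicate address.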