
IdMgr.MoveIdFmEnblToDsblPort Log messages

Userlevel 1
Hi, does anyone have an idea what caused this message?

Slot-1: Moved the identity "Unknown_xx-xx-xx-xx" with MAC address xx:xx:xx:xx, detected by none, from Identity management enabled port x:x to disabled port 0:2.

The customer has started seeing these on the network. I am aware it is caused by MAC moves, according to this


but has anyone else found something else that causes it? The customer has IDM enabled and uses UPM scripts.

4 replies

Userlevel 4
Actually, for Kerberos snooping, clients must have a direct layer 2 connection to the switch; that is, the connection must not cross a layer 3 boundary. If the connection does cross a layer 3 boundary, the gateway's MAC address gets associated with the identity, which in turn may cause these messages. As you said, the customer has already enabled ID management on the ports as well as the UPM script, hence you can always look into the type of events being generated at the time of the issue.

Basically, Identity management events generate corresponding UPM events. The UPM events that are generated include:


But I am not sure if these log messages are still noticed, because Kerberos identities will be cleared immediately if the Aging timer is not configured; otherwise they will be cleared after the Aging timer has expired for this Kerberos identity.

Hope this helps.
Userlevel 4
Please let us know if the provided information is enough for you to understand the possible cause of this log message. If you have any further queries then let us know.
Userlevel 2
I have got the same issue; it occurred when I enabled IDM on the switch. It turned out that I have two hosts with the same MAC and IP address on the network in different locations.

"Identity management enabled port" was an access port
and "disabled port x" was the uplink, which didn't have IDM enabled.
Userlevel 1
I have got the same issue.

In my network it occurred when I enabled IDM on a switch port to which an access point is connected. IDM detects the username (Kerberos) on an access port and the access point at the same time, and it seems that's not working.
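
To tell the causes suggested in this thread apart, the move messages can be grouped by MAC address. The script below is an added example, not code from any poster or from Extreme Networks; the sample lines, the "kerberos" detection value, the identity names and the triage thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Matches the message body quoted in the thread; any syslog prefix is ignored.
MOVE_RE = re.compile(
    r'Moved the identity "(?P<identity>[^"]*)" with MAC address '
    r'(?P<mac>[0-9A-Fa-f:]+), detected by (?P<method>[^,]+), '
    r'from Identity management enabled port (?P<src>[\d:]+) '
    r'to disabled port (?P<dst>[\d:]+)')

def _line(identity, mac, method, src, dst="0:2"):
    # Builds a constructed sample line in the thread's message format.
    return (f'Slot-1: Moved the identity "{identity}" with MAC address {mac}, '
            f'detected by {method}, from Identity management enabled port '
            f'{src} to disabled port {dst}.')

# Constructed sample data: names, MACs, ports and "kerberos" are made up.
SAMPLE_LOG = "\n".join([
    _line("Unknown_02-00-00-00-00-01", "02:00:00:00:00:01", "none", "1:5"),
    _line("Unknown_02-00-00-00-00-01", "02:00:00:00:00:01", "none", "1:5"),
    _line("alice", "02:00:00:00:00:fe", "kerberos", "1:7"),
    _line("bob", "02:00:00:00:00:fe", "kerberos", "1:7"),
    _line("Unknown_02-00-00-00-00-03", "02:00:00:00:00:03", "none", "2:1"),
])

def summarize(text):
    """Group move messages by MAC: move count, identities, ports involved."""
    stats = defaultdict(lambda: {"moves": 0, "identities": set(),
                                 "src": set(), "dst": set()})
    for m in MOVE_RE.finditer(text):
        s = stats[m["mac"].lower()]
        s["moves"] += 1
        s["identities"].add(m["identity"])
        s["src"].add(m["src"])
        s["dst"].add(m["dst"])
    return dict(stats)

def triage(stats, min_moves=2):
    """Hypothetical heuristics mapping counts to causes named in the thread."""
    out = {}
    for mac, s in stats.items():
        reasons = []
        if len(s["identities"]) > 1:
            reasons.append("multi_identity")   # e.g. gateway MAC past a layer 3 hop
        if s["moves"] >= min_moves:
            reasons.append("repeated_move")    # e.g. duplicate MAC or AP on the port
        if reasons:
            out[mac] = reasons
    return out

if __name__ == "__main__":
    for mac, reasons in triage(summarize(SAMPLE_LOG)).items():
        print(mac, reasons)
```

A MAC flagged `multi_identity` is worth checking against the gateway address, and one flagged only `repeated_move` against the FDB entries on the uplink and access ports.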