Enterasys S8 Flapping ports
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎11-25-2014 08:57 AM
We're observing a higher-than-desired number of "bad" ethernet port > negotiations. On Two ports of this Switch , I ve tried all posible combinations of ( duplex , negocitation speed etc) in both sides, but these ports continues up/down.
These port not have much traffic.
Does any have any experience that they can share regarding issues that might > cause less-than-optimal negotiation? ( cable issues, NIC driver bugs, > Enterasys S8 configuration)?
Help is much appreciated.
Cheers
These port not have much traffic.
Does any have any experience that they can share regarding issues that might > cause less-than-optimal negotiation? ( cable issues, NIC driver bugs, > Enterasys S8 configuration)?
Help is much appreciated.
Cheers
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎12-09-2014 08:01 PM
Thanks for your post James.
We just experienced a partial meltdown due to this issue with Microsoft SCCM 2012 causing MAC's to be spoofed. This was confusing the hell out of our switches and causing rolling blackouts:
https://supportforums.cisco.com/discussion/11835361/mac-address-flapping-and-sccm-wake-proxy
This explains that when clients were going to sleep, the issue was worse. Apparently Microsoft use some sort of election process to work out which PC on the local subnet becomes the "MAC spoofing master".
We only found the problem by getting Wireshark out - the first thing that jumped out was some clients pinging all others on the local subnet and ARP'ing to find each other's MAC's. Normally a client has no reason to speak to another client, most traffic should be client to server.
The PC's sending out all the pings were also recieving lots of TCP SYN's on port 25536 from other PC's on the LAN. SCCM's SleepAgentService.exe was the process running on port 25536 on the affected workstation.
Now I have an explanation for why the link flaps also. 🙂
Whoever at Microsoft thought MAC spoofing was a good idea needs their head examined! It might work fine on a $50 Netgear or D-Link, but it's going to cause severe issues on enterprise grade switches from any manufacturer.
More here:
https://social.technet.microsoft.com/Forums/en-US/a0ba31d1-e3cc-4218-80ee-f67583fb4ddd/client-settng...
The funny thing is while looking at this problem I kept thinking it was the type of thing malware would do (or at least rather bizzare malware) - guess I wasn't too far from the truth!
Thanks,
Mark
We just experienced a partial meltdown due to this issue with Microsoft SCCM 2012 causing MAC's to be spoofed. This was confusing the hell out of our switches and causing rolling blackouts:
https://supportforums.cisco.com/discussion/11835361/mac-address-flapping-and-sccm-wake-proxy
This explains that when clients were going to sleep, the issue was worse. Apparently Microsoft use some sort of election process to work out which PC on the local subnet becomes the "MAC spoofing master".
We only found the problem by getting Wireshark out - the first thing that jumped out was some clients pinging all others on the local subnet and ARP'ing to find each other's MAC's. Normally a client has no reason to speak to another client, most traffic should be client to server.
The PC's sending out all the pings were also recieving lots of TCP SYN's on port 25536 from other PC's on the LAN. SCCM's SleepAgentService.exe was the process running on port 25536 on the affected workstation.
Now I have an explanation for why the link flaps also. 🙂
Whoever at Microsoft thought MAC spoofing was a good idea needs their head examined! It might work fine on a $50 Netgear or D-Link, but it's going to cause severe issues on enterprise grade switches from any manufacturer.
More here:
https://social.technet.microsoft.com/Forums/en-US/a0ba31d1-e3cc-4218-80ee-f67583fb4ddd/client-settng...
The funny thing is while looking at this problem I kept thinking it was the type of thing malware would do (or at least rather bizzare malware) - guess I wasn't too far from the truth!
Thanks,
Mark
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎11-26-2014 06:42 AM
Thanks for your reply James is much apreciated,
But i have checked the hardware part, My Enterasys S8, have more than 400 Gigabit Ethernet port but only flap 4, in two different machines (that have one port intel and one port broadcom each one).
The counnters no have CRC errors or discard , and the machines have linux operating system both, No Energy Saving configurated, and have updated Driver in both cases ...
Today i am trying to connect one port to a Windows PC and monitoring for one hour for example ... I post the results here....
Cheers
But i have checked the hardware part, My Enterasys S8, have more than 400 Gigabit Ethernet port but only flap 4, in two different machines (that have one port intel and one port broadcom each one).
The counnters no have CRC errors or discard , and the machines have linux operating system both, No Energy Saving configurated, and have updated Driver in both cases ...
Today i am trying to connect one port to a Windows PC and monitoring for one hour for example ... I post the results here....
Cheers
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎11-25-2014 10:11 PM
Port flaps are almost always caused by some hardware issue, typically a bad/damaged cable or a sick NIC. I've never seen bad negotiations causing this. There is a new(er) feature that Microsoft has that is sometimes called Wake-on-LAN. When configured, the PC goes to sleep and wakes periodically to see if it is supposed to fully wake up. When it does that, it brings the link UP, then checks, then takes the link back DOWN if it isn't supposed to wake up then. That looks like a link flap and can happen several hundred times overnight.
If that hasn't been configured, go after the cable, especially if it happens when the PC is supposed to be online during the day. Check for connectors falling out, tangled in someone's feet, smashed behind desks, etc. We find physical damage to be the most prevalent issue for machines not working.
James
If that hasn't been configured, go after the cable, especially if it happens when the PC is supposed to be online during the day. Check for connectors falling out, tangled in someone's feet, smashed behind desks, etc. We find physical damage to be the most prevalent issue for machines not working.
James
