Printers losing IP addresses

Unanswered Question
Aug 15th, 2008

We have several HP printers that repeatedly lose their IP address. They are models 8000N and 8150N.

I don't see any log messages indicating that they are losing their connection to the switch. I don't see any interface errors. We have tried several variations of autonegotiation and hard coding speed/duplex to no avail. What is even stranger is that they seem to regain their address and start printing after a short while, usually between 10 and 40 minutes.

The switches they connect to are 6509E's running 12.2(18)SXF7.

The only problem I can find on the switches is that I get this log message "%PORT_SECURITY-SP-2-INELIGIBLE: Port security configuration on Gi3/44 is being made inactive since the port is now not eligible for port security as GigabitEthernet3/44 has static MAC entry configuration.. "

I'm a bit baffled by that since I don't see any conflict in my configuration that should affect port security. Here is what a typical interface configuration looks like:

switchport
switchport access vlan 5
switchport mode access
switchport port-security
switchport port-security aging time 5
switchport port-security aging type inactivity
no ip address
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable

Of course, some of the interfaces have the speed/duplex hard coded on them as we try to nail down the cause of the problem.

I'm just about out of ideas. Help!

Giuseppe Larosa Fri, 08/15/2008 - 06:21

Hello Michael,

I've used the error message decoder on the message.

Here is the answer:

%PORT_SECURITY-2-INELIGIBLE:

Port security configuration on [chars] is being made inactive since the port is now not eligible for port security as [chars].

A port had port security configuration on it, but the port now has a configuration not supported with port security. Since the port is now not eligible for port security, the port security configuration on it is being made inactive.

Recommended Action: Check the port's configuration and remove the offending configuration that is not compatible with port security.

Related documents- No specific documents apply to this error message.

As a starting point I would remove the two commands about aging:

switchport port-security aging time 5
switchport port-security aging type inactivity

Port security can use two methods:

you can manually hardcode the secure MAC addresses, and so aging doesn't apply to this

or

you can have a max-number of dynamically learned MAC addresses that can use the port.

In this latter case the aging commands could apply.

I wonder if you are running DHCP server on your 6509E, and you have tried to create a reservation for the MAC address of the printer to get always the same IP address.

This could have caused the problem that the switch has treated this as an attempt to manually hard code the MAC on the port and so the message.

Hope to help

Giuseppe

mgottfried Fri, 08/15/2008 - 12:06

I used the decoder to figure out what the message meant. That is why I am baffled. I don't see anything wrong with the configuration. The default is to have 1 MAC address and that is dynamic. Because it is default it doesn't show up in the config. I'm not running DHCP on the switch.

I'm confused as to why the aging commands would cause the problem. I want the MAC to age out after 5 minutes of inactivity, thus those two commands in the configuration. Can you expand on why you think that might be the problem?

Giuseppe Larosa Fri, 08/15/2008 - 12:52

Hello Michael,

Mine is only a guess.

If you hardcode a MAC address on the port the aging commands are something that cannot coexist with that.

The message says static mac address so I pointed to the aging commands.

see

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/port_sec.html#wp1053357

static should mean manually configured, sticky should mean persistent even after a reload

If the printers were to use a different MAC address the port security should trigger the error disable action and not the message you have seen.

I think that a port configured for port security that the switch thinks has a conflicting configuration is probably isolated for some time and later reenabled and this could explain the 30-40 minutes of out of service of your printers.

A later consistency check is passed, the port is reenabled and your printer is reachable again.

You have to understand what the printer does.

I would suggest to disable the port security on the port and to use a monitor session to capture the printer's tx traffic.

Another point to investigate is whether this is related to DHCP lease time: is the frequency of the event proportional to the lease time or unrelated?

If you increase the DHCP lease to one year, does that specific printer still suffer the problem or not?

This could also be a bug in your IOS version because DHCP is external.

Hope to help

Giuseppe

rkhalil Fri, 08/15/2008 - 06:27

%PORT_SECURITY-2-INELIGIBLE:

Port security configuration on [chars] is being made inactive since the port is now not eligible for port security as [chars].

A port had port security configuration on it, but the port now has a configuration not supported with port security. Since the port is now not eligible for port security, the port security configuration on it is being made inactive.

Recommended Action: Check the port's configuration and remove the offending configuration that is not compatible with port security; in this case it may be an entry "mac-address-table static gi3/44 xx:xx:xx:xx:xx"

--

Regards,

Raul

(Please rate helpful posts)
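
As an added example (not part of any post in this thread, and not Cisco tooling): a small offline audit that checks a saved running-config for the conflict the log message names, port security enabled on a port that also has a static MAC address-table entry. The sample config, the MAC address and the function names are constructed; the static-entry syntax assumed is `mac-address-table static <mac> vlan <id> interface <port>`.

```python
import re

# Constructed sample running-config (not taken from the thread).
# The MAC address and the second interface are made up for illustration.
SAMPLE_CONFIG = """\
mac-address-table static 0000.0c12.3456 vlan 5 interface GigabitEthernet3/44
!
interface GigabitEthernet3/44
 switchport
 switchport access vlan 5
 switchport mode access
 switchport port-security
 switchport port-security aging time 5
 switchport port-security aging type inactivity
 spanning-tree portfast
!
interface GigabitEthernet3/45
 switchport
 switchport access vlan 5
 switchport port-security
!
"""

# Accepts both "mac-address-table" and the newer "mac address-table" spelling.
STATIC_RE = re.compile(
    r"^mac[- ]address-table static (\S+) vlan (\d+) interface (.+)$", re.I)

def norm(name):
    """Normalise 'Gi3/44', 'gigabitethernet 3/44', ... to 'gi3/44'."""
    m = re.match(r"([a-z]{2})[a-z]*\s*(\d+(?:/\d+)*)", name.strip().lower())
    return m.group(1) + m.group(2) if m else name.strip().lower()

def audit(config):
    """Return {port: [(mac, vlan), ...]} for ports that have port security
    enabled and also appear in a static MAC address-table entry."""
    static, secured, current = {}, set(), None
    for line in config.splitlines():
        m = STATIC_RE.match(line)
        if m:
            static.setdefault(norm(m.group(3)), []).append((m.group(1), int(m.group(2))))
        elif line.lower().startswith("interface "):
            current = norm(line.split(None, 1)[1])
        elif not line.startswith(" "):
            current = None          # left the interface stanza
        elif current and line.strip() == "switchport port-security":
            secured.add(current)
    return {p: static[p] for p in sorted(secured) if p in static}

if __name__ == "__main__":
    for port, entries in audit(SAMPLE_CONFIG).items():
        print(port, "has port security and static MAC entries:", entries)
```
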

jonesm111 Fri, 08/15/2008 - 14:47

I agree with Giuseppe... I've had a very similar problem in the past and that is exactly what it turned out to be. We increased the lease time on the DHCP server and that resolved it.
