syslog message %SW_MATM-4-MACFLAP_NOTIF and what it means

Unanswered Question
May 10th, 2009

I need expert help from Cisco gurus in this forum:

I recently swapped out a pair of Catalyst 3750s running IOS image c3750-ipservicesk9-mz.122-25.SEE3.bin with a pair of newer

hardware 3750s running IOS image c3750-ipservicesk9-mz.122-35.SE5.bin. Between these two switches is an EtherChannel. There

is NOTHING connected to these two switches other than a pair of Checkpoint Secureplatform NGx R65 with HFA_02 and the upstream

router. The Etherchannel is working fine and there are NO errors on the trunk ports which are part of the EtherChannel. We

just copy the configuration from the old switches over to the new switches. Everything is identical other than the hardware

is newer 3750s supporting Copper Gig interfaces. Those 3750s are our Internet switches. The back-side of the Checpoint firewalls

are connected to a pair of Catalyst 6513s running IOS 12.2(18)SXF11. By the way, the Checkpoint firewalls are running in

ClusterXL Active/Active Unicast mode (i.e. 30% on FW-A and 70% on FW-B).

Ever since we moved over to the new hardware, we have been getting a bunch of these messages in the catlyst 3750 log, at the rate

of 5 messages every 10 seconds:

May 10 21:43:35: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.0000.fe01 in vlan 100 is flapping between port Gi1/0/48 and port Gi1/0/9

May 10 21:43:50: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.0000.fe01 in vlan 100 is flapping between port Gi1/0/48 and port Gi1/0/9

Basically Gi1/0/48 and Gi1/0/9 are the ports that the checkpoint firewall interfaces are connected to. The MAC address in the log

is the Checkpoint ClusterXL IP address, similar to VRRP IP address if you are familiar with Nokia, well, sort of.

I have no issues with the Checkpoint firewall interfaces connected to the Catalyst 6513s.

If I move the connections back to the old catalyst 3750s, then these messages go away. They came back as soon as I connected them

to the new Catalyst 3750s.

There are NO spanning tree loop. The two 3750s are connected to each other and nothing else.

Anyone know what this message means and how to make it go away? Many thanks.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
iyde Tue, 05/12/2009 - 07:20

It looks to me like the two Checkpoints frequently sends out data with the same MAC address. I assume that the MAC address is the shared virtual MAC address of the Cehckpoints.

My guess (as I don't know for sure) is, that Cisco has changed the logging info level or such from the IOS version you ahd on the old 3750 boxes to the new 3750G boxes you are using now.



This Discussion