PacketFence - BTS - PacketFence
View Issue Details
0001183PacketFencecorepublic2011-02-11 16:402011-10-25 09:01
ryacketta 
obilodeau 
normalminoralways
closedfixed 
2.0.1 
2.2.02.2.0 
9383cc837db8b1949158d40cafad4c0dcbd26f2e
0001183: Nortel regressions
Feb 11 16:27:00 pfsetvlan(11) INFO: 00:16:cb:89:6b:50 is a secure MAC address at 137.143.212.20 ifIndex 149 VLAN . De-authorizing
 (new entry 02:00:00:00:01:49) (main::do_port_security)
Use of uninitialized value in numeric eq (==) at /usr/local/pf/sbin/pfsetvlan
        line 1914 (0000001)
    (W uninitialized) An undefined value was used as if it were already
    defined. It was interpreted as a "" or a 0, but maybe it was a mistake.
    To suppress this warning assign a defined value to your variables.

    To help you figure out what was undefined, perl tells you what operation
    you used the undefined value in. Note, however, that perl optimizes your
    program and the operation displayed in the warning may not necessarily
    appear literally in your program. For example, "that $foo" is
    usually optimized into "that " . $foo, and the warning will refer to
    the concatenation (.) operator, even though there is no . in your
    program.

Use of uninitialized value in concatenation (.) or string at
        /usr/local/pf/sbin/pfsetvlan line 1916 (0000001)
This happens when I move a test PC from one Port to another on the switch. Could also be causing the mac-security-table to not be updated with the new port for the mac.

[root@pfence ]# rpm -qa packetfence
packetfence-2.0.1-1.el5
No tags attached.
? Nortel.pm (22,388) 2011-03-18 11:06
https://www.packetfence.org/bugs/file_download.php?file_id=78&type=bug
Issue History
2011-02-11 16:40ryackettaNew Issue
2011-02-11 16:47ryackettaNote Added: 0001860
2011-02-15 11:29obilodeauStatusnew => assigned
2011-02-15 11:29obilodeauAssigned To => obilodeau
2011-02-15 11:44obilodeauNote Added: 0001865
2011-02-15 11:44obilodeauStatusassigned => feedback
2011-02-15 14:11ryackettaNote Added: 0001868
2011-02-16 10:10obilodeauNote Added: 0001869
2011-03-02 13:51ryackettaNote Added: 0001891
2011-03-02 14:09ryackettaNote Added: 0001892
2011-03-02 14:10ryackettaNote Edited: 0001891
2011-03-02 14:20ryackettaNote Added: 0001893
2011-03-02 14:25ryackettaNote Edited: 0001892
2011-03-02 14:44ryackettaNote Added: 0001894
2011-03-02 14:44ryackettaNote Edited: 0001893
2011-03-02 14:44ryackettaNote Edited: 0001894
2011-03-02 14:46ryackettaNote Edited: 0001891
2011-03-02 17:36ryackettaNote Added: 0001895
2011-03-03 09:38ryackettaNote Added: 0001896
2011-03-03 10:29ryackettaNote Added: 0001897
2011-03-03 10:32ryackettaNote Edited: 0001897
2011-03-03 14:12ryackettaNote Added: 0001898
2011-03-09 08:58ryackettaNote Added: 0001905
2011-03-14 17:31obilodeauNote Added: 0001922
2011-03-14 17:31obilodeauTarget Version => +1
2011-03-15 08:28ryackettaNote Added: 0001925
2011-03-15 08:41ryackettaNote Added: 0001926
2011-03-15 08:41ryackettaNote Edited: 0001925
2011-03-18 09:33obilodeauRelationship addedhas duplicate 0001195
2011-03-18 11:06obilodeauFile Added: Nortel.pm
2011-03-18 11:08obilodeauNote Added: 0001949
2011-03-18 11:34ryackettaNote Added: 0001953
2011-03-18 11:38obilodeauNote Added: 0001954
2011-03-18 11:38obilodeauRelationship deletedhas duplicate 0001195
2011-03-18 13:14ryackettaNote Added: 0001959
2011-03-18 14:22obilodeaumtn revision => 9383cc837db8b1949158d40cafad4c0dcbd26f2e
2011-03-18 14:22obilodeauStatusfeedback => resolved
2011-03-18 14:22obilodeauFixed in Version => +1
2011-03-18 14:22obilodeauResolutionopen => fixed
2011-03-18 14:36obilodeauSummarypfsetVlan Use of uninitialized value => Nortel regressions
2011-05-04 11:32obilodeauFixed in Version+1 => 2.2.0
2011-05-04 11:40obilodeauStatusresolved => closed
2011-10-25 09:01obilodeauTarget Version+1 => 2.2.0

Notes
(0001860)
ryacketta   
2011-02-11 16:47   
my $is_voice_vlan = ($vlan == $switch->getVoiceVlan($ifIndex));
                    my $fakeMac = $switch->generateFakeMac($is_voice_vlan, $ifIndex);
                    $logger->info( "$mac is a secure MAC address at "
                            . $switch->{_ip}
                            . " ifIndex $ifIndex VLAN $vlan. De-authorizing (new entry $fakeMac)"
                    );

Looks like $vlan is unknown as per the log output:
Feb 11 16:27:00 pfsetvlan(11) INFO: 00:16:cb:89:6b:50 is a secure MAC address at 137.143.212.20 ifIndex 149 VLAN . De-authorizing
 (new entry 02:00:00:00:01:49) (main::do_port_security)

switch: BayStack 470 48-T
(0001865)
obilodeau   
2011-02-15 11:44   
I just re-validated the code and there's no obvious reason why would @{ $secureMacAddrHashRef->{$mac}->{$ifIndex} } hold undef.

- What's your conf/switches.conf entry for this switch?
- Can you do a
snmpwalk -v 2c -c <read-community> <switch-ip> 1.3.6.1.4.1.45.1.6.5.3.10.1.4
and provide results here. This fetches the security table on your switch.
- Can you do a
snmpwalk -v 2c -c <read-community> <switch-ip> 1.3.6.1.4.1.2272.1.3.3.1.7
and provide results here. This fetches the VLAN per Port config on your switch.
- What firmware do you run?

Thanks!
(0001868)
ryacketta   
2011-02-15 14:11   
BayStack 470-48T : v3.7.4.15
snmpwalk -v 2c -c <RO> <IP> 1.3.6.1.4.1.45.1.6.5.3.10.1.4
SNMPv2-SMI::enterprises.45.1.6.5.3.10.1.4 = No Such Instance currently exists at this OID

snmpwalk -v 2c -c <RO> <IP> 1.3.6.1.4.1.2272.1.3.3.1.7
SNMPv2-SMI::enterprises.2272.1.3.3.1.7.1 = INTEGER: 102
SNMPv2-SMI::enterprises.2272.1.3.3.1.7.2 = INTEGER: 102
SNMPv2-SMI::enterprises.2272.1.3.3.1.7.3 = INTEGER: 102
SNMPv2-SMI::enterprises.2272.1.3.3.1.7.4 = INTEGER: 102
SNMPv2-SMI::enterprises.2272.1.3.3.1.7.5 = INTEGER: 102
SNMPv2-SMI::enterprises.2272.1.3.3.1.7.6 = INTEGER: 102
SNMPv2-SMI::enterprises.2272.1.3.3.1.7.7 = INTEGER: 102
SNMPv2-SMI::enterprises.2272.1.3.3.1.7.8 = INTEGER: 102
SNMPv2-SMI::enterprises.2272.1.3.3.1.7.9 = INTEGER: 102
SNMPv2-SMI::enterprises.2272.1.3.3.1.7.10 = INTEGER: 102
SNMPv2-SMI::enterprises.2272.1.3.3.1.7.11 = INTEGER: 102
SNMPv2-SMI::enterprises.2272.1.3.3.1.7.12 = INTEGER: 102
SNMPv2-SMI::enterprises.2272.1.3.3.1.7.13 = INTEGER: 102
SNMPv2-SMI::enterprises.2272.1.3.3.1.7.14 = INTEGER: 102
SNMPv2-SMI::enterprises.2272.1.3.3.1.7.15 = INTEGER: 102
SNMPv2-SMI::enterprises.2272.1.3.3.1.7.16 = INTEGER: 102
SNMPv2-SMI::enterprises.2272.1.3.3.1.7.17 = INTEGER: 102
SNMPv2-SMI::enterprises.2272.1.3.3.1.7.18 = INTEGER: 102
SNMPv2-SMI::enterprises.2272.1.3.3.1.7.19 = INTEGER: 102
SNMPv2-SMI::enterprises.2272.1.3.3.1.7.20 = INTEGER: 11
SNMPv2-SMI::enterprises.2272.1.3.3.1.7.21 = INTEGER: 102
SNMPv2-SMI::enterprises.2272.1.3.3.1.7.22 = INTEGER: 102
SNMPv2-SMI::enterprises.2272.1.3.3.1.7.23 = INTEGER: 102
SNMPv2-SMI::enterprises.2272.1.3.3.1.7.24 = INTEGER: 102
SNMPv2-SMI::enterprises.2272.1.3.3.1.7.25 = INTEGER: 102
SNMPv2-SMI::enterprises.2272.1.3.3.1.7.26 = INTEGER: 102
SNMPv2-SMI::enterprises.2272.1.3.3.1.7.27 = INTEGER: 102
SNMPv2-SMI::enterprises.2272.1.3.3.1.7.28 = INTEGER: 102
SNMPv2-SMI::enterprises.2272.1.3.3.1.7.29 = INTEGER: 102
SNMPv2-SMI::enterprises.2272.1.3.3.1.7.30 = INTEGER: 102
SNMPv2-SMI::enterprises.2272.1.3.3.1.7.31 = INTEGER: 102
SNMPv2-SMI::enterprises.2272.1.3.3.1.7.32 = INTEGER: 102
SNMPv2-SMI::enterprises.2272.1.3.3.1.7.33 = INTEGER: 102
SNMPv2-SMI::enterprises.2272.1.3.3.1.7.34 = INTEGER: 102
SNMPv2-SMI::enterprises.2272.1.3.3.1.7.35 = INTEGER: 102
SNMPv2-SMI::enterprises.2272.1.3.3.1.7.36 = INTEGER: 102
SNMPv2-SMI::enterprises.2272.1.3.3.1.7.37 = INTEGER: 102
SNMPv2-SMI::enterprises.2272.1.3.3.1.7.38 = INTEGER: 102
SNMPv2-SMI::enterprises.2272.1.3.3.1.7.39 = INTEGER: 102
SNMPv2-SMI::enterprises.2272.1.3.3.1.7.40 = INTEGER: 102
SNMPv2-SMI::enterprises.2272.1.3.3.1.7.41 = INTEGER: 102
SNMPv2-SMI::enterprises.2272.1.3.3.1.7.42 = INTEGER: 102
SNMPv2-SMI::enterprises.2272.1.3.3.1.7.43 = INTEGER: 102
SNMPv2-SMI::enterprises.2272.1.3.3.1.7.44 = INTEGER: 102
SNMPv2-SMI::enterprises.2272.1.3.3.1.7.45 = INTEGER: 102
SNMPv2-SMI::enterprises.2272.1.3.3.1.7.46 = INTEGER: 102
SNMPv2-SMI::enterprises.2272.1.3.3.1.7.47 = INTEGER: 102
SNMPv2-SMI::enterprises.2272.1.3.3.1.7.48 = INTEGER: 102

[default]
vlans = 3,11,102
normalVlan = 11
registrationVlan = 102
isolationVlan = 3
macDetectionVlan = 102
guestVlan = 102
customVlan1 =
customVlan2 =
customVlan3 =
customVlan4 =
customVlan5 =
VoIPEnabled = no
voiceVlan =

mode = testing
macSearchesMaxNb = 30
macSearchesSleepInterval = 2
uplink = dynamic

#
# SNMP section
#

# PacketFence -> Switch
SNMPVersion = 2c
SNMPCommunityRead = <RO>
SNMPCommunityWrite = <RW>

# Switch -> PacketFence
SNMPVersionTrap = 2c
SNMPCommunityTrap = public

[127.0.0.1]
type = PacketFence
mode = production
uplink = dynamic

[<IP>]
type = Nortel::BayStack470
mode = production
uplink = 1
(0001869)
obilodeau   
2011-02-16 10:10   
Given the results of the first walk "No Such Instance currently exists at this OID" I can't see how you can get the error you have in this bug report.

Is port-security appropriately configured? Was it messed with between the time you first reported the error and the snmpwalk above?
(0001891)
ryacketta   
2011-03-02 13:51   
(edited on: 2011-03-02 14:46)
Sorry for the delay in response, just getting back from vacation.

I went ahead 'ctrl-c i'ed the 470 then configured it per PacketFence_Network_Devices_Configuration_Guide-2.0.1.pdf

Nothing has changed in the pf confs (pf.conf, networks.con, switches.conf etc), connecting a mac laptop results in

Mar 02 13:45:55 pfsetvlan(11) INFO: up trap received on <IP> ifIndex 18 (main::handleTrap)
Mar 02 13:45:55 pfsetvlan(11) INFO: setting <IP> port 18 to MAC detection VLAN (main::handleTrap)
Argument "noSuchInstance" isn't numeric in numeric ge (>=) at
        /usr/local/pf/lib/pf/SNMP/Nortel.pm line 533 (0000001)
    (W numeric) The indicated string was fed as an argument to an operator
    that expected a numeric value instead. If you're fortunate the message
    will identify which operator was so unfortunate.
    
Mar 02 13:45:56 pfsetvlan(11) INFO: MAC: 00:16:cb:89:6b:50 is of status unreg; belongs into registration VLAN (pf::vlan::getRegistrationVlan)
Mar 02 13:45:56 pfsetvlan(11) INFO: finished (main::cleanupAfterThread)
Mar 02 13:45:57 pfsetvlan(21) INFO: secureMacAddrViolation trap on <IP> ifIndex 18. Port Security is no longer configured on the port. Flush the trap (main::signalHandlerTrapListQueued)

I am not a network admin, just a system engineer doing some R&D with PF to see how it can / will fit into our network setup. My knowledge of installing, configuring and setting up a switch is very limited.

(0001892)
ryacketta   
2011-03-02 14:09   
(edited on: 2011-03-02 14:25)
After the re-configure I still get the following

snmpwalk -v 2c -c <RO> <IP> 1.3.6.1.4.1.45.1.6.5.3.10.1.4
SNMPv2-SMI::enterprises.45.1.6.5.3.10.1.4 = No Such Instance currently exists at this OID

(0001893)
ryacketta   
2011-03-02 14:20   
(edited on: 2011-03-02 14:44)
Looks like 45.1.6.5.3.10 is missing on this 470

snmpwalk -v 2c -c<BLAH> <IP> enterprise
...
SNMPv2-SMI::enterprises.45.1.6.5.3.7.0 = INTEGER: 448
SNMPv2-SMI::enterprises.45.1.6.5.3.8.0 = INTEGER: 0
SNMPv2-SMI::enterprises.45.1.6.5.3.9.0 = INTEGER: 0
SNMPv2-SMI::enterprises.45.1.6.5.3.11.1.1.1.1.0.0.0.0.0.0 = INTEGER: 1
SNMPv2-SMI::enterprises.45.1.6.5.3.11.1.2.1.1.0.0.0.0.0.0 = INTEGER: 1
SNMPv2-SMI::enterprises.45.1.6.5.3.11.1.3.1.1.0.0.0.0.0.0 = Hex-STRING: 00 00 00 00 00 00
SNMPv2-SMI::enterprises.45.1.6.5.3.11.1.4.1.1.0.0.0.0.0.0 = INTEGER: 1
SNMPv2-SMI::enterprises.45.1.6.5.3.11.1.5.1.1.0.0.0.0.0.0 = INTEGER: 5
SNMPv2-SMI::enterprises.45.1.6.5.3.11.1.6.1.1.0.0.0.0.0.0 = INTEGER: 1
SNMPv2-SMI::enterprises.45.1.6.5.3.12.1.1.1.1 = INTEGER: 1
SNMPv2-SMI::enterprises.45.1.6.5.3.12.1.1.1.2 = INTEGER: 1
...


Switch info:

sysDescr: Ethernet Switch 470-48T
                  HW:10 FW:3.6.0.7 SW:v3.7.5.13 ISVN:2
                  Mfg Date:11102005 HW Dev:
sysObjectID: 1.3.6.1.4.1.45.3.46.1

(0001894)
ryacketta   
2011-03-02 14:44   
The same is seen on a

sysDescr: Ethernet Routing Switch 5510-48T
                  HW:34 FW:5.0.0.4 SW:v5.1.0.014


snmpwalk -v 2c -c<BLAH> <IP> enterprise |
...
SNMPv2-SMI::enterprises.45.1.6.5.3.1.0 = INTEGER: 3
SNMPv2-SMI::enterprises.45.1.6.5.3.2.0 = INTEGER: 0
SNMPv2-SMI::enterprises.45.1.6.5.3.3.0 = INTEGER: 2
SNMPv2-SMI::enterprises.45.1.6.5.3.4.0 = INTEGER: 2
SNMPv2-SMI::enterprises.45.1.6.5.3.5.0 = INTEGER: 1
SNMPv2-SMI::enterprises.45.1.6.5.3.6.0 = INTEGER: 0
SNMPv2-SMI::enterprises.45.1.6.5.3.7.0 = INTEGER: 448
SNMPv2-SMI::enterprises.45.1.6.5.3.8.0 = INTEGER: 0
SNMPv2-SMI::enterprises.45.1.6.5.3.9.0 = INTEGER: 0
SNMPv2-SMI::enterprises.45.1.6.5.3.11.1.1.1.1.0.0.0.0.0.0 = INTEGER: 1
SNMPv2-SMI::enterprises.45.1.6.5.3.11.1.1.1.2.0.0.0.0.0.0 = INTEGER: 1
SNMPv2-SMI::enterprises.45.1.6.5.3.11.1.1.1.3.0.0.0.0.0.0 = INTEGER: 1
...

(0001895)
ryacketta   
2011-03-02 17:36   
Here is the mac-security settings on the 470

pfence-rtr(config)#show mac-security config
MAC Address Security: Enabled
MAC Address Security SNMP-Locked: Disabled
Partition Port on Intrusion Detected: Disabled
DA Filtering on Intrusion Detected: Enabled
Generate SNMP Trap on Intrusion: Enabled
MAC Auto-Learning Age-Time: 60 minutes
Current Learning Mode: Disabled
Learn by Ports: NONE


port 18 mac-security (the random port I have been testing with)

pfence-rtr(config)#show mac-security port 18
Port Trunk Security Auto-Learning MAC Number
---- ----- -------- ------------- ----------
  18 Enabled Disabled 2


mac-securtity table

pfence-rtr(config)#show mac-security mac-address-table
Port Allowed MAC Address Automatic
---- ------------------- ---------

Security List Allowed MAC Address Automatic
------------- ------------------- ---------
(0001896)
ryacketta   
2011-03-03 09:38   
Did some wireshark playing this morning, the following OID is used when I check 'Security->AuthStatus' via ESM6.3

1.3.6.1.4.1.45.1.6.5.3.11

a snmpwalk shows
SNMPv2-SMI::enterprises.45.1.6.5.3.11.1.1.1.1.0.0.0.0.0.0 = INTEGER: 1
SNMPv2-SMI::enterprises.45.1.6.5.3.11.1.2.1.1.0.0.0.0.0.0 = INTEGER: 1
SNMPv2-SMI::enterprises.45.1.6.5.3.11.1.3.1.1.0.0.0.0.0.0 = Hex-STRING: 00 00 00 00 00 00
SNMPv2-SMI::enterprises.45.1.6.5.3.11.1.4.1.1.0.0.0.0.0.0 = INTEGER: 1
SNMPv2-SMI::enterprises.45.1.6.5.3.11.1.5.1.1.0.0.0.0.0.0 = INTEGER: 5
SNMPv2-SMI::enterprises.45.1.6.5.3.11.1.6.1.1.0.0.0.0.0.0 = INTEGER: 1


Looking at http://www.oidview.com/mibs/45/S5-SWITCH-BAYSECURE-MIB.html [^] it seems that one could use s5SbsAuthStatusTable as a posisble replacement for s5SbsAuthCfgTable?
(0001897)
ryacketta   
2011-03-03 10:29   
(edited on: 2011-03-03 10:32)
some more dabbling..

As mentioned before, snmpwalking 1.3.6.1.4.1.45.1.6.5.3.10 returned an error (No Such Instance currently exists at this OID). After some playing around, I decided to manually add an entry to 'Security->AuthConfig' via ESM6.3 and miraculously OID 1.3.6.1.4.1.45.1.6.5.3.10 now works.

snmpwalk -v 2c -c<RO> <IP> 1.3.6.1.4.1.45.1.6.5.3.10
SNMPv2-SMI::enterprises.45.1.6.5.3.10.1.1.1.18.0.22.203.137.107.80 = INTEGER: 1
SNMPv2-SMI::enterprises.45.1.6.5.3.10.1.2.1.18.0.22.203.137.107.80 = INTEGER: 18
SNMPv2-SMI::enterprises.45.1.6.5.3.10.1.3.1.18.0.22.203.137.107.80 = Hex-STRING: 00 16 CB 89 6B 50
SNMPv2-SMI::enterprises.45.1.6.5.3.10.1.4.1.18.0.22.203.137.107.80 = INTEGER: 1
SNMPv2-SMI::enterprises.45.1.6.5.3.10.1.5.1.18.0.22.203.137.107.80 = INTEGER: 1
SNMPv2-SMI::enterprises.45.1.6.5.3.10.1.6.1.18.0.22.203.137.107.80 = INTEGER: 0
SNMPv2-SMI::enterprises.45.1.6.5.3.10.1.7.1.18.0.22.203.137.107.80 = INTEGER: 1
SNMPv2-SMI::enterprises.45.1.6.5.3.10.1.8.1.18.0.22.203.137.107.80 = INTEGER: 0

After looking at Nortel.pm it appears that the actual error is around line 523, if the table is empty then the get_request FAILS.

To verify, I just deleted the entry via ESM6.3 and now get 'No Such Object available on this agent at this OID' when I snmpwalk that OID. Adding the entry back results in the above snmpwalk.

(0001898)
ryacketta   
2011-03-03 14:12   
I got Port-Security to work by updating the return in isPortSecurityEnabled to

    return (
               defined($s5SbsSecurityStatus)
            && $s5SbsSecurityStatus == 1
            && defined($s5SbsSecurityAction)
            && ( $s5SbsSecurityAction == 6 || $s5SbsSecurityAction == 2 )
            && ( ( !defined($s5SbsCurrentPortSecurStatus) )
            || ( $s5SbsCurrentPortSecurStatus eq "noSuchInstance")
            || ( $s5SbsCurrentPortSecurStatus >= 2 ) )
    );
(0001905)
ryacketta   
2011-03-09 08:58   
Gents,

Just checking in to see how things are going, know your caught up with paying support etc.

Also noticed another issue with VoIP and the 470's, tossed info to the mailing list will gen another ticket for tracking.

-Ron
(0001922)
obilodeau   
2011-03-14 17:31   
Hi Ron,

I'm a bit confused by this long trail of attempts. Also, the isPortSecurityEnabled fix isn't going to cut it because doing an OR on "noSuchInstance" would just make the call return true no matter if port-security is enabled or not.

- The Nortel code changed between 2.0.x and 2.1.0, did you upgrade?
- Does the 'Security->AuthConfig' trick you did to make the OID appear an acceptable fix? Do you think its a problem with our documentation, with Nortel's switches or with our code?
- Why are you working with trunk ports? PacketFence usually tries to avoid touching trunk ports so it could have been the issue in the first place.

If it's not fixed, can we start over with 2.1.0 and provide me the concise log of a fresh connection.

Thanks for your patience!
(0001925)
ryacketta   
2011-03-15 08:28   
(edited on: 2011-03-15 08:41)
- The Nortel code changed between 2.0.x and 2.1.0, did you upgrade?
Yes, upgraded : packetfence-2.1.0-1.el5

- Does the 'Security->AuthConfig' trick you did to make the OID appear an acceptable fix? Do you think its a problem with our documentation, with Nortel's switches or with our code?

The AAuthConfig trick still works, without an entry I get the no OID response. Currently thinking it is a Nortel issue, but I am n Network Engineer.

- Why are you working with trunk ports? PacketFence usually tries to avoid touching trunk ports so it could have been the issue in the first place.

My assumption was to have two devices on a single port with the port being trunked. Currently trying to setup a lab as such laptop -> VoIP-phone -> switch port. Normal vlan is 11 and VoIP lan is 5.

(0001926)
ryacketta   
2011-03-15 08:41   
Did a re-install of PF as well as a re-configure of the switch.

Mar 15 08:38:09 pfsetvlan(1) INFO: nb of items in queue: 1; nb of threads running: 0 (main::startTrapHandlers)
Mar 15 08:38:10 pfsetvlan(1) INFO: down trap received on <IP> ifIndex 12 (main::handleTrap)
Mar 15 08:38:10 pfsetvlan(1) WARN: unable to fetch first board index. Will assume it's 1 (pf::SNMP::Nortel::getFirstBoardIndex)
Mar 15 08:38:10 pfsetvlan(1) INFO: setting <IP> port 12 to MAC detection VLAN (main::handleTrap)
Mar 15 08:38:10 pfsetvlan(1) INFO: Should set <IP> ifIndex 12 to VLAN 102 but it is already in this VLAN -> Do nothing (pf::SNMP::setVlan)
Mar 15 08:38:10 pfsetvlan(1) INFO: finished (main::cleanupAfterThread)
Mar 15 08:38:11 pfsetvlan(21) WARN: unable to fetch first board index. Will assume it's 1 (pf::SNMP::Nortel::getFirstBoardIndex)
Mar 15 08:38:11 pfsetvlan(21) WARN: unable to fetch first board index. Will assume it's 1 (pf::SNMP::Nortel::getFirstBoardIndex)
Mar 15 08:38:11 pfsetvlan(21) INFO: secureMacAddrViolation trap on <IP> ifIndex 12. Port Security is no longer configured on the port. Flush the trap (main::signalHandlerTrapListQueued)
Mar 15 08:38:13 pfsetvlan(3) INFO: nb of items in queue: 1; nb of threads running: 0 (main::startTrapHandlers)
Mar 15 08:38:13 pfsetvlan(3) INFO: up trap received on <IP> ifIndex 12 (main::handleTrap)
Mar 15 08:38:13 pfsetvlan(3) WARN: unable to fetch first board index. Will assume it's 1 (pf::SNMP::Nortel::getFirstBoardIndex)
Mar 15 08:38:13 pfsetvlan(3) INFO: setting <IP> port 12 to MAC detection VLAN (main::handleTrap)
Mar 15 08:38:13 pfsetvlan(3) INFO: Should set <IP> ifIndex 12 to VLAN 102 but it is already in this VLAN -> Do nothing (pf::SNMP::setVlan)
Argument "noSuchInstance" isn't numeric in numeric ge (>=) at
        /usr/local/pf/lib/pf/SNMP/Nortel.pm line 568 (0000001)
    (W numeric) The indicated string was fed as an argument to an operator
    that expected a numeric value instead. If you're fortunate the message
    will identify which operator was so unfortunate.
    
Mar 15 08:38:14 pfsetvlan(3) INFO: MAC: 00:16:cb:89:6b:50 is of status unreg; belongs into registration VLAN (pf::vlan::getRegistrationVlan)
Mar 15 08:38:14 pfsetvlan(3) INFO: Should set <IP> ifIndex 12 to VLAN 102 but it is already in this VLAN -> Do nothing (pf::SNMP::setVlan)
Mar 15 08:38:14 pfsetvlan(3) INFO: finished (main::cleanupAfterThread)
Mar 15 08:38:21 pfsetvlan(23) INFO: ignoring unknown trap: 2011-03-15|12:38:19|UDP: [<IP>]:1024|<IP>|BEGIN TYPE 6 END TYPE BEGIN SUBTYPE .1 END SUBTYPE BEGIN VARIABLEBINDINGS END VARIABLEBINDINGS (main::parseTrap)
(0001949)
obilodeau   
2011-03-18 11:08   
I think I've fixed the problem. There was a problem with the firstBoardIndex detection code (always returning 1 instead of doing its job) and improved error validation in isPortSecurityEnabled() which should get rid of the 'noSuchInstance' problems.

Can you replace your /usr/local/pf/lib/pf/SNMP/Nortel.pm module with the one attached to this bug?

Thanks
(0001953)
ryacketta   
2011-03-18 11:34   
Fix has resolved the noSuchInstance error:

Mar 18 11:25:51 pfsetvlan(23) WARN: unable to fetch first board index. Will assume it's 1 (pf::SNMP::Nortel::getFirstBoardIndex)
Mar 18 11:25:51 pfsetvlan(1) INFO: nb of items in queue: 2; nb of threads running: 0 (main::startTrapHandlers)
Mar 18 11:25:51 pfsetvlan(2) INFO: nb of items in queue: 1; nb of threads running: 1 (main::startTrapHandlers)
Mar 18 11:25:51 pfsetvlan(1) INFO: up trap received on 137.143.212.20 ifIndex 14 (main::handleTrap)
Mar 18 11:25:51 pfsetvlan(1) INFO: security traps are configured on this switch port. Stopping UP trap handling here (main::handleTrap)
Mar 18 11:25:51 pfsetvlan(1) INFO: finished (main::cleanupAfterThread)
Mar 18 11:25:51 pfsetvlan(3) INFO: nb of items in queue: 1; nb of threads running: 0 (main::startTrapHandlers)
Mar 18 11:25:51 pfsetvlan(3) INFO: secureMacAddrViolation trap received on 137.143.212.20 ifIndex 14 for 00:16:cb:89:6b:50 (main::handleTrap)
Mar 18 11:25:51 pfsetvlan(3) INFO: node 00:16:cb:89:6b:50 does not yet exist in PF database. Adding it now (main::node_update_PF)
Mar 18 11:25:51 pfsetvlan(3) WARN: unable to fetch first board index. Will assume it's 1 (pf::SNMP::Nortel::getFirstBoardIndex)
Mar 18 11:25:51 pfsetvlan(3) WARN: unable to fetch first board index. Will assume it's 1 (pf::SNMP::Nortel::getFirstBoardIndex)
Mar 18 11:25:51 pfsetvlan(3) INFO: MAC: 00:16:cb:89:6b:50 is of status unreg; belongs into registration VLAN (pf::vlan::getRegistrationVlan)
Mar 18 11:25:51 pfsetvlan(3) INFO: authorizing 00:16:cb:89:6b:50 at new location 137.143.212.20 ifIndex 14 (main::handleTrap)
Mar 18 11:25:51 pfsetvlan(3) WARN: unable to fetch first board index. Will assume it's 1 (pf::SNMP::Nortel::getFirstBoardIndex)
Mar 18 11:25:52 pfsetvlan(3) INFO: setting VLAN at 137.143.212.20 ifIndex 14 from 1 to 102 (pf::SNMP::setVlan)
Mar 18 11:25:52 pfsetvlan(3) INFO: finished (main::cleanupAfterThread)
Mar 18 11:25:57 pfdhcplistener(5902) INFO: 00:16:cb:89:6b:50 requested an IP. DHCP Fingerprint: OS::200 (Mac OS X). Modifying node with last_dhcp = 2011-03-18 11:25:57,dhcp_fingerprint = 1,3,6,15,119,95,252,44,46,47 (main::listen_dhcp)
Mar 18 11:25:58 pfdhcplistener(5902) INFO: DHCPOFFER from 10.102.1.254 (52:54:00:cf:9a:c2) to host 00:16:cb:89:6b:50 (10.102.1.200) (main::listen_dhcp)
Mar 18 11:25:59 pfdhcplistener(5902) INFO: DHCPREQUEST from 00:16:cb:89:6b:50 (10.102.1.200) (main::listen_dhcp)
Mar 18 11:25:59 pfdhcplistener(5902) INFO: could not resolve 10.102.1.200 to mac in ARP table (pf::iplog::ip2macinarp)
Mar 18 11:26:01 pfdhcplistener(5902) INFO: resolved 10.102.1.200 to mac (00:16:cb:89:6b:50) in ARP table (pf::iplog::ip2macinarp)
Mar 18 11:26:01 pfdhcplistener(5902) INFO: 00:16:cb:89:6b:50 requested an IP. DHCP Fingerprint: OS::200 (Mac OS X). Modifying node with last_dhcp = 2011-03-18 11:26:01,dhcp_fingerprint = 1,3,6,15,119,95,252,44,46,47 (main::listen_dhcp)
Mar 18 11:26:01 pfdhcplistener(5902) INFO: DHCPACK from 10.102.1.254 (52:54:00:cf:9a:c2) to host 00:16:cb:89:6b:50 (10.102.1.200) (main::listen_dhcp)
Mar 18 11:26:33 pfsetvlan(22) INFO: ignoring unknown trap: 2011-03-18|15:26:30|UDP: [137.143.212.20]:1024|137.143.212.20|BEGIN TYPE 6 END TYPE BEGIN SUBTYPE .1 END SUBTYPE BEGIN VARIABLEBINDINGS END VARIABLEBINDINGS (main::parseTrap)
(0001954)
obilodeau   
2011-03-18 11:38   
the node has been added, authorized and the VLAN appropriately set, can I mark this bug as resolved?
(0001959)
ryacketta   
2011-03-18 13:14   
Yes, everything is working for non VoIP connections.