Brocade Fibre Channel Networking Community


(SW Security Violation - SCC Policy Violation, Peer WWN not in ACL list)

  • 1.  (SW Security Violation - SCC Policy Violation, Peer WWN not in ACL list)

    Posted 04-13-2019 06:17 AM

    Forum members,

    we are trying to merge fabrics and got the following error:

    (SW Security Violation - SCC Policy Violation, Peer WWN not in ACL list)

    We have checked the security policy settings, but they look good:

    SAN1:FID128:tbene> fddcfg --showall
    Local Switch Configuration for all Databases:-
    DATABASE - Accept/Reject
    ---------------------------------
    SCC - accept
    DCC - accept
    PWD - accept
    FCS - accept
    AUTH - accept
    IPFILTER - accept

    Fabric Wide Consistency Policy:- "SCC:S"

    SAN2:gistem_func> fddcfg --showall
    Local Switch Configuration for all Databases:-
    DATABASE - Accept/Reject
    ---------------------------------
    SCC - accept
    DCC - accept
    PWD - accept
    FCS - accept
    AUTH - accept
    IPFILTER - accept

    Fabric Wide Consistency Policy:- "SCC:S"

    SAN1:FID128:tbene> secpolicyshow


    ____________________________________________________
    ACTIVE POLICY SET
    SCC_POLICY
    WWN DId swName
    --------------------------------------------------
    10:00:00:05:1e:47:14:00 - Unknown
    10:00:00:05:1e:94:e1:00 - Unknown
    10:00:00:27:f8:1f:7a:b0 - Unknown
    10:00:88:94:71:92:ab:e9 113 scpdcxeqw1

    SAN2:tbene> secpolicyshow


    ____________________________________________________
    ACTIVE POLICY SET
    SCC_POLICY
    WWN DId swName
    --------------------------------------------------
    10:00:00:05:1e:45:ec:00 - Unknown
    10:00:00:05:1e:47:14:00 117 EA3_SW0
    10:00:00:05:1e:94:e1:00 120 EA3_SW1
    10:00:00:05:1e:96:61:00 - Unknown
    10:00:00:05:1e:ad:12:00 - Unknown
    10:00:00:27:f8:1f:7a:b0 133 dcxeqw0
    10:00:88:94:71:92:ab:e9 - Unknown

    We see some switches as unknown and they don't even have a DId (which is the domain ID, I guess). What is strange is that if we disable the port which hosts the ISL, it works for a short time period, but right after that it goes offline with the error:
    "Disabled (SW Security Violation - SCC Policy Violation, Peer WWN not in ACL list)"

    As you can see the WWNs are added, but the missing domain ID is, I think, not that healthy...

    Mentioned switches are:

    SAN1: X6-8 (IBM OEM) Fabric OS: v7.4.2d

    SAN2: 2499-384 (Broadcom OEM) Fabric OS: v8.1.2a

    Can anybody help me out with this?

    Regards, Tamas.


    #BrocadeFibreChannelNetworkingCommunity


  • 2.  Re: (SW Security Violation - SCC Policy Violation, Peer WWN not in ACL list)

    Posted 04-13-2019 10:19 AM

    @Tamas Bene

    Probably not all permissions are set correctly in the "tbene" account.

    Log in to the switch with the default "admin" account and try again.




  • 3.  Re: (SW Security Violation - SCC Policy Violation, Peer WWN not in ACL list)

    Posted 04-13-2019 02:33 PM

    Hi Antonio,

    my ID has the same rights as the admin:

    SAN1: X6-8

    Account name: tbene
    Description:
    Enabled: Yes
    Password Last Change Date: Tue Mar 12 2019 (UTC)
    Password Expiration Date: Mon Jun 10 2019 (UTC)
    Locked: No
    Home LF Role: admin
    Role-LF List: admin: 1-128
    Chassis Role: admin
    Home LF: 128
    Day Time Access: N/A

    Account name: admin
    Description: Administrator
    Enabled: Yes
    Password Last Change Date: Tue Mar 12 2019 (UTC)
    Password Expiration Date: Mon Jun 10 2019 (UTC)
    Locked: No
    Home LF Role: admin
    Role-LF List: admin: 1-128
    Chassis Role: admin
    Home LF: 128
    Day Time Access: N/A

    ===================================================

    SAN2: 2499-384

    Account name: tbene
    Description: Remote Account
    Enabled: Yes
    Password Last Change Date: Unknown (UTC)
    Password Expiration Date: Not Applicable (UTC)
    Locked: No
    Role: admin
    AD membership: 0-255
    Home AD: 0

    Account name: admin
    Description: Administrator
    Enabled: Yes
    Password Last Change Date: Mon May 9 2016 (UTC)
    Password Expiration Date: expired (UTC)
    Locked: No
    Role: admin
    AD membership: 0-255
    Home AD: 0
    =====================================================

    I also tried to distribute the SCC policy across the fabric, but it's not allowed due to the strict setting (SCC:S):

    SAN1:FID128:tbene> distribute -p SCC -d "*"
    Error: SCC policy cannot be distributed when configured as strict fabric wide. (see attachment)

    So it's quite clear that we have to do something with the SCC:S policy, but since all databases are allowed to be accepted, I don't know what the issue can be. Also it's very strange that in the secpolicyshow output there is no DId and switch name for the other SAN switches. (see attachment)

    How should we be able to distribute the policies to make sure we have a consistent state on all switches?

    Any idea would be highly appreciated.

    Regards, Tamas.

    Let me remark that I mixed up the FOS levels in my original post, so the correct FOS levels are:

    SAN1: X6-8 (Broadcom) Fabric OS: v8.1.2a

    SAN2: 2499-384 (IBM) Fabric OS: v7.4.2d




  • 4.  Re: (SW Security Violation - SCC Policy Violation, Peer WWN not in ACL list)

    Posted 04-15-2019 07:42 AM

    Let me share our lesson learned here:

    Even though a switch shows as Unknown in the SCC_POLICY, all switches in the fabric must contain it. In our case the issue was that on the new switch, some switches were missing from the WWN list, even though they are not part of the fabric anymore.

    SAN1:FID128:tbene> secpolicyshow


    ____________________________________________________
    ACTIVE POLICY SET
    SCC_POLICY
    WWN DId swName
    --------------------------------------------------
    10:00:00:05:1e:47:14:00 - Unknown
    10:00:00:05:1e:94:e1:00 - Unknown
    10:00:00:27:f8:1f:7a:b0 - Unknown
    10:00:88:94:71:92:ab:e9 113 scpdcxeqw1

    SAN2:tbene> secpolicyshow


    ____________________________________________________
    ACTIVE POLICY SET
    SCC_POLICY
    WWN DId swName
    --------------------------------------------------
    10:00:00:05:1e:45:ec:00 - Unknown
    10:00:00:05:1e:47:14:00 117 EA3_SW0
    10:00:00:05:1e:94:e1:00 120 EA3_SW1
    10:00:00:05:1e:96:61:00 - Unknown
    10:00:00:05:1e:ad:12:00 - Unknown
    10:00:00:27:f8:1f:7a:b0 133 dcxeqw0
    10:00:88:94:71:92:ab:e9 - Unknown

    so we added 10:00:00:05:1e:45:ec:00, 10:00:00:05:1e:96:61:00 and 10:00:00:05:1e:ad:12:00 (we wouldn't like to delete them, but they will be removed soon) and after portdisable/portenable, the ISL came alive.

    SCC_POLICY must be consistent on all switches in the fabric, even if there is a "hanging" WWN in the list.

    Regards, Tamas.


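A consistency check for the situation in this thread, added here as an example; it is not part of Tamas's posts and not a Fabric OS tool. It parses the `secpolicyshow` output of each switch (the two outputs quoted above are embedded as constructed sample input), takes the union of all SCC_POLICY WWNs, and reports per switch the entries that are missing from its own ACL, which is exactly what disabled the ISL here. It also reads the `Fabric Wide Consistency Policy` value from `fddcfg --showall` and flags `SCC:S` (strict), the case in which `distribute -p SCC` is refused and the lists have to be repaired on each switch. Two assumptions that the page does not confirm: that `secpolicyshow` may also print a `DEFINED POLICY SET` section after the active one (rows there are ignored), and that several databases in the consistency-policy string are separated by `;`.

```python
import re
from typing import Dict, Optional, Set

# Constructed sample input: the two secpolicyshow outputs quoted in the thread.
SAN1_SECPOLICYSHOW = """\
____________________________________________________
ACTIVE POLICY SET
SCC_POLICY
WWN DId swName
--------------------------------------------------
10:00:00:05:1e:47:14:00 - Unknown
10:00:00:05:1e:94:e1:00 - Unknown
10:00:00:27:f8:1f:7a:b0 - Unknown
10:00:88:94:71:92:ab:e9 113 scpdcxeqw1
"""

SAN2_SECPOLICYSHOW = """\
____________________________________________________
ACTIVE POLICY SET
SCC_POLICY
WWN DId swName
--------------------------------------------------
10:00:00:05:1e:45:ec:00 - Unknown
10:00:00:05:1e:47:14:00 117 EA3_SW0
10:00:00:05:1e:94:e1:00 120 EA3_SW1
10:00:00:05:1e:96:61:00 - Unknown
10:00:00:05:1e:ad:12:00 - Unknown
10:00:00:27:f8:1f:7a:b0 133 dcxeqw0
10:00:88:94:71:92:ab:e9 - Unknown
"""

# Constructed sample input: the relevant line of the fddcfg --showall output quoted above.
SAN1_FDDCFG_LINE = 'Fabric Wide Consistency Policy:- "SCC:S"'

# One SCC_POLICY row: WWN, domain ID ("-" when the switch is not in the fabric), switch name.
ROW_RE = re.compile(r"^([0-9a-f]{2}(?::[0-9a-f]{2}){7})\s+(\d+|-)\s+(\S+)$", re.IGNORECASE)


def parse_scc_policy(text: str) -> Dict[str, dict]:
    """WWN -> {"did": int|None, "name": str} for the ACTIVE SCC_POLICY section only."""
    # Assumption: secpolicyshow can also print a "DEFINED POLICY SET" after the active one;
    # its rows are skipped so that only the enforced ACL is compared.
    entries: Dict[str, dict] = {}
    in_active = in_scc = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "ACTIVE POLICY SET":
            in_active, in_scc = True, False
        elif line == "DEFINED POLICY SET":
            in_active = in_scc = False
        elif in_active and line.endswith("_POLICY"):   # SCC_POLICY, DCC_POLICY, ...
            in_scc = line == "SCC_POLICY"
        elif in_active and in_scc:
            m = ROW_RE.match(line)
            if m:
                wwn, did, name = m.groups()
                entries[wwn.lower()] = {"did": None if did == "-" else int(did), "name": name}
    return entries


def scc_inconsistencies(policies: Dict[str, Dict[str, dict]]) -> Dict[str, Set[str]]:
    """Per switch, the WWNs present in some other switch's SCC_POLICY but absent from its own."""
    union: Set[str] = set()
    for acl in policies.values():
        union |= set(acl)
    return {switch: union - set(acl) for switch, acl in policies.items()}


def fabric_wide_policy(fddcfg_text: str) -> Optional[str]:
    """The quoted value of the 'Fabric Wide Consistency Policy' line, e.g. 'SCC:S'."""
    m = re.search(r'Fabric Wide Consistency Policy:-\s*"([^"]*)"', fddcfg_text)
    return m.group(1) if m else None


def is_strict(policy: str, database: str = "SCC") -> bool:
    """True when the database is enforced strictly ("SCC:S"), which blocks 'distribute -p SCC'."""
    # Assumption: several databases are listed separated by ';', e.g. "DCC;SCC:S".
    for token in policy.split(";"):
        name, _, mode = token.strip().partition(":")
        if name.upper() == database.upper():
            return mode.upper() == "S"
    return False


def report(policies: Dict[str, Dict[str, dict]], fddcfg_text: str):
    """Human-readable findings: strict-mode warning plus the missing WWNs per switch."""
    lines = []
    pol = fabric_wide_policy(fddcfg_text) or ""
    if is_strict(pol):
        lines.append(f"consistency policy {pol!r}: SCC is strict, repair each switch's ACL by hand")
    for switch, missing in sorted(scc_inconsistencies(policies).items()):
        if missing:
            lines.append(f"{switch}: missing from SCC_POLICY: {', '.join(sorted(missing))}")
        else:
            lines.append(f"{switch}: SCC_POLICY contains every WWN seen in the fabric")
    return lines


if __name__ == "__main__":
    acls = {"SAN1": parse_scc_policy(SAN1_SECPOLICYSHOW),
            "SAN2": parse_scc_policy(SAN2_SECPOLICYSHOW)}
    print("\n".join(report(acls, SAN1_FDDCFG_LINE)))
```

Run against the outputs quoted in the thread, the report names the three WWNs that SAN1 lacked (the ones Tamas added by hand) and states that SAN2 is complete; in a real fabric you would paste each switch's `secpolicyshow` output into the dictionary before any ISL is enabled, so that the mismatch is caught before it disables a link.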