

Fibre Channel (SAN)

Contributor
Posts: 36
Registered: ‎02-28-2018

(SW Security Violation - SCC Policy Violation, Peer WWN not in ACL list)

Forum members,

 

We tried to merge fabrics and got the following error:

 

(SW Security Violation - SCC Policy Violation, Peer WWN not in ACL list)

 

We have checked the security policy settings, but it's looking good:

 

SAN1:FID128:tbene> fddcfg --showall
Local Switch Configuration for all Databases:-
DATABASE - Accept/Reject
---------------------------------
SCC - accept
DCC - accept
PWD - accept
FCS - accept
AUTH - accept
IPFILTER - accept

Fabric Wide Consistency Policy:- "SCC:S"

 

SAN2:gistem_func> fddcfg --showall
Local Switch Configuration for all Databases:-
DATABASE - Accept/Reject
---------------------------------
SCC - accept
DCC - accept
PWD - accept
FCS - accept
AUTH - accept
IPFILTER - accept

Fabric Wide Consistency Policy:- "SCC:S"

SAN1:FID128:tbene> secpolicyshow


____________________________________________________
ACTIVE POLICY SET
SCC_POLICY
WWN DId swName
--------------------------------------------------
10:00:00:05:1e:47:14:00 - Unknown
10:00:00:05:1e:94:e1:00 - Unknown
10:00:00:27:f8:1f:7a:b0 - Unknown
10:00:88:94:71:92:ab:e9 113 scpdcxeqw1

 

 

SAN2:tbene> secpolicyshow


____________________________________________________
ACTIVE POLICY SET
SCC_POLICY
WWN DId swName
--------------------------------------------------
10:00:00:05:1e:45:ec:00 - Unknown
10:00:00:05:1e:47:14:00 117 EA3_SW0
10:00:00:05:1e:94:e1:00 120 EA3_SW1
10:00:00:05:1e:96:61:00 - Unknown
10:00:00:05:1e:ad:12:00 - Unknown
10:00:00:27:f8:1f:7a:b0 133 dcxeqw0
10:00:88:94:71:92:ab:e9 - Unknown

 

 

We see some switches as Unknown, and they don't even have a DId (which is the domain ID, I guess). What is strange is that if we disable the port which hosts the ISL, it works for a short time period, but right after that it goes offline with the error:
"Disabled (SW Security Violation - SCC Policy Violation, Peer WWN not in ACL list)"

 

As you can see, the WWNs are added, but the missing domain IDs, I think, are not that healthy...

The mentioned switches are:

 

SAN1: X6-8 (IBM OEM) Fabric OS: v7.4.2d

SAN2: 2499-384 (Broadcom OEM) Fabric OS: v8.1.2a

Can anybody help me out with this?

 

Regards, Tamas.

External Moderator
Posts: 5,647
Registered: ‎02-23-2004

Re: (SW Security Violation - SCC Policy Violation, Peer WWN not in ACL list)

@tbene 

 

Probably not all permissions are set correctly in the "tbene" account.

 

Log in to the switch with the default "admin" account and try again.

 

 

TechHelp24
Contributor
Posts: 36
Registered: ‎02-28-2018

Re: (SW Security Violation - SCC Policy Violation, Peer WWN not in ACL list)


Hi Antonio,

 

my ID has the same rights as the admin:

 

SAN1: X6-8

 

Account name: tbene
Description:
Enabled: Yes
Password Last Change Date: Tue Mar 12 2019 (UTC)
Password Expiration Date: Mon Jun 10 2019 (UTC)
Locked: No
Home LF Role: admin
Role-LF List: admin: 1-128
Chassis Role: admin
Home LF: 128
Day Time Access: N/A

 

Account name: admin
Description: Administrator
Enabled: Yes
Password Last Change Date: Tue Mar 12 2019 (UTC)
Password Expiration Date: Mon Jun 10 2019 (UTC)
Locked: No
Home LF Role: admin
Role-LF List: admin: 1-128
Chassis Role: admin
Home LF: 128
Day Time Access: N/A

 

===================================================

 

SAN2: 2499-384

 

Account name: tbene
Description: Remote Account
Enabled: Yes
Password Last Change Date: Unknown (UTC)
Password Expiration Date: Not Applicable (UTC)
Locked: No
Role: admin
AD membership: 0-255
Home AD: 0

 

Account name: admin
Description: Administrator
Enabled: Yes
Password Last Change Date: Mon May 9 2016 (UTC)
Password Expiration Date: expired (UTC)
Locked: No
Role: admin
AD membership: 0-255
Home AD: 0
=====================================================

 

I also tried to distribute the SCC policy across the fabric, but it's not allowed due to the strict setting (SCC:S):

 

SAN1:FID128:tbene> distribute -p SCC -d "*"
Error: SCC policy cannot be distributed when configured as strict fabric wide. ( see attachment )

 

So it's quite clear that we have to do something with the SCC:S policy, but since all databases are set to accept, I don't know what the issue can be. It's also very strange that in the secpolicyshow output there is no DId and switch name for the other SAN switches. (see attachment)

 

 

How should we be able to distribute the policies to make sure we have a consistent state on all switches?

 

Any idea would be highly appreciated.

 

Regards, Tamas.

 

Let me remark that I mixed up the FOS levels in my original post, so the correct FOS levels are:

 

SAN1: X6-8 (Broadcom) Fabric OS: v8.1.2a

SAN2: 2499-384 (IBM) Fabric OS: v7.4.2d

Contributor
Posts: 36
Registered: ‎02-28-2018

Re: (SW Security Violation - SCC Policy Violation, Peer WWN not in ACL list)

Let me share our lesson learned here:

 

Even though a switch is in Unknown status in the SCC_POLICY, the SCC_POLICY must contain it on all switches in the fabric. In our case the issue was that on the new switch, switches were missing from the WWN list, even though they are not part of the fabric anymore.

 

SAN1:FID128:tbene> secpolicyshow


____________________________________________________
ACTIVE POLICY SET
SCC_POLICY
WWN DId swName
--------------------------------------------------
10:00:00:05:1e:47:14:00 - Unknown
10:00:00:05:1e:94:e1:00 - Unknown
10:00:00:27:f8:1f:7a:b0 - Unknown
10:00:88:94:71:92:ab:e9 113 scpdcxeqw1

 

SAN2:tbene> secpolicyshow


____________________________________________________
ACTIVE POLICY SET
SCC_POLICY
WWN DId swName
--------------------------------------------------
10:00:00:05:1e:45:ec:00 - Unknown
10:00:00:05:1e:47:14:00 117 EA3_SW0
10:00:00:05:1e:94:e1:00 120 EA3_SW1
10:00:00:05:1e:96:61:00 - Unknown
10:00:00:05:1e:ad:12:00 - Unknown
10:00:00:27:f8:1f:7a:b0 133 dcxeqw0
10:00:88:94:71:92:ab:e9 - Unknown

 

So we added 10:00:00:05:1e:45:ec:00, 10:00:00:05:1e:96:61:00 and 10:00:00:05:1e:ad:12:00 (we would not like to delete them, but they will be removed soon), and after a portdisable/portenable the ISL came alive.

 

The SCC_POLICY must be consistent on all switches in the fabric, even if there is a "hanging" WWN in the list.

 

Regards, Tamas.
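A pre-merge check for the condition described in this thread, as an added example that is not part of the original posts: it parses the two secpolicyshow captures quoted above, compares the active SCC_POLICY member sets by WWN only (the DId and swName columns are just lookups of whether the member is currently in the fabric, which is why they read "-" and "Unknown" for hanging WWNs), and reports which WWNs each switch is missing relative to the union. The remediation lines it suggests use secpolicyadd/secpolicyactivate with the syntax the example assumes for Fabric OS; verify them against the Fabric OS Command Reference for your release before running them on a switch.

```python
"""Compare active SCC_POLICY member sets across Brocade FOS switches.

Added example; not code from the forum thread. The two captures below
are the secpolicyshow outputs posted in the thread, embedded as sample
input so the script runs offline. Real captures may also contain a
DEFINED POLICY SET and other policies (DCC_POLICY, FCS_POLICY); the
parser keeps them apart and only the ACTIVE SCC_POLICY is compared.
"""
import re
from typing import Dict, List, Set

# Sample input: the two secpolicyshow captures from the thread.
SAN1_OUTPUT = """\
____________________________________________________
ACTIVE POLICY SET
SCC_POLICY
WWN DId swName
--------------------------------------------------
10:00:00:05:1e:47:14:00 - Unknown
10:00:00:05:1e:94:e1:00 - Unknown
10:00:00:27:f8:1f:7a:b0 - Unknown
10:00:88:94:71:92:ab:e9 113 scpdcxeqw1
"""

SAN2_OUTPUT = """\
____________________________________________________
ACTIVE POLICY SET
SCC_POLICY
WWN DId swName
--------------------------------------------------
10:00:00:05:1e:45:ec:00 - Unknown
10:00:00:05:1e:47:14:00 117 EA3_SW0
10:00:00:05:1e:94:e1:00 120 EA3_SW1
10:00:00:05:1e:96:61:00 - Unknown
10:00:00:05:1e:ad:12:00 - Unknown
10:00:00:27:f8:1f:7a:b0 133 dcxeqw0
10:00:88:94:71:92:ab:e9 - Unknown
"""

# One member line: <WWN> <DId or -> <switch name or Unknown>
WWN_RE = re.compile(r"^([0-9a-f]{2}(?::[0-9a-f]{2}){7})\s+(\S+)\s+(\S+)\s*$", re.I)


def parse_policy_sets(text: str) -> Dict[str, Dict[str, Dict[str, dict]]]:
    """Return {"ACTIVE"/"DEFINED": {"<NAME>_POLICY": {wwn: {"did", "name"}}}}."""
    sets: Dict[str, Dict[str, Dict[str, dict]]] = {}
    current_set = None
    current_policy = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("POLICY SET"):          # "ACTIVE POLICY SET" / "DEFINED POLICY SET"
            current_set = line.split()[0]
            current_policy = None
            continue
        if line.endswith("_POLICY") and current_set:
            current_policy = line
            sets.setdefault(current_set, {}).setdefault(current_policy, {})
            continue
        m = WWN_RE.match(line)
        if m and current_set and current_policy:
            wwn, did, name = m.groups()
            sets[current_set][current_policy][wwn.lower()] = {
                "did": None if did == "-" else int(did),   # "-" means not in this fabric
                "name": name,                              # "Unknown" for hanging WWNs
            }
    return sets


def active_scc_members(text: str) -> Set[str]:
    """WWNs in the ACTIVE SCC_POLICY of one switch (empty set if none is active)."""
    return set(parse_policy_sets(text).get("ACTIVE", {}).get("SCC_POLICY", {}))


def scc_inconsistencies(captures: Dict[str, str]) -> Dict[str, Set[str]]:
    """Per switch: WWNs present in some other switch's active SCC_POLICY but not in its own.

    With the fabric-wide consistency policy set to strict (SCC:S) any such
    difference will segment the ISL, so every value here should be empty
    before the fabrics are merged.
    """
    members = {sw: active_scc_members(txt) for sw, txt in captures.items()}
    union: Set[str] = set().union(*members.values())
    return {sw: union - wwns for sw, wwns in members.items()}


def remediation_commands(missing: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Suggested FOS commands per switch that is missing members (assumed syntax)."""
    cmds: Dict[str, List[str]] = {}
    for sw, wwns in missing.items():
        if wwns:
            # Assumed Fabric OS syntax: secpolicyadd "SCC_POLICY", "wwn1;wwn2"; check the
            # Command Reference for your release before running.
            cmds[sw] = [f'secpolicyadd "SCC_POLICY", "{";".join(sorted(wwns))}"',
                        "secpolicyactivate"]
    return cmds


if __name__ == "__main__":
    missing = scc_inconsistencies({"SAN1": SAN1_OUTPUT, "SAN2": SAN2_OUTPUT})
    for sw, wwns in missing.items():
        print(f"{sw}: {'consistent' if not wwns else 'missing ' + ', '.join(sorted(wwns))}")
    for sw, cmds in remediation_commands(missing).items():
        print(f"on {sw}:")
        for c in cmds:
            print("  " + c)
```

Run against the thread's captures it reports SAN1 as missing exactly the three WWNs the author ended up adding and SAN2 as consistent. Comparing by WWN rather than by the DId/swName columns is deliberate: those columns change as switches join or leave, while the policy members are what SCC:S enforces.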

 
