KB ID 0001027
Problem
I had an ASA Active/Standby problem last week: each time I tried to make the primary firewall active, it would fail straight back. A look on the ASA told me the problem was one of the client's DMZ connections (it was stuck in a ‘waiting’ state). A ‘no monitor-interface DMZ’ command let me bring the primary ASA up active, but I had to visit the site to investigate the problem.

The firewall showed that its interface was up/up; the other end of the cable (a Cisco 3560-X) said:
GigabitEthernet0/23 is up, line protocol is down (monitoring)
Hardware is Gigabit Ethernet, address is 5087.89ed.4917 (bia 5087.89ed.4917)
Description: Uplink-To-Firewall
MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output 1d01h, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 3000 bits/sec, 2 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
0 input packets with dribble condition detected
Solution
I thought only I had ever worked on this switch, so I was confused: why could I not bring the interface up? The switch could not ping the firewall and vice versa.
Every Google I did for people with a similar problem said, ‘This port is part of a SPAN config’, but as far as I knew only I had ever configured this switch and I certainly never enabled SPAN, and if I had, it would not have been on the firewall uplink port! But just to be on the safe side I did a ‘show monitor session all’ and guess what? Someone had, so let’s turn it off:
DMZ-Switch(config)#no monitor session all
Problem solved!
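An added example (not part of the original article): a Python check that scans saved ‘show interfaces’ output for ports whose line protocol is ‘down (monitoring)’ and looks them up in saved ‘show monitor session all’ output, so an unexpected SPAN destination is reported together with the session that holds it. The sample text is constructed from the output above; the ‘show monitor session all’ layout, the session number, the source port Gi0/1 and port Gi0/22 are assumptions.

```python
import re

# Constructed sample: status lines modelled on the article's output, plus
# "show monitor session all" text in an assumed Catalyst-style layout.
SHOW_INTERFACES = """\
GigabitEthernet0/22 is up, line protocol is up (connected)
GigabitEthernet0/23 is up, line protocol is down (monitoring)
  Description: Uplink-To-Firewall
"""
SHOW_MONITOR = """\
Session 1
---------
Type                   : Local Session
Source Ports           :
    Both               : Gi0/1
Destination Ports      : Gi0/23
"""
ABBREV = {"Gi": "GigabitEthernet", "Fa": "FastEthernet", "Te": "TenGigabitEthernet"}
HEADER = re.compile(r"(\S+) is .*line protocol is (.*)")

def expand(name):
    """Turn the short port name (Gi0/23) into the long form used by 'show interfaces'."""
    m = re.match(r"([A-Za-z]+)([\d/]+)$", name.strip())
    return ABBREV.get(m.group(1), m.group(1)) + m.group(2) if m else name.strip()

def span_destinations(monitor_text):
    """Map each SPAN destination port (long name) to its session number."""
    dests, session = {}, None
    for line in monitor_text.splitlines():
        if m := re.match(r"Session (\d+)", line):
            session = int(m.group(1))
        elif m := re.match(r"Destination Ports\s*:\s*(\S.*)", line):
            for port in m.group(1).split(","):
                dests[expand(port)] = session
    return dests

def monitoring_ports(interfaces_text, monitor_text):
    """Return (interface, description, session) for every port held down by SPAN."""
    dests, found, current = span_destinations(monitor_text), [], None
    for line in interfaces_text.splitlines():
        if m := HEADER.match(line):
            current = None  # a new interface block starts here
            if "(monitoring)" in m.group(2):
                current = [m.group(1), "", dests.get(m.group(1))]
                found.append(current)
        elif current and (m := re.match(r"\s*Description:\s*(.*)", line)):
            current[1] = m.group(1).strip()
    return [tuple(f) for f in found]

print(monitoring_ports(SHOW_INTERFACES, SHOW_MONITOR))
```

A session value of None means the port reports ‘(monitoring)’ but no matching destination was found in the supplied session output.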