[c-nsp] Port-security and high-availability issue on Cat 4K
Rubens Kuhl Jr.
rubens at email.com
Tue Feb 15 13:22:15 EST 2005
I'm having issues with port-security on Cat 4K in a high-availability scenario.
All servers have two NICs, configured to fail-over teaming, active-standby; a virtual MAC is created by the NIC driver.
All servers are connected to two Catalyst 4506 switches; the switch where standby NICs are connected is identically configured to the one where active NICs are connected. There is a port-channel of multiple ports linking both switches.
Port-security is configured on learning mode, with 1 maximum MAC-address.
In a normal situation, a server's MAC-address appears on the #1 switch as a static entry directed to the connected port. On switch #2, it appears as a dynamic entry pointed to the port-channel. So far, so good.
If NIC #1 fails, the static entry on switch #1 is quickly removed, but the dynamic entry on switch #2 keeps up, preventing another entry with that MAC from being created on switch #2. After some time (5 minutes, in most tests), switch #2 shows a static entry to the connected port, switch #1 shows a dynamic entry pointed to the trunk, and traffic resumes flowing.
If NIC #1 becomes operational again, fail-back on switch #1 goes OK: a static entry is recreated to the connected port. On switch #2, the static entry keeps up, but the port no longer responds. All traffic that comes through this switch to the server is dropped.
A similar scenario with Cat 6K switches runs fine, failing-over and failing-back just fine.
Anything that can be tuned on Cat 4K to better perform on such a scenario?
Rubens