10145 Views | 5 Helpful | 18 Replies

Expressroute Direct and Macsec

trondaker
Level 1

Hi,

 

Anyone ever get MACsec towards Azure up and running? We have an IOS-XE switch, and followed the configuration guide for MACsec with PSK here: https://www.cisco.com/c/en/us/td/docs/iosxr/ncs5500/security/62x/b-system-security-cg-ncs5500-62x/b-system-security-cg-ncs5500-62x_chapter_0101.html#concept_gjz_ysl_vcb

 

The second we enable "macsec network-link" toward Azure, the line protocol goes down, and "show mka summary" says the link is in Init mode. Nothing happens after that, and we can see no packets from the other end with debugs. The problem is the Microsoft Azure guys have had a look, and everything looks good on their end. Ideas?

Accepted Solution

Azure uses a Juniper box - had to enable SCI on Juniper

Cause:

In this situation, the 'include-sci' is 'yes' by default on the Cisco switch, while it is optional for Juniper.

Solution:

Add 'include-sci' on the Juniper Router MACsec configuration as follows:

#set security macsec connectivity-association connectivity-association-name include-sci

18 Replies

Jason Leschnik
Cisco Employee

I'm a bit of a novice at cloud connectivity, but who/how are you getting connectivity into Azure? Are you peering with them directly or via some third party like Megaport?

Regards,

Jason.


Microsoft offers a direct connection called ExpressRoute Direct, and on that type of connection you can get MACsec. Just not quite sure how to troubleshoot this when I don't have control of the other end. Can't see anything in the logs relating to wrong PSK or anything like that; what else can I do on my end to troubleshoot?

So with this you get a direct circuit to Azure like they physically give you a cable/handoff? So it's L1 all the way to their service?

Yup

mdshohel.dewan
Level 1

Hey, 

Did anyone find any resolution with this?

Not yet, still an ongoing case with MS support. They seem to have found some issues on their end, but we're not rocking MACsec yet :( I'll update as soon as we get a cause.

Well, I am trying to run MACsec to Azure ExpressRoute. Connection overview is AZURE CIRCUIT ---> Nexus 9K ---> ASR1000 Router. The Cisco ASR1000 Router is running MACsec; however, it appears to be having an issue at the Init stage.

So this is a WAN MACsec implementation then? Is that supported in MS with the 802.1Q header in the clear, or have I misunderstood your setup?

jrenaudi
Cisco Employee

Hello. I'm interested to have a status on this topic. Is it finally working?

No, we have the session up, but not actually forwarding traffic. This is just a weird issue, but hopefully we are having a maintenance window this week, will update at that point.


Thanks for your suggestion, have fired it off to Microsoft now, and we will try in the next maintenance window (has taken forever this)

Hi @trondaker. I was wondering if this was resolved for you. Were the Microsoft guys able to configure this, and did it solve your problem?

Hi @leon.teheux - yea, MS engineering enabled SCI on their end and everything worked as expected. Cisco confirmed that they do not have an option to disable on their end.
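The accepted solution and the final reply both come down to one wire-format detail: whether the 8-byte Secure Channel Identifier (SCI) is carried explicitly in every MACsec frame's SecTAG, which is what the Juniper 'include-sci' knob controls and what the Cisco side always sends. The following is an added example, not code from the thread, Cisco or Juniper. It builds and parses the IEEE 802.1AE SecTAG in both forms (SC bit set with an explicit SCI, or SC bit clear with the ES bit signalling an SCI implied from the source MAC and port 00-01) and models a strict receiver that only accepts explicit-SCI frames, so an operator can see why two peers that disagree on this setting can have a control-plane session up while no data passes. The bit positions follow 802.1AE-2006 (V, ES, SC, SCB, E, C, AN); the MAC and port values, and the strict-receiver policy itself, are constructed for illustration. The example does not model MKA.

```python
"""Added example: explicit vs implied SCI in the IEEE 802.1AE SecTAG.

Not code from the thread or from Cisco/Juniper. Sample MAC addresses and
the strict-receiver policy are constructed for illustration.
"""
import struct

MACSEC_ETHERTYPE = 0x88E5  # EtherType that introduces the SecTAG

# TCI/AN octet layout per IEEE 802.1AE-2006: V ES SC SCB E C AN AN
TCI_V = 0x80    # version bit (must be 0 for 802.1AE-2006 frames)
TCI_ES = 0x40   # End Station: SCI implied = source MAC + port 00-01
TCI_SC = 0x20   # SCI explicitly present (8 bytes follow the PN)
TCI_SCB = 0x10  # Single Copy Broadcast (EPON); not used here
TCI_E = 0x08    # payload encrypted
TCI_C = 0x04    # payload changed (ICV covers encrypted data)
AN_MASK = 0x03  # Association Number (0..3)


def build_sectag(an, pn, sci=None, short_length=0, encrypted=True):
    """Return SecTAG bytes. With sci=None the sender leaves the SCI out
    (what a Juniper CA without 'include-sci' does) and sets ES instead."""
    if not 0 <= an <= 3:
        raise ValueError("AN must be 0..3")
    if not 0 <= pn <= 0xFFFFFFFF:
        raise ValueError("PN is a 32-bit packet number")
    tci = 0  # V=0
    if encrypted:
        tci |= TCI_E | TCI_C
    if sci is None:
        tci |= TCI_ES
        tail = b""
    else:
        if len(sci) != 8:
            raise ValueError("SCI is 8 bytes: 6-byte MAC + 2-byte port id")
        tci |= TCI_SC
        tail = sci
    return struct.pack("!HBBI", MACSEC_ETHERTYPE, tci | an, short_length, pn) + tail


def parse_sectag(frame, src_mac=None):
    """Parse a SecTAG at the start of `frame`.

    Returns (info, tag_length). info["sci"] is the explicit SCI when the
    SC bit is set, the implied SCI (src_mac + 00-01) when ES is set and the
    caller supplies the Ethernet source MAC, else None."""
    if len(frame) < 8:
        raise ValueError("truncated SecTAG")
    ethertype, tci_an, sl, pn = struct.unpack("!HBBI", frame[:8])
    if ethertype != MACSEC_ETHERTYPE:
        raise ValueError("not a MACsec frame")
    if tci_an & TCI_V:
        raise ValueError("unsupported SecTAG version")
    info = {
        "an": tci_an & AN_MASK,
        "pn": pn,
        "short_length": sl,
        "encrypted": bool(tci_an & TCI_E),
        "sci_explicit": bool(tci_an & TCI_SC),
        "sci": None,
    }
    length = 8
    if info["sci_explicit"]:
        if len(frame) < 16:
            raise ValueError("SC bit set but SCI missing")
        info["sci"] = frame[8:16]
        length = 16
    elif tci_an & TCI_ES and src_mac is not None:
        if len(src_mac) != 6:
            raise ValueError("source MAC is 6 bytes")
        info["sci"] = src_mac + b"\x00\x01"
    return info, length


def strict_receiver_accepts(frame):
    """Constructed model of a receiver that insists on an explicit SCI
    (the Cisco side in the thread always includes it and cannot disable it).
    Returns True only when the SC bit is set and the SCI is present."""
    try:
        info, _ = parse_sectag(frame)
    except ValueError:
        return False
    return info["sci_explicit"]


if __name__ == "__main__":
    # Constructed sample values, not from the thread.
    mac = bytes.fromhex("001122334455")
    with_sci = build_sectag(an=1, pn=42, sci=mac + b"\x00\x01")
    without_sci = build_sectag(an=1, pn=42)
    for name, frame in (("include-sci", with_sci), ("no include-sci", without_sci)):
        info, n = parse_sectag(frame, src_mac=mac)
        print(f"{name}: {n}-byte SecTAG, SCI {info['sci'].hex()}, "
              f"explicit={info['sci_explicit']}, strict receiver accepts="
              f"{strict_receiver_accepts(frame)}")
```

Both frames identify the same secure channel once the implied SCI is derived, which is why the mismatch is not visible as a key or identity error; it only shows up as one side never accepting the other's data frames. Comparing the SecTAG length (8 versus 16 bytes) in a capture on the local side against what the peer expects is the quickest way to confirm the setting on both ends agrees.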