03-16-2020 05:53 AM
Hi,
Anyone ever get MACsec towards Azure up and running? We have an IOS-XE switch, and followed the configuration guide for MACsec with PSK here: https://www.cisco.com/c/en/us/td/docs/iosxr/ncs5500/security/62x/b-system-security-cg-ncs5500-62x/b-system-security-cg-ncs5500-62x_chapter_0101.html#concept_gjz_ysl_vcb
The second we enable "macsec network-link" toward Azure, the line protocol goes down, and show mka summary says the link is in Init mode. Nothing happens after that, and we can see no packets from the other end with debugs. Problem is the Microsoft Azure guys have had a look, and everything looks good on their end. Ideas?
03-19-2020 07:55 AM
I'm a bit of a novice at cloud connectivity, but who/how are you getting connectivity into Azure? Are you peering with them directly or via some third party like Megaport?
Regards,
Jason.
03-19-2020 10:30 AM
Microsoft offers a direct connection called ExpressRoute Direct, and on that type of connection you can get MACsec. Just not quite sure how to troubleshoot this when I don't have control of the other end. Can't see anything in the logs relating to a wrong PSK or anything like that; what else can I do on my end to troubleshoot?
03-19-2020 05:35 PM
So with this you get a direct circuit to Azure like they physically give you a cable/handoff? So it's L1 all the way to their service?
03-19-2020 11:17 PM
Yup
04-05-2020 10:22 PM
Hey,
Did anyone find any resolution with this?
04-05-2020 10:44 PM
Not yet, still an ongoing case with MS support. They seem to have found some issues on their end, but we're not rocking MACsec yet :( I'll update as soon as we get a cause.
04-07-2020 02:37 AM
So this is a WAN MACsec implementation then? Is that supported in MS with the 802.1Q header in the clear, or have I misunderstood your setup?
02-02-2021 12:42 AM
Hello. I'm interested to have a status on this topic. Is it finally working?
02-02-2021 12:46 AM
No, we have the session up, but it is not actually forwarding traffic. This is just a weird issue, but hopefully we are having a maintenance window this week; will update at that point.
02-22-2021 09:22 AM
Azure uses a Juniper box - had to enable SCI on the Juniper
Cause:
In this situation, the 'include-sci' is 'yes' by default on the Cisco switch, while it is optional for Juniper.
Solution:
Add 'include-sci' on the Juniper Router MACSEC configuration as follows:
#set security macsec connectivity-association connectivity-association-name include-sci
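To show what the include-sci setting changes on the wire, here is an added example (not code from this thread, nor from Cisco or Juniper) that parses the IEEE 802.1AE SecTAG at the start of a MACsec frame and reports whether the SC bit is set and an explicit 8-byte SCI follows the packet number. The MAC addresses, port id and frame bytes are constructed for the example, and check_sci_expectation is a hypothetical helper that compares a received frame against the local include-sci expectation, the kind of check a packet capture on the link would let you make.

```python
"""Parse the 802.1AE SecTAG of a MACsec frame and report SCI presence.

Added example for the thread above; the frames below are constructed.
"""
import struct

MACSEC_ETHERTYPE = 0x88E5  # IEEE 802.1AE EtherType

# Constructed sample addresses (not from the thread)
SRC_MAC = bytes.fromhex("001122334455")
DST_MAC = bytes.fromhex("66778899aabb")
PORT_ID = b"\x00\x01"  # port identifier half of the SCI


def parse_sectag(frame: bytes) -> dict:
    """Return the SecTAG fields of a frame laid out as MACs + SecTAG + data.

    After the 12-byte destination/source MACs:
      EtherType 0x88E5 (2 bytes)
      TCI/AN    (1 byte): V ES SC SCB E C bits, then AN (2 bits)
      SL        (1 byte): short length
      PN        (4 bytes): packet number
      SCI       (8 bytes, only when SC=1): 6-byte system id + 2-byte port id
    When SC is clear the receiver has to infer the SCI from the source MAC and
    its MKA state, which is why both ends must agree on include-sci.
    """
    if len(frame) < 20:
        raise ValueError("frame too short for a SecTAG")
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype != MACSEC_ETHERTYPE:
        raise ValueError(f"not a MACsec frame (EtherType 0x{ethertype:04x})")
    tci_an = frame[14]
    fields = {
        "version": (tci_an >> 7) & 1,
        "end_station": (tci_an >> 6) & 1,
        "sci_present": bool((tci_an >> 5) & 1),
        "scb": (tci_an >> 4) & 1,
        "encrypted": bool((tci_an >> 3) & 1),
        "changed_text": bool((tci_an >> 2) & 1),
        "an": tci_an & 0x3,
        "short_length": frame[15],
        "packet_number": struct.unpack_from("!I", frame, 16)[0],
        "sci": None,
        "sectag_length": 8,
    }
    if fields["sci_present"]:
        if len(frame) < 28:
            raise ValueError("SC bit set but frame too short to carry the SCI")
        fields["sci"] = frame[20:28].hex()
        fields["sectag_length"] = 16
    return fields


def make_frame(include_sci: bool, pn: int = 1, an: int = 0) -> bytes:
    """Build a constructed MACsec frame: MACs, SecTAG, placeholder secure data."""
    tci = 0x08 | 0x04  # E=1 (encrypted) and C=1 (changed text)
    if include_sci:
        tci |= 0x20  # SC=1: explicit SCI follows the packet number
    tci_an = tci | (an & 0x3)
    sectag = struct.pack("!HBBI", MACSEC_ETHERTYPE, tci_an, 0, pn)
    if include_sci:
        sectag += SRC_MAC + PORT_ID
    payload = b"\x00" * 16  # constructed stand-in for ciphertext + ICV
    return DST_MAC + SRC_MAC + sectag + payload


def check_sci_expectation(frame: bytes, expect_sci: bool) -> str:
    """Compare the SC bit of a received frame with the local include-sci setting."""
    tag = parse_sectag(frame)
    if tag["sci_present"] == expect_sci:
        return "ok"
    if tag["sci_present"]:
        return "mismatch: peer sends an explicit SCI but local side does not expect one"
    return "mismatch: local side expects an explicit SCI but peer omits it"


if __name__ == "__main__":
    for with_sci in (True, False):
        tag = parse_sectag(make_frame(include_sci=with_sci))
        print(f"include-sci={with_sci}: {tag}")
    # A Cisco side that always expects the SCI, facing a peer that omits it:
    print(check_sci_expectation(make_frame(include_sci=False), expect_sci=True))
```

The last line in the usage block models the situation in this thread: the Cisco end cannot turn include-sci off, so a peer that leaves the SC bit clear produces frames with an 8-byte shorter SecTAG than the receiver expects, and the check reports the mismatch.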
02-22-2021 11:08 PM
Thanks for your suggestion, have fired it off to Microsoft now, and we will try in the next maintenance window (has taken forever this
07-19-2021 03:18 AM
Hi @trondaker. I was wondering if this was resolved for you. Were the Microsoft guys able to configure this and did it solve your problem?
07-19-2021 05:44 AM
Hi @leon.teheux - yea, MS engineering enabled SCI on their end and everything worked as expected. Cisco confirmed that they do not have an option to disable it on their end.