Expressroute Direct and Macsec

trondaker
Level 1

Hi,

Anyone ever get MACsec towards Azure up and running? We have an IOS-XE switch, and followed the configuration guide for MACsec with PSK here: https://www.cisco.com/c/en/us/td/docs/iosxr/ncs5500/security/62x/b-system-security-cg-ncs5500-62x/b-system-security-cg-ncs5500-62x_chapter_0101.html#concept_gjz_ysl_vcb

The second we enable "macsec network-link" toward Azure, the line protocol goes down, and "show mka summary" says the link is in Init mode. Nothing happens after that, and we can see no packets from the other end with debugs. The problem is the Microsoft Azure guys have had a look, and everything looks good on their end. Ideas?

18 Replies

Amplify6326
Level 1

I am having a similar issue, but upon having Microsoft enable SCI on their end the MKA is established and the status is shown as "Secured":

sh macsec mka summary
Wed Jul 28 15:38:02.371 CDT

NODE: node0_4_CPU0
========================================================================================
Interface-Name Status Cipher-Suite KeyChain PSK/EAP CKN
========================================================================================
Te0/4/0/2 Secured GCM-AES-XPN-256 KC-MACSEC-AZURE PRIMARY 1234AB
However, even though MACsec appears to be "up" at this point we aren't able to send any traffic over the link. No ARP, ping, BGP or anything. Is there something else that needs to be configured or set up?


trondaker
Level 1

What does "sh macsec interface x/x/x" say? Any invalid packets? We were seeing a lot under Receive SA stats.

Thanks for the reply trondaker. It turns out that while Microsoft Azure support had said that they had enabled SCI, they actually had not. Getting them to admit to this was very difficult. Once SCI was enabled on their equipment everything started working perfectly.

Hopefully Cisco will update their software soon and SCI can be disabled on their equipment.

Also, we were trying to use the cipher GCM-AES-XPN-256 for MACsec. We have tried to bring up ExpressRoute Direct in a second location and we were having the same trouble even after Microsoft Support had said that SCI was enabled. After further investigation with Microsoft Support they are saying that they don't support this cipher, even though their MACsec documentation says that they do. Changing the cipher to GCM-AES-256 has made these circuits function properly. It's very strange though that MACsec in our first location is working properly with the XPN cipher.

We are using 10 Gigabit circuits, and the documents from IEEE on MACsec indicate that the XPN algorithms are really only meant for circuits of 40 Gigabits and higher. So maybe that's the issue? The Microsoft documents don't indicate any such caveats however.
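For anyone trying to reproduce the combination that finally worked in this thread (PSK-based MKA, GCM-AES-256 rather than the XPN suite, SCI enabled on the Azure side), here is an added example of the router-side configuration in IOS-XR syntax, following the NCS5500 guide linked in the first post. It is not configuration posted by anyone in the thread. The key chain, policy and interface names and the CKN are hypothetical, the CAK is a placeholder, and the key-string and lifetime syntax is written from memory of that guide, so check it against the release you run.

```cisco
! Added example, not from the thread. All names and key values are placeholders.
!
! Key chain holding the pre-shared CAK. The key name (1234AB here) is the CKN and
! must be identical, as hex, to the CKN configured on the Azure ExpressRoute Direct
! link. With aes-256-cmac the CAK is 64 hex digits and must match the CAK stored in
! the Key Vault secret that the Azure link references.
key chain KC-AZURE-DIRECT macsec
 key 1234AB
  key-string password <64-hex-digit-CAK> cryptographic-algorithm aes-256-cmac
  lifetime 00:00:00 01 january 2021 infinite
!
! MKA/MACsec policy. GCM-AES-256 is the suite that brought the second circuit up in
! this thread; GCM-AES-XPN-256 negotiated on one circuit but not the other, so use a
! suite both ends actually support. must-secure drops traffic instead of falling
! back to cleartext if MKA does not reach the Secured state.
macsec-policy MP-AZURE-DIRECT
 cipher-suite GCM-AES-256
 security-policy must-secure
!
! Bind the key chain and policy to the ExpressRoute Direct port.
interface TenGigE0/4/0/2
 macsec psk-keychain KC-AZURE-DIRECT policy MP-AZURE-DIRECT
!
```

The Azure side has to be set to the same cipher and, since the thread reports that this Cisco platform cannot yet stop sending the SCI, to SCI enabled; on the Azure CLI those are the --macsec-cipher GcmAes256 and --macsec-sci-state Enabled options of az network express-route port link update (option names from memory of the ExpressRoute Direct MACsec documentation; verify against the current az help). After committing, "show macsec mka summary" should move from Init to Secured with the negotiated suite. If it shows Secured but no ARP, ping or BGP passes, look at "show macsec interface <port>" for invalid packets under the Receive SA statistics, which is the symptom this thread traced to SCI not actually being enabled on the far end.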
