AWS Direct Connect - MACSEC - C9500-24Y4C - Not working- Status: INIT

Nilay Patel
Level 1

TEST-N-C9500-SW1#sh mka sessions

Total MKA Sessions....... 1
Secured Sessions... 0
Pending Sessions... 1

====================================================================================================
Interface Local-TxSCI Policy-Name Inherited Key-Server
Port-ID Peer-RxSCI MACsec-Peers Status CKN
====================================================================================================
Twe1/0/6 8054.8f2e.ac07/000d MACSEC-AWS NO YES
13 8054.8f2e.ac07/0000 0 Init 56B1B770EE773A0078F6BB10C4A761B6B3DDFC2D3EC6EB34577F473C4184DCCD


TEST-N-C9500-SW1#sh mka sessions detail

MKA Detailed Status for MKA Session
===================================
Status: INITIALIZING - Searching for Peer (Waiting to receive first Peer MKPDU)

Local Tx-SCI............. 8054.8f2e.ac07/000d
Interface MAC Address.... 8054.8f2e.ac07
MKA Port Identifier...... 13
Interface Name........... TwentyFiveGigE1/0/6
Audit Session ID.........
CAK Name (CKN)........... 56B1B770EE773A0078F6BB10C4A761B6B3DDFC2D3EC6EB34577F473C4184DCCD
Member Identifier (MI)... D78DE38F236C4C816D1A7453
Message Number (MN)...... 873
EAP Role................. NA
Key Server............... YES
MKA Cipher Suite......... AES-256-CMAC

Latest SAK Status........ No Rx, No Tx
Latest SAK AN............ 0
Latest SAK KI (KN)....... FIRST-SAK-INITIALIZING (0)
Old SAK Status........... FIRST-SAK
Old SAK AN............... 0
Old SAK KI (KN).......... FIRST-SAK (0)

SAK Transmit Wait Time... 0s (Not waiting for any peers to respond)
SAK Retire Time.......... 0s (No Old SAK to retire)
SAK Rekey Time........... 0s (SAK Rekey interval not applicable)

MKA Policy Name.......... MACSEC-AWS
Key Server Priority...... 255
Delay Protection......... NO
Delay Protection Timer.......... 0s (Not enabled)

Confidentiality Offset... 0
Algorithm Agility........ 80C201
SAK Rekey On Live Peer Loss........ NO
Send Secure Announcement.. DISABLED
SCI Based SSCI Computation.... YES
SAK Cipher Suite......... (NULL)
MACsec Capability........ 3 (MACsec Integrity, Confidentiality, & Offset)
MACsec Desired........... YES

# of MACsec Capable Live Peers............ 0
# of MACsec Capable Live Peers Responded.. 0

Live Peers List:
MI MN Rx-SCI (Peer) KS RxSA SSCI
Priority Installed
---------------------------------------------------------------------------------------

Potential Peers List:
MI MN Rx-SCI (Peer) KS RxSA SSCI
Priority Installed
---------------------------------------------------------------------------------------


balaji.bandi
Hall of Fame

What version of code and License do you have on this device?

Can you post the config on both sides, or look at the troubleshooting guides below:

https://www.cisco.com/c/en/us/support/docs/switches/catalyst-9300-series-switches/216849-troubleshoot-macsec-on-catalyst-9000.html

https://repost.aws/knowledge-center/direct-connect-connection-cisco-catalyst


BB

=====Preenayamo Vasudevam=====

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thanks a lot. Here is the info.
Cisco C9500-24Y4C: Version 17.12.5 (license: network-advantage (C9500 Network Advantage)). I tried many combinations on C9500/Nexus 9K. The other side is AWS Direct Connect with the MACsec option. BGP is already up and working.

 

int tw1/0/x
 switchport trunk allowed vlan XX
 switchport mode trunk
 mtu 9216
 speed 10000
 macsec access-control should-secure
 macsec network-link
 eapol destination-address broadcast-address
 eapol eth-type 876F
 mka policy MACSEC-AWS
 mka pre-shared-key key-chain MACSEC-KEYCHAIN-dxcon-xxxx
!
mka policy MACSEC-AWS
 key-server priority 255
 macsec-cipher-suite gcm-aes-256 gcm-aes-xpn-256
 sak-rekey interval 30
 no include-icv-in
!
key chain MACSEC-KEYCHAIN-dxcon-xxx macsec
 key xxxxx
  cryptographic-algorithm aes-256-cmac
  key-string xxxxxxxx
!
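As an added helper (not from this thread, Cisco, or AWS), the following parses the "show mka sessions detail" rows quoted above and spells out what the INITIALIZING status, the zero live-peer count and the empty SAK cipher suite mean for troubleshooting. The sample input is constructed from the output posted above, and the field-name format is assumed to match that output.

```python
import re

# Constructed sample: the key rows of the "show mka sessions detail" output
# quoted in this thread, trimmed to the fields the triage looks at.
SAMPLE_DETAIL = """\
Status: INITIALIZING - Searching for Peer (Waiting to receive first Peer MKPDU)
Local Tx-SCI............. 8054.8f2e.ac07/000d
Interface Name........... TwentyFiveGigE1/0/6
CAK Name (CKN)........... 56B1B770EE773A0078F6BB10C4A761B6B3DDFC2D3EC6EB34577F473C4184DCCD
Key Server............... YES
MKA Cipher Suite......... AES-256-CMAC
SAK Cipher Suite......... (NULL)
# of MACsec Capable Live Peers............ 0
# of MACsec Capable Live Peers Responded.. 0
"""

# A "Name.... value" row: the name runs up to the first dot leader.
FIELD_RE = re.compile(r"^(?P<name>[^.]+?)\.{2,}\s*(?P<value>.*)$")

def parse_mka_detail(text):
    """Turn the dotted rows and the Status line of the output into a dict."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Status:"):
            fields["Status"] = line.split(":", 1)[1].strip()
            continue
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("name").strip()] = m.group("value").strip()
    return fields

def triage(fields):
    """Explain what the parsed fields say about why no secured session exists."""
    findings = []
    live = int(fields.get("# of MACsec Capable Live Peers", "0"))
    if fields.get("Status", "").startswith("INITIALIZING") and live == 0:
        findings.append("no peer MKPDU received: EAPOL frames are not reaching the peer, "
                        "so verify the L2 path and the EAPOL destination/eth-type on both ends")
    # IEEE 802.1X MKA allows a CKN of 1..32 octets; Cisco shows it as hex.
    if not re.fullmatch(r"(?:[0-9A-Fa-f]{2}){1,32}", fields.get("CAK Name (CKN)", "")):
        findings.append("CKN is not an even-length hex string of 1..32 bytes")
    if fields.get("SAK Cipher Suite") == "(NULL)":
        findings.append("no SAK distributed yet (expected while there is no live peer)")
    return findings

if __name__ == "__main__":
    for finding in triage(parse_mka_detail(SAMPLE_DETAIL)):
        print("-", finding)
```

Run it against a fresh "show mka sessions detail" capture to see whether the session is still waiting for its first peer MKPDU or has moved on to a later failure.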

Bizarre: in your output the remote MAC shows as the local one on your production device (not sure if that is expected before it is established).

MTU 9216 <-- does the other side support the same MTU?

Now, could you enable debug and monitor to determine the cause of the issue?

BB


I cannot see the other side because it is AWS, but we need 8500. I see some issue with fragmentation, which I know works end to end. But with the DF bit set, an MTU ping can't work with more than 1500. Debug just says:
MKA Detailed Status for MKA Session
===================================
Status: INITIALIZING - Searching for Peer (Waiting to receive first Peer MKPDU)

Also, I am trying to find the other end's MAC so I can add it manually.