
Can't Get MACSEC Traffic to Work Catalyst 9300


Hello, I am struggling to use MACSEC to transmit encrypted ethernet frames using the PSK strategy.

My configuration is that I would like to send information from Device A through a Cisco Catalyst 9300 enabled with MACSEC to Device B, by creating a pairwise connection between Devices A and B and the switch.

What I am able to do is complete the MKA process (or so I think) between each pair, indicated by one device being successfully selected as Key Server, and both devices sending packets which Wireshark labels as having a "MACSEC SAK Use" and defining an SAK. Then, I am able to send MACSEC traffic which has no confidentiality offset (no offset, not 0 offset), which to my knowledge just means it is not confidential / i.e. not encrypted. This sends correctly, and the switch is able to forward it to the proper destination (just by looking at the MAC address as expected). However, when I try to send MACSEC traffic with a confidentiality offset of 0 (meaning that the payload of the frame will be traditionally encrypted), it doesn't get received on the other device, and I don't know why.

Can someone with knowledge (or who has done it before in any way) give me the exact parameters which need to be set up to enable this? Is there some obscure setting to enable the MACSEC decryption/encryption ability?

In addition, is my understanding of this scenario wrong at all: Device A will send an encrypted MACSEC frame to the Cisco Catalyst, the Catalyst will decrypt this according to the SAK with Device A, then the switch will forward this frame to Device B, but will encrypt according to the SAK with Device B so that B can receive it and decrypt with its own SAK. 

0 Replies
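The two frame types the post contrasts (integrity-only versus confidentiality offset 0) differ on the wire only in the E and C bits of the 802.1AE SecTAG, so a capture can be classified without any key material. The parser below is an added example, not code from the post or from Cisco: it decodes a MACsec SecTAG from constructed frame bytes (placeholder MAC addresses, SCI, packet numbers and all-zero ICVs; no cryptography is performed) so the two cases can be told apart when checking what each device actually sends.

```python
import struct

MACSEC_ETHERTYPE = 0x88E5   # 802.1AE EtherType that follows the MAC header
ICV_LEN = 16                # ICV length for GCM-AES-128/256

# TCI bits in the first SecTAG byte (bit layout per 802.1AE)
TCI_ES, TCI_SC, TCI_SCB, TCI_E, TCI_C = 0x40, 0x20, 0x10, 0x08, 0x04

def build_frame(dst, src, tci_flags, an, pn, sci, secure_data, icv):
    """Assemble a MACsec frame: MAC header + SecTAG + secure data + ICV (constructed input)."""
    sl = len(secure_data) if len(secure_data) < 48 else 0   # short-length field
    tag = bytes([(tci_flags & 0xFC) | (an & 0x03), sl]) + struct.pack("!I", pn)
    if tci_flags & TCI_SC:   # SC=1: an explicit 8-byte SCI follows the PN
        tag += sci
    return dst + src + struct.pack("!H", MACSEC_ETHERTYPE) + tag + secure_data + icv

def parse_sectag(frame):
    """Decode the SecTAG and classify the frame as integrity-only or confidential."""
    if len(frame) < 20 + ICV_LEN or struct.unpack("!H", frame[12:14])[0] != MACSEC_ETHERTYPE:
        raise ValueError("not a MACsec frame")
    tci_an, sl = frame[14], frame[15] & 0x3F
    sc, e, c = bool(tci_an & TCI_SC), bool(tci_an & TCI_E), bool(tci_an & TCI_C)
    data_start = 28 if sc else 20
    info = {
        "version": tci_an >> 7,
        "es": bool(tci_an & TCI_ES), "sc": sc, "scb": bool(tci_an & TCI_SCB),
        "e": e, "c": c, "an": tci_an & 0x03,
        "pn": struct.unpack("!I", frame[16:20])[0],
        "sci": frame[20:28].hex() if sc else None,
        "secure_data_len": len(frame) - data_start - ICV_LEN,
    }
    if e and c:
        info["mode"] = "confidential"       # payload encrypted (offset 0, 30 or 50)
    elif not e and not c:
        info["mode"] = "integrity-only"     # payload in clear, ICV still protects it
    else:
        info["mode"] = "other E/C combination"
    # SL must match the secure-data length whenever it is non-zero (data < 48 bytes)
    info["sl_ok"] = (sl == 0) or (sl == info["secure_data_len"])
    return info

def sample_frames():
    """Two constructed frames with the same SCI and AN, one per mode (dummy ICVs)."""
    dst, src = bytes.fromhex("020000000002"), bytes.fromhex("020000000001")
    sci = src + b"\x00\x01"                 # SCI = source MAC + port identifier 1
    payload = b"\x08\x00" + b"\xaa" * 30    # 32-byte clear payload, so SL is set
    icv = b"\x00" * ICV_LEN                 # placeholder ICV, not a real tag
    plain = build_frame(dst, src, TCI_SC, 0, 5, sci, payload, icv)
    enc = build_frame(dst, src, TCI_SC | TCI_E | TCI_C, 0, 6, sci, b"\x5a" * 32, icv)
    return plain, enc
```

Running `parse_sectag` over both frames from `sample_frames()` reports `integrity-only` for the first and `confidential` for the second; on a real capture, a frame whose E and C bits are set but that never reaches the far side points at the SAK or offset negotiated on that hop rather than at the frame format.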