05-10-2024 08:43 AM
My Cisco Catalyst 9300 is configured to initiate a MACsec connectivity association with other devices using a pre-shared key (PSK). All parameters are correct in the sense that an association can be made and the encryption is done correctly when it is. However, I expect that when the connection is interrupted, the Cisco Catalyst will attempt to re-initiate the MACsec connection by sending out frames advertising its MKA capability; it does not do so at all. It only sends out these 'advertisement frames' when you bounce the port (using shutdown; no shutdown;). How do I fix this behavior?
05-10-2024 08:54 AM
Here is my MKA policy:
mka_v2 112 FALSE 0 TRUE TRUE GCM-AES-128 Tw1/0/1 Tw1/0/2 Gi1/1/1 Gi1/1/2
This shows that DP (delay protect) is FALSE, CO (confidentiality offset) is 0, KS (key server priority) is 112, ICVIND (include ICV indicator) is TRUE, SAKR OLPL (SAK rekey on live peer loss) is TRUE, the cipher suite is GCM-AES-128, and it is applied on two interfaces.
05-10-2024 08:55 AM
MACsec on each interface is enabled with these parameters:
MACsec is enabled
Replay protect : enabled
Replay window : 0
Include SCI : yes
Use ES Enable : no
Use SCB Enable : no
Admin Pt2Pt MAC : forceTrue(1)
Pt2Pt MAC Operational : no
Cipher : GCM-AES-128
Confidentiality Offset : 0
Capabilities
ICV length : 16
Data length change supported: yes
Max. Rx SA : 32
Max. Tx SA : 32
Max. Rx SC : 16
Max. Tx SC : 16
Validate Frames : strict
PN threshold notification support : Yes
Ciphers supported : GCM-AES-128
GCM-AES-256
GCM-AES-XPN-128
GCM-AES-XPN-256
Access control : should secure
No Transmit Secure Channels
No Receive Secure Channels
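As an added example (not part of the original post or Cisco's own tooling): a small Python audit that parses the "show macsec interface" layout shown above and flags the settings a reviewer would check first. The sample text is constructed from the values in the thread; the field names, the "must secure" spelling of the strict access-control mode, and the thresholds are assumptions.

```python
# Added example, not from the original post: audit a Catalyst
# "show macsec interface" dump for settings a reviewer would check.
# SAMPLE is constructed to mirror the output quoted in the thread.
import re

SAMPLE = """\
MACsec is enabled
Replay protect : enabled
Replay window : 0
Include SCI : yes
Cipher : GCM-AES-128
Confidentiality Offset : 0
Validate Frames : strict
Access control : should secure
"""

def parse_macsec(text):
    """Return {lowercased key: value} from 'Key : value' lines."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if line.lower() == "macsec is enabled":
            fields["enabled"] = "yes"
            continue
        m = re.match(r"^([A-Za-z0-9 .]+?)\s*:\s*(.+)$", line)
        if m:
            fields[m.group(1).strip().lower()] = m.group(2).strip()
    return fields

def audit_macsec(fields):
    """Return a list of findings; an empty list means every checked setting is strict."""
    findings = []
    if fields.get("enabled") != "yes":
        findings.append("MACsec not enabled on interface")
    if fields.get("replay protect") != "enabled":
        findings.append("replay protection disabled")
    if int(fields.get("replay window", "0")) > 0:
        findings.append("replay window > 0 accepts out-of-order frames")
    if fields.get("confidentiality offset", "0") != "0":
        findings.append("confidentiality offset leaves leading payload bytes in clear")
    if fields.get("validate frames") != "strict":
        findings.append("frame validation not strict")
    # Assumption: the strict mode prints as "must secure"; "should secure"
    # lets unprotected traffic pass until a secure channel exists.
    if fields.get("access control") != "must secure":
        findings.append("access control is not 'must secure'")
    if "xpn" not in fields.get("cipher", "").lower():
        findings.append("info: non-XPN cipher uses a 32-bit packet number, so SAK rekeys occur more often")
    return findings
```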