Cisco Catalyst 9300 - Port Only Sends MACSEC Announcements on Reboot

ldnelson16 · ‎05-10-2024

My Cisco Catalyst 9300 is configured to initiate a MACSEC connectivity association with other devices using a Pre-shared key (PSK). All parameters are correct in the sense that an association can be made and the encryption is done correctly when done so. However, I expect that when the connection is interrupted, the Cisco Catalyst will attempt to re-initiate the MACSEC connection, however it does not at all, by sending out frames advertising its MKA ability. It only sends out these 'advertisement frames' when you reboot the port (using shutdown; no shutdown;). How do I fix this behavior?

ldnelson16 · ‎05-10-2024

Here is my Mka Policy:
mka_v2 112 FALSE 0 TRUE TRUE GCM-AES-128 Tw1/0/1 Tw1/0/2
Gi1/1/1 Gi1/1/2, which shows that DP (delay protect) is FALSE, CO (confidentiality offset) is 0, KS (key server priotity) is 112, ICVIND (include icv indicator) is TRUE, SAKR OLPL (SAK-Rekey On-Live-Peer-Loss) is TRUE, Cipher suite is GCM-AES-128, and It is applied on two interfaces.

ldnelson16 · ‎05-10-2024

MACSEC on each interface is enabled with these parameters:

MACsec is enabled
Replay protect : enabled
Replay window : 0
Include SCI : yes
Use ES Enable : no
Use SCB Enable : no
Admin Pt2Pt MAC : forceTrue(1)
Pt2Pt MAC Operational : no
Cipher : GCM-AES-128
Confidentiality Offset : 0

Capabilities
ICV length : 16
Data length change supported: yes
Max. Rx SA : 32
Max. Tx SA : 32
Max. Rx SC : 16
Max. Tx SC : 16
Validate Frames : strict
PN threshold notification support : Yes
Ciphers supported : GCM-AES-128
GCM-AES-256
GCM-AES-XPN-128
GCM-AES-XPN-256

Access control : should secure

No Transmit Secure Channels
No Receive Secure Channels