CTS Manual Port Unauthorized

Ricky Sandhu (Level 3)

Good morning, we have a Layer 2 point-to-point high speed link between two of our branch offices. The two ends connect to a Cisco 3750E and a Cisco 3560E switch. I want to perform MACsec encryption between the two links. I am able to pass traffic over the link without any issues; however, when I configure MACsec, I start seeing errors about the port being unauthorized. I get the same error on both switches. I was wondering if anyone else has come across this before and how they fixed it. Thanks

interface GigabitEthernet1/0/24
 switchport access vlan 200
 switchport mode access
 switchport nonegotiate
 speed 1000
 duplex full
 cts manual 
  sap pmk 0000000000000000000000000000000000000000000000000000ABCD1234ABCD

!
8w6d: %CTS-6-PORT_UNAUTHORIZED: Port unauthorized for int(Gi1/0/24)
8w6d: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/24, changed state to down
8w6d: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/24, changed state to up
8w6d: %CTS-6-PORT_UNAUTHORIZED: Port unauthorized for int(Gi1/0/24)
8w6d: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/24, changed state to down
8w6d: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/24, changed state to up

11 Replies

Ganesh Hariharan (VIP Alumni)
Hi Ricky,

I believe it seems to be bug CSCub34645.

Which is having the symptom "MACSec link goes down periodically with the message:CTS-6-PORT_UNAUTHORIZED"

Check out the below link for more information.

https://tools.cisco.com/bugsearch/bug/CSCub34645/?referring_site=bugquickviewredir

Hope it Helps.

-GI

Rate if it Helps..


Hi Ganesh, I don't think that bug applies, as the issue is on both sides of the connection, on the Catalyst 3560E and the Catalyst 3750E switches. Also, the 3560E is running IOS version 15.0(2)SE8, which I believe is the latest. I am also not running RSPAN on either switch. I will try downgrading the IOS on the 3560 to one of the suggested versions.


Hi Ricky,

Ok, try downloading the IOS version and share your feedback.

-GI

Hi Ricky,

3750E and 3560E do not support CTS. It is however supported on the 3750X and 3560X with the C3KX-SM-10G module.

HTH,

Roopa

 

Hello Roopa, I have a 3750X switch but do not have the module. Can MACsec be configured on one of the copper ports?

Hi Ricky,

The copper ports/downlink ports on the 3750X do support CTS switch-to-switch encryption and MKA MACsec downlink encryption too. Please see the following link for details.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/15-0_2_se/configuration/guide/3750x_cg/trustsec.html


Regards,

Roopa

Hello Roopa, I checked the link you posted and at the bottom it says:

  • SGT/SGACL is supported on Cisco Catalyst 3750-X and 3560-X series switches with all network uplink modules: C3KX-NM-1G, C3KX-NM-10G, C3KX-NM-10GT and C3KX-SM-10G. The C3KX-SM-10G is only required for MACsec on the uplinks.

It makes no mention of whether I can configure MACsec on the GigabitEthernet copper ports on the 3750X. It appears MACsec can't be configured on the actual physical ports and the module is a must?

Hi Ricky,

You can configure MACSEC on copper Gi ports on 3750X.

Regards,

Roopa

Hi Roopa, I configured the switch as below but I'm getting the port unauthorized error. Any ideas? There is nothing plugged into Gi1/0/1 yet.

interface GigabitEthernet1/0/1
 cts manual
  sap pmk 000000000000000000000000000000000000000000000000000000001234ABCD mode-list gcm-encrypt

%CTS-6-PORT_UNAUTHORIZED: Port unauthorized for int(Gi1/0/1)

Hello,

As far as I know, CTS only works on trunk interfaces. Check both keys on the interfaces character by character to make sure they have been configured correctly on both switches.

Also apply the command "no propagate sgt" under both interfaces, just in case SGT is not supported.

Ricky Sandhu (Level 3)

I just came across this little footnote in one of the Cisco MACSec configuration guides:

Note: If the interface is not capable of data link encryption, no-encap is the default and the only available SAP operating mode. SGT is not supported.

This seems to be my problem, as the only option I have is no-encap:

(config-if)#cts manual

(config-if-cts-manual)#sap pmk 1234abcd mode-list ?
  no-encap  No encapsulation

It appears I don't have any other option but to upgrade the hardware? Does anyone have any suggestions?
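For reference, the checks the thread converges on (confirm the port can actually encrypt, then use an identical PMK and mode-list on both ends), written out as a two-sided configuration. This is an added example, not configuration from any of the posters or from Cisco documentation; the interface names, descriptions, trunk mode (per the reply above) and the PMK value are all assumed. The PMK shown is a constructed placeholder: generate your own 64-hex-digit (256-bit) value from a CSPRNG rather than padding a short value with zeros as in the thread, because the PMK is the only secret protecting the SAP key exchange.

```text
! Step 1 (both switches): confirm the port is MACsec-capable BEFORE relying on the link.
! On hardware that cannot encrypt, the only mode offered is no-encap, and
! cts manual with any other mode leaves the port in PORT_UNAUTHORIZED.
!
! Switch(config)# interface GigabitEthernet1/0/1
! Switch(config-if)# cts manual
! Switch(config-if-cts-manual)# sap pmk A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F90 mode-list ?
!   expect gcm-encrypt (and gmac, null, no-encap) on a capable port;
!   seeing only no-encap means the port cannot do data-link encryption.
!
! Step 2: Switch A (assumed name; MACsec-capable copper port)
interface GigabitEthernet1/0/1
 description MACsec link to Switch B Gi1/0/1 (assumed)
 switchport mode trunk
 switchport nonegotiate
 cts manual
  no propagate sgt
  sap pmk A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F90 mode-list gcm-encrypt
!
! Step 2: Switch B (assumed name) -- byte-for-byte the same PMK and the same mode-list
interface GigabitEthernet1/0/1
 description MACsec link to Switch A Gi1/0/1 (assumed)
 switchport mode trunk
 switchport nonegotiate
 cts manual
  no propagate sgt
  sap pmk A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F90 mode-list gcm-encrypt
!
! Step 3 (both switches): verify SAP negotiated and traffic is encrypted,
! and watch the log for the flap pattern seen in the thread.
! Switch# show cts interface GigabitEthernet1/0/1
! Switch# show macsec interface GigabitEthernet1/0/1
! Switch# show logging | include CTS-6-PORT_UNAUTHORIZED
```

Two practitioner notes. First, pin the mode-list to gcm-encrypt only: listing weaker modes (gmac, null, no-encap) as fallbacks lets a mis-keyed or downgraded peer bring the link up without confidentiality, and the only symptom is that the port stops logging PORT_UNAUTHORIZED. Second, treat a repeating PORT_UNAUTHORIZED/UPDOWN cycle on a link that previously negotiated as an alert condition, not just a fault: it is exactly what a PMK mismatch on one end looks like, whether that mismatch came from a typo or from someone reconfiguring the far switch.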