Input Errors with MACSec

anonymos10
Level 1

Hi 

I have the following problem:

I have implemented MACsec for a customer of mine. MACsec runs between two WS-C3560X-24 switches and connects two locations (carrier in between). But I receive input errors on both interfaces where MACsec is implemented.

I replaced the SFP, the fiber optic cable and the port. Nothing helped. But when I disable MACsec (remove config from port) there are no input errors.

The effect of these input errors is that, because one of these two switches is the root bridge for all VLANs, the other switch doesn't receive some BPDUs and hence starts the SPA for electing the new root bridge. While the SPA runs, some users notice a network outage.

 

The next step I'm going to do is to upgrade the IOS to UNIVERSAL c3560e-universalk9-mz.150-2.SE11.bin.

Does anyone have an idea how I could fix these input errors so the SPA doesn't lead to outages anymore?

Here is some information:

Config on both interfaces where MACsec is configured:

interface GigabitEthernet1/2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan <vlans>
 switchport mode trunk
 cts manual
  no propagate sgt
  sap pmk <pmk> mode-list gcm-encrypt

Currently installed IOS:

c3560e-universalk9-mz.152-1.E1

Used MACsec encryption module:

C3KX-SM-10G

 

Best regards

 

Jimmy

 


JeffreyW
Level 1
I have this problem too. I believe there is some bug inside Cisco's implementation that they aren't aware of, which frequently causes decryption failures over WAN.