02-18-2015 11:29 AM - edited 03-07-2019 10:44 PM
Hi -
Posted this in the Security Community, but thought it might fit better here...
I've been labbing MACsec and I keep getting these ingress miss packets. I can't be certain, but I believe each time I get the log messages that I pasted below, the ingress miss packets increment. Almost like when they re-establish the encryption every 30 minutes a few packets don't get encrypted - not sure though. Any idea what is going on here?
Thank you, Pat
SWitch2#sh macsec int g1/0/1
MACsec is enabled
Replay protect : enabled
Replay window : 0
Include SCI : yes
Cipher : GCM-AES-128
Confidentiality Offset : 0
Capabilities
Max. Rx SA : 16
Max. Tx SA : 16
Validate Frames : strict
PN threshold notification support : Yes
Ciphers supported : GCM-AES-128
Transmit Secure Channels
SCI : 6C416A7B95810000
Elapsed time : 2w0d
Current AN: 1 Previous AN: 0
SC Statistics
Auth-only (0 / 0)
Encrypt (183507 / 0)
Receive Secure Channels
SCI : 5057A8F7C8810000
Elapsed time : 2w0d
Current AN: 1 Previous AN: 0
SC Statistics
Notvalid pkts 0 Invalid pkts 0
Valid pkts 1406154 Late pkts 0
Uncheck pkts 0 Delay pkts 0
Port Statistics
Ingress untag pkts 0 Ingress notag pkts 1375
Ingress badtag pkts 0 Ingress unknownSCI pkts 0
Ingress noSCI pkts 0 Unused pkts 0
Notusing pkts 0 Decrypt bytes 96600186
Ingress miss pkts 1375
SWitch2#sh log
Apr 13 05:49:17.910: CTS-SAP ev: cts_sap_sync_sap_info: incr sync msg sent for Gi1/0/1
Apr 13 05:49:17.910: CTS SAP ev (Gi1/0/1): Old state: [waiting to program message #3],
event: [data path programmed], action: [send message #4] succeeded.
New state: [established].
Apr 13 06:17:51.862: CTS SAP ev (Gi1/0/1): EAPOL-Key message from 5057.A8F7.C881.
Apr 13 06:17:51.862: CTS-SAP ev: (Gi1/0/1): msg 1 saved for MIC calculation later.
Apr 13 06:17:51.862: CTS SAP ev (Gi1/0/1): EAPOL-Key message #1 parsed and validated.
Apr 13 06:17:51.862: CTS-SAP ev: cts_sap_pak_handler Starting SAP setup_period on Interface (Gi1/0/1)
Apr 13 06:17:51.862: cts_sap_generate_pmkid_and_sci auth:5057.a8f7.c881 supp:6c41.6a7b.9581, 0000000000000000000000000000000000000000000000000000000000ABC123
Apr 13 06:17:51.862: CTS SAP ev (Gi1/0/1): Cipher suite selected: gcm-encrypt.
Apr 13 06:17:51.862: CTS-SAP ev: cts_sap_action_program_msg_1: GCM is allowed.
Apr 13 06:17:51.871: CTS SAP ev (Gi1/0/1): New keys derived:
KCK = 91C234BB 4FDE2C76 309FA191 9E937BF9,
KEK = 9D289A4A 6F166CDF AB373AB4 2845D0BE,
TK = 2AA9E5D4 156426A7 81E4130A EEC78A60,
Apr 13 06:17:51.871: CTS SAP ev (Gi1/0/1): Old state: [established],
event: [received message #1], action: [program message #1] succeeded.
New state: [waiting to program message #1].
Apr 13 06:17:51.871: CTS SAP ev (Gi1/0/1): Old state: [waiting to program message #1],
event: [data path programmed], action: [send message #2] succeeded.
New state: [waiting to receive message #3].
Apr 13 06:17:51.888: CTS SAP ev (Gi1/0/1): EAPOL-Key message from 5057.A8F7.C881.
Apr 13 06:17:51.888: CTS SAP ev (Gi1/0/1): EAPOL-Key message #3 parsed and validated.
Apr 13 06:17:51.904: CTS SAP ev (Gi1/0/1): Old state: [waiting to receive message #3],
event: [received message #3], action: [program message #3] succeeded.
New state: [waiting to program message #3].
Apr 13 06:17:51.904: CTS-SAP ev: cts_sap_sync_sap_info: incr sync msg sent for Gi1/0/1
Apr 13 06:17:51.904: CTS SAP ev (Gi1/0/1): Old state: [waiting to program message #3],
event: [data path programmed], action: [send message #4] succeeded.
New state: [established].
Apr 13 06:48:46.869: CTS SAP ev (Gi1/0/1): EAPOL-Key message from 5057.A8F7.C881.
Apr 13 06:48:46.869: CTS-SAP ev: (Gi1/0/1): msg 1 saved for MIC calculation later.
Apr 13 06:48:46.869: CTS SAP ev (Gi1/0/1): EAPOL-Key message #1 parsed and validated.
Apr 13 06:48:46.869: CTS-SAP ev: cts_sap_pak_handler Starting SAP setup_period on Interface (Gi1/0/1)
Apr 13 06:48:46.869: cts_sap_generate_pmkid_and_sci auth:5057.a8f7.c881 supp:6c41.6a7b.9581, 0000000000000000000000000000000000000000000000000000000000ABC123
Apr 13 06:48:46.869: CTS SAP ev (Gi1/0/1): Cipher suite selected: gcm-encrypt.
Apr 13 06:48:46.869: CTS-SAP ev: cts_sap_action_program_msg_1: GCM is allowed.
Apr 13 06:48:46.869: CTS SAP ev (Gi1/0/1): New keys derived:
KCK = 241E1E5F 446E11EF 719B479C 68D0FE03,
KEK = 3A407846 C722EEBF 50030B3B 534888FA,
TK = 3F7B12F8 25CA0AD0 5AE1426F E30A2C0B,
Apr 13 06:48:46.877: CTS SAP ev (Gi1/0/1): Old state: [established],
event: [received message #1], action: [program message #1] succeeded.
New state: [waiting to program message #1].
Apr 13 06:48:46.877: CTS SAP ev (Gi1/0/1): Old state: [waiting to program message #1],
event: [data path programmed], action: [send message #2] succeeded.
New state: [waiting to receive message #3].
Apr 13 06:48:46.894: CTS SAP ev (Gi1/0/1): EAPOL-Key message from 5057.A8F7.C881.
Apr 13 06:48:46.894: CTS SAP ev (Gi1/0/1): EAPOL-Key message #3 parsed and validated.
Apr 13 06:48:46.911: CTS SAP ev (Gi1/0/1): Old state: [waiting to receive message #3],
event: [received message #3], action: [program message #3] succeeded.
New state: [waiting to program message #3].
Apr 13 06:48:46.911: CTS-SAP ev: cts_sap_sync_sap_info: incr sync msg sent for Gi1/0/1
Apr 13 06:48:46.911: CTS SAP ev (Gi1/0/1): Old state: [waiting to program message #3],
event: [data path programmed], action: [send message #4] succeeded.
New state: [established].
06-22-2015 05:49 AM
Hi,
Which platform/version do you have?
I noticed increasing missed packets with IOS 15.0; in 15.2 there are none. The increasing missed packets are the EAPOL packets themselves; they are not tagged.
br Fritz
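The reply's explanation can be checked against the numbers in the original post without any guesswork: if the misses are untagged EAPOL frames, the ingress miss counter should equal the ingress notag counter, every integrity, replay and SCI counter should be zero, and the count should grow by roughly two frames per SAP rekey (the switch receives EAPOL-Key message #1 and #3 from the peer each time). The script below is an added example and is not from either poster or from Cisco. It embeds an abbreviated copy of the show output and two of the syslog lines from the post as constructed sample input, and the two-frames-per-handshake figure used for the estimate is an assumption, not something the thread states.

```python
"""Sanity-check a MACsec 'Ingress miss pkts' counter against the neighbouring
counters and the SAP syslog (added example, not from the thread).

Assumptions (labelled): the show/log layouts below are copied from the post in
abbreviated form; FRAMES_PER_HANDSHAKE = 2 assumes the two EAPOL-Key messages
(#1 and #3) the switch receives per SAP rekey arrive untagged.
"""
import re
from datetime import datetime

# Constructed sample: abbreviated "show macsec interface" output (values from the post).
SHOW_MACSEC = """\
MACsec is enabled
Replay protect : enabled
Replay window : 0
Validate Frames : strict
Receive Secure Channels
SCI : 5057A8F7C8810000
Elapsed time : 2w0d
SC Statistics
Notvalid pkts 0 Invalid pkts 0
Valid pkts 1406154 Late pkts 0
Uncheck pkts 0 Delay pkts 0
Port Statistics
Ingress untag pkts 0 Ingress notag pkts 1375
Ingress badtag pkts 0 Ingress unknownSCI pkts 0
Ingress noSCI pkts 0 Unused pkts 0
Notusing pkts 0 Decrypt bytes 96600186
Ingress miss pkts 1375
"""

# Constructed sample: the two SAP handshake-start lines from the post's syslog.
SYSLOG = """\
Apr 13 06:17:51.862: CTS SAP ev (Gi1/0/1): EAPOL-Key message #1 parsed and validated.
Apr 13 06:48:46.869: CTS SAP ev (Gi1/0/1): EAPOL-Key message #1 parsed and validated.
"""

COUNTER_RE = re.compile(r"((?:Ingress )?\w+) pkts (\d+)")
ELAPSED_RE = re.compile(r"Elapsed time\s*:\s*(?:(\d+)w)?(?:(\d+)d)?")
REKEY_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d)\.\d+: CTS SAP ev \(\S+\): EAPOL-Key message #1 parsed")
FRAMES_PER_HANDSHAKE = 2  # assumption: messages #1 and #3 are received per rekey


def parse_counters(text):
    """Map every '<name> pkts <n>' pair in the show output to an int, keyed lower-case."""
    return {name.lower(): int(n) for name, n in COUNTER_RE.findall(text)}


def parse_elapsed_days(text):
    """Return the secure channel's uptime in days from an 'Elapsed time : 2w0d' line."""
    weeks, days = (int(x or 0) for x in ELAPSED_RE.search(text).groups())
    return weeks * 7 + days


def classify_misses(c):
    """Explain a non-zero 'Ingress miss' counter from the counters around it."""
    if c["ingress miss"] == 0:
        return "no-misses"
    # Any of these means MACsec actually rejected protected frames: investigate first.
    if c["invalid"] or c["notvalid"] or c["ingress badtag"] or c["late"]:
        return "integrity-or-replay-failures"
    # Misses fully accounted for by frames that carried no SecTAG at all, with no
    # unknown or missing SCI: consistent with untagged control frames such as EAPOL.
    if (c["ingress miss"] == c["ingress notag"]
            and not c["ingress unknownsci"] and not c["ingress nosci"]):
        return "untagged-control-frames"
    return "unexplained"


def rekey_intervals_minutes(log_text, year=2015):
    """Minutes between consecutive SAP handshake starts (message #1) in the syslog."""
    starts = [datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
              for m in (REKEY_RE.match(line) for line in log_text.splitlines()) if m]
    return [round((b - a).total_seconds() / 60) for a, b in zip(starts, starts[1:])]


def expected_untagged_frames(elapsed_days, interval_minutes):
    """Untagged frames a periodic rekey would have produced over the SC's lifetime."""
    handshakes = elapsed_days * 24 * 60 // interval_minutes
    return handshakes * FRAMES_PER_HANDSHAKE


if __name__ == "__main__":
    counters = parse_counters(SHOW_MACSEC)
    intervals = rekey_intervals_minutes(SYSLOG)
    estimate = expected_untagged_frames(parse_elapsed_days(SHOW_MACSEC), intervals[0])
    print(f"verdict={classify_misses(counters)} rekey_intervals_min={intervals} "
          f"observed_notag={counters['ingress notag']} estimated_from_rekeys={estimate}")
```

Run against the post's numbers the verdict is "untagged-control-frames": the 1375 misses match the 1375 notag frames exactly, nothing was rejected as invalid, late or bad-tag, and the observed rekey spacing (about 31 minutes) over the channel's two weeks of uptime predicts on the order of 1300 untagged frames, close to what the counter shows. If the same check ever returned "integrity-or-replay-failures" the counters would be telling a different story, since strict frame validation would then be dropping real MACsec-protected traffic.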