06-15-2024 09:24 AM
Hi all,
hope you can help me.
I have several sites configured with MACSEC running MKA on Ciscos 9300 and 9200, everything was working correctly but had a situation where on June 12 at 10AM the links with MACSEC dropped and reconnected again after some minutes.
Checking the configuration I have the following:
MacSEC key chain
key 01 -- text "(Encrypted keystring)"
cryptographic-algorithm: aes-256-cmac
lifetime (10:00:00 GMT+1 Dec 11 2023) - (10:00:00 GMT+1 Jun 13 2024)
key 02 -- text "(Encrypted keystring)"
cryptographic-algorithm: aes-256-cmac
lifetime (10:00:00 GMT+1 Jun 12 2024) - (10:00:00 GMT+1 Dec 12 2024) [valid now]
key 03 -- text "(Encrypted keystring)"
cryptographic-algorithm: aes-256-cmac
lifetime (10:00:00 GMT+1 Dec 11 2024) - (10:00:00 GMT+1 Jun 13 2025)
key 04 -- text "(Encrypted keystring)"
cryptographic-algorithm: aes-256-cmac
lifetime (10:00:00 GMT+1 Jun 12 2025) - (10:00:00 GMT+1 Dec 12 2025)
key 05 -- text "(Encrypted keystring)"
cryptographic-algorithm: aes-256-cmac
lifetime (10:00:00 GMT+1 Dec 11 2025) - (10:00:00 GMT+1 Jun 13 2026)
key 06 -- text "(Encrypted keystring)"
cryptographic-algorithm: aes-256-cmac
lifetime (10:00:00 GMT+1 Jun 12 2026) - (10:00:00 GMT+1 Dec 12 2026)
We can see that at 10 AM on the 12th of June, at the time the new key became valid, I got the following, where the link dropped and then reconnected again after +/- 10 minutes:
Jun 12 10:01:06: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet1/1/2, changed state to down
Jun 12 10:01:50: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/1/2, changed state to down
Jun 12 10:01:50: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel2, changed state to down
Jun 12 10:01:51: %LINK-3-UPDOWN: Interface Port-channel2, changed state to down
Jun 12 10:01:55: %ETC-5-L3DONTBNDL2: Te1/1/2 suspended: LACP currently not enabled on the remote port.
Jun 12 10:03:14: %PIM-5-NBRCHG: neighbor 10.0.150.3 DOWN on interface Vlan150 DR
Jun 12 10:03:14: %PIM-5-DRCHG: DR change from neighbor 10.0.150.3 to 10.0.150.2 on interface Vlan150
Jun 12 10:03:27: %ETC-5-L3DONTBNDL2: Te2/1/2 suspended: LACP currently not enabled on the remote port.
Jun 12 10:03:30: %ETC-5-L3DONTBNDL2: Te1/1/2 suspended: LACP currently not enabled on the remote port.
Jun 12 10:14:02: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet1/1/2, changed state to up
Jun 12 10:14:02: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/1/2, changed state to up
Jun 12 10:14:03: %LINK-3-UPDOWN: Interface Port-channel2, changed state to up
Jun 12 10:14:03: %PIM-5-NBRCHG: neighbor 10.0.150.3 UP on interface Vlan150
Jun 12 10:14:03: %PIM-5-DRCHG: DR change from neighbor 10.0.150.2 to 10.0.150.3 on interface Vlan150
Jun 12 10:14:04: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel2, changed state to up
The clocks in both switches are synced to the millisecond from a stratum 1 source, and I thought everything was overlapping, since Key 01 was valid until the 13th of June and Key 02 started on the 12th of June.
The MKA policy config is the following:
mka policy MKA-POLICY
key-server priority 20
sak-rekey interval 30
Can anyone shed some light, please?
Thank you
06-15-2024 11:38 PM
- Initially it looks like a physical link connectivity problem (only),
M.
06-16-2024 02:56 AM
Hello,
Just to verify: since MacSec is not supported on PortChannels, I assume you have it configured on the member interfaces only?
06-16-2024 03:23 AM
Thank you for your replies @Georg Pauwen and @marce1000.
Unfortunately I have a discriminator removing the MKA logs from the buffer, and I'm still waiting for approval to install a proper syslogger like Kiwi, so I don't have the logs from MKA. But this is the config I have in the switch (two stacked, where one port is connected on switch 1 and the second is connected on switch 2, as per below), where the ports are configured independently for MacSec:
interface Port-channel2
description Cisco (9200)
switchport trunk native vlan 150
switchport trunk allowed vlan 50,150
switchport mode trunk
switchport nonegotiate
interface TenGigabitEthernet1/1/2
description LINK TO (9200)
switchport trunk native vlan 150
switchport trunk allowed vlan 50,150
switchport mode trunk
switchport nonegotiate
macsec network-link
mka policy MKA-POLICY
mka pre-shared-key key-chain MKA-KC
channel-group 2 mode active
spanning-tree guard loop
!
interface TenGigabitEthernet2/1/2
description LINK TO (9200)
switchport trunk native vlan 150
switchport trunk allowed vlan 50,150
switchport mode trunk
switchport nonegotiate
macsec network-link
mka policy MKA-POLICY
mka pre-shared-key key-chain MKA-KC
channel-group 2 mode active
spanning-tree guard loop
The weird thing is I have other sites where the config is identical and I also had issues, where there were disconnections when the keys "changed" (I say changed, but the previous key was still valid for another day), and in this case the links are 10Gbps. In the switches of the config above, the links are 1Gbps and with LAG.
In the other 9300 switches at the other sites, where I also have them running OSPF with a key chain for OSPF authentication, the switches behaved similarly to the above: the links momentarily went down but recovered after some time (some took almost an hour). But in some switches of the network (3 in an 18-switch site), after the keys changed, BFD was continuously breaking the link, reporting ECHO FAILURE and flapping the links even after 3 days. I was only able to solve the issues by rebooting the affected switches.
In this site I have the following config for the key chains (changing keys around every 6 months) and interfaces:
key chain TEST
key 1
key-string 6 IX[^RH]UeGDTAiUSMSYFEQ_KSC\WFGaBKQbQUFRZSeT]BDgOAIFeWcG]hfNfWPTPcHAAB
accept-lifetime local 15:30:00 Dec 16 2021 10:00:00 Jun 13 2022
send-lifetime local 15:30:00 Dec 16 2021 10:00:00 May 13 2022
cryptographic-algorithm hmac-sha-256
key 2
key-string 6 WafM`fTLE[f\IBacXiFhONDZaLJBGhGP\E_WC\WPZNMg`dBASDH`XOMa[ScPEcNI`EAAB
accept-lifetime local 10:00:00 Jun 12 2022 10:00:00 Dec 12 2022
send-lifetime local 09:59:59 May 13 2022 10:00:00 Nov 12 2022
cryptographic-algorithm hmac-sha-256
key 3
key-string 6 aRY\bFMJU[QSKFJMQVTWVQePICTfGMFXcZ]KSagNM\\RgfEJE_QSP^YXiDLLahebSfAAB
accept-lifetime local 10:00:00 Dec 11 2022 10:00:00 Jun 13 2023
send-lifetime local 09:59:59 Nov 12 2022 10:00:00 May 13 2023
cryptographic-algorithm hmac-sha-256
key 4
key-string 6 \LObRa[^f]`WYMQ_IJCRXOJZEFP[iU^Xe[JLPNMf[FVgK`JIbVc^iMTXWHdJ]cDcYIAAB
accept-lifetime local 10:00:00 Jun 12 2023 10:00:00 Dec 12 2023
send-lifetime local 09:59:59 May 13 2023 10:00:00 Nov 12 2023
cryptographic-algorithm hmac-sha-256
key 5
key-string 6 _RCLUfLFb_GfgDiBGOOKZ`\`ODaQY^ebIScVT\DBDXcgbVYYddbfMaSUKBQOfEOfBMAAB
accept-lifetime local 10:00:00 Dec 11 2023 10:00:00 Jun 13 2024
send-lifetime local 08:00:00 Dec 11 2023 12:00:00 Jun 13 2024
cryptographic-algorithm hmac-sha-256
key 6
key-string 6 HVCD\ZSA]`fBLDWJ`SKcJYWW^TKQKcHiFLc`DF^gRGMU[R_]d__Sg\O[cUfXH]dDGiAAB
accept-lifetime local 05:00:00 Jun 12 2024 10:00:00 Dec 12 2024
send-lifetime local 07:00:00 Jun 12 2024 12:00:00 Dec 12 2024
cryptographic-algorithm hmac-sha-256
key 7
key-string 6 OCIT[RZRO^AYYGh[MVPE^BXOdabB[NMeUPZ_H_TGaUPHI\VaXU`S[dIXL]OHKLNaddAAB
accept-lifetime local 05:00:00 Dec 11 2024 10:00:00 Jun 13 2025
send-lifetime local 07:00:00 Dec 11 2024 12:00:00 Jun 13 2025
cryptographic-algorithm hmac-sha-256
key 8
key-string 6 J_hOFGEZh`V^_\G]RBTK^NfbCFbahYOViBDIeJGFXZaKcfVGfaYJZaKYMAKcGMOSbhAAB
accept-lifetime local 05:00:00 Jun 12 2025 10:00:00 Dec 12 2025
send-lifetime local 07:00:00 Jun 12 2025 12:00:00 Dec 12 2025
cryptographic-algorithm hmac-sha-256
key 9
key-string 6 TeWaQOBEc\baPTAcRYJe][T^NINKV^KUYRbhcC^HN`a_bV`fXGacOKP^TIDeZGJeTDAAB
accept-lifetime local 05:00:00 Dec 11 2025 10:00:00 Jun 13 2026
send-lifetime local 07:00:00 Dec 11 2025 12:00:00 Jun 13 2026
cryptographic-algorithm hmac-sha-256
key 10
key-string 6 ^fSJ\MQDabXYBEiHEUgJOKhWgbASIORRSb]GLVX^FWGd\XGcfUge^Bf[bXe\aeUQLIAAB
accept-lifetime local 05:00:00 Jun 12 2026 10:00:00 Dec 12 2026
send-lifetime local 07:00:00 Jun 12 2026 12:00:00 Dec 12 2026
cryptographic-algorithm hmac-sha-256
key 11
key-string 6 a``X`RFEhIL[bMdCBZSh`OAaAKgQ`I`[BMUT_NTSYcQc_ZhZYJYdUY_INfOUFV\deQAAB
accept-lifetime local 05:00:00 Dec 11 2026 10:00:00 Jun 13 2027
send-lifetime local 07:00:00 Dec 11 2026 12:00:00 Jun 13 2027
cryptographic-algorithm hmac-sha-256
key 12
key-string 6 IVUAYefWgZe`EQPNTaSgQZhDLeRec]SgWVfBBICfYXEigVXa^RVRbgIfUPGe_BHWVNAAB
accept-lifetime local 05:00:00 Jun 12 2027 10:00:00 Dec 12 2027
send-lifetime local 07:00:00 Jun 12 2027 12:00:00 Dec 12 2027
cryptographic-algorithm hmac-sha-256
key 13
key-string 6 U[ODIKcWER[XRMgTdiLBETREDBAbODEWg`^fCNPFVSCgJF_i^E]LWOCK`_NKaaOcHQAAB
accept-lifetime local 05:00:00 Dec 11 2027 10:00:00 Jun 13 2028
send-lifetime local 07:00:00 Dec 11 2027 12:00:00 Jun 13 2028
cryptographic-algorithm hmac-sha-256
key 14
key-string 6 KD[Pi_INb[HhP\PM^\YRdfQOPXQW`XMhM\E\QNNDXJa_Y[RKKDcGief[LDb\`[ifgaAAB
accept-lifetime local 05:00:00 Jun 12 2028 10:00:00 Dec 12 2028
send-lifetime local 07:00:00 Jun 12 2028 12:00:00 Dec 12 2028
cryptographic-algorithm hmac-sha-256
key 15
key-string 6 ^`TeP\QbSERccO`YGVf[JLViEKSTTTAHJNMVXKVDdFcdXIfNL^_X[QR\SadEL\KThEAAB
accept-lifetime local 05:00:00 Dec 11 2028 10:00:00 Jun 13 2029
send-lifetime local 07:00:00 Dec 11 2028 12:00:00 Jun 13 2029
cryptographic-algorithm hmac-sha-256
key 16
key-string 6 JhfO\QRAh]gTNLSMf[ZA\I]XCIABKSSeTRCdPacIfcBJDWBUJiROhG`aYORafXSC[JAAB
accept-lifetime local 05:00:00 Jun 12 2029 10:00:00 Dec 12 2029
send-lifetime local 07:00:00 Jun 12 2029 12:00:00 Dec 12 2029
cryptographic-algorithm hmac-sha-256
key 17
key-string 6 O[HgU]L_VMEOGO_RKBWFJAKXQS\]ceKWgRdN\_NKYEUBNHQZX`V\Rf]aVVcXMYL_cUAAB
accept-lifetime local 05:00:00 Dec 11 2029 10:00:00 Jun 13 2030
send-lifetime local 07:00:00 Dec 11 2029 12:00:00 Jun 13 2030
cryptographic-algorithm hmac-sha-256
key 18
key-string 6 ^iTJWHaYKKYWDHODL[`WhfbMFCNRUVMdA`dNPKQKTigONZBIf^_^fIeOadChQHDFhDAAB
accept-lifetime local 05:00:00 Jun 12 2030 10:00:00 Dec 12 2030
send-lifetime local 07:00:00 Jun 12 2030 12:00:00 Dec 12 2030
cryptographic-algorithm hmac-sha-256
key 19
key-string 6 PB\CXbBSQ__KTOGQa[HL^LdUG_IMEXY_APMROMXUg\UZLXZL`PfYaAKVJIB_RQ\_hRAAB
accept-lifetime local 05:00:00 Dec 11 2030 10:00:00 Jun 13 2031
send-lifetime local 07:00:00 Dec 11 2030 12:00:00 Jun 13 2031
cryptographic-algorithm hmac-sha-256
key 20
key-string 6 WVRY\PTPFXJRCNJXcMJBiONAXI\IJ`cVQPfRCUTEIVXaJGO`AMV^beF^L\gd[HdYJGAAB
accept-lifetime local 05:00:00 Jun 12 2031 10:00:00 Dec 12 2031
send-lifetime local 07:00:00 Jun 12 2031 12:00:00 Dec 12 2031
cryptographic-algorithm hmac-sha-256
key 21
key-string 6 UBgGFCQVPKGJTW[cSgPNgSOXfSSOAAZZhMZGaQYcGDXYRNWUSWKadQGVOWEVGi`eFEAAB
accept-lifetime local 05:00:00 Dec 11 2031 10:00:00 Jun 13 2032
send-lifetime local 07:00:00 Dec 11 2031 12:00:00 Jun 13 2032
cryptographic-algorithm hmac-sha-256
key 22
key-string 6 HWPBiHXIHH`CEVNYMdcXZ_iWX^_e[aDeTBNNSAK^]dVYC_K_VZYJ^I]fA^TebGNCVKAAB
accept-lifetime local 05:00:00 Jun 12 2032 10:00:00 Dec 12 2032
send-lifetime local 07:00:00 Jun 12 2032 12:00:00 Dec 12 2032
cryptographic-algorithm hmac-sha-256
key 23
key-string 6 ZcPMC_CPR_\UMBNbiSVJOMhFO`F]_YB\QHCBDRVJiLYQH`[[`TfFeO`baRDHP`^O^^AAB
accept-lifetime local 05:00:00 Dec 11 2032 10:00:00 Jun 13 2033
send-lifetime local 07:00:00 Dec 11 2032 12:00:00 Jun 13 2033
cryptographic-algorithm hmac-sha-256
key 24
key-string 6 Af]PKcL^ZDdGWRiN[UBffe]dSM[_[DShIBDZbfRLJN[J^SfcIdFSaVPWBBeLEf_^PWAAB
accept-lifetime local 05:00:00 Jun 12 2033 10:00:00 Dec 12 2033
send-lifetime local 07:00:00 Jun 12 2033 12:00:00 Dec 12 2033
cryptographic-algorithm hmac-sha-256
key 25
key-string 6 GWV`PD]QTaV`a[RVT]C\c\HGGOYWJTPQIUOSOYKZUgFSUKeVWWAJDff^TLTgNdULMIAAB
accept-lifetime local 05:00:00 Dec 11 2033 10:00:00 Jun 13 2034
send-lifetime local 07:00:00 Dec 11 2033 12:00:00 Jun 13 2034
cryptographic-algorithm hmac-sha-256
key 26
key-string 6 gfcUfBcBhOTAaWGSc_KYfHLaXd_AFiJXCTEEe^ETWHbQVXGOIUVbaKFdMHeWARDZEVAAB
accept-lifetime local 05:00:00 Jun 12 2034 10:00:00 Dec 12 2034
send-lifetime local 07:00:00 Jun 12 2034 12:00:00 Dec 12 2034
cryptographic-algorithm hmac-sha-256
key 27
key-string 6 UQURaGKcY\E`\J`P\^DgEDbY_Gd\LPJYM]HOIb`[eAHEMKVcJA^SFfHLhEYBdLCVRJAAB
accept-lifetime local 05:00:00 Dec 11 2034 10:00:00 Jun 13 2035
send-lifetime local 07:00:00 Dec 11 2034 12:00:00 Jun 13 2035
cryptographic-algorithm hmac-sha-256
key 28
key-string 6 dYRLi^ZY`XYVOfYaQcDHN]QBWcZYeIAHQLOTJ\YMUKQdVUNhPVhU^OGIJRTDO_\EDgAAB
accept-lifetime local 05:00:00 Jun 12 2035 infinite
send-lifetime local 07:00:00 Jun 12 2035 infinite
cryptographic-algorithm hmac-sha-256
key chain MKA-KC macsec
key 01
cryptographic-algorithm aes-256-cmac
key-string 6 ADM_UQU]hf`DKcYb]TeU`MNUcO_]h[f`M^L^bFdEbeIcbIeiG`dNaZMOcV`PfgX[QAOacMdYXDDWZTKICU]ADQ[SRANi[C_G_]gL[Pg[c]`daOaG]XAAB
lifetime local 10:00:00 Dec 11 2022 10:00:00 Jun 13 2023
key 02
cryptographic-algorithm aes-256-cmac
key-string 6 Fg_SAEJ^KVdK_ba^[Gc\QW_f_XSZ[JKgif]LOSGU_eTDJPGB`FPgBfdVefRHF_KOND`M^dFCFQBcFUDEVANZIgFUYURSeKHRI`Y]f[OiaDUQEZP\FYAAB
lifetime local 10:00:00 Jun 12 2023 10:00:00 Dec 12 2023
key 03
cryptographic-algorithm aes-256-cmac
key-string 6 XWfB\[aEVAVLQYXYMdSLLeV[LHKZbXS\UNZMXhTANGVRCGHeYVcOTGBAYJJWJ^EgBfD\TQBTcNeISBAd\NV\dgCAaBfRedCFEEhIFd\iXIc`faFSiPAAB
lifetime local 10:00:00 Dec 11 2023 10:00:00 Jun 13 2024
key 04
cryptographic-algorithm aes-256-cmac
key-string 6 _]]CSXEM[XPQSgcW_`eJ[J_ZEJFIhWDVWdA]Q\N[XPCWRAdKAVPEEUJgKOQ^QFbXYScfFaViAfANQ_GUPR_IdCHEADJ]QYNECeZD[LDXefMDALddPUAAB
lifetime local 10:00:00 Jun 12 2024 10:00:00 Dec 12 2024
key 05
cryptographic-algorithm aes-256-cmac
key-string 6 Ye`JcVdPZUERNXWWTaKTbP`eNQeAZTeM[IGdKBHT_eKWB]DKSgML]dOd_ORfTRTNHKPXigIMMIFbUHHK]Wh\AgbZKSBBHdRdFaSDhiKRR^SIBQh[DdAAB
lifetime local 10:00:00 Dec 11 2024 10:00:00 Jun 13 2025
key 06
cryptographic-algorithm aes-256-cmac
key-string 6 [ZgFUJ[U^DggD\RQfITbhPIE`_iO`JNDdCdQYd[eAN^DVAc[LeOFfR`D\RbHXIZTWa^Ecg^SJ\gXCh^TYe]bZ`IMRXREi]L^WSOWPAMYhXQcHT`DgOAAB
lifetime local 10:00:00 Jun 12 2025 10:00:00 Dec 12 2025
key 07
cryptographic-algorithm aes-256-cmac
key-string 6 eXHcHcaISQeVQL[H^^XO^FgHVbfB]CcBBNP]WUISPG_`TPi[cIPT_\dNFSbUdDB\]]^JgQBaVLLN`iV\^dcScCcMUddZJLROEOA_M[eNLZEFMNDCUBAAB
lifetime local 10:00:00 Dec 11 2025 10:00:00 Jun 13 2026
key 08
cryptographic-algorithm aes-256-cmac
key-string 6 PTdNHHdMbUdiFcHBedLGNYOQQWbZVMGHROcMVi``iAPIZ_TgSXV`QJEMedFNFQGb\\T\S^fN[N[dA_CbJbdCNJQUHUaDiVKJg]WcWeMKBVcIRiVPOIAAB
lifetime local 10:00:00 Jun 12 2026 10:00:00 Dec 12 2026
key 09
cryptographic-algorithm aes-256-cmac
key-string 6 GTKDeMJQRRJA`M[NF]YFETL^T\YF`EURd^gKPTSdYg`ShIBaVTQVTJ_dXM\AHRbEdXRQQNATP^MgUi]YANb^]MV]QUUY]d\iZiSQYOBDeXbYF^YS\DAAB
lifetime local 10:00:00 Dec 11 2026 10:00:00 Jun 13 2027
key 10
cryptographic-algorithm aes-256-cmac
key-string 6 AWifGdYaGLBcZ\eGaMLVUe^Ya]iYRZDVfFDNaS\OTVWUVXdaWdJX_ZTT]PWPSABPQAHU_PQZ[[NUagDBHQaKCFcNVcT]iBEH\TDF`bBc[DWLFO\ZOKAAB
lifetime local 10:00:00 Jun 12 2027 10:00:00 Dec 12 2027
key 11
cryptographic-algorithm aes-256-cmac
key-string 6 PVhROOEaXaNEd]UGK\GSdNAbUf^PSLDHHWZXIbXM\gDIG^DCRJPLbfbAG\\HNQPIa]VVdcLAaT\^fQGfdFidBZGIXNBdRV_e`P\NgMVC_aR[KNC[HLAAB
lifetime local 10:00:00 Dec 11 2027 10:00:00 Jun 13 2028
key 12
cryptographic-algorithm aes-256-cmac
key-string 6 ^CMIQXEEF]idSeFHK]JG_ZKMUdeFYDBQKgOF]CX[`iEK`LKDHEWfXiX[AIgSPENEPJdFbOUWRiT]eG[eMWH]XTPE`VAZKCAIUZ\KEU_fQgBiGGNAIgAAB
lifetime local 10:00:00 Jun 12 2028 10:00:00 Dec 12 2028
key 13
cryptographic-algorithm aes-256-cmac
key-string 6 [Ue]GSZaN^JPRigGKTgTTIOPKLQ_HYWa_]S`PiFVbaCAU[iGSe[XWBLTeeKaCZ[GhQB_MLIWIOKSIXQQbG[QPEGX`TLBTMO^RFcHNbOeEEIVADSZiJAAB
lifetime local 10:00:00 Dec 11 2028 10:00:00 Jun 13 2029
key 14
cryptographic-algorithm aes-256-cmac
key-string 6 ZH[eLaQAREZaJPB[V`aWWeaMVdGHNVRVQDGEWTiMVYeR\fF\fOQBdLPXgWEL^cWCLVYE`QcVWSKFAdXBXRLIKEJfIeUWO\OcKIEZa^XTJLZ_\_FEUDAAB
lifetime local 10:00:00 Jun 12 2029 10:00:00 Dec 12 2029
key 15
cryptographic-algorithm aes-256-cmac
key-string 6 DI`PhVCeTFQYLHIK[OaKPD__NMF]M_M\a^dhBR`W`ZATLVR[BIWWDgJLW\iWRETSZAAdLIePQdSQJSOPLcgKKf`f\i_OALO_[NBK\YeYRd[[O`WTXNAAB
lifetime local 10:00:00 Dec 11 2029 10:00:00 Jun 13 2030
key 16
cryptographic-algorithm aes-256-cmac
key-string 6 SId^AS^YNcITEE\TQZ]bN[\MSGXgScWWJ^fWIDa\YJKBd]_gI^[B_JMfFR`U[UeLcW_FDMD]dccK_[QMMXGRVgDgQQC\VLeDLXbXDNKMJNPLeM`H_bAAB
lifetime local 10:00:00 Jun 12 2030 10:00:00 Dec 12 2030
key 17
cryptographic-algorithm aes-256-cmac
key-string 6 U^QDG\IXZGPgBWG``JVYTcD_JbbI^hUNBZUGKWO\ZCM[NDMeefPIW_TD`A_H[X\CdYHZDTMHI^c\BAU[Tf`fggOeaaBP_[bZW_NVUCJ_K_DLHRHOdiAAB
lifetime local 10:00:00 Dec 11 2030 10:00:00 Jun 13 2031
key 18
cryptographic-algorithm aes-256-cmac
key-string 6 YfNIg^gBTIQZ_WWVcOGBFQfHXRF[_dEFYVWaMQBVVdHchB[ALFJNRY^GDcidKW`IaX]gc^]`_Ze`eRV]fQaN[KL_WcEUiE]JdV`Y_NH^EaDXZXWdYRAAB
lifetime local 10:00:00 Jun 12 2031 10:00:00 Dec 12 2031
key 19
cryptographic-algorithm aes-256-cmac
key-string 6 XMZD]P^IHVhVN`LLHZNOLeeRD\GbbDFEIPPBcIbAVW]VJdWOYiQfgIPd^fS\MWWRg\cefNSBDXfC]XPSTKcEQAAHcSgT`ZgfJf]TgePRLRDIcKD_dHAAB
lifetime local 10:00:00 Dec 11 2031 10:00:00 Jun 13 2032
key 20
cryptographic-algorithm aes-256-cmac
key-string 6 QCSeHRGFLKTFAPYfQh[FU[aAbhGggiCW`IeYJVARVJ]h]DgKWiYIRTTZZAP_EFPHCcLVJ\OiFQGBCSTZaZehNh`VAbKVK\QbSLS_WUD_]LLhFMiVhZAAB
lifetime local 10:00:00 Jun 12 2032 10:00:00 Dec 12 2032
key 21
cryptographic-algorithm aes-256-cmac
key-string 6 NCBIRfAZQBVXVH]ciI\bXKXhCfOT\XFiRagDLbKO_JVefLiYNUXJB[BNGKf^VGRSCGVZH\`MbIAUTNagO`NBWCF[WgaUiPdNPKaMU]TXFD`cK`KOaUAAB
lifetime local 10:00:00 Dec 11 2032 10:00:00 Jun 13 2033
key 22
cryptographic-algorithm aes-256-cmac
key-string 6 _XfOahdGQfWEVIJI]WgaCCPJ_WVNF]HFTbZfeJKcZ^BbCN[]fZb_UV]NZM^f`_ABBLdcRGaXDTf^]]S_RdOD_DSdOgBRC]\ZQg\RPdgDiLgCME\fLeAAB
lifetime local 10:00:00 Jun 12 2033 10:00:00 Dec 12 2033
key 23
cryptographic-algorithm aes-256-cmac
key-string 6 VUU\_g^WXf^RH]QKAhDW]S^_QgG`cCJTQIIKeM^_bFNXKgahc^NJ]XfDTO[_BZTKQFCfNB^\Y]ePY[CJfBGAQ`XLGOCVKNAfO`SOaIBDHDD\bhBPObAAB
lifetime local 10:00:00 Dec 11 2033 10:00:00 Jun 13 2034
key 24
cryptographic-algorithm aes-256-cmac
key-string 6 Fa^MOIZdcQ]\O`YA\_DRAcOFTJULBTQ\_gGeYaddQaah`XBYDdI[ZEMRfIEEDKcSRA]FRZUCFVJBSYdV_`LXUDCJef]ONeSEOAU`JGgYICVdA\`NeKAAB
lifetime local 10:00:00 Jun 12 2034 10:00:00 Dec 12 2034
key 25
cryptographic-algorithm aes-256-cmac
key-string 6 bbFOQBaPZNeSab^YCIBfSTIdGSLTKBVKNKcedB[KMZK_KeXPcL^fVSWK[JSbFiJYYfM_MBN_HRSK]KKXL]WQJRSN]QPE[]PFcISIEMee^ZXK`MfIXAAAB
lifetime local 10:00:00 Dec 11 2034 10:00:00 Jun 13 2035
key 26
cryptographic-algorithm aes-256-cmac
key-string 6 `C[]M]ULZMGaJUXXWLMWDEHIV[Lcd\RCGKVhMgAGCJVKbZCEcFgWX`KbTEE^cVJLJFbDC`CZHfERTKDAidJNbI_YTVdT\GFc`c]OY_fABPdeUTMOK_AAB
lifetime local 10:00:00 Jun 12 2035 infinite
!
mka policy MKA-POLICY
key-server priority 10
sak-rekey interval 30
!
interface TenGigabitEthernet1/1/2
description LINK TO CISCO 9300
switchport trunk native vlan 4012
switchport trunk allowed vlan 4012
switchport mode trunk
switchport nonegotiate
mtu 1532
macsec network-link
mka policy MKA-POLICY
mka pre-shared-key key-chain MKA-KC
spanning-tree guard loop
service-policy output VIDEO_OUT
!
interface Vlan4012
description TO_CISCO_9300 (Transport VLAN)
ip address 10.12.254.2 255.255.255.252
ip pim sparse-mode
ip ospf authentication key-chain TEST
ip ospf network point-to-point
bfd interval 750 min_rx 750 multiplier 3
!
router ospf 1
auto-cost reference-bandwidth 10000
passive-interface Vlan30
passive-interface Vlan40
passive-interface Vlan41
passive-interface Vlan50
network 10.11.0.0 0.0.255.255 area 2
network 10.12.254.0 0.0.0.3 area 2
network 10.13.254.0 0.0.0.3 area 2
bfd all-interfaces
Do you see anything wrong with my config in both sites? The MacSec config is practically identical. The other site has the addition of the OSPF authentication and BFD. From what I can see, the dates are overlapping and the links should continue to run without issues?
Thank you for your help
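Added example (not part of the original posts, and not Cisco tooling): a small Python audit that parses the lifetime lines of key chains like the ones posted above and reports, per rollover, how long consecutive keys overlap and how long a key is valid for sending outside its own accept window. It does interval arithmetic only, assumes both peers carry the identical chain with synchronized clocks, and does not model how IOS XE picks among simultaneously valid keys. The sample is an excerpt of the posted config with the key-strings omitted.

```python
import re
from datetime import datetime, timedelta

# Excerpt of the key chains posted above (key-strings omitted).
SAMPLE = """\
key chain TEST
 key 5
  accept-lifetime local 10:00:00 Dec 11 2023 10:00:00 Jun 13 2024
  send-lifetime local 08:00:00 Dec 11 2023 12:00:00 Jun 13 2024
 key 6
  accept-lifetime local 05:00:00 Jun 12 2024 10:00:00 Dec 12 2024
  send-lifetime local 07:00:00 Jun 12 2024 12:00:00 Dec 12 2024
key chain MKA-KC macsec
 key 03
  lifetime local 10:00:00 Dec 11 2023 10:00:00 Jun 13 2024
 key 04
  lifetime local 10:00:00 Jun 12 2024 10:00:00 Dec 12 2024
"""
FMT = "%H:%M:%S %b %d %Y"
STAMP = r"(\d\d:\d\d:\d\d \w{3} \d{1,2} \d{4})"
LIFE = re.compile(rf"^(accept-lifetime|send-lifetime|lifetime)\s+(?:local\s+)?"
                  rf"{STAMP}\s+(?:{STAMP}|(infinite))$")

def parse(text):
    """Return {chain: {key_id: {kind: (start, end)}}}; 'infinite' -> datetime.max."""
    chains, chain, key = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"key chain (\S+)", line):
            chain = chains.setdefault(m.group(1), {})
        elif m := re.match(r"key (\d+)$", line):
            key = chain.setdefault(m.group(1), {})
        elif m := LIFE.match(line):
            start = datetime.strptime(m.group(2), FMT)
            end = datetime.strptime(m.group(3), FMT) if m.group(3) else datetime.max
            key[m.group(1)] = (start, end)
    return chains

def handovers(keys, kind):
    """(old_key, new_key, overlap) per rollover; a negative overlap is a gap."""
    spans = sorted((w[kind][0], w[kind][1], k) for k, w in keys.items() if kind in w)
    return [(a[2], b[2], a[1] - b[0]) for a, b in zip(spans, spans[1:])]

def sent_not_accepted(keys):
    """Per key: (time sendable before accept starts, time sendable after accept ends)."""
    out, zero = {}, timedelta(0)
    for k, w in keys.items():
        if "send-lifetime" in w and "accept-lifetime" in w:
            (s_start, s_end), (a_start, a_end) = w["send-lifetime"], w["accept-lifetime"]
            early = max(min(s_end, a_start) - s_start, zero)
            late = max(s_end - max(a_end, s_start), zero)
            out[k] = (early, late)
    return out

if __name__ == "__main__":
    chains = parse(SAMPLE)
    print("MKA-KC rollovers:", handovers(chains["MKA-KC"], "lifetime"))
    print("TEST send rollovers:", handovers(chains["TEST"], "send-lifetime"))
    print("TEST send outside accept:", sent_not_accepted(chains["TEST"]))
```
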