09-19-2022 03:22 AM
Good Day,
I am currently having an issue whereby MACsec is not working between Cisco 9500s on 17.x.x at Layer 2. I used the configs below:
mka policy (name)
 macsec-cipher-suite gcm-aes-256
 exit
key chain (***) macsec
 key 1000
  cryptographic-algorithm aes-256-cmac
  key-string 7 08031D6C5F40513346582A517308010B6561074B55435550707A7C70025E213D33000176000105715B7F555E0F7521315E507D58272A071D192A3B524E312F5C22
  lifetime local 05:00:00 1 september 2022 duration 18000
 exit
################
macsec network-link
mka policy (name)
mka pre-shared-key key-chain *******
Regards,
Salom
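The key chain in the post above carries a `lifetime local 05:00:00 1 september 2022 duration 18000`, which limits the CAK to a five-hour window on 1 September 2022, so the MKA peers have no valid key on the day of the post. The following is an added example, not part of the original thread: a small Python checker that parses an IOS-XE MACsec key chain and reports whether each key is active, expired or not yet valid at a given time. The key chain name and key-string are constructed placeholders; the lifetime line mirrors the one posted.

```python
from datetime import datetime, timedelta

# Constructed sample modelled on the key chain in the first post; the key-string
# is a placeholder, not a real key.
SAMPLE = """key chain KC-MACSEC macsec
 key 1000
  cryptographic-algorithm aes-256-cmac
  key-string 7 PLACEHOLDER_NOT_A_REAL_KEY
  lifetime local 05:00:00 1 september 2022 duration 18000
"""

MONTHS = {m: i for i, m in enumerate(
    "january february march april may june july august september october november december".split(), 1)}

def _stamp(hms, day, month, year):
    """Build a datetime from the IOS 'hh:mm:ss day month year' fields."""
    return datetime(int(year), MONTHS[month.lower()], int(day), *map(int, hms.split(":")))

def parse_lifetimes(config):
    """Map each key id to (start, end); (None, None) means no lifetime configured,
    which IOS treats as always valid."""
    lifetimes, key = {}, None
    for raw in config.splitlines():
        f = raw.split()
        if len(f) == 2 and f[0] == "key" and f[1].isdigit():
            key = f[1]
            lifetimes[key] = (None, None)
        elif key and f[:2] == ["lifetime", "local"]:
            # lifetime local <start> {duration <seconds> | infinite | <end>}
            start = _stamp(*f[2:6])
            if f[6] == "duration":
                end = start + timedelta(seconds=int(f[7]))
            elif f[6] == "infinite":
                end = None
            else:
                end = _stamp(*f[6:10])
            lifetimes[key] = (start, end)
    return lifetimes

def key_status(config, now_iso):
    """Return {key_id: 'active' | 'expired' | 'not-yet-valid'} at an ISO-8601 time."""
    now = datetime.fromisoformat(now_iso)
    status = {}
    for key, (start, end) in parse_lifetimes(config).items():
        if start and now < start:
            status[key] = "not-yet-valid"
        elif end and now >= end:
            status[key] = "expired"
        else:
            status[key] = "active"
    return status

if __name__ == "__main__":
    print(key_status(SAMPLE, "2022-09-19T03:22:00"))  # {'1000': 'expired'}
```

Run it against the key chain of both peers with the switches' current clock; a key chain with no active key on either side leaves `show mka sessions` empty.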
09-19-2022 04:10 AM - edited 09-19-2022 04:11 AM
>...GCM-AES-256 and XPN cipher suites (GCM-AES-XPN-128 and GCM-AES-XPN-256) are supported only with Network Advantage license.
- For the rest, or if not related, elaborate on how the problems are observed, such as logs or errors during the configuration commands; post screenshot(s) or direct ASCII output (preferred).
M.
09-19-2022 07:11 AM
Please see below
License Usage:
License Entitlement Tag Count Status
-----------------------------------------------------------------------------
network-advantage (C9500 Network Advantage) 2 IN USE
dna-advantage (C9500 48Y4C DNA Advantage) 2 IN USE
show macsec summary
%No Secure Channels
show mka sessions
Total MKA Sessions....... 0
Secured Sessions... 0
Pending Sessions... 0
====================================================================================================
Interface Local-TxSCI Policy-Name Inherited Key-Server
Port-ID Peer-RxSCI MACsec-Peers Status CKN
====================================================================================================
09-19-2022 09:33 AM
- Review https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9500/software/release/16-9/configuration_guide/sec/b_169_sec_9500_cg/macsec_encryption.html#concept_xby_bf3_l2b and check the correctness of your MACsec setup; additionally, configure a syslog server on both 9500s and check the logs sent to it during or after the configuration of MACsec, review the logging from the 9500 devices on the syslog server and/or check for trouble (e.g.)
M.
09-20-2022 11:01 PM
Marce, since this is in a Prod environment I have decided to test it between the 9300 and a host PC. It is giving me the error below:
Error:
Sep 20 10:02:49.735 NAM: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (e454.e8a2.fb6e) with reason (No Response from Client) on Interface Gi1/0/13 AuditSessionID 000000000000000F59E984E2
Sep 20 10:02:49.737 NAM: %SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed or unapplied for client (e454.e8a2.fb6e) on Interface GigabitEthernet1/0/13 AuditSessionID 000000000000000F59E984E2. Failure reason: Authc fail. Authc failure reason: No Response from Client.
Sep 20 10:02:49.737 NAM: %SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed or unapplied for client (e454.e8a2.fb6e) on Interface GigabitEthernet1/0/13 AuditSessionID 000000000000000F59E984E2. Failure reason: Authc fail. Authc failure reason: Missing Config.
Configuration:
interface GigabitEthernet1/0/13
 switchport access vlan X
 switchport mode access
 switchport port-security violation protect
 switchport port-security
 macsec
 authentication event fail action next-method
 authentication event server dead action authorize vlan X
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication linksec policy must-secure
 authentication order dot1x mab
 authentication priority mab dot1x
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 dot1x pae authenticator
 dot1x timeout tx-period 10
 mka policy TEST
 spanning-tree portfast
end
mka policy TEST
 key-server priority 200
 ssci-based-on-sci
09-21-2022 01:13 AM
- This test and or the messages '...Authorization failed or unapplied for client...' are totally unrelated to your initial post.
M.
09-21-2022 10:23 AM
Hi Marce,
Unfortunately, I cannot make changes now on the Prod environment. I will share the logs again when they are available, when I make the changes.
Regards,
Salom
11-01-2022 01:16 AM
Hi Marce,
I have managed to resolve this issue, and below are the configs I applied. MACsec is working fine now.
mka policy "Name"
 macsec-cipher-suite gcm-aes-256
 sak-rekey interval 1800
!
key chain "Name" macsec
 key 1000
  cryptographic-algorithm aes-256-cmac
  ! Not the real key
  key-string 7 11111155555555555555544444444444444448888888888888888444444444444444444442222222222222244
!
!
interface TwentyFiveGigE*********
 switchport mode trunk
 macsec network-link
 mka policy "Name"
 mka pre-shared-key key-chain "Name"
 channel-group 5 mode active
!
Tx,
Salom
09-20-2022 12:33 AM - edited 09-20-2022 12:38 AM
I will share the logs