Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
359
Views
0
Helpful
3
Replies

MACsec packet-loss between C9300/17.9.5 and Nexus C93180YC-FX/10.2.6

Go to solution
MATTHIAS SCHAERER
Level 3
Level 3

‎02-23-2024 02:58 AM

Hi

I have a 10Gb link between the two devices that is secured by MACsec/PSK. When I ping between the two devices after about 90KB of traffic I lose one ping in regular intervals. Due to the regularity I assume this is something process related but up to now I have not found out, what parameter might be the reason for this behaviour.

Config C9300:
------------

key chain MACSEC_KEYS_1 macsec
 key 02
  cryptographic-algorithm aes-256-cmac
  key-string <omitted>
 lifetime local 00:00:00 Jan 1 2024 infinite
!
!
license boot level network-advantage
mka policy MKA_POLICY_1
 key-server priority 90
 sak-rekey interval 3600
!
interface TenGigabitEthernet1/1/1
 switchport access vlan 22
 mtu 9100
 macsec network-link
 mka policy MKA_POLICY_1
 mka pre-shared-key key-chain MACSEC_KEYS_1
!

Config C93180YC-FX:
-------------------

key chain MACSEC_KEYS_1 macsec
 key 02
  key-octet-string 7 <omitted> cryptographic-algorithm AES_256_CMAC
 send-lifetime local 00:00:00 Jan 01 2024 infinite

macsec policy MACSEC_POLICY_1
 cipher-suite GCM-AES-256
 key-server-priority 100

interface Ethernet1/48
 macsec keychain MACSEC_KEYS_1 policy MACSEC_POLICY_1
 switchport
 switchport access vlan 22
 mtu 9100
 no shutdown

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
MATTHIAS SCHAERER
Level 3
Level 3

‎02-26-2024 07:43 AM

Both answers did not really help but I retested the connection without MACsec and observed the same behaviour. I then attached a host to the Nexus device and repeated the pings from the C9300. With that setup I did not observe any failure (100k pings). The reason for the packet loss is probably the CPU of the Nexus that could not match the speed of the pings sourced from the C9300.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
marce1000
VIP
VIP

‎02-23-2024 03:02 AM

 

 - Doubt if that is important ; but configure a syslog server on both devices and examine logs send to it ; watch for anomalies reported , if any ,

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful

Go to solution
Ruben Cocheno
Spotlight
Spotlight

‎02-23-2024 03:45 AM

@MATTHIAS SCHAERER 

Check any errors on the interfaces and Tx/Rx levels

Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on Linkedin https://www.linkedin.com/in/rubencocheno/
0 Helpful

Go to solution
MATTHIAS SCHAERER
Level 3
Level 3

‎02-26-2024 07:43 AM

Both answers did not really help but I retested the connection without MACsec and observed the same behaviour. I then attached a host to the Nexus device and repeated the pings from the C9300. With that setup I did not observe any failure (100k pings). The reason for the packet loss is probably the CPU of the Nexus that could not match the speed of the pings sourced from the C9300.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card