Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
143
Views
0
Helpful
1
Replies

Port Doesn't Continuously Broadcast MACSEC Announcements on Reboot

ldnelson16
Level 1
Level 1

‎05-13-2024 06:13 AM

My Cisco Catalyst 9300 is configured to initiate a MACSEC connectivity association with other devices using a Pre-shared key (PSK). All parameters are correct in the sense that an association can be made and the encryption is done correctly when done so. However, I expect that when the connection is interrupted, the Cisco Catalyst will attempt to re-initiate the MACSEC connection, however it does not at all, by sending out frames advertising its MKA ability. It only sends out these 'advertisement frames' when you reboot the port (using shutdown; no shutdown;). How do I fix this behavior? Is it possible? I have another switch which continuously tries to connect it seems, but I can't get this behavior on the Catalyst. 

Here are parameters of my MKA :

mka_v2 112 FALSE 0 TRUE TRUE GCM-AES-128 Tw1/0/1 Tw1/0/2
Gi1/1/1 Gi1/1/2, which shows that DP (delay protect) is FALSE, CO (confidentiality offset) is 0, KS (key server priotity) is 112, ICVIND (include icv indicator) is TRUE, SAKR OLPL (SAK-Rekey On-Live-Peer-Loss) is TRUE, Cipher suite is GCM-AES-128, and It is applied on two interfaces. 

... and MACSEC :

MACsec is enabled
Replay protect : enabled
Replay window : 0
Include SCI : yes
Use ES Enable : no
Use SCB Enable : no
Admin Pt2Pt MAC : forceTrue(1)
Pt2Pt MAC Operational : no
Cipher : GCM-AES-128
Confidentiality Offset : 0

Capabilities
ICV length : 16
Data length change supported: yes
Max. Rx SA : 32
Max. Tx SA : 32
Max. Rx SC : 16
Max. Tx SC : 16
Validate Frames : strict
PN threshold notification support : Yes
Ciphers supported : GCM-AES-128
GCM-AES-256
GCM-AES-XPN-128
GCM-AES-XPN-256

Access control : should secure

No Transmit Secure Channels
No Receive Secure Channels

Labels:
0 Helpful
1 Reply 1

marce1000
VIP
VIP

‎05-13-2024 09:37 AM

 

 - Always useful to verify such issues against the latest advisory software version for the 9300 , if applicable , 

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card