Symptom
It is observed that when a device with high-speed link capabilities (40G/100G) is configured with a 128-xpn or 256-xpn cipher for its MACsec keys, the link flaps during rekey sessions. Routing and management protocol sessions running over the same interfaces are affected, and traffic is lost while the link is down.
This issue is seen when the MACsec key is removed or added, the key name is changed, or the cipher is changed from 128-xpn to 256-xpn. Once any of these configuration changes occurs, the issue presents itself: after three (3) successful rekeys the link goes down for one full key cycle. Once the down cycle completes, the link comes back up for another three (3) rekeys, and the pattern repeats indefinitely.
Conditions
Found that the traffic passes through older (not in use) entries for the given AN (association number) value. This happens if we are changing the key while the MKA session is in the secure state. During this, the existing MKA session is torn down and the new session is established, but the older AN entries that were previously in use for passing traffic were never deleted/cleared.
We have not seen the observed behavior occur on 10G links, as XPN capabilities are not available for link speeds of 10G and below.
Workaround
There is no known workaround.
Further Problem Description
If changes to a current MACsec session need to be made, it is recommended that both interfaces be shut down and the secure session terminated before the configuration changes are made. Once the changes are complete, bring both interfaces back up.
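Added illustration, not vendor code: a toy model of the receive-SA table that reproduces the three-good-rekeys-then-one-dead-cycle pattern described under Symptom when the entry for the AN in use at teardown is left behind (the Conditions mechanism), and shows it disappear when every entry is flushed before the change (the shut-and-terminate procedure above). It assumes a 2-bit AN (0..3, per IEEE 802.1AE) that advances by one per rekey, that the replacement session starts at AN 0, and that the data path matches the oldest entry for an AN first; the key names are constructed.

```python
AN_COUNT = 4  # the MACsec association number is a 2-bit field: 0, 1, 2, 3


class ReceiveSaTable:
    """Toy receive-SA table: one list of installed SAKs per AN, oldest first."""

    def __init__(self):
        self.slots = {an: [] for an in range(AN_COUNT)}
        self.active_an = 0
        self.active_key = None

    def install(self, an, key):
        # Two entries under one AN can only happen if a stale one was leaked.
        self.slots[an].append(key)
        self.active_an, self.active_key = an, key

    def rekey(self, key):
        # A normal in-session rekey moves to the next AN and retires only the
        # SA this session created; it knows nothing about a leaked entry.
        old_an, old_key = self.active_an, self.active_key
        self.install((old_an + 1) % AN_COUNT, key)
        self.slots[old_an].remove(old_key)

    def teardown(self, flush_all):
        # Correct path (shut/terminate before changing config): every AN entry
        # goes away with the session. Defective path: the entry for the AN in
        # use at teardown is left behind and is never cleared.
        if flush_all:
            for entries in self.slots.values():
                entries.clear()

    def traffic_passes(self, expected_key):
        # Assumed data-path behaviour: the oldest entry for the active AN wins.
        return self.slots[self.active_an][0] == expected_key


def simulate(flush_on_teardown, rekeys_after_change=8):
    """Return, per key cycle of the new MKA session, whether traffic passed."""
    table = ReceiveSaTable()
    table.install(0, "sessionA-sak0")            # constructed key names
    for i in range(1, 4):                        # session A rekeys three times
        table.rekey(f"sessionA-sak{i}")          # ... and is active on AN 3
    table.teardown(flush_all=flush_on_teardown)  # key changed while secure
    table.install(0, "sessionB-sak0")            # replacement session starts
    results = [table.traffic_passes("sessionB-sak0")]
    for i in range(1, rekeys_after_change + 1):
        key = f"sessionB-sak{i}"
        table.rekey(key)
        results.append(table.traffic_passes(key))
    return results
```

`simulate(False)` returns a pass/fail list whose every fourth cycle is False (the stale AN 3 entry is hit each time the AN wraps), while `simulate(True)` returns all True.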