BugZero | Cisco BugID CSCvt33018 - MACsec 128/256 XPN on 40g/100g, stop passing traff...

Loading...

Operational Defect Database

A free repository of operational (non-security) bugs centralized through custom integrations with leading IT vendors.

Product

Enterprise platform
Bug Scrub Advisor
Operational Risk Scoring
Vendor Integrations

Company

Plans
Value Guide
About
Contact us

Resources

Blog
ServiceNow App
Trust Center
Risk Management
NIST
DORA

Operational Defect Database

A free repository of operational (non-security) bugs centralized through custom integrations with leading IT vendors.

Product

Enterprise platform
Bug Scrub Advisor
Operational Risk Scoring
Vendor Integrations

Company

Plans
Value Guide
About
Contact us

Resources

Blog
ServiceNow App
Trust Center
Risk Management
NIST
DORA

©2025 BugZero. All Rights Reserved.

Privacy Policy Terms of Service

BugZero | Cisco BugID CSCvt33018 - MACsec 128/256 XPN on 40g/100g, stop passing traff...

ODD
Cisco
CSCvt33018

Cisco - Defect ID: CSCvt33018

MACsec 128/256 XPN on 40g/100g, stop passing traffic for one of AN and interface link flap seen

ODD
Cisco
CSCvt33018

Cisco - Defect ID: CSCvt33018

MACsec 128/256 XPN on 40g/100g, stop passing traffic for one of AN and interface link flap seen

Last updated on April 28th, 2025

BugZero Risk Score
9.5 High

Overall: 9.5

Severity: 10.0

Lifecycle: 9.1

Popularity: 4.6

What is the BugZero Risk Score?

Cisco Integration

Learn more about where this data comes from

Cisco Integration

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise

Bug Details

Description

Symptom

It is observed that when a device with high-speed link capabilities (40g/100g) is configured using 128 or 256 xpn ciphers for MACsec keys, the link will flap during rekey sessions. This has affected routing and management protocol sessions when used on the same interfaces causing traffic loss when link flaps occur. This issue is seen when the MACsec key is removed/added, the key name is changed, or if the cipher is changed from 128-xpn to 256-xpn. Once any of these configuration changes occur, the issue will present itself. After three (3) successful rekeys the link will go down for one full key cycle. Once the down cycle completes, the link comes back up for another three (3) rekeys, repeating indefinitely.

Conditions

Found that the traffic passes through older (not in use) entries for the given AN value. This happens if we are changing the key when the MKA session is in a secure state. During this, the existing MKA session will be torn down and the new session will get established. But the older AN entries which was previously in use for passing the traffic was never deleted/cleared. We have not seen the observed behavior occur on 10g links as xpn capabilities are not available for links speeds 10g and below.

Workaround

There is no known workaround.

Further Problem Description

It is recommended that if changes to a current MACsec session need to be made, both interfaces must be shut down and the secure session must be terminated prior to making configuration changes. After this is completed, bring both of the interfaces back up.

Change history

2025-04-28 Added: 16.12.1, 16.12.2, 16.12.2s, 16.12.3, 16.9.3, 16.9.5

Relevant Products

Click on a version to see all relevant bugs

Affected versions:16.12.1, 16.12.2, 16.12.2s, 16.12.3, 16.9.3, 16.9.5

Fixed versions: 16.12.4, 16.12.4a, 16.12.5, 16.12.5a, 16.12.5b, 16.12.6, 16.12.6a, 16.12.7, 16.12.8, 16.12.9, 16.9.6, 16.9.7, 16.9.8, 16.9.8a, 16.9.8b, 17.10.1, 17.10.1a, 17.10.1b, 17.2.2, 17.2.3, 17.3.1, 17.3.1a, 17.3.1w, 17.3.1x, 17.3.1z, 17.3.2, 17.3.2a, 17.3.3, 17.3.3a, 17.3.4, 17.3.4a, 17.3.4b, 17.3.4c, 17.3.5, 17.3.5a, 17.3.5b, 17.3.6, 17.4.1, 17.4.1a, 17.4.1b, 17.4.1c, 17.4.2, 17.4.2a, 17.5.1, 17.5.1a, 17.5.1b, 17.6.1, 17.6.1a, 17.6.1w, 17.6.1x, 17.6.1y, 17.6.1z, 17.6.1z1, 17.6.2, 17.6.3, 17.6.3a, 17.6.4, 17.6.5, 17.7.1, 17.7.1a, 17.7.1b, 17.7.2, 17.8.1, 17.8.1a, 17.9.1, 17.9.1a, 17.9.1w, 17.9.1x, 17.9.1x1, 17.9.2, 17.9.2a, Amsterdam-17.3.1, Fuji-16.9.6, Gibraltar-16.12.4

Relevant Products

Click on a version to see all relevant bugs

Affected versions:16.12.1, 16.12.2, 16.12.2s, 16.12.3, 16.9.3, 16.9.5

Fixed versions: 16.12.4, 16.12.4a, 16.12.5, 16.12.5a, 16.12.5b, 16.12.6, 16.12.6a, 16.12.7, 16.12.8, 16.12.9, 16.9.6, 16.9.7, 16.9.8, 16.9.8a, 16.9.8b, 17.10.1, 17.10.1a, 17.10.1b, 17.2.2, 17.2.3, 17.3.1, 17.3.1a, 17.3.1w, 17.3.1x, 17.3.1z, 17.3.2, 17.3.2a, 17.3.3, 17.3.3a, 17.3.4, 17.3.4a, 17.3.4b, 17.3.4c, 17.3.5, 17.3.5a, 17.3.5b, 17.3.6, 17.4.1, 17.4.1a, 17.4.1b, 17.4.1c, 17.4.2, 17.4.2a, 17.5.1, 17.5.1a, 17.5.1b, 17.6.1, 17.6.1a, 17.6.1w, 17.6.1x, 17.6.1y, 17.6.1z, 17.6.1z1, 17.6.2, 17.6.3, 17.6.3a, 17.6.4, 17.6.5, 17.7.1, 17.7.1a, 17.7.1b, 17.7.2, 17.8.1, 17.8.1a, 17.9.1, 17.9.1a, 17.9.1w, 17.9.1x, 17.9.1x1, 17.9.2, 17.9.2a, Amsterdam-17.3.1, Fuji-16.9.6, Gibraltar-16.12.4

Top Cisco Defects

9.7Defect ID: CSCwa70008
Expired certs cause Security Intelligence updates to fail
9.7Defect ID: CSCwc94466
Cisco ASA/FTD Firepower 2100 SSL/TLS Denial of Service Vulnerability
9.7Defect ID: CSCvq12070
Not able to establish more than 2 simultaneous ASDM sessions
9.7Defect ID: CSCwf80292
ISE cannot retrieve a peer certificate during EAP-TLS authentication
9.7Defect ID: CSCvd48893
Cisco IOS and IOS XE Software Cluster Management Protocol Remote Code Execution Vulnerability

Ready to prevent the next vendor outage?

Links

Original Vendor Announcement

Cisco Integration

Learn more about where this data comes from

Cisco Integration

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise