Symptom
The MACsec / MKA session is in a continuous flapping state:
LC/0/0/CPU0:May 11 10:29:21.917 UTC: macsec_mka[135]: %L2-MKA-5-SESSION_STOP : (Hu0/0/0/0) MKA session stopped, CKN:1234
LC/0/0/CPU0:May 11 10:29:21.917 UTC: macsec_mka[135]: %L2-MKA-4-SESSION_UNSECURED : (Hu0/0/0/0) MKA Session was stopped and is not secured, CKN:1234
LC/0/0/CPU0:May 11 10:29:55.933 UTC: macsec_mka[135]: %L2-MKA-5-SESSION_STOP : (Hu0/0/0/0) MKA session stopped, CKN:1234
LC/0/0/CPU0:May 11 10:29:55.933 UTC: macsec_mka[135]: %L2-MKA-4-SESSION_UNSECURED : (Hu0/0/0/0) MKA Session was stopped and is not secured, CKN:1234
LC/0/0/CPU0:May 11 10:30:31.952 UTC: macsec_mka[135]: %L2-MKA-5-SESSION_STOP : (Hu0/0/0/0) MKA session stopped, CKN:1234
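One way to detect this symptom in collected syslog, added here as an example and not part of the original notice: it groups `SESSION_STOP` events by interface and CKN and reports any pair that stops repeatedly within a short window. The function name, the threshold of 3 stops, the 5-minute window and the placeholder year (the log timestamps carry none) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Log lines copied from the Symptom section above.
SAMPLE_LOG = """\
LC/0/0/CPU0:May 11 10:29:21.917 UTC: macsec_mka[135]: %L2-MKA-5-SESSION_STOP : (Hu0/0/0/0) MKA session stopped, CKN:1234
LC/0/0/CPU0:May 11 10:29:21.917 UTC: macsec_mka[135]: %L2-MKA-4-SESSION_UNSECURED : (Hu0/0/0/0) MKA Session was stopped and is not secured, CKN:1234
LC/0/0/CPU0:May 11 10:29:55.933 UTC: macsec_mka[135]: %L2-MKA-5-SESSION_STOP : (Hu0/0/0/0) MKA session stopped, CKN:1234
LC/0/0/CPU0:May 11 10:29:55.933 UTC: macsec_mka[135]: %L2-MKA-4-SESSION_UNSECURED : (Hu0/0/0/0) MKA Session was stopped and is not secured, CKN:1234
LC/0/0/CPU0:May 11 10:30:31.952 UTC: macsec_mka[135]: %L2-MKA-5-SESSION_STOP : (Hu0/0/0/0) MKA session stopped, CKN:1234
"""

# Matches only SESSION_STOP; the paired SESSION_UNSECURED line is ignored so
# each stop is counted once.
STOP_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\.\d+) UTC: macsec_mka\[\d+\]: "
    r"%L2-MKA-5-SESSION_STOP : \((?P<intf>[^)]+)\).*CKN:(?P<ckn>\S+)"
)


def find_flapping(lines, min_stops=3, window=timedelta(minutes=5), year=2000):
    """Return {(interface, ckn): total_stops} for sessions that flap.

    A session is reported when at least `min_stops` stops fall inside `window`.
    `year` is a placeholder because the syslog timestamps do not include one.
    """
    stops = defaultdict(list)
    for line in lines:
        m = STOP_RE.search(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
            stops[(m["intf"], m["ckn"])].append(ts)

    flapping = {}
    for key, times in stops.items():
        times.sort()
        # Sliding window over consecutive stops for this interface/CKN pair.
        for i in range(len(times) - min_stops + 1):
            if times[i + min_stops - 1] - times[i] <= window:
                flapping[key] = len(times)
                break
    return flapping


if __name__ == "__main__":
    for (intf, ckn), count in find_flapping(SAMPLE_LOG.splitlines()).items():
        print(f"{intf} CKN {ckn}: {count} MKA session stops, likely flapping")
```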
Conditions
The problem is introduced during the reinitialization of a MACsec / MKA session. There is a transient issue where packets are improperly leaked into the MACsec Block of a given interface during the initialization. These packets become permanently stuck in the MACsec Block buffers, causing unexpected behavior.
Examples of what triggers a MACsec reinit:
- Link Flap.
- Commit Replace.
- Remove and Re-Add MACsec configuration.
- Line Protocol being brought Down/Up by EFD/OAM.
Workaround
To temporarily fix the issue, a successful reinitialization has to be triggered. This clears the unexpected packets from the MACsec Block. To attempt a successful reinitialization, remove and re-add the MACsec configuration on the affected interface. The issue may present itself again, so multiple attempts could be needed.
- Remove the MACsec configuration on the affected interface.
- Re-add the MACsec configuration to the affected interface.
- Observe whether the MKA session establishes successfully.
Further Problem Description