Symptom
If one member of an Ethernet port channel flaps, that member remains in the not connected state.
Conditions
- MACsec configured
- Cat9300 and N9K
- Tested on 16.12.4, 16.9.4 and 17.3.1
- Native VLAN configured (other than VLAN 1)
The issue is observed only when the N9K device acts as key server.
Workaround
- Configure the key server priority so that the Cat9K always acts as key server.
- When the Cat9K acts as key server, the issue is not observed.
- Reapplying the configuration recovers the interface.
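An added example, not part of the original bug report: a small check that a planned pair of MKA key server priorities makes the Cat9K the key server, as the workaround requires. It assumes the IEEE 802.1X election rules (numerically lowest priority wins, a tie goes to the lowest SCI, priority 255 never serves); the device names, priorities and MAC addresses are constructed sample values.

```python
from dataclasses import dataclass

NEVER_KEY_SERVER = 0xFF  # IEEE 802.1X: priority 255 = never act as key server


@dataclass(frozen=True)
class Participant:
    name: str
    priority: int     # MKA key server priority, 0-255; numerically lower wins
    mac: str          # MAC address component of the SCI
    port_id: int = 1  # port identifier component of the SCI

    @property
    def sci(self) -> bytes:
        # SCI = 6-byte MAC followed by 2-byte port identifier
        return bytes.fromhex(self.mac.replace(":", "")) + self.port_id.to_bytes(2, "big")


def elect_key_server(participants):
    """Return the elected key server, or None if nobody is eligible."""
    eligible = [p for p in participants if p.priority != NEVER_KEY_SERVER]
    # Lowest priority value wins; a tie falls back to the numerically lowest SCI.
    return min(eligible, key=lambda p: (p.priority, p.sci), default=None)


def check_workaround(cat9k, n9k):
    """Return (ok, reason); ok only if the Cat9K wins on priority alone."""
    for p in (cat9k, n9k):
        if not 0 <= p.priority <= 255:
            raise ValueError(f"{p.name}: priority {p.priority} is outside 0-255")
    winner = elect_key_server([cat9k, n9k])
    if winner is None:
        return False, "neither side is eligible to be key server"
    if winner is not cat9k:
        return False, f"{winner.name} would be elected key server"
    if cat9k.priority == n9k.priority:
        return False, "priorities tie; the result depends on the SCI (MAC address)"
    return True, f"{cat9k.name} is elected key server on priority"


# Constructed sample values (documentation MAC range), not taken from the bug report.
CAT9K = Participant("Cat9300", priority=0, mac="00:00:5e:00:53:20")
N9K = Participant("N9K", priority=16, mac="00:00:5e:00:53:10")

if __name__ == "__main__":
    print(check_workaround(CAT9K, N9K))
```

The check rejects equal priorities even when the Cat9K would win the tie, because that outcome depends on MAC addresses and changes if hardware is replaced.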
Further Problem Description
The issue is observed only when the N9K has become key server and one of the members of the Ethernet port channel flaps.
The issue is observed when a native VLAN is configured (other than VLAN 1).
The root cause is that the Non-KS does not install the TxSA when a port channel member flaps.
Fix: If the TxSA can be installed, even on the Non-KS, we will invoke the MKA FSM to enable the TxSA. Earlier this was limited to the EAP-TLS case.