Issue is that when a MACsec should-secure session fails over to clear text there is no notification in syslog; it is important for the customer to know if traffic is going unencrypted. ASR1k does not trigger syslogs for failed MACsec sessions. In other words, in should-secure mode it falls back to clear text without sending any notifications.

Tested it the following way:
• Remove MACsec on remote site
• Removing valid/matching key on remote site
• Changing EAPOL on remote end (ether-type and/or MAC address to force asr1k to stop processing received MKA packets)

In all above cases the output was the same:
• the connections failed for a few seconds before falling back to clear text
• asr1k reported the session as Secured, no peer and did not generate any MACsec related syslog notification:

Te0/0/0  a093.516b.88c0/0008  MACSEC  NO  YES  8  c4b2.39ac.3137/0001  0  Secured, no peer  12

When the session is successfully established it shows the following log messages:

*Jan 3 12:14:53.043: %MKA-5-SESSION_START: (Hu2/0/0 : 29) MKA Session started for RxSCI 2cd0.2d3d.1d40/0000, AuditSessionID , AuthMgr-Handle F6000002
*Jan 3 12:14:57.067: %MACSEC-6-INSTALL_TX_SA: (HundredGigE2/0/0 TX SCI 2CD02D3D1D40001D : vport 29 : an 0 : next_pn 0x1)
*Jan 3 12:14:57.067: %MKA-5-SESSION_SECURED: (Hu2/0/0 : 29) MKA Session was secured for RxSCI 2cd0.2d3d.2240/000b, AuditSessionID , CKN 01

But no message is seen on ASR1K if the session is not working or is not secure.

Steady state:

ASR1009-1#show mka sessions
Total MKA Sessions....... 1
      Secured Sessions... 1
      Pending Sessions... 0
====================================================================================================
Interface  Local-TxSCI          Policy-Name  Inherited  Key-Server  Port-ID  Peer-RxSCI           MACsec-Peers  Status   CKN
====================================================================================================
Hu2/0/0    2cd0.2d3d.1d40/001d  citi1        NO         YES         29       2cd0.2d3d.2240/000b  1             Secured  01

ASR1009-2# show ver
Cisco IOS XE Software, Version 16.12.05
Cisco IOS Software [Gibraltar], ASR1000 Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.12.5, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2021 by Cisco Systems, Inc.
Compiled Fri 29-Jan-21 12:08 by mcpre

The same issue is on 17.6.3.

Other platforms do show a syslog message in case the session is not secure:

NX9K: Issue detected (ANY of these):
%CTS-5-CTS_SESSION_STOPPED: MKA Session was stopped and is not secured on Interface Ethernet1/16 CKN 17
%CTS-5-CTS_SESSION_PENDING: MACSec session is in pending: interface: Ethernet1/16 Reason: Waiting for Peer

NCS5K: Issue detected:
%L2-MKA-4-SESSION_UNSECURED : (Te0/0/0/34/1) MKA Session was stopped and is not secured, CKN:22
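Because the ASR1k emits no syslog in this state, the only way to catch a should-secure session that has dropped to clear text is to poll "show mka sessions" and inspect the rows. The following Python is an added example, not code from the bug report or from Cisco: it parses the row layout quoted above and flags any session whose status is not a plain "Secured" with at least one MACsec peer. Collecting the CLI output from the router (SSH, NETCONF, etc.) is assumed to happen outside the snippet; the sample text is constructed from the healthy and failed rows quoted in the report.

```python
import re
from typing import Dict, List

# Column layout of "show mka sessions" on IOS XE, as quoted in the bug report:
# Interface Local-TxSCI Policy-Name Inherited Key-Server Port-ID Peer-RxSCI MACsec-Peers Status CKN
# Status may contain spaces ("Secured, no peer"), so it is matched lazily before the trailing CKN.
_ROW = re.compile(
    r"^(?P<iface>\S+)\s+(?P<tx_sci>[0-9a-fA-F.]+/[0-9a-fA-F]+)\s+(?P<policy>\S+)\s+"
    r"(?P<inherited>YES|NO)\s+(?P<key_server>YES|NO)\s+(?P<port_id>\d+)\s+"
    r"(?P<peer_sci>\S+)\s+(?P<peers>\d+)\s+(?P<status>.+?)\s+(?P<ckn>\S+)\s*$"
)


def parse_mka_sessions(output: str) -> List[Dict[str, str]]:
    """Return one dict per interface row; summary, header and separator lines do not match."""
    rows = []
    for line in output.splitlines():
        m = _ROW.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def find_unsecured(rows: List[Dict[str, str]]) -> List[str]:
    """One finding per session that is not 'Secured' with a live peer.

    'Secured, no peer' or MACsec-Peers == 0 means the link is (or is about to be)
    forwarding clear text in should-secure mode, with no syslog to tell you so."""
    findings = []
    for r in rows:
        if int(r["peers"]) == 0 or r["status"] != "Secured":
            findings.append(f"{r['iface']}: MKA status '{r['status']}', peers={r['peers']}, CKN {r['ckn']}")
    return findings


# Constructed sample: the healthy and the failed rows quoted in the bug report, under one header.
SAMPLE_OUTPUT = """\
Total MKA Sessions....... 2
      Secured Sessions... 2
      Pending Sessions... 0
====================================================================================================
Interface  Local-TxSCI          Policy-Name  Inherited  Key-Server  Port-ID  Peer-RxSCI           MACsec-Peers  Status            CKN
====================================================================================================
Hu2/0/0    2cd0.2d3d.1d40/001d  citi1        NO         YES         29       2cd0.2d3d.2240/000b  1             Secured           01
Te0/0/0    a093.516b.88c0/0008  MACSEC       NO         YES         8        c4b2.39ac.3137/0001  0             Secured, no peer  12
"""

if __name__ == "__main__":
    for finding in find_unsecured(parse_mka_sessions(SAMPLE_OUTPUT)):
        print("ALERT", finding)  # feed this to your own alerting instead of print
```

Run it on a schedule and alert on any non-empty result; a sudden drop of MACsec-Peers to 0 on a link that was previously Secured is the event the router itself never reports.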
MACsec configured on ASR1K, versions tested: 16.12.5, 17.6.3
none
ASR1k does not trigger syslogs for failed MACsec sessions. In other words, in should-secure mode it falls back to clear text without sending any notifications.