
    MACsec Session Drop During Key Rollover

    Problem

    Description: For every successful key rollover, a message similar to the following is logged:

    DOT1XD_MKA_SA_KEY_ROLLOVER: Macsec secure association key rolled over on interface ge-0/0/1

    For every unsuccessful key rollover, while the old key is still being used, a message similar to the following is logged:

    DOT1XD_MACSEC_SC_EXPIRED_KEY_IN_USE: ifd: ge-0/0/1 using expired cak:

    Solution

    If there is a keychain mismatch, caused by incorrect start times specified in the keys, a network time synchronization issue, or wrong key values, the keychain rollover does not happen and the old key is kept in use to retain the MKA session. A log message similar to the following is recorded to indicate that the old keychain is still being used:

    DOT1XD_MACSEC_SC_EXPIRED_KEY_IN_USE: ifd: ge-0/0/1 using expired cak:

    The old key is used only until the time specified by the MKA session expire timer, so the mismatch must be corrected before that timer expires or the session drops.

    Sample Output

    user@host> show log messages | match DOT1XD_MKA_SA_KEY_ROLLOVER
    Feb 23 14:26:01.990297 macsec_update_keychain() active key presents. Kick key change to 2000000000000000000000000000
    Feb 23 14:26:02.195293 DOT1XD_MKA_SECURE_CHANNEL_CREATED: Macsec receive secure channel created for 64:87:88:f6:b0:a4 on interface ge-0/2/0
    Feb 23 14:26:05.586742 DOT1XD_MKA_SECURE_ASSOCIATION_ESTABLISHED: Macsec secure association established with an:0 on interface ge-0/2/0
    Feb 23 14:28:02.004648 macsec_update_keychain() active key presents. Kick key change to 2000000000000000000000000001
    Feb 23 14:28:04.625660 DOT1XD_MKA_SA_KEY_ROLLOVER: Macsec secure association key rolled over on interface ge-0/2/0
    Feb 23 14:30:01.012548 macsec_update_keychain() active key presents. Kick key change to 2000000000000000000000000002
    Feb 23 14:31:11.012951 DOT1XD_MACSEC_SC_PRE_SHARED_KEY_NOT_ACTIVATED: ifd: ge-0/2/0 cak: 100000000002 not activated
    Feb 23 14:31:11.013155 macsec_update_keychain() active key presents. Kick key change to 2000000000000000000000000002
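
    The following script is an added example for triaging these messages; it is not part of this page or of Junos. It parses lines in the format shown above (the sample lines are constructed, not captured from a device) and reports interfaces whose most recent key event is a failed rollover, since those sessions will drop once the MKA expire timer fires.

```python
import re

# Constructed sample lines, modelled on the message formats shown on this page
# (not captured from a real device).
SAMPLE_LOG = """\
Feb 23 14:28:04.625660 DOT1XD_MKA_SA_KEY_ROLLOVER: Macsec secure association key rolled over on interface ge-0/2/0
Feb 23 14:30:01.012548 macsec_update_keychain() active key presents. Kick key change to 2000000000000000000000000002
Feb 23 14:31:11.012951 DOT1XD_MACSEC_SC_PRE_SHARED_KEY_NOT_ACTIVATED: ifd: ge-0/2/0 cak: 100000000002 not activated
Feb 23 14:32:00.000001 DOT1XD_MACSEC_SC_EXPIRED_KEY_IN_USE: ifd: ge-0/0/1 using expired cak:
Feb 23 14:34:00.000002 DOT1XD_MKA_SA_KEY_ROLLOVER: Macsec secure association key rolled over on interface ge-0/0/1
"""

# Message tags from the page: one means the rollover succeeded, the others mean
# the keychain did not roll over and the old key is only kept until the expire timer.
ROLLOVER_OK = "DOT1XD_MKA_SA_KEY_ROLLOVER"
ROLLOVER_FAILED = {
    "DOT1XD_MACSEC_SC_EXPIRED_KEY_IN_USE",
    "DOT1XD_MACSEC_SC_PRE_SHARED_KEY_NOT_ACTIVATED",
}

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d\.\d+) (?P<tag>DOT1XD_[A-Z_]+): (?P<msg>.*)$")
# The interface appears either as "on interface ge-x/y/z" or as "ifd: ge-x/y/z".
IFACE_RE = re.compile(r"(?:on interface|ifd:) (?P<ifd>\S+)")


def parse_events(text):
    """Return the key-rollover events in log order; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or (m["tag"] != ROLLOVER_OK and m["tag"] not in ROLLOVER_FAILED):
            continue
        i = IFACE_RE.search(m["msg"])
        events.append({"ts": m["ts"], "tag": m["tag"], "ifd": i["ifd"] if i else None})
    return events


def interfaces_needing_attention(events):
    """Interfaces whose most recent key event is a failed rollover.

    A failure followed by a later successful rollover counts as resolved; a
    failure with no later success is reported so the keychain can be fixed
    before the MKA session expire timer drops the session.
    """
    latest = {}
    for ev in events:  # events are already in chronological order
        latest[ev["ifd"]] = ev["tag"]
    return sorted((ifd, tag) for ifd, tag in latest.items() if tag in ROLLOVER_FAILED)


if __name__ == "__main__":
    for ifd, tag in interfaces_needing_attention(parse_events(SAMPLE_LOG)):
        print(f"{ifd}: {tag} - check key start times, NTP and CAK values")
```

    Feed it the output of `show log messages | match DOT1XD_` instead of the sample to run it against a real device's log.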
    

    Modified: 2018-02-28