MACsec Session Drop Due to Mismatch in Key Start Time
Problem
Description: If there is a mismatch in key start time, an NTP synchronization issue, or a wrong secret, the old key is used to retain the MKA session.
Solution
The session expires once the MKA session expire timer threshold is reached. A log message similar to the following is recorded to indicate that the old key is being used:
DOT1XD_MACSEC_SC_PRE_SHARED_KEY_NOT_ACTIVATED:
The old key is used only until the time specified in the MKA session expire timer.
Sample Output
user@host> show log messages | match DOT1XD_MACSEC_SC_PRE_SHARED_KEY_NOT_ACTIVATED:
Feb 23 14:26:01.990297 macsec_update_keychain() active key presents. Kick key change to 2000000000000000000000000000
Feb 23 14:26:02.195293 DOT1XD_MKA_SECURE_CHANNEL_CREATED: Macsec receive secure channel created for 64:87:88:f6:b0:a4 on interface ge-0/2/0
Feb 23 14:26:05.586742 DOT1XD_MKA_SECURE_ASSOCIATION_ESTABLISHED: Macsec secure association established with an:0 on interface ge-0/2/0
Feb 23 14:28:02.004648 macsec_update_keychain() active key presents. Kick key change to 2000000000000000000000000001
Feb 23 14:28:04.625660 DOT1XD_MKA_SA_KEY_ROLLOVER: Macsec secure association key rolled over on interface ge-0/2/0
Feb 23 14:30:01.012548 macsec_update_keychain() active key presents. Kick key change to 2000000000000000000000000002
Feb 23 14:31:11.012951 DOT1XD_MACSEC_SC_PRE_SHARED_KEY_NOT_ACTIVATED: ifd: ge-0/2/0 cak: 100000000002 not activated
Feb 23 14:31:11.013155 macsec_update_keychain() active key presents. Kick key change to 2000000000000000000000000002
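The following is an added example, not part of the original page or vendor code: a log check that flags each DOT1XD_MACSEC_SC_PRE_SHARED_KEY_NOT_ACTIVATED event and reports which key the session is still running on. It assumes a single MACsec interface per log and that an SA established or rollover message confirms the most recently kicked key; the function and field names are hypothetical.

```python
import re

# Log lines copied from the sample output on this page.
SAMPLE = """\
Feb 23 14:26:01.990297 macsec_update_keychain() active key presents. Kick key change to 2000000000000000000000000000
Feb 23 14:26:02.195293 DOT1XD_MKA_SECURE_CHANNEL_CREATED: Macsec receive secure channel created for 64:87:88:f6:b0:a4 on interface ge-0/2/0
Feb 23 14:26:05.586742 DOT1XD_MKA_SECURE_ASSOCIATION_ESTABLISHED: Macsec secure association established with an:0 on interface ge-0/2/0
Feb 23 14:28:02.004648 macsec_update_keychain() active key presents. Kick key change to 2000000000000000000000000001
Feb 23 14:28:04.625660 DOT1XD_MKA_SA_KEY_ROLLOVER: Macsec secure association key rolled over on interface ge-0/2/0
Feb 23 14:30:01.012548 macsec_update_keychain() active key presents. Kick key change to 2000000000000000000000000002
Feb 23 14:31:11.012951 DOT1XD_MACSEC_SC_PRE_SHARED_KEY_NOT_ACTIVATED: ifd: ge-0/2/0 cak: 100000000002 not activated
Feb 23 14:31:11.013155 macsec_update_keychain() active key presents. Kick key change to 2000000000000000000000000002
"""

ENTRY = re.compile(r"^(\w{3}\s+\d+\s+[\d:.]+)\s+(.*)$")
KICK = re.compile(r"macsec_update_keychain\(\).*Kick key change to (\S+)")
INSTALLED = re.compile(r"DOT1XD_MKA_(?:SECURE_ASSOCIATION_ESTABLISHED|SA_KEY_ROLLOVER): .* on interface (\S+)")
NOT_ACTIVATED = re.compile(r"DOT1XD_MACSEC_SC_PRE_SHARED_KEY_NOT_ACTIVATED: ifd: (\S+) cak: (\S+) not activated")

def find_inactive_keys(log_text):
    """Return one finding per NOT_ACTIVATED event, with the key still in use."""
    pending = None   # (time, key) kicked by the keychain, not yet installed
    in_use = {}      # interface -> (time, key) last confirmed by an SA event
    findings = []
    for line in log_text.splitlines():
        entry = ENTRY.match(line.strip())
        if not entry:
            continue
        when, msg = entry.groups()
        if m := KICK.search(msg):
            # A repeated kick for the same key keeps the first timestamp.
            if pending is None or pending[1] != m.group(1):
                pending = (when, m.group(1))
        elif m := INSTALLED.search(msg):
            # Assumption: an SA event confirms the most recently kicked key.
            if pending:
                in_use[m.group(1)] = pending
                pending = None
        elif m := NOT_ACTIVATED.search(msg):
            ifd, cak = m.groups()
            findings.append({
                "interface": ifd, "cak": cak, "reported_at": when,
                "pending_key": pending[1] if pending else None,
                "pending_since": pending[0] if pending else None,
                "key_in_use": in_use.get(ifd, (None, None))[1],
            })
    return findings

if __name__ == "__main__":
    for finding in find_inactive_keys(SAMPLE):
        print(finding)
```

A finding means the interface is still protected by the older key and will drop when the MKA session expire timer runs out, so check key start times, NTP synchronization, and the configured secret on both peers before then.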