
    Secret Mismatch between the Keys Used in the Nodes


    Description: The secret used in the keychain must be the same on both participating nodes. If it is not the same, a CAK mismatch entry is recorded in the config trace logs.


    Check whether the IFD is up and running on both nodes using the following command:

    user@host> show interfaces xe-0/0/0 terse

    If the IFD is up, check the current active key in use on both nodes, using the following command:

    user@host> show security authentication-key-chains

    Verify the keys being used. If the keys are not the same, check the config trace logs (set/security/ and set security/interfacename) and search for the CAK mismatch entry. The presence of the CAK mismatch entry indicates that the secrets in the keychains do not match. Set the same secrets by following the procedure at Configuring MACsec Using PSK Hitless Rollover Keychain on MX2020 and MX2010 Routers (Recommended for Enabling MACsec on Router-to-Router Links).

    Sample Output

    user@host> show interfaces xe-4/0/8:0 terse
    Interface               Admin Link Proto    Local                 Remote
    xe-4/0/8:0              up    up
    xe-4/0/8:0.100          up    up   bridge
    xe-4/0/8:0.32767        up    up   multiservice
    user@host# show security authentication-key-chains
    key-chain test_key_chain {
        key 1 {
            secret "$8$aes256-gcm$hmac-sha2-256$100$k9da4zO9sG0$tHJe4kl3RVygIaWHmoHohQ$gW7pzH69/BbwDznGJN9jtw$40an5KZce1U"; ## SECRET-DATA  
            key-name 2398137739;  
            start-time "2022-4-28.07:20:00 -0700";
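
The comparison step above can be done offline on saved key-chain output from both nodes. The following is an added example, not Juniper code: the function names, the second key and the node B text are constructed, and it assumes the active key is the one with the latest start-time that has already passed. The secret is displayed encrypted, so it is not compared here; the CAK mismatch trace entry remains the check for that.

```python
import re
from datetime import datetime, timezone

# Constructed sample output in the format shown above; secrets are placeholders.
NODE_A = """
key-chain test_key_chain {
    key 1 {
        secret "<encrypted-placeholder>"; ## SECRET-DATA
        key-name 2398137739;
        start-time "2022-4-28.07:20:00 -0700";
    }
    key 2 {
        secret "<encrypted-placeholder>"; ## SECRET-DATA
        key-name 2398137740;
        start-time "2022-5-28.07:20:00 -0700";
    }
}
"""
# Constructed drift: on node B, key 2 rolls over a month later than on node A.
NODE_B = NODE_A.replace("2022-5-28", "2022-6-28")

KEY_RE = re.compile(r'\bkey (\d+) \{.*?key-name (\w+);.*?start-time "([^"]+)";', re.S)

def parse_keys(config):
    """Return {key_id: (key_name, start_time)} for each key in the key-chain."""
    return {int(kid): (name, datetime.strptime(start, "%Y-%m-%d.%H:%M:%S %z"))
            for kid, name, start in KEY_RE.findall(config)}

def active_key(keys, now):
    """Assumption: the active key has the latest start-time not after `now`."""
    started = {kid: v for kid, v in keys.items() if v[1] <= now}
    return max(started, key=lambda kid: started[kid][1]) if started else None

def compare_nodes(cfg_a, cfg_b, now):
    """List the differences that would leave the two nodes on different keys."""
    a, b = parse_keys(cfg_a), parse_keys(cfg_b)
    act_a, act_b = active_key(a, now), active_key(b, now)
    issues = []
    if act_a != act_b:
        issues.append(f"active key differs: {act_a} vs {act_b}")
    for kid in sorted(set(a) | set(b)):
        if kid not in a or kid not in b:
            issues.append(f"key {kid}: present on one node only")
        elif a[kid] != b[kid]:
            issues.append(f"key {kid}: key-name or start-time differs")
    return issues

if __name__ == "__main__":
    now = datetime(2022, 6, 1, tzinfo=timezone.utc)  # constructed check time
    print("\n".join(compare_nodes(NODE_A, NODE_B, now)) or "key-chains agree")
```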

    Modified: 2018-02-28