
show security mka sessions (MX Series)

Syntax

Description

Display MACsec Key Agreement (MKA) session information for all interfaces. The MKA protocol is responsible for maintaining MACsec on the link, and decides which router on the point-to-point link becomes the key server.

Options

  • interface interface-name—Display the MKA session information for the specified interface only.

  • summary | brief | detail—Display the specified level of output.

  • none (same as brief)—Display the MKA session information for all interfaces.

Required Privilege Level

view

Output Fields

Table 1 lists the output fields for the show security mka sessions command. Output fields are listed in the approximate order in which they appear.

Table 1: show security mka sessions Output Fields

Field Name

Field Description

Interface name

Name of the interface.

Interface state

State of the interface:

  • Secured
  • Secured-Suspended (during GRES)
  • Unsecured

If the interface is in secured or secured-suspended state, the CAK type is also displayed.

Member identifier

Name of the member identifier.

CAK name

Name of the connectivity association key (CAK). The CAK is configured using the cak keyword when configuring the pre-shared key.

CAK type

The CAK type: primary, fallback, or preceding.

MKA suspended

The number of seconds the MACsec session can be suspended during GRES. This count decrements until the remote node comes out of suspension.

Transmit interval

The transmit interval. Both ends of the point-to-point link should be configured to the same value. Default value is 2000 seconds. Possible values: 2000 through 6000 milliseconds.

SAK rekey interval

The timer-based refresh interval for the secure association key (SAK). Default value is 0 seconds. Possible values: 60 through 86,400 seconds.

Preceding key

Shows whether preceding key is enabled or not.

Bounded delay

Shows whether bounded delay is enabled or not.

Outbound SCI

Name of the outbound secure channel identifier.

Message number

Number of the last data message.

Key number

Key number.

Key server

Key server status.

The router is the key server when this output is yes. The router is not the key server when this output is no.

Key server priority

Displays the priority of the key server. Lower value indicates higher priority. Use the key-server-priority statement to set the priority. Possible values: 0 through 255.

Latest SAK AN

Name of the latest secure association key (SAK) association number.

Latest SAK KI

Name of the latest secure association key (SAK) key identifier.

MKA Suspend For

Shows whether MKA session suspensions are enabled or disabled. Configure the suspend-for statement to enable suspensions during GRES.

MKA Suspend On Request

Shows whether the key server is enabled to accept MKA session suspension requests from the peer server. Configure the suspend-on-request statement to enable the key server to accept suspension requests for GRES.

Fields for Peer list

Member identifier

Name of the member identifier.

Hold time

Hold time, in seconds.

Message number

Number of the last data message.

SCI

Name of the secure channel identifier.

Lowest acceptable PN

Number of the lowest acceptable packet number (PN).

Fields for CAK list (detail only)

CAK name

Name of the connectivity association key (CAK).

CAK type

The CAK type: primary, fallback, or preceding.

Status

The CAK status: live, active, or in-progress.

Member identifier

Name of the member identifier.

Message number

Number of the last data message.
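An added example, not part of the original page or of Junos OS: a Python check that compares the MKA session fields from both ends of one point-to-point link and reports the conditions Table 1 describes (interface not secured, session suspended, non-primary CAK in use, mismatched transmit interval, not exactly one key server). The sample text is constructed, and its "Field: value" layout is an assumption; only the field names are taken from Table 1, so adapt parse_sessions to the output of your release.

```python
# Constructed sample text, NOT captured from a device. The "Field: value"
# layout is an assumption; only the field names come from Table 1.
ROUTER_A = """\
Interface name: ge-0/0/2
Interface state: Secured
CAK type: primary
Transmit interval: 2000
Key server: yes
"""
ROUTER_B = """\
Interface name: ge-0/0/2
Interface state: Secured
CAK type: fallback
Transmit interval: 6000
Key server: yes
"""

def parse_sessions(text):
    """Split output into one dict per interface, keyed by lower-cased field name."""
    sessions = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")   # split on the first colon only
        key, value = key.strip().lower(), value.strip()
        if not sep:
            continue
        if key == "interface name":             # each interface starts a new record
            sessions.append({})
        if sessions:
            sessions[-1][key] = value
    return sessions

def audit_link(local, remote):
    """Compare the two ends of one point-to-point link; return a list of findings."""
    findings = []
    for side, s in (("local", local), ("remote", remote)):
        state = s.get("interface state", "").lower()
        if not state.startswith("secured"):
            findings.append(f"{side}: interface state is {state or 'missing'}")
        elif "suspended" in state:
            findings.append(f"{side}: MKA session suspended (GRES)")
        if s.get("cak type", "primary").lower() != "primary":
            findings.append(f"{side}: running on {s['cak type']} CAK")
    if local.get("transmit interval") != remote.get("transmit interval"):
        findings.append("transmit interval differs between the two ends")
    servers = [s.get("key server", "").lower() for s in (local, remote)].count("yes")
    if servers != 1:
        findings.append(f"{servers} key servers on the link, expected exactly 1")
    return findings
```

Calling audit_link(parse_sessions(ROUTER_A)[0], parse_sessions(ROUTER_B)[0]) reports the fallback CAK, the interval mismatch, and the duplicate key server in the constructed data.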

Sample Output

show security mka sessions

show security mka sessions interface ge-0/0/2 detail

Release Information

Command introduced in Junos OS Release 15.1.