Cisco Bug: CSCuw43417 - With should-secure,if macsec sessn fails on sub intf, traffic is dropped

Last Modified

Jul 29, 2018

Products (1)

  • Cisco ASR 9000 Series Aggregation Services Routers

Known Affected Releases

6.0.0.BASE

Description (partial)

Symptom:
Packets are dropped under the should-secure security policy when the configuration with APM fails. That is, if a subinterface is trying to configure SAs and that fails, traffic appears to be dropped even though should-secure is meant to forward it in the clear.

Conditions:
traffic drop.
	RP/0/RSP0/CPU0:macsec-CE1(config-if)#macsec psk-keychain script_key_chain1 pol$
	RP/0/RSP0/CPU0:macsec-CE1(config-if)#commit
	RP/0/RSP0/CPU0:macsec-CE1(config-if)#show run macsec-policy test123
	macsec-policy test123
	 conf-offset CONF-OFFSET-30
	 security-policy should-secure
	 window-size 100
	 cipher-suite GCM-AES-256
	 vlan-tags-in-clear 1
	 key-server-priority 0
	!
	
	RP/0/RSP0/CPU0:macsec-CE1(config-if)#end
	RP/0/RSP0/CPU0:macsec-CE1#
	RP/0/RSP0/CPU0:macsec-CE1#show macsec mka ses
	
	NODE: node0_0_CPU0
	=======================================================================
	      Interface         Local-TxSCI       # Peers   Status  Key-Server
	=======================================================================
	  Fo0/0/0/1/1.4      d46d.5023.36fb/0004      0        Init    YES
	  Fo0/0/0/1/1.8      d46d.5023.36fb/0008      0        Init    YES
	      Hu0/0/0/5      d46d.5023.3722/0001      0        Init    YES
	  Fo0/0/0/1/1.1      d46d.5023.36fb/0001      0        Init    YES
	  Fo0/0/0/1/1.5      d46d.5023.36fb/0005      0        Init    YES
	  Fo0/0/0/1/1.9      d46d.5023.36fb/0009      0        Init    YES
	  Fo0/0/0/1/1.2      d46d.5023.36fb/0002      0        Init    YES
	  Fo0/0/0/1/1.6      d46d.5023.36fb/0006      0        Init    YES
	 Fo0/0/0/1/1.10      d46d.5023.36fb/000a      0        Init    YES
	  Fo0/0/0/1/1.3      d46d.5023.36fb/0003      0        Init    YES
	  Fo0/0/0/1/1.7      d46d.5023.36fb/0007      0        Init    YES
	
	RP/0/RSP0/CPU0:macsec-CE1#ping 37.1.1.1
	Type escape sequence to abort.
	Sending 5, 100-byte ICMP Echos to 37.1.1.1, timeout is 2 seconds:
	!!!!!
	Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
	RP/0/RSP0/CPU0:macsec-CE1#ping 37.1.1.2
	Type escape sequence to abort.
	Sending 5, 100-byte ICMP Echos to 37.1.1.2, timeout is 2 seconds:
	!!!!!
	Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
	RP/0/RSP0/CPU0:macsec-CE1#conf t
	RP/0/RSP0/CPU0:macsec-CE1(config)#
	RP/0/RSP0/CPU0:macsec-CE1(config)#
	RP/0/RSP0/CPU0:macsec-CE1(config)#macsec-policy test124
	RP/0/RSP0/CPU0:macsec-CE1(config-macsec-policy)# conf-offset CONF-OFFSET-30
	RP/0/RSP0/CPU0:macsec-CE1(config-macsec-policy)# security-policy must-secure
	RP/0/RSP0/CPU0:macsec-CE1(config-macsec-policy)# window-size 100
	RP/0/RSP0/CPU0:macsec-CE1(config-macsec-policy)# cipher-suite GCM-AES-256
	RP/0/RSP0/CPU0:macsec-CE1(config-macsec-policy)# vlan-tags-in-clear 1
	RP/0/RSP0/CPU0:macsec-CE1(config-macsec-policy)# key-server-priority 0
	RP/0/RSP0/CPU0:macsec-CE1(config-macsec-policy)#commit
	RP/0/RSP0/CPU0:macsec-CE1(config-macsec-policy)#exit
	RP/0/RSP0/CPU0:macsec-CE1(config)#
	RP/0/RSP0/CPU0:macsec-CE1(config)#interface HundredGigE0/0/0/5
	RP/0/RSP0/CPU0:macsec-CE1(config-if)#no macsec
	RP/0/RSP0/CPU0:macsec-CE1(config-if)#commit
	RP/0/RSP0/CPU0:macsec-CE1(config-if)#mac
	mac-accounting  mac-address  macsec
	RP/0/RSP0/CPU0:macsec-CE1(config-if)#macsec psk-keychain script_key_chain1 pol$
	RP/0/RSP0/CPU0:macsec-CE1(config-if)#commit
	RP/0/RSP0/CPU0:macsec-CE1(config-if)#end
	RP/0/RSP0/CPU0:macsec-CE1#
	RP/0/RSP0/CPU0:macsec-CE1#ping 37.1.1.1
	Type escape sequence to abort.
	Sending 5, 100-byte ICMP Echos to 37.1.1.1, timeout is 2 seconds:
	.!!!!
	Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
	RP/0/RSP0/CPU0:macsec-CE1#ping 37.1.1.2
	Type escape sequence to abort.
	Sending 5, 100-byte ICMP Echos to 37.1.1.2, timeout is 2 seconds:
	....
	Success rate is 0 percent (0/4)
	RP/0/RSP0/CPU0:macsec-CE1#conf t
	RP/0/RSP0/CPU0:macsec-CE1(config)#interface HundredGigE0/0/0/5
	RP/0/RSP0/CPU0:macsec-CE1(config-if)#no macsec
	RP/0/RSP0/CPU0:macsec-CE1(config-if)#commit
	RP/0/RSP0/CPU0:macsec-CE1(config-if)#end
	RP/0/RSP0/CPU0:macsec-CE1#
	RP/0/RSP0/CPU0:macsec-CE1#show run interface HundredGigE0/0/0/5
	interface HundredGigE0/0/0/5
	 ipv4 address 37.1.1.1 255.255.255.0
	!
	
	RP/0/RSP0/CPU0:macsec-CE1#show run interface HundredGigE0/0/0/5.1
	% No such configuration item(s)
	
	RP/0/RSP0/CPU0:macsec-CE1#conf t
	RP/0/RSP0/CPU0:macsec-CE1(config)#interface HundredGigE0/0/0/5.1
	RP/0/RSP0/CPU0:macsec-CE1(config-subif)#ip add 37.1.2.1/24
	RP/0/RSP0/CPU0:macsec-CE1(config-subif)#encapsulation dot1q 1
	RP/0/RSP0/CPU0:macsec-CE1(config-subif)#commit
	RP/0/RSP0/CPU0:macsec-CE1(config-subif)#do ping 37.1.2.1
	Type escape sequence to abort.
	Sending 5, 100-byte ICMP Echos to 37.1.2.1, timeout is 2 seconds:
	!!!!!
	Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
	RP/0/RSP0/CPU0:macsec-CE1(config-subif)#do ping 37.1.2.2
	Type escape sequence to abort.
	Sending 5, 100-byte ICMP Echos to 37.1.2.2, timeout is 2 seconds:
	!!!!!
	Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/5 ms
	RP/0/RSP0/CPU0:macsec-CE1(config-subif)#macsec psk-keychain script_key_chain1 $
	RP/0/RSP0/CPU0:macsec-CE1(config-subif)#commit
	RP/0/RSP0/CPU0:macsec-CE1(config-subif)#end
	RP/0/RSP0/CPU0:macsec-CE1#
	RP/0/RSP0/CPU0:macsec-CE1#ping 37.1.2.1
	Type escape sequence to abort.
	Sending 5, 100-byte ICMP Echos to 37.1.2.1, timeout is 2 seconds:
	!!!!!
	Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
	RP/0/RSP0/CPU0:macsec-CE1#ping 37.1.2.2
	Type escape sequence to abort.
	Sending 5, 100-byte ICMP Echos to 37.1.2.2, timeout is 2 seconds:
	.....
	Success rate is 0 percent (0/5)
	RP/0/RSP0/CPU0:macsec-CE1#show macsec mka ses
	
	NODE: node0_0_CPU0
	=======================================================================
	      Interface         Local-TxSCI       # Peers   Status  Key-Server
	=======================================================================
	  Fo0/0/0/1/1.4      d46d.5023.36fb/0004      0        Init    YES
	  Fo0/0/0/1/1.8      d46d.5023.36fb/0008      0        Init    YES
	  Fo0/0/0/1/1.1      d46d.5023.36fb/0001      0        Init    YES
	  Fo0/0/0/1/1.5      d46d.5023.36fb/0005      0        Init    YES
	  Fo0/0/0/1/1.9      d46d.5023.36fb/0009      0        Init    YES
	    Hu0/0/0/5.1      d46d.5023.3722/0001      0        Init    YES
	  Fo0/0/0/1/1.2      d46d.5023.36fb/0002      0        Init    YES
	  Fo0/0/0/1/1.6      d46d.5023.36fb/0006      0        Init    YES
	 Fo0/0/0/1/1.10      d46d.5023.36fb/000a      0        Init    YES
	  Fo0/0/0/1/1.3      d46d.5023.36fb/0003      0        Init    YES
	  Fo0/0/0/1/1.7      d46d.5023.36fb/0007      0        Init    YES
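The transcript above shows the pattern an operator would want to catch automatically: every MKA session sits in Init with 0 peers, and on the subinterface configured with a should-secure policy the neighbour becomes unreachable, which contradicts the policy's intent (should-secure forwards unencrypted traffic until a secured session exists; must-secure drops until then). The following script is an added example, not Cisco code and not part of the bug report: it parses a `show macsec mka ses` table of the shape shown above, pairs each session with the policy the operator has recorded for that interface and with a reachability probe result, and flags interfaces whose observed behaviour contradicts the expected forwarding state. The sample table, policy map and ping results are constructed to mirror the report (the "Secured" row and status string are assumed for contrast); the policy-to-behaviour mapping follows the standard MACsec security-policy semantics, not any Cisco internals.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample (not a live capture): the `show macsec mka ses` table
# shape from the bug report, reduced to three rows. The "Secured" row is an
# assumed healthy session added for contrast.
SAMPLE_MKA_OUTPUT = """\
NODE: node0_0_CPU0
=======================================================================
      Interface         Local-TxSCI       # Peers   Status  Key-Server
=======================================================================
  Fo0/0/0/1/1.4      d46d.5023.36fb/0004      0        Init    YES
    Hu0/0/0/5.1      d46d.5023.3722/0001      0        Init    YES
      Hu0/0/0/6      d46d.5023.3723/0001      1        Secured YES
"""

# Hypothetical interface -> security-policy map, as an operator would assemble
# it from `show run macsec-policy` and each interface's
# `macsec psk-keychain ... policy ...` line.
SAMPLE_POLICY: Dict[str, str] = {
    "Fo0/0/0/1/1.4": "should-secure",
    "Hu0/0/0/5.1": "should-secure",
    "Hu0/0/0/6": "must-secure",
}

# Hypothetical ping results (True = neighbour reachable), constructed to mirror
# the report: the should-secure subinterface with an Init session drops traffic.
SAMPLE_REACHABLE: Dict[str, bool] = {
    "Fo0/0/0/1/1.4": True,
    "Hu0/0/0/5.1": False,
    "Hu0/0/0/6": True,
}

# One data row: interface, Local-TxSCI (MAC/port-id), peer count, status,
# key-server flag. Header, separator and NODE lines do not match this pattern.
ROW_RE = re.compile(
    r"^\s*(?P<intf>\S+)\s+(?P<sci>[0-9a-f.]+/[0-9a-f]+)\s+(?P<peers>\d+)"
    r"\s+(?P<status>\S+)\s+(?P<ks>YES|NO)\s*$"
)


@dataclass
class MkaSession:
    interface: str
    tx_sci: str
    peers: int
    status: str
    key_server: bool


def parse_mka_sessions(text: str) -> List[MkaSession]:
    """Parse the session table into one MkaSession per data row."""
    sessions = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            sessions.append(MkaSession(
                interface=m["intf"],
                tx_sci=m["sci"],
                peers=int(m["peers"]),
                status=m["status"],
                key_server=(m["ks"] == "YES"),
            ))
    return sessions


def session_secured(s: MkaSession) -> bool:
    """A session protects traffic only once it is Secured with a live peer."""
    return s.status.lower() == "secured" and s.peers > 0


def expected_forwarding(policy: str, secured: bool) -> str:
    """Data-plane behaviour implied by the security-policy: must-secure drops
    everything until a secured session exists, should-secure forwards in clear."""
    if secured:
        return "encrypted"
    return "clear" if policy == "should-secure" else "drop"


def find_anomalies(sessions: List[MkaSession], policy_by_intf: Dict[str, str],
                   reachable_by_intf: Dict[str, bool]) -> List[Tuple[str, str, str, str, bool]]:
    """Return (interface, policy, status, expected, reachable) for every interface
    whose observed reachability contradicts what its policy says should happen."""
    anomalies = []
    for s in sessions:
        policy = policy_by_intf.get(s.interface)
        reachable = reachable_by_intf.get(s.interface)
        if policy is None or reachable is None:
            continue  # no recorded policy or no probe result for this interface
        expected = expected_forwarding(policy, session_secured(s))
        if (expected != "drop") != reachable:
            anomalies.append((s.interface, policy, s.status, expected, reachable))
    return anomalies


if __name__ == "__main__":
    sessions = parse_mka_sessions(SAMPLE_MKA_OUTPUT)
    for a in find_anomalies(sessions, SAMPLE_POLICY, SAMPLE_REACHABLE):
        print("ANOMALY: %s policy=%s status=%s expected=%s reachable=%s" % a)
```

Run against the constructed sample it reports only `Hu0/0/0/5.1`: should-secure, session still in Init, expected to pass traffic in the clear, but the neighbour is unreachable, which is exactly the symptom the report describes. A must-secure interface that drops traffic while its session is in Init is the intended behaviour and is not flagged.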