Cisco Bug: CSCvt33018 - MACsec 128/256 XPN on 40g/100g, stop passing traffic for one of AN and interface link flap seen

Last Modified

Oct 09, 2020

Products (20)

  • Cisco ASR 1000 Series Aggregation Services Routers
  • Cisco ASR 1000 Series IOS XE SD-WAN
  • Cisco 4221 Integrated Services Router
  • Cisco 1101 Industrial Integrated Services Router
  • Cisco 4331 Integrated Services Router
  • Cisco 4431 Integrated Services Router
  • Cisco 4321 Integrated Services Router
  • Cisco ASR 1002-X Router
  • Cisco ASR 1001-X Router
  • Cisco 4461 Integrated Services Router

Known Affected Releases

16.12.1 16.12.2 16.12.2s 16.12.3 16.9.3 16.9.5

Description (partial)

Symptom:
It is observed that when a device with high-speed link capabilities (40g/100g) is configured with the 128-xpn or 256-xpn ciphers for MACsec keys, the link flaps during rekey sessions. Routing and management protocol sessions running over the same interfaces are affected, and traffic is lost while the link is down.

This issue is seen when the MACsec key is removed or added, the key name is changed, or the cipher is changed from 128-xpn to 256-xpn. Once any of these configuration changes occurs, the issue presents itself: after three (3) successful rekeys the link goes down for one full key cycle. Once the down cycle completes, the link comes back up for another three (3) rekeys, and the pattern repeats indefinitely.

Conditions:
Traffic was found to pass through older (no longer in use) entries for the given AN value. This happens when the key is changed while the MKA session is in the secured state: the existing MKA session is torn down and a new session is established, but the older AN entries previously used for passing traffic are never deleted/cleared.

The observed behavior has not been seen on 10g links, as XPN capabilities are not available at link speeds of 10g and below.
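As an added illustration of the cadence described above (this is a constructed model, not code from Cisco or from the bug record), the following Python cycles the MACsec Association Number through its four values (the AN is a 2-bit field in IEEE 802.1AE) and leaves one stale AN entry behind at a key change; a live AN that collides with the stale entry is treated as a traffic outage. The stale-entry mechanics are an assumption built from the description, not IOS XE internals.

```python
# Constructed model of the stale-AN behaviour described for CSCvt33018.
# AN_COUNT comes from IEEE 802.1AE (2-bit AN); the stale-entry logic is an
# assumption modelled on the bug description, not Cisco's implementation.
from dataclasses import dataclass, field

AN_COUNT = 4  # MACsec Association Number (AN) is a 2-bit field: values 0..3


@dataclass
class SecureChannel:
    """Per-direction secure channel: one live AN slot, others may hold stale SAs."""
    active_an: int = 0
    stale_ans: set = field(default_factory=set)

    def install_sak(self) -> None:
        """Normal rekey: the next SAK takes the next AN slot, wrapping at 4."""
        self.active_an = (self.active_an + 1) % AN_COUNT

    def change_key(self, clear_old: bool) -> None:
        """Key add/remove/rename or cipher change while MKA is SECURED.

        The old MKA session is torn down and a new one established. With
        clear_old=False the old session's AN entry is left behind (the bug);
        with clear_old=True it is cleared (the expected behaviour).
        """
        if clear_old:
            self.stale_ans.clear()
        else:
            self.stale_ans.add(self.active_an)
        self.install_sak()

    def passes_traffic(self) -> bool:
        """Traffic is black-holed when the live AN collides with a stale entry."""
        return self.active_an not in self.stale_ans


def link_states_after_key_change(rekeys: int, clear_old: bool) -> list:
    """Return one True (up) / False (down) per SAK installation.

    The new session's first SAK is included, followed by `rekeys` rekeys.
    """
    sc = SecureChannel()
    sc.change_key(clear_old)
    states = [sc.passes_traffic()]
    for _ in range(rekeys):
        sc.install_sak()
        states.append(sc.passes_traffic())
    return states
```

With the stale entry left behind, every fourth SAK installation lands on the poisoned AN slot, giving three up cycles followed by one down cycle; clearing the old entry at the key change removes the outage entirely.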