Cisco Bug: CSCvu75014 - [Active fallback] MACsec primary session in Rekeying state during correction of Fallback key

Last Modified

Sep 02, 2020

Products (1)

  • Cisco ASR 9000 Series Aggregation Services Routers

Known Affected Releases


Description (partial)

With valid configurations of both primary and fallback keychains, the primary MKA session is expected to be in the Secured state while the fallback session remains in the Active state.
However, a sequence of steps that involves misconfiguring the same keys for both the primary and fallback keychains causes the primary MKA session state to change to "Rekeying" while the fallback session remains in the Active state.

Caused by a particular sequence of misconfigurations of the MACsec primary and fallback keychains:

1. Bring up both the primary and fallback MKA sessions.
     - Wait for the primary to be Secured and the fallback to be in the Active state.
2. Delete both the primary and fallback keychains.
3. Add both the primary and fallback keychains with the same PSK keys (i.e. the same CKN and CAK for both keychains).
4. Only the primary MKA session comes up and is Secured; as expected, the fallback session is not initiated because it has the same CKN as the primary.
5. Delete the fallback keychain and add it back with a different PSK (CKN and CAK) from the primary keychain.
6. MKA tries to rekey from primary to fallback because of the previous misconfiguration (the fallback keychain had the same PSK as the primary), so the primary session displays the session state as Rekeying and the fallback as Active.
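
A pre-commit check for the misconfiguration in step 3, as an added example that is not part of the Cisco bug record: it flags interfaces whose primary and fallback keychains share a CKN. The sample configuration is constructed, and its IOS XR-style layout (`key chain ... macsec`, `macsec psk-keychain ... fallback-psk-keychain ...`) and the function names are assumptions, not taken from this page.

```python
import re

# Constructed sample; the IOS XR-style keychain layout is an assumption.
SAMPLE_CONFIG = """\
key chain PRIMARY_KC
 macsec
  key 1111
   key-string password 0A0B0C cryptographic-algorithm aes-256-cmac
!
key chain FALLBACK_KC
 macsec
  key 1111
   key-string password 0A0B0C cryptographic-algorithm aes-256-cmac
!
interface HundredGigE0/0/0/1
 macsec psk-keychain PRIMARY_KC fallback-psk-keychain FALLBACK_KC
!
"""

def parse_keychains(config):
    """Return {keychain name: {CKN: key-string text as stored}}."""
    chains, chain, ckn = {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"key chain (\S+)", line):
            chain, ckn = chains.setdefault(m.group(1), {}), None
        elif raw and not raw[0].isspace():  # any other top-level line ends the block
            chain = ckn = None
        elif chain is not None and (m := re.fullmatch(r"key ([0-9A-Fa-f]+)", line)):
            ckn = m.group(1).lower()        # the key name is the CKN
            chain[ckn] = None
        elif ckn and (m := re.match(r"key-string (.+)", line)):
            chain[ckn] = m.group(1)
    return chains

def find_shared_psk(config):
    """Return (interface, primary, fallback, ckn, same_key_string) per shared CKN."""
    chains, findings, iface = parse_keychains(config), [], None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"interface (\S+)", line):
            iface = m.group(1)
        elif m := re.search(r"macsec psk-keychain (\S+) fallback-psk-keychain (\S+)", line):
            pri, fb = chains.get(m.group(1), {}), chains.get(m.group(2), {})
            for ckn in sorted(pri.keys() & fb.keys()):
                # Stored key-strings may be encrypted; the CKN match is the main signal.
                findings.append((iface, m.group(1), m.group(2), ckn, pri[ckn] == fb[ckn]))
    return findings
```

An empty result means no interface pairs a primary and fallback keychain that share a CKN; any finding should be corrected before the configuration is committed.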