Cisco Bug: CSCvv48305 - Route not fully programmed in the hardware for macsec enabled end-point
Oct 28, 2020
- Cisco 2600 Series Multiservice Platforms
Known Affected Releases
Symptom: Communication to a MACsec host does not work between the edge node and the end-point, even when the MKA session is up and running. Hardware programming for the end-point shows a missing adjacency entry (OCE chain not found):

show platform software fed switch active ip route vrf-name <VRF> <END_POINT_IP>/32
<SNIP>
========== OCE chain =====
LENTRY:obj_id:52 not found...

Conditions: MACsec enabled between the edge switch and the end-point. The observation from the logs is that rewrite index programming failed. During MACsec programming, if a rewrite index is already present it needs to be converted to a MACsec rewrite index; this conversion fails, which produces "Program Macsec rw failed". The rewrite index programming failure causes packets destined to the client to be dropped; that is when the client's AnyConnect gets stuck in the "Acquiring IP" state and the authentication process does not move to the user authentication phase. The issue is seen only when an SVI is present. From the trace logs:

[macsec] : UUID: 0, ra: 0, TID: 0 (ERR): Program Macsec rw failed!!
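A small added check, not from Cisco or this bug record, that flags the two signatures described above in captured output: an OCE chain entry the FED reports as not found in the route programming dump, and the MACsec rewrite failure in the trace log. The sample output is constructed from the fragments quoted above; the full layout of the real command output and trace is assumed.

```python
from __future__ import annotations
import re

# Constructed sample, modelled only on the fragments quoted in the bug record;
# the complete layout of the real "show platform software fed" output is assumed.
SAMPLE_ROUTE_DUMP = """\
Route on VRF Campus_VN, ip 10.20.30.44/32
========== OCE chain =====
LENTRY:obj_id:52 not found...
"""

# Constructed trace excerpt; only the (ERR) line is taken from the bug record.
SAMPLE_TRACE = """\
[macsec] : UUID: 0, ra: 0, TID: 0 (INFO): MKA session up
[macsec] : UUID: 0, ra: 0, TID: 0 (ERR): Program Macsec rw failed!!
"""

OCE_HEADER = re.compile(r"^=+\s*OCE chain\s*=+$")
NOT_FOUND = re.compile(r"^(?P<entry>\S+?)\.*\s+not found", re.IGNORECASE)
RW_FAILED = re.compile(r"\[macsec\].*\(ERR\):\s*Program Macsec rw failed")


def missing_oce_entries(route_dump: str) -> list[str]:
    """Return OCE chain objects that the hardware programming dump reports as not found."""
    missing, in_oce = [], False
    for raw in route_dump.splitlines():
        line = raw.strip()
        if OCE_HEADER.match(line):
            in_oce = True          # everything after the banner belongs to the OCE chain
            continue
        if in_oce:
            m = NOT_FOUND.match(line)
            if m:
                missing.append(m.group("entry"))
    return missing


def macsec_rw_failures(trace: str) -> list[str]:
    """Return trace lines carrying the MACsec rewrite-index programming error."""
    return [line for line in trace.splitlines() if RW_FAILED.search(line)]


def route_fully_programmed(route_dump: str, trace: str) -> bool:
    """True only when no OCE object is missing and no rewrite programming error was logged."""
    return not missing_oce_entries(route_dump) and not macsec_rw_failures(trace)
```

Run the two functions over the real command output and btrace log of a suspected edge node; a non-empty result from either is the signature described in this record, even though the MKA session itself reports up.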