Cisco Bug: CSCvv48305 - Route not fully programmed in the hardware for macsec enabled end-point

Last Modified

Oct 28, 2020

Products (1)

  • Cisco 2600 Series Multiservice Platforms

Known Affected Releases

  • 16.12.4
  • 16.6.8

Description (partial)

Symptom:
Communication to a MACSEC host does not work between the edge node and the end-point, even when the MKA session is up and running.

Hardware programming for the end-point shows a missing adjacency entry (OCE chain not found):

show platform software fed switch active ip route vrf-name <VRF> <END_POINT_IP>/32
<SNIP>
 ========== OCE chain =====
  LENTRY:obj_id:52 not found...

Conditions:
MACSEC is enabled between the edge switch and the end-point.

The observation from the logs is that rewrite index programming failed.
During MACSEC programming, if a rewrite index is already present, it needs to be converted to a MACSEC rewrite index.
This conversion fails, which produces the "Program Macsec rw failed" error.
Because the rewrite index is never programmed, packets destined to the client are dropped; this is when the client's AnyConnect gets stuck in the "Acquiring IP" state, and the authentication process never moves on to the user authentication phase.

The issue is seen only when an SVI is present.

From trace logs:

[macsec] [23590]: UUID: 0, ra: 0, TID: 0 (ERR): Program Macsec rw failed!!
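The two indicators quoted above (an unresolved object in the OCE chain of the FED route entry, and the "Program Macsec rw failed" trace line) can be checked mechanically when triaging a MACSEC end-point that cannot pass traffic. The following is an added example, not Cisco tooling; the show output and trace lines are constructed samples modelled on the bug's quoted text, and whether an SVI is present is supplied by the operator rather than parsed from the configuration.

```python
"""Triage helper for the symptom described above (added example, not Cisco tooling)."""
import re

# Constructed sample, modelled on the trimmed output of
# "show platform software fed switch active ip route vrf-name <VRF> <END_POINT_IP>/32"
# quoted in the bug: the OCE chain lists an object the FED cannot resolve.
FED_ROUTE_OUTPUT = """\
<SNIP>
 ========== OCE chain =====
  LENTRY:obj_id:52 not found...
"""

# Constructed sample trace lines; the ERR line follows the format quoted in the bug.
TRACE_LINES = [
    "[macsec] [23590]: UUID: 0, ra: 0, TID: 0 (INFO): MKA session established",
    "[macsec] [23590]: UUID: 0, ra: 0, TID: 0 (ERR): Program Macsec rw failed!!",
]

OCE_HEADER = re.compile(r"=+\s*OCE chain\s*=+")
OCE_NOT_FOUND = re.compile(r"^\s*(\S+?:obj_id:\d+)\s+not found", re.MULTILINE)
MACSEC_RW_FAIL = re.compile(r"\[macsec\].*\(ERR\):\s*Program Macsec rw failed")


def missing_oce_objects(fed_output: str) -> list[str]:
    """Return OCE-chain objects reported as 'not found' (no adjacency programmed)."""
    header = OCE_HEADER.search(fed_output)
    if header is None:
        return []  # no OCE chain section in the capture: nothing to judge
    return OCE_NOT_FOUND.findall(fed_output[header.end():])


def macsec_rw_failures(trace_lines: list[str]) -> list[str]:
    """Return trace lines recording a failed MACsec rewrite-index programming attempt."""
    return [line for line in trace_lines if MACSEC_RW_FAIL.search(line)]


def triage(fed_output: str, trace_lines: list[str], svi_present: bool) -> dict:
    """Combine the three indicators the bug lists: missing adjacency, rw failure, SVI.

    svi_present is an operator-supplied flag (assumption: not derived from config here).
    """
    missing = missing_oce_objects(fed_output)
    failures = macsec_rw_failures(trace_lines)
    return {
        "missing_oce": missing,
        "rw_failures": failures,
        "svi_present": svi_present,
        "matches_symptom": bool(missing) and bool(failures) and svi_present,
    }


if __name__ == "__main__":
    for key, value in triage(FED_ROUTE_OUTPUT, TRACE_LINES, svi_present=True).items():
        print(f"{key}: {value}")
```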