MACsec Event Logging

The MACsec logging application can provide useful debug information when a MACsec connection fails to reach the secure state. At the default logging level (6), messages are logged only when an established connection is dropped due to an MKA timeout:
<165>Jul 30 15:31:35 10.50.99.111 MACsec[1][ge.1.10] KaY: Live peer removed (no valid MKPDUs rcv'd in last 6.07 seconds) 
Increasing the logging level to (7) or (8) can help debug MKA issues. Here is what a successful MKA connection looks like:
<165>Jul 30 15:39:08 10.50.99.111 LinkTrap[1]Interface ge.1.10 is Down.
<166>Jul 30 15:39:08 10.50.99.111 MACsec[1][ge.1.10] Connecting PENDING: auth(0) secure(0) fail(0), unauthallowed(never) unsecuredallowed(mkaServer)
<167>Jul 30 15:39:10 10.50.99.111 MACsec[1][ge.1.10] KaY: potential peer created
<167>Jul 30 15:39:14 10.50.99.111 MACsec[1][ge.1.10] KaY: move potential peer to live peer
<166>Jul 30 15:39:14 10.50.99.111 MACsec[1][ge.1.10] KaY: Rx MKPDU DIST-SAK: peer is MKA Key Server and has chosen to use MACsec and provided new SAK
<166>Jul 30 15:39:14 10.50.99.111 MACsec[1][ge.1.10] Connecting SECURE: auth(0) secure(1) fail(0), unauthallowed(never) unsecuredallowed(mkaServer)
<165>Jul 30 15:39:14 10.50.99.111 LinkTrap[1]Interface geC.1.10 is Up.
<165>Jul 30 15:39:14 10.50.99.111 LinkTrap[1]Interface ge.1.10 is Up.
The following message will be logged if the same CAK is not configured on each side of the connection:
<166>Jul 30 15:42:10 10.50.99.111 MACsec[1][ge.1.10] KaY: Rx MKPDU: Computed ICV is not equal to Received ICV (CAK mismatch?)
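
The following triage script is an added example, not part of the original page or the vendor's tooling. It parses the syslog lines shown above, decodes the <PRI> value into facility and severity, and tracks the last MKA state seen per port; the labels (MKA_TIMEOUT, CAK_MISMATCH, etc.) and function names are assumptions chosen for illustration.

```python
import re

# Layout of the MACsec messages shown on this page:
# <PRI>Mon DD HH:MM:SS host MACsec[unit][port] text
LINE_RE = re.compile(
    r"<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"MACsec\[\d+\]\[(?P<port>[^\]]+)\]\s(?P<msg>.*)"
)

# Message substrings copied from the page, mapped to hypothetical triage labels.
RULES = [
    ("Computed ICV is not equal to Received ICV", "CAK_MISMATCH"),
    ("Live peer removed", "MKA_TIMEOUT"),
    ("Connecting SECURE", "SECURED"),
    ("Connecting PENDING", "PENDING"),
]

# Sample input: log lines copied from the page, in timestamp order.
SAMPLE = [
    "<165>Jul 30 15:31:35 10.50.99.111 MACsec[1][ge.1.10] KaY: Live peer removed (no valid MKPDUs rcv'd in last 6.07 seconds)",
    "<165>Jul 30 15:39:08 10.50.99.111 LinkTrap[1]Interface ge.1.10 is Down.",
    "<166>Jul 30 15:39:08 10.50.99.111 MACsec[1][ge.1.10] Connecting PENDING: auth(0) secure(0) fail(0), unauthallowed(never) unsecuredallowed(mkaServer)",
    "<167>Jul 30 15:39:10 10.50.99.111 MACsec[1][ge.1.10] KaY: potential peer created",
    "<166>Jul 30 15:39:14 10.50.99.111 MACsec[1][ge.1.10] Connecting SECURE: auth(0) secure(1) fail(0), unauthallowed(never) unsecuredallowed(mkaServer)",
    "<166>Jul 30 15:42:10 10.50.99.111 MACsec[1][ge.1.10] KaY: Rx MKPDU: Computed ICV is not equal to Received ICV (CAK mismatch?)",
]

def parse(line):
    """Parse one MACsec syslog line; return None for other applications (e.g. LinkTrap)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pri = int(m["pri"])  # syslog PRI = facility * 8 + severity
    label = next((lab for needle, lab in RULES if needle in m["msg"]), None)
    return {"host": m["host"], "port": m["port"], "ts": m["ts"], "msg": m["msg"],
            "facility": pri >> 3, "severity": pri & 7, "label": label}

def triage(lines):
    """Return the most recent triage label per (host, port)."""
    state = {}
    for line in lines:
        ev = parse(line)
        if ev and ev["label"]:
            state[(ev["host"], ev["port"])] = ev["label"]
    return state

if __name__ == "__main__":
    print(triage(SAMPLE))
```

In the page's samples the MKA timeout line carries PRI 165 (syslog severity 5, notice), while the CAK mismatch line carries PRI 166 (severity 6, info), so a collector that filters on severity needs to admit severity 6 to see the mismatch.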