MACsec.MKA.DupSCI

Description

A duplicate secure channel identifier is reported by the MAC Security Key Agreement Entity (KaY). The most likely scenario is that the remote peer was initialized and chose a new MI. MKA protocol will recover and accept the new MI. If message persists there may be an attacker trying to spoof remote peer's SCI (Secure Channel Identifier).

Remedy

This condition should be monitored and countermeasures should be made if spoofing is suspected. If the condition persists for more than a minute, verify that the remote system is stable (e.g. not in a reboot loop) and the remote port is stable (i.e. the remote port is not being periodically reinitialized). If the remote is stable, then verify no unauthorized devices are attached to the LAN.

Severity

Notice

Message Text

On port %slotPort%, a duplicate Secure Channel Identifier (SCI) was detected, this may be an active attacker or the peer changed member identifier(MI).

Message Parameters

Name Type
slotPort SlotPort

Applicable Platforms