Troubleshooting MAC Security
If a connection on which you have configured MAC Security (MACsec) does not become
secure, work through the following checks in order to troubleshoot the issue.
-
Verify that the port is enabled:
show ports {port_list | tag tag} {no-refresh | refresh}
In the output, the port flags should include E = Enabled.
-
Verify that the link is up (MACsec cannot come up on a port whose link is down):
show ports {port_list | tag tag} {no-refresh | refresh}
In the output, the port flags should include A = Active.
-
Verify that the MACsec feature pack license is installed:
show licenses [slot | all]
Example output showing the MACsec feature pack enabled:
# show license
Enabled License Level:
Advanced Edge
Enabled Feature Packs:
MACsec
-
Verify that MACsec is enabled on the port:
show macsec ports port-list
-
Verify that the pre-shared keys (PSKs) on both ends of the link are identical. A mismatch is
reported by the PortCKNMisMatch event, which indicates that the Secure Connectivity Association
Key Name (CKN) offered by the peer is not configured in any local Secure Connectivity
Association (CA).
This event is logged at severity "notice", but the DefaultFilter logs MACsec events only at
severity "error" by default. To have PortCKNMisMatch logged, lower the severity for MACsec
events from "error" to "notice":
configure log filter DefaultFilter add events macsec severity notice
Then look for the following event in the log:
<Noti:MACsec.MKA.PortCKNMisMatch> On port 50, Secure Connectivity Association Key Name (CKN) is not included in local Secure Connectivity Association (CA). A possible CKN mismatch.
show log {messages [memory-buffer | nvram]} {events {event-condition | event-component}} {severity severity {only}} {starting [date date time time | date date | time time]} {ending [date date time time | date date | time time]} {match regex} {chronological}
-
Verify that MACsec Key Agreement PDUs (MKPDUs) are being transmitted and received:
show macsec ports port-list
In the output, verify that both the local and the peer message numbers are incrementing. A local
message number that does not increase means this switch is not transmitting MKPDUs; a peer
message number that does not increase means no MKPDUs are arriving from the peer (check the
link, the PSK, and whether MACsec is enabled on the peer).
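The two checks that depend on reading switch output, the PortCKNMisMatch event search and the
message-number comparison, can be scripted against captured CLI output. The following is an
added example written for this page; it is not Extreme Networks code and does not run on the
switch. The log parser matches the event text exactly as shown above; the sample log lines and
timestamps are constructed. Because this page does not show the layout of the show macsec ports
output, the message-number check takes the local and peer numbers as values you have already
read from two runs of that command a few seconds apart, rather than parsing the output. The
2-second MKA Hello interval referred to in the comments is the IEEE 802.1X default.

```python
import re

# Regex for the MACsec.MKA.PortCKNMisMatch event exactly as the page shows it in
# 'show log' output; the port name is whatever follows "On port " up to the comma
# (plain "50" or slot:port "1:3" style names both match).
CKN_MISMATCH_RE = re.compile(
    r"<(?P<severity>\w+):MACsec\.MKA\.PortCKNMisMatch>\s+On port (?P<port>[^,\s]+),"
)

# Constructed sample of captured 'show log' output. The timestamps and the
# unrelated System.LinkUp line are made up for this example; the event text
# is the documented PortCKNMisMatch message.
SAMPLE_LOG = """\
01/15/2024 10:02:11.45 <Noti:MACsec.MKA.PortCKNMisMatch> On port 50, Secure Connectivity Association Key Name (CKN) is not included in local Secure Connectivity Association (CA). A possible CKN mismatch.
01/15/2024 10:02:13.45 <Noti:MACsec.MKA.PortCKNMisMatch> On port 50, Secure Connectivity Association Key Name (CKN) is not included in local Secure Connectivity Association (CA). A possible CKN mismatch.
01/15/2024 10:02:20.01 <Info:System.LinkUp> Port 50 link up (constructed, unrelated line)
01/15/2024 10:03:02.77 <Noti:MACsec.MKA.PortCKNMisMatch> On port 1:3, Secure Connectivity Association Key Name (CKN) is not included in local Secure Connectivity Association (CA). A possible CKN mismatch.
"""


def find_ckn_mismatches(log_text):
    """Return {port: count} of PortCKNMisMatch events found in captured log text.

    An empty result on a link that is not coming up secure does not clear the PSK:
    the event is only logged once the DefaultFilter severity for MACsec events has
    been lowered to notice, so confirm that before trusting a clean result.
    """
    counts = {}
    for line in log_text.splitlines():
        m = CKN_MISMATCH_RE.search(line)
        if m:
            counts[m.group("port")] = counts.get(m.group("port"), 0) + 1
    return counts


def stalled_mka_peers(before, after):
    """Compare two samples of MKA message numbers taken a few seconds apart.

    Each sample maps port -> (local_message_number, peer_message_number), as read
    from two runs of 'show macsec ports'. MKA transmits an MKPDU every Hello
    interval (2 s by default), so a counter that has not increased between the
    samples is reported. Ports missing from the second sample are skipped.
    """
    stalled = {}
    for port, (local0, peer0) in before.items():
        if port not in after:
            continue
        local1, peer1 = after[port]
        problems = []
        if local1 <= local0:
            problems.append("local MN not incrementing: this switch is not transmitting MKPDUs")
        if peer1 <= peer0:
            problems.append("peer MN not incrementing: no MKPDUs received from the peer")
        if problems:
            stalled[port] = problems
    return stalled


if __name__ == "__main__":
    # Expected: port 50 twice, port 1:3 once.
    print("CKN mismatch events per port:", find_ckn_mismatches(SAMPLE_LOG))

    # Constructed message-number samples: port 50 is healthy, port 51 is sending
    # but hearing nothing back, port 52 is dead in both directions.
    sample_before = {"50": (10, 7), "51": (4, 4), "52": (100, 3)}
    sample_after = {"50": (12, 9), "51": (6, 4), "52": (100, 3)}
    for port, problems in stalled_mka_peers(sample_before, sample_after).items():
        print(port, "->", "; ".join(problems))
```

Run it with the output of show log pasted into a file and the message numbers typed in from two
samples; a port that appears in the mismatch list points at the PSK/CKN configuration, a port
whose peer number is frozen while its local number advances points at the far end or the link.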