Troubleshooting MAC Security

If you find that a connection that you have set up MAC Security (MACsec) on is not secure, use the following information to troubleshoot the issue.

Verify that the port is enabled.
show ports {port_list | tag tag} {no-refresh | refresh}
E = Enabled.
Verify that the link is up before MACsec is enabled.
show ports {port_list | tag tag} {no-refresh | refresh}
A = Active.

Verify MACsec license is installed.

show licenses {[slot slot |all]} {detail}

# show license
Enabled License Level:
        Advanced Edge
Enabled Feature Packs:
        MACsec

Verify that MACsec is enabled.
show macsec ports port-list usage
Verify that pre-shared-keys (PSKs) are identical by looking for the event: PortCKNMisMatch.
To have PortCKNMisMatch logged by default, change the severity of logged MACsec events from "error" to "notice":
```
configure log filter DefaultFilter add events macsec severity notice
```
Look for the following event.
```
<Noti:MACsec.MKA.PortCKNMisMatch> On port 50, Secure Connectivity Association Key Name (CKN) is not included in local Secure Connectivity Association (CA). A possible CKN mismatch.
```
show log {messages [memory-buffer | nvram]} {events {event-condition | event-component]} {severity severity {only}} {starting [date date time time | date date | time time]} {ending [date date time time | date date | time time]} {match regex} {chronological}
Verify MACsec Key Agreement PDUs (MKPDUs) are being transmitted and received.
show macsec ports port-list usage
Verify that local and peer message numbers are incrementing.

Note

If a warning message in the log indicates that LRM/MACsec adapter port firmware is out-of-date:

<Warn:HAL.Port.Warning> LRM/MACsec Adapter port firmware on port 2:16 is out of date, do 'install firmware lrm-macsec-adapter' to update.

use the following command to update the firmware:

install firmware {{force} {slot slot_number} | lrm-macsec-adapter ports [port_list | all]}

Note

If MACsec link flap periodically occurs, try to increase "mka life-time". This solution works best with lower-end switches.