Troubleshooting MAC Security

If you find that a connection that you have set up MAC Security (MACsec) on is not secure, use the following information to troubleshoot the issue.
  1. Verify that the port is enabled.
    show ports {port_list | tag tag} {no-refresh | refresh}

    E = Enabled.

  2. Verify that the link is up before MACsec is enabled.
    show ports {port_list | tag tag} {no-refresh | refresh}

    A = Active.

  3. Verify MACsec license is installed.
    show licenses {[slot slot |all]} {detail}
    # show license
    Enabled License Level:
            Advanced Edge
    Enabled Feature Packs:
            MACsec
  4. Verify that MACsec is enabled.
    show macsec ports port-list usage
  5. Verify that pre-shared-keys (PSKs) are identical by looking for the event: PortCKNMisMatch.
    To have PortCKNMisMatch logged by default, change the severity of logged MACsec events from "error" to "notice":
    configure log filter DefaultFilter add events macsec severity notice
    Look for the following event.
    <Noti:MACsec.MKA.PortCKNMisMatch> On port 50, Secure Connectivity Association Key Name (CKN) is not included in local Secure Connectivity Association (CA). A possible CKN mismatch.
    show log {messages [memory-buffer | nvram]} {events {event-condition | event-component]} {severity severity {only}} {starting [date date time time | date date | time time]} {ending [date date time time | date date | time time]} {match regex} {chronological}
  6. Verify MACsec Key Agreement PDUs (MKPDUs) are being transmitted and received.
    show macsec ports port-list usage

    Verify that local and peer message numbers are incrementing.

Note

Note

If a warning message in the log indicates that LRM/MACsec adapter port firmware is out-of-date:
<Warn:HAL.Port.Warning> LRM/MACsec Adapter port firmware on port 2:16 is out of date, do 'install firmware lrm-macsec-adapter' to update.
use the following command to update the firmware:

install firmware {{force} {slot slot_number} | lrm-macsec-adapter ports [port_list | all]}

Note

Note

If MACsec link flap periodically occurs, try to increase "mka life-time". This solution works best with lower-end switches.