Macsec between OS6860 and OS6560

Post by sitig »

We are trying to configure MACsec between a 6860 and a 6560, but the operation is still down. Below is the configuration on both switches:

! Security:
security key 1 algorithm aes-cmac-128 encrypt-key 7a67552a3599018672f22d3d3db929d8 keyed-name 0x0000000000000000000000000000000038782f413f4428472b4b625065536856
security key-chain 1 name "MACsec1"
security key-chain 1 key 1

! Zero Configuration:
! MAC Security:
interfaces port 1/1/27 macsec mode dynamic key-chain 1 server-priority 20 encryption
interfaces port 1/1/27 macsec admin-state enable

Below is the status:

TLTB_CORE-> show interfaces macsec dynamic
                                                                  Server     Transmit        Key      Operation
Chas/Slot/Port   Admin-State   Mode       Keychain   Encryption   Priority   Interval(Sec)   Server   Status
----------------+-------------+----------+----------+------------+----------+---------------+--------+--------------
1/1/27           Enabled       keychain   1          Enabled      20         2               YES      DOWN



The following are the logs:

2022 Jun 2 15:41:53.102 TLTB_CORE swlogd intfNi Mka INFO: CP: CP entering state INIT - gport=26
2022 Jun 2 15:41:53.124 TLTB_CORE swlogd intfNi Mka INFO: CP: CP entering state CHANGE - gport=26
2022 Jun 2 15:41:53.161 TLTB_CORE swlogd intfNi Drv INFO: niEsmCreateMkaInstance:780 : Created MKA - gport=26
2022 Jun 2 15:41:54.350 TLTB_CORE swlogd intfNi Mka INFO: CP: CP entering state SECURED - gport=26
2022 Jun 2 15:41:56.065 TLTB_CORE swlogd intfNi Mka INFO: CP: CP entering state RECEIVE - gport=26
2022 Jun 2 15:41:56.126 TLTB_CORE swlogd intfNi Mka INFO: CP: CP entering state RECEIVING - gport=26
2022 Jun 2 15:41:56.138 TLTB_CORE swlogd intfNi Mka INFO: CP: CP entering state TRANSMIT - gport=26
2022 Jun 2 15:41:56.336 TLTB_CORE swlogd intfNi Mka INFO: CP: CP entering state TRANSMITTING - gport=26
2022 Jun 2 15:41:56.357 TLTB_CORE swlogd intfNi Mka INFO: CP: CP entering state RETIRE - gport=26
2022 Jun 2 15:42:04.163 TLTB_CORE swlogd intfNi Mka INFO: CP: CP entering state CHANGE - gport=26

Grateful for any assistance.
Every adversity has within it a seed of an equivalent or greater benefit....

Post by silvio »

Your config is okay. Only at one site, no server prio (keep the default 10 - this will be the key server).
I assume the link/traffic between the two ports was working successfully before activating MACsec.
Also, you have installed the license at both sites (check with show license-info).
Also, you use ports that are capable of MACsec (check with show interfaces capability).

If all is okay, at one site (the NOT-Server-site) the log output after the RECEIVING is this one:
intfNi Mka INFO: CP: CP entering state RECEIVING - gport=26
intfNi Mka INFO: CP: CP entering state READY - gport=26
intfNi Mka WARN: KaY:The Key has installed - gport=26

Use the following commands (at both sites):
show interfaces macsec dynamic
show interfaces macsec dynamic details
show interfaces macsec statistics 1/1/27

BR Silvio
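
The comparison described in the reply above, as an added example that is not part of the original posts: a small Python parser that reads swlogd MKA lines in the format quoted in this thread and reports, per gport, whether RECEIVING was followed by READY and whether the "Key has installed" line appeared. The function name, the result keys and the two sample lists are assumptions made for illustration; the samples are rebuilt from the lines quoted in the two posts.

```python
import re
from collections import defaultdict

# Patterns for the swlogd MKA lines in the format quoted in this thread.
CP_STATE = re.compile(r"Mka INFO: CP: CP entering state (\w+) - gport=(\d+)")
KEY_INSTALLED = re.compile(r"KaY:The Key has installed - gport=(\d+)")

def summarize_mka(lines):
    """Return {gport: summary} built from CP state and key-install log lines."""
    ports = defaultdict(lambda: {"states": [], "key_installed": False})
    for line in lines:
        m = CP_STATE.search(line)
        if m:
            ports[int(m.group(2))]["states"].append(m.group(1))
            continue
        m = KEY_INSTALLED.search(line)
        if m:
            ports[int(m.group(1))]["key_installed"] = True
    result = {}
    for gport, info in ports.items():
        states = info["states"]
        transitions = list(zip(states, states[1:]))
        result[gport] = {
            "states": states,
            "key_installed": info["key_installed"],
            # The sequence the reply expects on the non-server side.
            "ready_after_receiving": ("RECEIVING", "READY") in transitions,
            # How often the CP machine entered CHANGE again after the first time.
            "change_reentries": max(states.count("CHANGE") - 1, 0),
        }
    return result

# Sample 1: CP state sequence from the first post's log (timestamps omitted).
FAILING = [
    f"swlogd intfNi Mka INFO: CP: CP entering state {s} - gport=26"
    for s in ("INIT CHANGE SECURED RECEIVE RECEIVING "
              "TRANSMIT TRANSMITTING RETIRE CHANGE").split()
]
# Sample 2: the three lines the reply gives for a working non-server side.
HEALTHY = [
    "intfNi Mka INFO: CP: CP entering state RECEIVING - gport=26",
    "intfNi Mka INFO: CP: CP entering state READY - gport=26",
    "intfNi Mka WARN: KaY:The Key has installed - gport=26",
]

if __name__ == "__main__":
    for name, sample in (("first post", FAILING), ("reply", HEALTHY)):
        print(name, summarize_mka(sample))
```

Run it against the log output collected on both switches; the READY and key-install criterion is the one the reply gives for the non-server side only.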

Post by sitig »

Hi Silvio

Thanks a lot for your response.

Everything checked out alright, but the link is still down when MACsec is enabled. I will try and issue proper licenses as I was using the training licenses, but I don't see any issue with it.

Cheers.
Every adversity has within it a seed of an equivalent or greater benefit....