Junos OS

  • 1.  MACSec not working on QFX 5120

    Posted 03-11-2023 07:41

    I'm trying to get MACSec running on a QFX 5120, but not having any luck.  Logs just show the following messages.

    Mar 10 16:18:36  ARDCCore_A fpc0 opus_macsec_get_stats: MACSec stats get failed for ifd xe-0/0/0
    Mar 10 16:18:36  ARDCCore_A fpc0 eth_macsec_stats_get: Failed to fetch MACSec stats for xe-0/0/0
    Mar 10 16:18:41  ARDCCore_A fpc0 PFE_SCI_INFO_MISSNG: macsec_ms_sc_info_get MACsec: Cannot find information for sci 0x0
    Mar 10 16:18:41  ARDCCore_A fpc0 tvp_drv_bcm_macsec_tx_stats_get: [TVP-PIC-BCM] MACSEC Error in sc_info for ifd xe-0/0/0
    Mar 10 16:18:41  ARDCCore_A fpc0 opus_macsec_get_stats: MACSec stats get failed for ifd xe-0/0/0

    Traceoptions show nothing useful, just show the following:

    Mar 10 16:19:51.949124 macsec_if_stats_by_index
    Mar 10 16:19:51.949149 macsec_if_get_next_pn_info: macsec_if: xe-0/0/0 (ifdx:652:enable:0:iflx:0)PFE cur AN & PN [ an_tx:0 an_rx:0 next_pn:  0/0x0000000000000000 ]
    Mar 10 16:19:54.470977 macsec_async_recv_cb if:xe-0/0/0 (idx:652 enable:0 iflx:0) received async stats from pfe
    Mar 10 16:20:04.464035 macsec_async_recv_cb if:xe-0/0/0 (idx:652 enable:0 iflx:0) received async stats from pfe

    I've verified CAK and CKN match on both peers. License is installed. I've increased MTU to account for best practice. Config is pretty straightforward.

    dridge@LabCore_A# show security
    macsec {
        traceoptions {
            file MACSec;
            flag debug;
        }
        connectivity-association macseclab {
            security-mode static-cak;
            pre-shared-key {
                ckn 291125842d3587b02f2b5d9540f9ccba6eb67463d7b61b26b003381189f13c83;
                cak "$9$xGTNs2GUH.fTdb5Qn6AtBIESvWdbs2gJsYoGiHmpFn/90BcSeL7-2AxNdV4oJGHjHmFn/CuOTQylevLXNdbsaZk.PAz6bs"; ## SECRET-DATA
            }
            exclude-protocol lldp;
        }
        interfaces {
            xe-0/0/0 {
                connectivity-association macseclab;
            }
        }
    }

    dridge@LabCore_A# run show security macsec connections
        Interface name: xe-0/0/0
            CA name: HSC
            Cipher suite: GCM-AES-128   Encryption: on
            Key server offset: 0        Include SCI: no
            Replay protect: off         Replay window: 0

    Has anyone experienced this issue before?



    ------------------------------
    MARK EVANS
    ------------------------------


  • 2.  RE: MACSec not working on QFX 5120

    Posted 03-11-2023 11:35

    Which QFX5120 model are you trying this config on?

    Can you please share the output of "show system information"?



    ------------------------------
    Ridha Hamidi
    ------------------------------



  • 3.  RE: MACSec not working on QFX 5120

    Posted 03-11-2023 13:59

    Sure.

    Model: qfx5120-48ym-8c
    Family: junos-qfx
    Junos: 21.4R3-S2.3
    Hostname: ARDCCore_A

    {master:0}



    ------------------------------
    MARK EVANS
    ------------------------------



  • 4.  RE: MACSec not working on QFX 5120

    Posted 03-11-2023 15:19

    That's the right platform.

    Do you have a MACsec license installed on this switch?



    ------------------------------
    Ridha Hamidi
    ------------------------------



  • 5.  RE: MACSec not working on QFX 5120

    Posted 03-17-2023 14:31

    Hi

    Try adding

    set security macsec connectivity-association macseclab include-sci

    Kind Regards



    ------------------------------
    PETER WILSON
    ------------------------------



  • 6.  RE: MACSec not working on QFX 5120

    Posted 04-07-2023 22:54

    So the MACSec peers are connected over an L2Circuit. Turns out the original MX240 didn't consume the EAPOL packets (uplink/WAN device), but the new ACX 7100 seems to consume the EAPOL. We had to change the address the EAPOL packets were getting sent to.

    Thanks for your assistance all.



    ------------------------------
    MARK EVANS
    ------------------------------
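As an added example (not code from this thread or from Juniper), a Python inspector for EAPOL-MKA frames captured on the MACsec interface: it decodes the basic parameter set and reports the destination group address, which bridge classes relay or consume that address under 802.1Q, and the CKN the peer advertises, so both the EAPOL-address problem described in the last post and the CKN match verified in the first post can be checked from a capture. The sample frame, its source MAC and member identifier are constructed; the CKN is the one from the configuration above.

```python
# Added example for this thread: an EAPOL-MKA (IEEE 802.1X-2010) frame inspector that
# reports which reserved group MAC the MKPDUs are sent to (and which bridge class relays or
# consumes it) and the CKN the peer advertises. Only the basic parameter set is decoded; the ICV is not verified.
import struct

EAPOL_ETHERTYPE, EAPOL_MKA = 0x888E, 5  # EAPOL ethertype; EAPOL packet type carrying an MKPDU
# Group addresses 802.1X-2010 allows as EAPOL destinations, with their 802.1Q relay behaviour
EAPOL_GROUP_ADDRESSES = {
    "01:80:c2:00:00:03": "PAE group address: consumed by customer and provider bridges, relayed only by TPMRs",
    "01:80:c2:00:00:00": "nearest customer bridge: consumed by C-VLAN bridges, relayed by provider bridges and TPMRs",
    "01:80:c2:00:00:0e": "nearest bridge (LLDP): consumed by every bridge, TPMRs included",
}

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_mkpdu(frame):
    """Decode the basic parameter set of an EAPOL-MKA frame; raise ValueError for anything else."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != EAPOL_ETHERTYPE:
        raise ValueError("not an EAPOL frame")
    eapol_ver, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    if ptype != EAPOL_MKA:
        raise ValueError(f"EAPOL packet type {ptype} is not EAPOL-MKA")
    body = frame[18:18 + body_len]
    # Basic parameter set: version, priority, flags + 12-bit length, SCI (8), MI (12), MN (4), algorithm agility (4), CKN
    if len(body) < 32:
        raise ValueError("MKPDU shorter than a basic parameter set")
    mka_ver, prio, flags, len_lo = struct.unpack("!BBBB", body[:4])
    set_len = ((flags & 0x0F) << 8) | len_lo
    ckn_len = set_len - 28
    if ckn_len <= 0 or 4 + set_len > len(body):
        raise ValueError("basic parameter set length is inconsistent")
    dst = mac(frame[:6])
    return {"dst": dst, "src": mac(frame[6:12]), "eapol_version": eapol_ver, "mka_version": mka_ver,
            "dst_relay": EAPOL_GROUP_ADDRESSES.get(dst, "non-standard EAPOL destination"),
            "key_server": bool(flags & 0x80), "key_server_priority": prio,
            "macsec_desired": bool(flags & 0x40), "macsec_capability": (flags >> 4) & 0x03,
            "sci": body[4:12].hex(), "ckn": body[32:32 + ckn_len].hex()}

# Constructed sample (not a real capture): a key-server peer with a hypothetical MAC sending to
# the default PAE group address, advertising the CKN from the configuration in this thread.
CKN = "291125842d3587b02f2b5d9540f9ccba6eb67463d7b61b26b003381189f13c83"
SRC_MAC = bytes.fromhex("001122334455")
BASIC_SET = (bytes([1, 0x10, 0xE0, 0x3C])          # MKA v1, priority 16, KS+desired+cap 2, len 60
             + SRC_MAC + b"\x00\x01"                # SCI = source MAC + port 1
             + b"\x11" * 12 + b"\x00\x00\x00\x01"   # member identifier, message number 1
             + bytes.fromhex("0080c201")            # default algorithm agility
             + bytes.fromhex(CKN))
SAMPLE_FRAME = (bytes.fromhex("0180c2000003") + SRC_MAC + struct.pack("!H", EAPOL_ETHERTYPE)
                + struct.pack("!BBH", 3, EAPOL_MKA, len(BASIC_SET)) + BASIC_SET)
```

Running `parse_mkpdu` over the frames of a real capture shows whether the PDUs leave on an address the intermediate bridge consumes and whether the CKN on the wire is the configured one; the thread's failing setup would show the PAE group address with an otherwise healthy MKPDU.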