
Author Topic: MACSEC bug in SW 4.2 for VSP  (Read 3088 times)


Offline Dominik

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 1564
    • Networkautobahn
MACSEC bug in SW 4.2 for VSP
« on: June 02, 2015, 07:52:34 AM »
On the VSP platform I found an interesting bug in the SW release 4.2.

On interfaces that have MACSEC encryption enabled the links will show 100% FCS errors when they
reach the limit of ~ 4 billion packets.

It looks like the key exchange is not working correctly. The Avaya support has promised to
provide a bugfix release next week.
The only workaround at the moment is to remove macsec and the security association from the link
and reconfigure everything before the link reaches the 4 billion packets limit.


Cheers
It's always the network's fault!
networkautobahn.com


Offline Telair

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 965
Re: MACSEC bug in SW 4.2 for VSP
« Reply #1 on: June 02, 2015, 02:50:17 PM »
So the MACSEC encryption works up until the point it hits 4 billion packets passed and then it stops working?  That's a strange kind of error...  Sounds like a 32-bit counter overflowing.
« Last Edit: June 02, 2015, 05:48:50 PM by Telair »

Offline Dominik

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 1564
    • Networkautobahn
Re: MACSEC bug in SW 4.2 for VSP
« Reply #2 on: June 03, 2015, 02:29:11 AM »
@Telair
That is exactly what I have seen. I did some upgrades to SW 4.2 on VSP 4k switches. After the update from 4.1 to
4.2 everything worked fine, MACSEC was working without any issues for 14 days and then we hit the 4 billion packet
counter. Looks like Avaya has overlooked that in their tests for the 4.2 release.
Things can be learned here: if you have a faulty key on a MACSEC enabled link you will see 100% FCS errors.

Cheers
It's always the network's fault!
networkautobahn.com

Offline Dominik

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 1564
    • Networkautobahn
Re: MACSEC bug in SW 4.2 for VSP
« Reply #3 on: June 24, 2015, 05:38:31 AM »
Avaya has released the bugfix for the MACSEC Problem.

The fixed SW release is 4.2.0.2.

Here are the release notes:
https://downloads.avaya.com/css/P8/documents/101011591

In VOSS releases 4.2.0.0 and 4.2.0.1 the handling of the MACSEC key expiry event is broken.
This problem is only applicable to the VSP4450GSX platforms. Other platforms are not affected.
The problem condition will be triggered once a MACSEC key expiry event occurs on a MACSEC enabled link after reaching approximately 4 billion packets in either transmit or receive direction.
The link will start showing FCS errors and traffic forwarding over the link will stop. Issue is fixed
in VOSS release 4.2.0.2 or later.
The problem scenario can be recovered from by following the below steps after issue happens.
Problem occurrence can also be avoided by following the below steps before the packet count
in either the Tx or Rx direction at either end of the link reaches 4 billion. The counters get reset
after the below steps are taken. The preventive steps would need to be repeated each time
before the said counts reach 4 billion again.
Workaround
1. Admin-disable both endpoints
2. Disable macsec on both endpoints
3. Remove both endpoints from configured macsec connectivity association
4. Re-add both endpoints to the connectivity-association
5. Re-enable macsec on both endpoints
6. Admin-enable both endpoints


I have already updated some VSP4k to SW 4.2.02; that worked without any issues and has solved the problem as expected.

Cheers
« Last Edit: June 24, 2015, 05:40:03 AM by Dominik »
It's always the network's fault!
networkautobahn.com
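
As an added example (not part of the original posts or of Avaya's release notes): a Python sketch that estimates, from two readings of a port's Tx/Rx packet counters, how long remains before either direction reaches the roughly 4 billion packet mark, so the workaround can be scheduled ahead of time on releases without the fix. The 4,000,000,000 threshold, the 10% margin and the `Sample` format are assumptions; how the counters are read from the switch is left out.

```python
from dataclasses import dataclass

# The thread says "approximately 4 billion packets"; the exact trigger value
# is not given, so this threshold and the safety margin are assumptions.
PACKET_LIMIT = 4_000_000_000
SAFETY_MARGIN = 0.10  # flag the port when 10% of the packet budget is left


@dataclass
class Sample:
    """One reading of a MACsec port's packet counters (constructed format)."""
    ts: float  # seconds since epoch
    tx: int
    rx: int


def seconds_to_limit(prev: Sample, cur: Sample, limit: int = PACKET_LIMIT):
    """Estimate seconds until tx or rx reaches `limit`, whichever comes first.

    Returns 0.0 if a counter is already at or over the limit, and None when
    no estimate is possible (no traffic, bad timestamps, or a counter went
    backwards because it was reset by the workaround between the samples).
    """
    if max(cur.tx, cur.rx) >= limit:
        return 0.0
    dt = cur.ts - prev.ts
    if dt <= 0:
        return None
    etas = []
    for before, now in ((prev.tx, cur.tx), (prev.rx, cur.rx)):
        if now < before:  # counter reset between samples
            return None
        rate = (now - before) / dt  # packets per second
        if rate > 0:
            etas.append((limit - now) / rate)
    return min(etas) if etas else None


def status(prev: Sample, cur: Sample, limit: int = PACKET_LIMIT,
           margin: float = SAFETY_MARGIN):
    """Classify a port as 'EXCEEDED', 'ACT_NOW', 'OK' or 'UNKNOWN'."""
    eta = seconds_to_limit(prev, cur, limit)
    if eta == 0.0:
        return "EXCEEDED", eta
    if max(cur.tx, cur.rx) >= limit * (1 - margin):
        return "ACT_NOW", eta
    return ("UNKNOWN" if eta is None else "OK"), eta
```

Both ends of the link need to be checked, since the release notes say the count in either direction at either end triggers the problem.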