Why can't my Direct Connect connection pass traffic or connect to my Cisco Catalyst?
My AWS Direct Connect connection that uses MACsec disconnects. I can pass traffic only after I restart the connection port on my Cisco Catalyst (IOS XE Software, Version 17.x.x).
After you bring up the Direct Connect connection, connectivity fails and you observe one or more of the following symptoms:
Layer 1 is "Up" with good optical fiber signal strength (ConnectionLightLevelRx and ConnectionLightLevelTx).
The customer gateway device receives, processes, and replies to an ARP request from the Direct Connect endpoint.
The customer gateway device's ARP table shows an entry for the Direct Connect endpoint's MAC address and IPv4 address.
For a connection that's a member of a Link Aggregation Group (LAG), the 802.3ad Link Aggregation Control Protocol (LACP) packets are corrupted and negotiations fail.
The MACsec MKA session negotiation shows a successful "Secured" session.
There's no IPv4 connectivity between Border Gateway Protocol (BGP) peers, and the session fails to establish.
When MACsec is turned off, the ARP resolution completes, IPv4 connectivity is restored, and the BGP session negotiation between peers resumes.
Review the customer gateway device and Direct Connect configuration
Make sure that the encryption mode, cipher suite, and associated MACsec keys configured for the Direct Connect connection match the configuration on the on-premises customer gateway. Use the Direct Connect console or the AWS Command Line Interface (AWS CLI) to check the encryption mode on your Direct Connect connections and LAGs.
Note: When you use the AWS CLI, replace dxcon-11aa22bb with your connection or LAG ID and must_encrypt with your encryption mode.
When you turn on MACsec, the Direct Connect endpoint is configured to be the key server. To make the customer endpoint the client, configure its key-server priority with a greater value than the Direct Connect endpoint's. Don't set the customer gateway device MACsec key-server priority to zero (0).
When you configure MACsec encryption on your Cisco customer gateway device, turn on the ssci-based-on-sci option. This option allows the Cisco Catalyst (IOS XE Software, Version 17.x.x) to interoperate with non-Cisco and non-IOS XE devices. For information on MACsec encryption, see MACsec encryption on the Cisco website.
After you apply the configuration settings, bounce the Catalyst interface that has MACsec turned on with the shutdown and no shutdown commands. The commands reset the link and restore connectivity.
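The checks described above (encryption mode, cipher suite, keys, key-server priority, and ssci-based-on-sci) can be scripted so that the Direct Connect side and the Catalyst side are compared before the interface is bounced. The following is an added example written for this article; it is not AWS or Cisco code. The Direct Connect side is a constructed dict shaped like one entry of `aws directconnect describe-connections` output (the real fields encryptionMode and macSecKeys[].ckn are used). The Catalyst side is a constructed IOS XE configuration excerpt. The cipher suite the Direct Connect endpoint expects is passed in as DX_CIPHER_SUITE, an assumed value; the interface name, key-chain name, MKA policy name, and CKN are made up for the example.

```python
import re

# Constructed sample: one connection as describe-connections would return it.
DX_CONNECTION = {
    "connectionId": "dxcon-11aa22bb",  # placeholder ID from the article
    "encryptionMode": "must_encrypt",
    "macSecCapable": True,
    "macSecKeys": [
        {"ckn": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
         "state": "associated"},
    ],
}
DX_CIPHER_SUITE = "gcm-aes-xpn-256"  # assumed value for this example

# Constructed sample: the MACsec-relevant IOS XE config on the Catalyst.
CGW_CONFIG = """
key chain DX-KC macsec
 key 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
  cryptographic-algorithm aes-256-cmac
  key-string 7 <redacted>
!
mka policy DX-MKA
 key-server priority 200
 macsec-cipher-suite gcm-aes-xpn-256
 ssci-based-on-sci
!
interface TenGigabitEthernet1/0/1
 mka policy DX-MKA
 mka pre-shared-key key-chain DX-KC
 macsec
"""


def parse_ios_blocks(config):
    """Split a config excerpt into {top-level line: [indented child lines]}.
    Deeper nesting is flattened into the same list; that is enough here."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw[0].isspace():
            current = raw.strip()
            blocks[current] = []
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks


def extract_cgw_macsec(config, interface):
    """Collect the MACsec settings that apply to one interface."""
    blocks = parse_ios_blocks(config)
    iface = blocks.get(f"interface {interface}", [])
    policy_name = chain_name = None
    for line in iface:
        if m := re.match(r"mka policy (\S+)$", line):
            policy_name = m.group(1)
        if m := re.match(r"mka pre-shared-key key-chain (\S+)$", line):
            chain_name = m.group(1)
    policy = blocks.get(f"mka policy {policy_name}", [])
    chain = blocks.get(f"key chain {chain_name} macsec", [])
    settings = {
        "macsec_enabled": "macsec" in iface,
        "key_server_priority": None,
        "cipher_suite": None,
        "ssci_based_on_sci": "ssci-based-on-sci" in policy,
        "ckns": [],
    }
    for line in policy:
        if m := re.match(r"key-server priority (\d+)$", line):
            settings["key_server_priority"] = int(m.group(1))
        if m := re.match(r"macsec-cipher-suite (\S+)$", line):
            settings["cipher_suite"] = m.group(1)
    for line in chain:
        # "key <hex>" under a macsec key chain is the CKN; key-string is the CAK.
        if m := re.match(r"key ([0-9a-fA-F]+)$", line):
            settings["ckns"].append(m.group(1).lower())
    return settings


def check_macsec_alignment(dx, cgw, dx_cipher_suite):
    """Return a list of mismatches between the Direct Connect and gateway sides."""
    findings = []
    mode = dx["encryptionMode"]
    if mode == "must_encrypt" and not cgw["macsec_enabled"]:
        findings.append("encryptionMode is must_encrypt but 'macsec' is not applied on the interface")
    if mode == "no_encrypt" and cgw["macsec_enabled"]:
        findings.append("encryptionMode is no_encrypt but 'macsec' is applied on the interface")
    if cgw["cipher_suite"] != dx_cipher_suite:
        findings.append(f"cipher suite mismatch: gateway {cgw['cipher_suite']} vs Direct Connect {dx_cipher_suite}")
    dx_ckns = {k["ckn"].lower() for k in dx["macSecKeys"] if k.get("state") == "associated"}
    if not dx_ckns & set(cgw["ckns"]):
        findings.append("no CKN in the gateway key chain matches an associated Direct Connect key")
    prio = cgw["key_server_priority"]
    if prio is None:
        findings.append("key-server priority is not set in the MKA policy")
    elif prio == 0:
        findings.append("key-server priority is 0; the gateway must not contend to be key server")
    if not cgw["ssci_based_on_sci"]:
        findings.append("ssci-based-on-sci is not enabled in the MKA policy")
    return findings


if __name__ == "__main__":
    cgw = extract_cgw_macsec(CGW_CONFIG, "TenGigabitEthernet1/0/1")
    for f in check_macsec_alignment(DX_CONNECTION, cgw, DX_CIPHER_SUITE) or ["no mismatches"]:
        print(f)
```

Feed the script the real `describe-connections` output (or `describe-lags` for a LAG) and the running configuration of the Catalyst interface facing Direct Connect; an empty finding list means the settings agree and the remaining step is the shutdown / no shutdown bounce.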