Why can't my Direct Connect connection pass traffic or connect to my Cisco Catalyst?
My AWS Direct Connect connection that uses MACsec disconnects. I can pass traffic only after I restart the connection port on my Cisco Catalyst (IOS XE Software, Version 17.x.x).
Short description
After you complete the Direct Connect connection, the connectivity fails and displays one of the following issues:
- The layer 1 is "Up" with good optical fiber signal strength (ConnectionLightLevelRx and ConnectionLightLevelTx).
- The customer gateway device receives, processes, and replies to an ARP request from the Direct Connect endpoint.
- The customer gateway device's ARP table shows an entry for the Direct Connect endpoint's MAC address and IPv4 address.
- For a connection that's a member of a Link Aggregation Group (LAG), the 802.3ad Link Aggregation Control Protocol (LACP) packets are corrupted and negotiations fail.
- The MACsec MKA session negotiation shows a successful "Secured" session.
- There's no IPv4 connectivity between Border Gateway Protocol (BGP) peers, and the session fails to establish.
- When MACsec is turned off, the ARP resolution completes, IPv4 connectivity is restored, and the BGP session negotiation between peers resumes.
Resolution
Review the customer gateway device and Direct Connect configuration
Make sure that the encryption mode, cipher suites, and MACsec keys configured for the Direct Connect connection match the on-premises customer gateway configuration. Use the Direct Connect console or the AWS Command Line Interface (AWS CLI) to check the encryption mode on your Direct Connect connections and LAGs.
Direct Connect console
Complete the following steps:
- Open the Direct Connect console.
- In the navigation pane, choose either Connections or LAGs.
- Select either your connection (dxcon-11aa22bb) or LAG (dxlag-11aa22bb).
- On the General configuration tab, review the Encryption mode field. The encryption mode must match the customer gateway device configuration mode.
AWS CLI
Note: If you receive errors when you run AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.
Run the describe-connections command, and review the value of the encryptionMode field in the output:
aws directconnect describe-connections
The supported encryption modes are no_encrypt, should_encrypt, and must_encrypt. The customer gateway device configuration must match the encryption mode.
Update the encryption mode on your device
If the encryption mode doesn't match on the two endpoints, then use the Direct Connect console or AWS CLI to update the encryption mode.
Direct Connect console
Complete the following steps:
- Open the Direct Connect console.
- In the navigation pane, choose either Connections or LAGs.
- Select either your connection (dxcon-11aa22bb) or LAG (dxlag-11aa22bb).
- On the General configuration tab, choose Edit.
- On the Connection settings tab, under Encryption mode, expand the dropdown. Choose your encryption mode, and then choose Edit connection.
AWS CLI
To update the encryptionMode value, run the update-connection command:
aws directconnect update-connection --connection-id dxcon-11aa22bb --encryption-mode must_encrypt
Note: In the preceding example, replace dxcon-11aa22bb with your connection or LAG ID and must_encrypt with your encryption mode.
When you turn on MACsec, the Direct Connect endpoint is configured to be the key server. To configure the customer endpoint as the client, configure the key-server priority with a greater value than the Direct Connect endpoint. Don't set the customer gateway device MACsec key-server priority to zero (0).
When you configure MACsec encryption on your Cisco customer gateway device, turn on the ssci-based-on-sci option. This option allows the Cisco Catalyst (IOS XE Software, Version 17.x.x) to interoperate with non-Cisco and non-IOS XE devices. For information on MACsec encryption, see MACsec encryption on the Cisco website.
After you apply the configuration settings, perform an interface bounce with shutdown and no shutdown commands on the Catalyst interface with MACsec turned on. The commands reset the link and restore connectivity.
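The checks in this resolution can be run against the describe-connections output before you bounce the interface. The following script is an added example and not part of this article or of any AWS tool: it takes the JSON that `aws directconnect describe-connections` prints (a constructed sample is embedded; the field names follow the Direct Connect API, the values are made up) and a hypothetical summary of the Catalyst MKA policy, and reports the mismatches described above.

```python
import json

# Constructed sample of `aws directconnect describe-connections` output.
# Field names follow the Direct Connect API; the IDs and values are made up.
SAMPLE_DESCRIBE_CONNECTIONS = json.dumps({
    "connections": [
        {"connectionId": "dxcon-11aa22bb", "encryptionMode": "must_encrypt",
         "macSecCapable": True, "portEncryptionStatus": "Encryption Up"},
        {"connectionId": "dxcon-33cc44dd", "encryptionMode": "should_encrypt",
         "macSecCapable": True, "portEncryptionStatus": "Encryption Down"},
    ]
})

VALID_MODES = {"no_encrypt", "should_encrypt", "must_encrypt"}


def audit_macsec(describe_output, device):
    """Return a list of (scope, finding) tuples.

    `device` is a hypothetical summary of the Catalyst MKA policy:
    {"mode": str, "key_server_priority": int, "ssci_based_on_sci": bool}
    """
    findings = []
    mode = device["mode"]
    if mode not in VALID_MODES:
        findings.append(("device", f"unknown encryption mode {mode!r}"))
    # The Direct Connect endpoint is the key server. In MKA a lower priority
    # value wins the election, so a Catalyst priority of 0 would take over
    # the key-server role; the article says never to set it to zero.
    if device["key_server_priority"] == 0:
        findings.append(("device", "key-server priority must not be 0"))
    if not device["ssci_based_on_sci"]:
        findings.append(("device", "ssci-based-on-sci is not turned on"))
    for conn in json.loads(describe_output)["connections"]:
        cid = conn["connectionId"]
        dx_mode = conn.get("encryptionMode")
        if dx_mode != mode:
            findings.append((cid, f"encryptionMode {dx_mode} != device mode {mode}"))
        if dx_mode != "no_encrypt" and not conn.get("macSecCapable"):
            findings.append((cid, "connection is not MACsec capable"))
        if dx_mode == "must_encrypt" and conn.get("portEncryptionStatus") != "Encryption Up":
            findings.append((cid, "must_encrypt but port encryption is not up"))
    return findings


if __name__ == "__main__":
    policy = {"mode": "must_encrypt", "key_server_priority": 200, "ssci_based_on_sci": True}
    for scope, finding in audit_macsec(SAMPLE_DESCRIBE_CONNECTIONS, policy):
        print(f"{scope}: {finding}")
```

In practice, feed it the real output (`aws directconnect describe-connections > conns.json`) and the values from your own MKA policy.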
Related information
Adding MACsec security to AWS Direct Connect connections
Traffic encryption options in AWS Direct Connect
Prerequisites for MACsec encryption on the Cisco website