Why can't my Direct Connect connection pass traffic or connect to my Cisco Catalyst?


My AWS Direct Connect connection that uses MACsec disconnects. I can pass traffic only after I restart the connection port on my Cisco Catalyst (IOS XE Software, Version 17.x.x).

Short description

After you complete the Direct Connect connection, connectivity fails and you see one of the following symptoms:

  • Layer 1 is "Up" with good optical fiber signal strength (ConnectionLightLevelRx and ConnectionLightLevelTx).
  • The customer gateway device receives, processes, and replies to an ARP request from the Direct Connect endpoint.
  • The customer gateway device's ARP table shows an entry for the Direct Connect endpoint's MAC address and IPv4 address.
  • For a connection that's a member of a Link Aggregation Group (LAG), the 802.3ad Link Aggregation Control Protocol (LACP) packets are corrupted and negotiations fail.
  • The MACsec MKA session negotiation shows a successful "Secured" session.
  • There's no IPv4 connectivity between Border Gateway Protocol (BGP) peers, and the session fails to establish.
  • When MACsec is turned off, the ARP resolution completes, IPv4 connectivity is restored, and the BGP session negotiation between peers resumes.

Resolution

Review the customer gateway device and Direct Connect configuration

Make sure that the encryption mode, cipher suites, and associated MACsec keys configured for the Direct Connect connection match the on-premises customer gateway configuration. Use the Direct Connect console or the AWS Command Line Interface (AWS CLI) to check the encryption mode on your Direct Connect connections and LAGs.

Direct Connect console

Complete the following steps:

  1. Open the Direct Connect console.
  2. In the navigation pane, choose either Connections or LAGs.
  3. Select either your connection (dxcon-11aa22bb) or LAG (dxlag-11aa22bb).
  4. On the General configuration tab, review the Encryption mode field. The encryption mode must match the customer gateway device configuration mode.

AWS CLI

Note: If you receive errors when you run AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Run the describe-connections command, and review the value of the encryptionMode field in the output:

aws directconnect describe-connections

The supported encryption modes are no_encrypt, should_encrypt, and must_encrypt. The customer gateway device configuration must match the encryption mode that's set on the connection.

Update the encryption mode on your device

If the encryption mode doesn't match on the two endpoints, then use the Direct Connect console or AWS CLI to update the encryption mode.

Direct Connect console

Complete the following steps:

  1. Open the Direct Connect console.
  2. In the navigation pane, choose either Connections or LAGs.
  3. Select either your connection (dxcon-11aa22bb) or LAG (dxlag-11aa22bb).
  4. On the General configuration tab, choose Edit.
  5. On the Connection settings tab, under Encryption mode, expand the dropdown. Choose your encryption mode, and then choose Edit connection.

AWS CLI

To update the encryptionMode value, run the update-connection command:

aws directconnect update-connection --connection-id dxcon-11aa22bb --encryption-mode must_encrypt

Note: In the preceding example, replace dxcon-11aa22bb with your connection or LAG ID and must_encrypt with your encryption mode.

When you turn on MACsec, the Direct Connect endpoint is configured to be the key server. To configure the customer endpoint as the client, configure its key-server priority with a greater value than that of the Direct Connect endpoint. Don't set the customer gateway device MACsec key-server priority to zero (0).

When you configure MACsec encryption on your Cisco customer gateway device, turn on the ssci-based-on-sci option. This option allows the Cisco Catalyst (IOS XE Software, Version 17.x.x) to interoperate with non-Cisco and non-IOS XE devices. For information on MACsec encryption, see MACsec encryption on the Cisco website.

After you apply the configuration settings, perform an interface bounce with shutdown and no shutdown commands on the Catalyst interface with MACsec turned on. The commands reset the link and restore connectivity.
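The following Python audit is an added example, not AWS or Cisco code. It encodes the checks above (encryption mode, non-zero key-server priority, ssci-based-on-sci, and a matching associated CKN) against a constructed describe-connections record and a constructed Catalyst config fragment; it assumes standard IOS XE key chain and mka policy syntax, and the device's encryption mode is passed in by hand because the page gives no single device keyword for it.

```python
"""Constructed sample data: not live describe-connections output or a real running-config."""
import json
import re

# Constructed sample of `aws directconnect describe-connections` JSON for one connection.
DESCRIBE_CONNECTIONS = json.loads("""{"connections": [{
  "connectionId": "dxcon-11aa22bb", "connectionState": "available",
  "macsecCapable": true, "encryptionMode": "should_encrypt",
  "macsecKeys": [{"ckn": "1111222233334444", "state": "associated"}]}]}""")

# Constructed Catalyst fragment (show running-config | section key chain|mka policy).
CATALYST_CONFIG = """key chain DX-KEYS macsec
 key 1111222233334444
  cryptographic-algorithm aes-256-cmac
mka policy DX-MKA
 key-server priority 0
 macsec-cipher-suite gcm-aes-256
"""

def parse_catalyst(text):
    """Pull the settings this audit needs out of an IOS XE config fragment."""
    prio = re.search(r"^\s*key-server priority (\d+)\s*$", text, re.M)
    return {
        "key_server_priority": int(prio.group(1)) if prio else None,
        "ssci_based_on_sci": re.search(r"^\s*ssci-based-on-sci\s*$", text, re.M) is not None,
        # CKNs are the hex arguments of indented `key <hex>` lines in a `key chain ... macsec` block.
        "ckns": set(re.findall(r"^\s+key ([0-9a-fA-F]+)\s*$", text, re.M)),
    }

def audit(connection, device_mode, config_text):
    """Return human-readable findings; an empty list means the two sides agree."""
    dev = parse_catalyst(config_text)
    findings = []
    if connection["encryptionMode"] != device_mode:
        findings.append(f"encryption mode: AWS={connection['encryptionMode']} device={device_mode}")
    if dev["key_server_priority"] is None or dev["key_server_priority"] == 0:
        findings.append("key-server priority missing or 0; must be >0 and above the DX endpoint's")
    if not dev["ssci_based_on_sci"]:
        findings.append("ssci-based-on-sci not enabled in the mka policy")
    aws_ckns = {k["ckn"].lower() for k in connection.get("macsecKeys", []) if k["state"] == "associated"}
    if not aws_ckns & {c.lower() for c in dev["ckns"]}:
        findings.append("no associated AWS CKN matches a CKN in the device key chain")
    return findings

if __name__ == "__main__":
    conn = DESCRIBE_CONNECTIONS["connections"][0]
    for finding in audit(conn, "must_encrypt", CATALYST_CONFIG):
        print(conn["connectionId"], "-", finding)
```

Run it after pasting your own describe-connections output and config fragment in place of the constructed samples; the sample as written reports three findings and then passes once the priority, ssci option and mode are corrected.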

Related information

Adding MACsec security to AWS Direct Connect connections

Traffic encryption options in AWS Direct Connect

Prerequisites for MACsec encryption on the Cisco website

AWS OFFICIAL
Updated 6 months ago