Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[EX] Framing errors increase on MACsec enabled interface

0

0

Article ID: KB32264 KB Last Updated: 08 Nov 2017Version: 1.0
Summary:

When Media Access Control Security (MACsec)‚Äč is enabled, framing errors of the WAN interface keeps increasing.

Topology:

EX4300-32F-------------WAN-------------EX4300-32F

 

Symptoms:
 Physical interface: ge-0/0/1, Enabled, Physical link is Up
  Interface index: 659, SNMP ifIndex: 511, Generation: 151
  Description: fn=WAN dd=cswj-beno-0801 di=ge-0/0/1 od=CM 250M CID#GE0017KA/NP/P
  Link-level type: Ethernet, MTU: 1600, LAN-PHY mode, Speed: 1000mbps, Duplex: Full-Duplex, BPDU Error: None,
  MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled, Flow control: Enabled,
  Auto-negotiation: Enabled, Remote fault: Online, Media type: Fiber
  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x0
  Link flags     : None
  CoS queues     : 12 supported, 12 maximum usable queues
  Hold-times     : Up 5000 ms, Down 0 ms
  Current address: 7c:e2:ca:9d:f3:44, Hardware address: 7c:e2:ca:9d:f3:44
  Last flapped   : 2017-09-16 03:03:59 UTC (00:24:33 ago)
  Statistics last cleared: Never
  Traffic statistics:
   Input  bytes  :       20933168130533                 1432 bps
   Output bytes  :        2261169686869                  696 bps
   Input  packets:          18217708714                    1 pps
   Output packets:           4543237619                    1 pps
   IPv6 transit statistics:
    Input  bytes  :                   0
    Output bytes  :                   0
    Input  packets:                   0
    Output packets:                   0
  Input errors:
    Errors: 6366807, Drops: 0, Framing errors: 6366807, Runts: 0, Policed discards: 0, L3 incompletes: 0,
    L2 channel errors: 0, L2 mismatch timeouts: 0, FIFO errors: 0, Resource errors: 0
  Output errors:
    Carrier transitions: 9, Errors: 0, Drops: 0, Collisions: 0, Aged packets: 0, FIFO errors: 0,
    HS link CRC errors: 0, MTU errors: 0, Resource errors: 0
  Egress queues: 12 supported, 8 in use
  Queue counters:       Queued packets  Transmitted packets      Dropped packets
    0                                0           4534120695             0
    1                                0                    0                    0
    2                                0                    0                    0
    3                                0              3318234    0
    8                                0              5798689                    0
    9                                0                    0                    0
    10                               0                    0                    0
  11                               0                    0                    0

 

Solution:

According to Broadcom, there is a chip limitation wrt key renewal which may encounter certain race conditions and result in the errors seen here.

Juniper recommends enabling flow control on MACsec-enabled interfaces to reduce the number of framing errors.

{master:0}[edit]
root# show interfaces ge-0/0/0
ether-options {
    flow-control;
}

 

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search