
[Junos] The 'No-SCI' counter increments in MACSec statistics


Article ID: KB35574  KB Last Updated: 18 Mar 2020  Version: 1.0
Summary:

When MACSec is enabled, the 'No-SCI' counter increments in the MACSec statistics detail output.

Symptoms:

The following output shows an incrementing 'No-SCI' counter:

Router> show security macsec statistics interface xe-0/1/9:2 detail  
    Secure Channel transmitted
        Encrypted packets: 29654
        Encrypted bytes:   1423392
        Protected packets: 0
        Protected bytes:   0
    Secure Association transmitted
        Encrypted packets: 10250
        Protected packets: 0
    Secure Channel received
        Accepted packets:  0
        Validated bytes:   0
        Decrypted bytes:   0
    Secure Association received
        Accepted packets:  0
        Validated bytes:   0
        Decrypted bytes:   0
    Error and debug
    Secure Channel transmitted packets
        Untagged: 0, Too long: 0
    Secure Channel received packets
        Control: 223887, Tagged miss: 0
        Untagged hit: 0, Untagged: 0
        No tag: 0, Bad tag: 0
        Unknown SCI: 0, No SCI: 101792
        Control pass: 0, Control drop: 0
        Uncontrol pass: 0, Uncontrol drop: 0
        Hit dropped: 0, Invalid accept: 0
        Late drop: 0, Delayed accept: 0
        Unchecked: 0, Not valid drop: 0
        Not using SA drop: 0, Unused SA accept: 0
Cause:

When MACSec is enabled, each packet on the wire gets a security tag. This security tag is 8 bytes. If you enable 'include-sci', an additional 8-byte Secure Channel Identifier (SCI) tag is also included in every packet. On MX devices, this tag is not enabled by default, but on some older EX and Cisco devices, this tag is always enabled. Therefore, if an MX device on which the tag is not enabled receives a packet with an SCI, it discards the packet and increments the 'No-SCI' counter.
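
Added example (not part of the Juniper article): a Python sketch that decodes the security tag of a captured frame to show whether the peer is sending the extra 8-byte SCI. The TCI bit layout follows IEEE 802.1AE; the function names and sample frames are constructed for illustration, and frames are assumed to carry no VLAN tag before the MACsec EtherType.

```python
import struct

MACSEC_ETHERTYPE = 0x88E5   # IEEE 802.1AE EtherType, first 2 bytes of the tag
TCI_SC = 0x20               # SC bit in the TCI/AN byte: explicit SCI present
TCI_E = 0x08                # E bit: user data is encrypted
AN_MASK = 0x03              # association number, low two bits

def parse_sectag(frame: bytes) -> dict:
    """Decode the security tag of an Ethernet frame (no VLAN tag assumed)."""
    if len(frame) < 20:
        raise ValueError("too short for an 8-byte security tag")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != MACSEC_ETHERTYPE:
        raise ValueError("EtherType is not 0x88E5 (no security tag)")
    tci_an, _short_len, pn = struct.unpack_from("!BBI", frame, 14)
    has_sci = bool(tci_an & TCI_SC)
    sci = None
    if has_sci:
        if len(frame) < 28:
            raise ValueError("SC bit set but frame ends before the SCI")
        sci = frame[20:28]      # 6-byte system MAC + 2-byte port identifier
    return {
        "sectag_len": 16 if has_sci else 8,
        "sci_present": has_sci,
        "sci": sci.hex() if sci else None,
        "encrypted": bool(tci_an & TCI_E),
        "an": tci_an & AN_MASK,
        "pn": pn,
    }

def sci_usage(frames) -> dict:
    """Count how many captured MACsec frames carry an explicit SCI."""
    counts = {"with_sci": 0, "without_sci": 0}
    for f in frames:
        key = "with_sci" if parse_sectag(f)["sci_present"] else "without_sci"
        counts[key] += 1
    return counts

# Constructed sample frames (not captured traffic); payload and ICV are zeros.
_MACS = bytes.fromhex("02005e000002" "02005e000001")   # dst, src
FRAME_WITH_SCI = _MACS + bytes.fromhex("88e5" "2c00" "00000001" "02005e0000010001") + bytes(32)
FRAME_NO_SCI = _MACS + bytes.fromhex("88e5" "0c00" "00000002") + bytes(32)
```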

Solution:

To interoperate with a device that has the SCI tag enabled, this tag must be enabled on your device as well. Configure 'include-sci' on both ends if you are bringing up a MACSec link between two different hardware devices, such as EX Series and MX Series, or a Juniper device and another vendor’s device.

Router# set security macsec connectivity-association <association name> include-sci