Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[chassis] Macsec sessions on the multi asic chassis linecard not working #11302

Closed
arlakshm opened this issue Jun 30, 2022 · 0 comments
Closed

[chassis] Macsec sessions on the multi asic chassis linecard not working #11302

arlakshm opened this issue Jun 30, 2022 · 0 comments
Labels
Chassis 🤖 Modular chassis support

Comments

@arlakshm
Copy link
Contributor

Description

In the PR #11141 the feature table was changed to enable mac-sec based on conditions in the jinja2 template.
This change however is not working for multi-asic linecards as hostcfgd is not update the config_db in the asic namespaces
So the feature state in the config_db in namespaces is j2 template iso of enabled or disabled
Example
feature state in asic0 config_db

 1) "has_timer"
 2) "False"
 3) "state"
 4) "{% if 'type' in DEVICE_METADATA['localhost'] and DEVICE_METADATA['localhost']['type'] == 'SpineRouter' %}enabled{% else %}disabled{% endif %}"
 5) "set_owner"
 6) "local"
 7) "auto_restart"
 8) "enabled"
 9) "check_up_status"
10) "False"
11) "has_global_scope"
12) "False"
13) "high_mem_alert"
14) "disabled"
15) "has_per_asic_scope"
16) "True"

Feature state in the host config_db

admin@str2-sonic-lc5-1:~$ redis-cli -n 4 hgetall "FEATURE|macsec"
 1) "auto_restart"
 2) "enabled"
 3) "check_up_status"
 4) "False"
 5) "has_global_scope"
 6) "False"
 7) "has_per_asic_scope"
 8) "True"
 9) "has_timer"
10) "False"
11) "high_mem_alert"
12) "disabled"
13) "set_owner"
14) "local"
15) "state"
16) "enabled"
admin@str2-sonic-lc5-1:~$

coppmgr in swss is checking the feature state is enabled before install trap rules.
Since macsec feature is not enabled in the namespace the trap rules to punt eapol packets to CPU is never installed ASIC.
Therefore macsec sessions is not working multi asic linecards

Steps to reproduce the issue:

  1. Enable macsec feature on multi asic linecard
  2. check the macsec sessions is up.

Describe the results you received:

eapol packets are not reaching the CPU on the multi asic linecard

Describe the results you expected:

Output of show version:

SONiC Software Version: SONiC.master.114766-9d5ca72b8
Distribution: Debian 11.3
Kernel: 5.10.0-12-2-amd64
Build commit: 9d5ca72b8
Build date: Sun Jun 26 15:39:21 UTC 2022
Built by: AzDevOps@sonic-build-workers-001OOY

Output of show techsupport:

(paste your output here or download and attach the file here )

Additional information you deem important (e.g. issue happens only occasionally):
@arlakshm arlakshm added the Chassis 🤖 Modular chassis support label Jun 30, 2022
@arlakshm arlakshm moved this to Todo in SONiC Chassis Jun 30, 2022
@judyjoseph judyjoseph mentioned this issue Jul 1, 2022
Merged
7 tasks
@arlakshm arlakshm closed this as completed Jul 1, 2022
Repository owner moved this from Todo to Done in SONiC Chassis Jul 1, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Chassis 🤖 Modular chassis support
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@arlakshm