show security mka sessions (MX Series)
Syntax
show security mka sessions <interface interface-name> <summary | brief | detail>
Description
Display MACsec Key Agreement (MKA) session information for all interfaces. The MKA protocol is responsible for maintaining MACsec on the link, and decides which router on the point-to-point link becomes the key server.
Options
interface interface-name—Display the MKA session information for the specified interface only.summary | brief | detail—Display the specified level of output.none (same as
brief)—Display the MKA session information for all interfaces.
Required Privilege Level
view
Output Fields
Table 1 lists the output
fields for the show security mka sessions command. Output
fields are listed in the approximate order in which they appear.
Field Name |
Field Description |
|---|---|
|
|
Name of the interface. |
|
|
State of the interface:
If the interface is in secured or secured-suspended state, the CAK type is also displayed. |
|
|
Name of the member identifier. |
|
|
Name of the connectivity association key (CAK). The CAK is configured
using the |
|
|
The CAK type: primary, fallback, or preceding. |
|
|
The number of seconds the MACsec session can be suspended during GRES. This count decrements until the remote node comes out of suspension. |
|
|
The transmit interval. Both ends of the point-to-point link should be configured to the same value. Default value is 2000 seconds. Possible values: 2000 through 6000 milliseconds. |
|
|
The timer-based refresh interval for the secure association key (SAK). Default value is 0 seconds. Possible values: 60 through 86,400 seconds. |
|
|
Shows whether preceding key is enabled or not. |
|
|
Shows whether bounded delay is enabled or not. |
|
|
Name of the outbound secure channel identifier. |
|
|
Number of the last data message. |
|
|
Key number. |
|
|
Key server status. The router is the key server when this output is |
|
|
Displays the priority of the key server. Lower value indicates higher
priority. Use the |
|
|
Name of the latest secure association key (SAK) association number. |
|
|
Name of the latest secure association key (SAK) key identifier. |
|
|
Shows whether MKA session suspensions are enabled or disabled. Configure
the |
|
|
Shows whether the key server is enabled to accept MKA session suspension
requests from the peer server. Configure the
|
| Fields for Peer list | |
|
|
Name of the member identifier. |
|
|
Hold time, in seconds. |
|
|
Number of the last data message |
|
|
Name of the secure channel identifier. |
|
|
Number of the lowest acceptable packet number (PN). |
| Fields for CAK list (detail only) | |
|
|
Name of the connectivity association key (CAK). |
|
|
The CAK type: primary, fallback, or preceding. |
|
|
The CAK status: live, active, or in-progress. |
|
|
Name of the member identifier. |
|
|
Number of the last data message |
Sample Output
show security mka sessions
user@host> show security mka sessions
Interface name: xe-0/2/0
Interface State: Secured-Suspended
Member identifier: 9D8976C83B8DCB101430AC8B
CAK name: 3333
CAK type: primary
MKA suspended: 99(s)
Transmit interval: 2000(ms)
SAK rekey interval: 0(s)
Preceding Key: enabled
Outbound SCI: 88:E0:F3:1F:40:64/1
Message number: 236 Key number: 3
Key server: yes Key server priority: 16
Latest SAK AN: 2 Latest SAK KI: 9D8976C83B8DCB101430AC8B/3
Previous SAK AN: 1 Previous SAK KI: 9D8976C83B8DCB101430AC8B/2
MKA Suspend For: enabled MKA Suspend On Request: enabledshow security mka sessions interface ge-0/0/2 detail
user@host> show security mka sessions interface ge-0/0/2 detail
Interface state: Secured - Primary
Member identifier: 20E8DB2EA6A09291E497BA41
CAK name: 1111
CAK type: primary
MKA suspended: 0(s)
Transmit interval: 6000(ms)
SAK rekey interval: 0(s)
Preceding Key: enabled
Bounded Delay: disabled
Outbound SCI: 30:B6:4F:6A:C8:02/1
Message number: 42265 Key number: 1
Key server: yes Key server priority: 16
Latest SAK AN: 1 Latest SAK KI: 20E8DB2EA6A09291E497BA41/1
Previous SAK AN: 0 Previous SAK KI: 000000000000000000000000/0
MKA Suspend For: enabled MKA Suspend On Request: enabled
CAK list: (2)
1. CAK name: 1111
CAK type: primary Status: live
Member identifier: 20E8DB2EA6A09291E497BA41 Message number: 42265
Peer list: (1)
1. Member identifier: 053303E64A2B6207EF54CF12 (live)
Message number: 51887 Hold time: 13000 (ms)
SCI: B0:A8:6E:A1:B8:5A/1
Lowest acceptable PN: 0
2. CAK name: FFF1
CAK type: fallback Status: active
Member identifier: 15CCDF84E92E90FFA1541A87 Message number: 42261
Peer list: (1)
1. Member identifier: 24007B2D31E69974AD3E8416 (live)
Message number: 51870 Hold time: 16000 (ms)
SCI: B0:A8:6E:A1:B8:5A/1
Lowest acceptable PN: 0Release Information
Command introduced in Junos OS Release 15.1.