There are 2 bugs in the macsec module when the interface status changes.
Configuration:
VyOS1
```
set interfaces macsec macsec1 address '192.168.2.1/24'
set interfaces macsec macsec1 disable
set interfaces macsec macsec1 security cipher 'gcm-aes-128'
set interfaces macsec macsec1 security encrypt
set interfaces macsec macsec1 security mka cak 'ff9b7c30ddbc37f4c6bc9dc26ce65b42'
set interfaces macsec macsec1 security mka ckn '547ec2be513bfa4b1b14b6c1b45eae14eb73bc985aa93407895791e035d3b00d'
set interfaces macsec macsec1 source-interface 'eth0'
```
VyOS2
```
set interfaces macsec macsec1 address '192.168.2.2/24'
set interfaces macsec macsec1 security cipher 'gcm-aes-128'
set interfaces macsec macsec1 security encrypt
set interfaces macsec macsec1 security mka cak 'ff9b7c30ddbc37f4c6bc9dc26ce65b42'
set interfaces macsec macsec1 security mka ckn '547ec2be513bfa4b1b14b6c1b45eae14eb73bc985aa93407895791e035d3b00d'
set interfaces macsec macsec1 source-interface 'eth0'
```
Normal macsec interface status
```
vyos@vyos:~$ show interfaces macsec
6: macsec1: protect on validate strict sc on sa on encrypt on send_sci on end_station off scb off replay off
cipher suite: GCM-AES-128, using ICV length 16
TXSC: 0cae540700000001 on SA 2
2: PN 7, state on, key c0bce5907d67938c5e6348ca0b000000
RXSC: 0c66f88900000001, state on
2: PN 7, state on, key c0bce5907d67938c5e6348ca0b000000
```
1. If we change the status of the macsec interface, traffic can flow.
```
vyos@vyos# set interfaces macsec macsec1 disable
```
Interface macsec status does not change. We can ping other side.
```
vyos@vyos:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
--------- ---------- --- -----------
eth0 - u/u
eth1 192.168.17.142/24 u/u
eth2 - u/D
eth3 - u/D
lo 127.0.0.1/8 u/u
::1/128
macsec1 192.168.2.2/24 u/u
vyos@vyos:~$ sudo ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether 0c:ae:54:07:00:00 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether 0c:ae:54:07:00:01 brd ff:ff:ff:ff:ff:ff
4: eth2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000
link/ether 0c:ae:54:07:00:02 brd ff:ff:ff:ff:ff:ff
5: eth3: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000
link/ether 0c:ae:54:07:00:03 brd ff:ff:ff:ff:ff:ff
6: macsec1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1460 qdisc noqueue state UP mode DEFAULT group default qlen 1000
link/ether 0c:ae:54:07:00:00 brd ff:ff:ff:ff:ff:ff
```
2. If we change physical interface down and then up by VyOS CLI, interface macsec status does not change but we can not ping other side.
```
yos@vyos# set interfaces ethernet eth0 disable
vyos@vyos:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
--------- ---------- --- -----------
eth0 - A/D
eth1 192.168.17.142/24 u/u
eth2 - u/D
eth3 - u/D
lo 127.0.0.1/8 u/u
::1/128
macsec1 192.168.2.2/24 u/u
vyos@vyos:~$ sudo ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000
link/ether 0c:ae:54:07:00:00 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether 0c:ae:54:07:00:01 brd ff:ff:ff:ff:ff:ff
4: eth2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000
link/ether 0c:ae:54:07:00:02 brd ff:ff:ff:ff:ff:ff
5: eth3: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000
link/ether 0c:ae:54:07:00:03 brd ff:ff:ff:ff:ff:ff
6: macsec1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1460 qdisc noqueue state UP mode DEFAULT group default qlen 1000
link/ether 0c:ae:54:07:00:00 brd ff:ff:ff:ff:ff:ff
vyos@vyos:~$ show interfaces macsec
6: macsec1: protect on validate strict sc on sa on encrypt on send_sci on end_station off scb off replay off
cipher suite: GCM-AES-128, using ICV length 16
TXSC: 0cae540700000001 on SA 2
vyos@vyos:~$ sudo ip macsec show
6: macsec1: protect on validate strict sc on sa on encrypt on send_sci on end_station off scb off replay off
cipher suite: GCM-AES-128, using ICV length 16
TXSC: 0cae540700000001 on SA 2
vyos@vyos# delete interfaces ethernet eth0 disable
vyos@vyos:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
--------- ---------- --- -----------
eth0 - u/u
eth1 192.168.17.142/24 u/u
eth2 - u/D
eth3 - u/D
lo 127.0.0.1/8 u/u
::1/128
macsec1 192.168.2.2/24 u/u
vyos@vyos:~$ sudo ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether 0c:ae:54:07:00:00 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether 0c:ae:54:07:00:01 brd ff:ff:ff:ff:ff:ff
4: eth2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000
link/ether 0c:ae:54:07:00:02 brd ff:ff:ff:ff:ff:ff
5: eth3: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000
link/ether 0c:ae:54:07:00:03 brd ff:ff:ff:ff:ff:ff
6: macsec1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1460 qdisc noqueue state UP mode DEFAULT group default qlen 1000
link/ether 0c:ae:54:07:00:00 brd ff:ff:ff:ff:ff:ff
vyos@vyos:~$ show interfaces macsec
6: macsec1: protect on validate strict sc on sa on encrypt on send_sci on end_station off scb off replay off
cipher suite: GCM-AES-128, using ICV length 16
TXSC: 0cae540700000001 on SA 2
vyos@vyos:~$ sudo ip macsec show
6: macsec1: protect on validate strict sc on sa on encrypt on send_sci on end_station off scb off replay off
cipher suite: GCM-AES-128, using ICV length 16
TXSC: 0cae540700000001 on SA 2
```
If we change it by Linux commands everything works fine.
```
sudo ip link set eth0 up
sudo ip link set eth0 down
```