802.1X tunneling and multihop MACsec

A MACsec frame is an Ethernet packet and, as with any Ethernet packet, can be forwarded through multiple switches using Layer 2 forwarding. Encryption and decryption of the packets are performed on the 802.1x (MKA) capable ports.

To ensure that MKA is not terminated on an intermediate switch or router, enable 802.1x tunneling on the corresponding port.

Verify that tunneling is enabled using the following command.

*A:SwSim28>config>port>ethernet>dot1x# info 
----------------------------------------------
      tunneling

With tunneling enabled, the 802.1x MKA packets transit that port without being terminated; consequently, MKA negotiation does not occur on a port that has 802.1x tunneling enabled.
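
The following added example (not part of the original page and not the switch's own code) models why an intermediate port needs tunneling: MACsec data frames are ordinary Layer 2 traffic, while MKA rides in EAPOL, which a port running 802.1x consumes locally. The EtherTypes, EAPOL packet type and PAE group address are standard IEEE values; the function names, the forwarding model and the sample frames are assumptions constructed for illustration.

```python
import struct

# Well-known IEEE values (not taken from the page).
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")  # 802.1X PAE group address
ETH_EAPOL = 0x888E            # EAPOL, the carrier for MKA
ETH_MACSEC = 0x88E5           # MACsec SecTAG follows
ETH_VLAN = {0x8100, 0x88A8}   # 802.1Q / 802.1ad tags
EAPOL_TYPE_MKA = 5            # EAPOL-MKA packet type

def classify(frame: bytes) -> str:
    """Return 'eapol-mka', 'eapol-other', 'macsec-data' or 'other'."""
    offset = 12  # skip destination and source MAC
    if len(frame) < offset + 2:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype in ETH_VLAN:  # step over any cleartext VLAN tags
        offset += 4
        if len(frame) < offset + 2:
            raise ValueError("truncated VLAN tag")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
    payload = frame[offset + 2:]
    if ethertype == ETH_MACSEC:
        return "macsec-data"
    if ethertype == ETH_EAPOL:
        if len(payload) < 4:  # version, type, 2-byte body length
            raise ValueError("truncated EAPOL header")
        return "eapol-mka" if payload[1] == EAPOL_TYPE_MKA else "eapol-other"
    return "other"

def transit_action(frame: bytes, tunneling: bool) -> str:
    """Simplified model of one intermediate port (assumption, not vendor code).

    Without tunneling the port's own 802.1x function consumes EAPOL, so MKA
    stops at this hop; with tunneling EAPOL is switched like any other frame.
    Assumption: non-MKA EAPOL is treated the same way as MKA.
    """
    if classify(frame).startswith("eapol") and not tunneling:
        return "terminate"
    return "forward"

def sample_frame(ethertype, payload, vlan=None):
    """Build a constructed test frame; the source MAC is a made-up value."""
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    return (PAE_GROUP_MAC + bytes.fromhex("020000000001") + tag
            + struct.pack("!H", ethertype) + payload)
```

Running `transit_action` over a capture taken on each hop shows where MKA would stop: any port that returns "terminate" for an `eapol-mka` frame is one that still needs tunneling enabled.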