Updating macsec key on two Linux hosts using 'ip macsec' commands
1 vote, 0 answers, 23 views
I'm trying to do a simple task with no luck so far.
I have two Linux hosts communicating using macsec interfaces:
Host1:
[Expert@jaguar_macsec-s01-01:0]# ip macsec show
11: Sync: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
cipher suite: GCM-AES-128, using ICV length 16
TXSC: 0050569ed33d0001 on SA 0
0: PN 123787, state on, key 00000000000000000000000000000000
RXSC: 0050569e00d00001, state on
0: PN 19308, state on, key 00000000000000000000000000000000
Host 2:
[Expert@jaguar_macsec-s01-02:0]# ip macsec show
11: Sync: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
cipher suite: GCM-AES-128, using ICV length 16
TXSC: 0050569e00d00001 on SA 0
0: PN 35356, state on, key 00000000000000000000000000000000
RXSC: 0050569ed33d0001, state on
0: PN 148262, state on, key 00000000000000000000000000000000
In order to change the key, I create a new tx channel and a new rx channel on both ends, then turn off the old ones:
Host 1:
ip macsec add Sync tx sa 1 pn 1 key 01 81818181818181818181818181818181
ip macsec add Sync rx sci 0050569e00d00001 sa 1 pn 1 key 01 81818181818181818181818181818181
ip macsec set Sync tx sa 1 on
ip macsec set Sync rx sci 0050569e00d00001 sa 1 on
ip macsec set Sync tx sa 0 off
ip macsec set Sync rx sci 0050569e00d00001 sa 0 off
[Expert@jaguar_macsec-s01-01:0]# ip macsec show
11: Sync: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
cipher suite: GCM-AES-128, using ICV length 16
TXSC: 0050569ed33d0001 on SA 0
0: PN 155609, state off, key 00000000000000000000000000000000
1: PN 1, state on, key 01000000000000000000000000000000
RXSC: 0050569e00d00001, state on
0: PN 39777, state off, key 00000000000000000000000000000000
1: PN 1, state on, key 01000000000000000000000000000000
Host 2:
ip macsec add Sync tx sa 1 pn 1 key 01 81818181818181818181818181818181
ip macsec add Sync rx sci 0050569ed33d0001 sa 1 pn 1 key 01 81818181818181818181818181818181
ip macsec set Sync tx sa 1 on
ip macsec set Sync rx sci 0050569ed33d0001 sa 1 on
ip macsec set Sync tx sa 0 off
ip macsec set Sync rx sci 0050569ed33d0001 sa 0 off
[Expert@jaguar_macsec-s01-02:0]# ip macsec show
11: Sync: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
cipher suite: GCM-AES-128, using ICV length 16
TXSC: 0050569e00d00001 on SA 0
0: PN 36370, state off, key 00000000000000000000000000000000
1: PN 1, state on, key 01000000000000000000000000000000
RXSC: 0050569ed33d0001, state on
0: PN 149509, state off, key 00000000000000000000000000000000
1: PN 1, state on, key 01000000000000000000000000000000
As can be seen, even though I turned off the old channels, I still can't get the new ones to work - the PN (packet number) stays at 1, which means no packets have been sent or received using these channels.
Deleting the old channels completely didn't help either.
I couldn't find any documentation that explains how this procedure can be done correctly.
Any advice would be greatly appreciated.
Asked by user29990022
(11 rep)
Mar 20, 2025, 10:15 AM
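An added example of the rotation procedure described in the question, written as a small POSIX shell script; it is not code from the question or from iproute2. It assumes the interface name Sync, the peer SCIs and the key id/key shown in the post, and a constructed replacement key (GCM-AES-128 keys are 16 bytes, i.e. 32 hex digits, which the script checks before touching the interface). Two points it makes explicit: the "key ..." column of `ip macsec show` prints the key identifier given after `key`, not the key material, and the "TXSC: ... on SA 0" line reports which transmit SA is currently encoding; `ip link set ... type macsec encodingsa N` is the iproute2 option that moves encoding to a different SA, which the command sequence in the post does not include. By default the script only prints the commands it would run (DRY_RUN=1), so it can be reviewed before being executed with root privileges on each host.

```shell
#!/bin/sh
# Added example (not from the question): rotate a MACsec SA on one host.
# Assumed names: interface "Sync", peer SCI and key id/key as in the post.
# DRY_RUN=1 (default) prints each command instead of executing it.
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Accept only a 16-byte key as 32 hex digits (GCM-AES-128, the suite in the post).
valid_key_hex() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{32}$'
}

# macsec_rotate DEV PEER_SCI OLD_AN NEW_AN KEY_ID KEY_HEX
# Ordering matters for a live link: run the "add"/"set ... on" steps on BOTH
# hosts first so each side can already decrypt SA NEW_AN, then switch the
# encoding SA and retire the old one. The emitted sequence is per host.
macsec_rotate() {
  dev=$1; peer_sci=$2; old_an=$3; new_an=$4; key_id=$5; key=$6
  valid_key_hex "$key" || { echo "refusing key that is not 32 hex digits" >&2; return 1; }
  # Install the new key as SA NEW_AN on the transmit and receive channels.
  run ip macsec add "$dev" tx sa "$new_an" pn 1 key "$key_id" "$key"
  run ip macsec add "$dev" rx sci "$peer_sci" sa "$new_an" pn 1 key "$key_id" "$key"
  run ip macsec set "$dev" tx sa "$new_an" on
  run ip macsec set "$dev" rx sci "$peer_sci" sa "$new_an" on
  # Move encoding to SA NEW_AN; without this, "TXSC ... on SA OLD_AN" persists
  # and outgoing frames keep using the old association.
  run ip link set dev "$dev" type macsec encodingsa "$new_an"
  # Retire the old association on both directions.
  run ip macsec set "$dev" tx sa "$old_an" off
  run ip macsec set "$dev" rx sci "$peer_sci" sa "$old_an" off
}

# Example invocation for Host 1 of the post (constructed replacement key).
# On Host 2 the peer SCI would be 0050569ed33d0001 instead.
# macsec_rotate Sync 0050569e00d00001 0 1 01 81818181818181818181818181818181
```

A fresh key for a real rotation can be produced with `openssl rand -hex 16`; after running the sequence on both hosts, `ip macsec show` should report the TXSC line as "on SA 1" and the PN of SA 1 should start increasing on each side.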