I have RB2011UiAS-2HnD ether2 and cAP ax ether1 directly connected via Ethernet cable and MACsec properly setup on these interfaces. This seemed to work reliably for multiple days. The only differences in the MACsec setup was a different Ethernet port being used and that the MACsec interface on the RB2011UiAS-2HnD had a non-default MACsec profile with a server-priority of 100 (instead of the default 10). The CAK and CKN are identical, the MTU is the default 1468 on both devices.
About a week later (which might have involved some device restarts) I discovered that MACsec had not been working properly for the previous few days. No logs from when it started failing had survived due to log rotation, but something peculiar was that the MACsec status on one device was “open-encrypted”, but "negotiating” on the other. I don’t remember on which device had which, but if I recall correctly disabling and re-enabling MACsec it one one of the devices made it work again. Since I can't afford such instability, I switched to a non-MACsec setup.
Any idea what could be wrong? Could the different server-priority be to blame? The involved Ethernet interfaces were using default settings and were themselves only used by the respective MACsec interfaces (unless /tool sniffer set filter-interface=ether2 on the RB2011UiAS-2HnD counts). Both devices are using RouterOS v7.20.4 (stable).