topic Re: FTD and OSPF MD5 authentication in Network Security

FTD and OSPF MD5 authentication

Moon1998 — Fri, 21 Feb 2020 15:54:34 GMT

Hi all,

I am trying to get OSPF authentication working beween Catalyst 3650 and ASA 5506-X with FTD image, managed by FMC.

Connectivity works and also OSPF adjacency is up, when plaintext authentication is used. So it's not any of the usual issues like MTU etc. When I switch to MD5, adjacency is stuck at INIT.

LAB#sho ip ospf nei | i 201
10.1.39.194 0 INIT/DROTHER 00:00:37 10.1.39.194 Vlan201

As far as I can tell from the debugging, both-way communication is at place and keys are correctly exchanged:

Jun 22 16:09:49.664: OSPF-100 PAK : Vl201: IN: 10.1.39.194->224.0.0.5: ver:2 type:1 len:44 rid:10.1.39.194 area:0.0.0.100 chksum:0 auth:2 keyid:1 seq:0x5B2C
*Jun 22 16:09:50.392: OSPF-100 PAK : Vl201: OUT: 10.1.39.193->224.0.0.5: ver:2 type:1 len:48 rid:10.8.103.5 area:0.0.0.100 chksum:0 auth:2 keyid:1 seq:0x5B2C

However, the adjacency never comes up. The config is basic:

Switch:

interface Vlan201
ip address 10.1.39.193 255.255.255.252
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 ***

FTD:

interface GigabitEthernet1/1
nameif WAN
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 10.1.39.194 255.255.255.252
ospf priority 0
ospf message-digest-key 1 md5 *****
ospf authentication message-digest
!

I was not able to get anything useful from ASA logs.

Now, this may be some issue on the switch as well... but I had that many issues with FTD and FMC over past weeks, that I would bet my monthly wage on the FTD...

FTD/FMC is running 6.2.3.2 and Catalyst 16.6.3.

Anyone had similar problem?

Thanks.

Re: FTD and OSPF MD5 authentication

jai_chandra2001 — Fri, 05 Apr 2019 03:12:56 GMT

I had the exact same problem, ended up using password authentication (no MD5) to make it work. Would like to know if someone found the solution to this.

Re: FTD and OSPF MD5 authentication

thomas.clupp@l3t.com — Fri, 05 Apr 2019 03:54:33 GMT

To make it work with md5, disable lls on the ospf interface that connects to the firepower. Firepower doesn't support lls.

Re: FTD and OSPF MD5 authentication

tkitzky — Thu, 25 Jul 2019 22:40:43 GMT

Yes. This solved my problem. I had two FTD devices affected by this. One was a ASA5555 w FTD 6.2.3 and the other a FP4110 FTD 6.2.3.

Re: FTD and OSPF MD5 authentication

ShirleyGaray1580 — Thu, 10 Aug 2023 15:57:28 GMT

Hello Thomas

I am in the same situation with md5 authentication, in which part is that lls option disabled in the ftd (firepower) interface? I have several headaches for that

Re: FTD and OSPF MD5 authentication

thomas.clupp@l3t.com — Thu, 10 Aug 2023 16:19:33 GMT

It's not in the Firepower interface, you disable lls on the device that connects to the Firepower (router, switch, etc...).