11-01-2018 02:19 PM
Hi Community,
We've just purchased some ASR1001-HX devices and I'm facing a little issue while preparing the configuration.
There is no ipv6 ospf authentication command:
Router(config)#int Gi0/0/0
Router(config-if)#ipv6 ospf ?
<1-65535> Process ID
adjacency Adjacency staggering
bfd Enable BFD on this interface
cost Route cost of this interface
database-filter Filter OSPF LSA during synchronization and flooding
dead-interval Interval after which a neighbor is declared dead
demand-circuit OSPF demand circuit
flood-reduction OSPF Flood Reduction
hello-interval Time between HELLO packets
manet Mobile Adhoc Networking options
mtu-ignore Ignores the MTU in DBD packets
neighbor OSPF neighbor
network Network type
prefix-suppression OSPF prefix suppression
priority Router priority
retransmit-interval Time between retransmitting lost link state advertisements
shutdown Shut down the interface in OSPFv3
transmit-delay Link state transmit delay
Router(config-if)#
The pre-installed software image is quite up to date and I normally have a sufficient license:
Router#show ver
Cisco IOS XE Software, Version 16.07.01
Cisco IOS Software [Fuji], ASR1000 Software (X86_64_LINUX_IOSD-UNIVERSALK9_NPE_NOLI-M), Version 16.7.1, RELEASE SOFTWARE (fc6)
[omitted]
Router#show lic right
Index 2 Feature: advipservices
Period left: Life time
License Type: Permanent
License State: Active, In Use
License Count: Non-Counted
License Priority: Medium
Router#
Any idea? Has the syntax been changed?
Regards
- Alex
11-01-2018 04:15 PM
I have not yet tried on Fuji, but Everest works; for Fuji, as below:
11-03-2018 04:03 PM - edited 11-03-2018 04:20 PM
Hey thanks for your answer.
I've "downgraded" to the current suggested Everest version.
But still no ipv6 ospf authentication interface-command.
I've played a bit with the licenses since I have advipservices active.
I've activated the adventservices and the ipsec license (right-to-use), but still the command isn't available.
I've noticed that instead an ospfv3 authentication interface-command is available though.
But not like it's described in the documentation, followed by an ipsec keyword. Only null and key-chain are available.
I tried to set up a key in a key chain and bind it on the interface for OSPFv3, and I think I got it finally working:
Router#
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ipv6 uni
Router(config)#ipv6 unicast-routing
Router(config)#router ospfv3 1
Router(config-router)#router-id 1.1.1.1
Router(config-router)#exit
Router(config)#
Router(config)#
Router(config)#int Gi0/0/1
Router(config-if)#ipv6 ospf 1 area 0
% OSPFv3: IPV6 is not enabled on this interface
Router(config-if)#
Router(config-if)#ipv6 ena
Router(config-if)#ipv6 ospf 1 area 0
Router(config-if)#ipv6 ospf ?
<1-65535> Process ID
adjacency Adjacency staggering
bfd Enable BFD on this interface
cost Route cost of this interface
database-filter Filter OSPF LSA during synchronization and flooding
dead-interval Interval after which a neighbor is declared dead
demand-circuit OSPF demand circuit
flood-reduction OSPF Flood Reduction
hello-interval Time between HELLO packets
manet Mobile Adhoc Networking options
mtu-ignore Ignores the MTU in DBD packets
neighbor OSPF neighbor
network Network type
prefix-suppression OSPF prefix suppression
priority Router priority
retransmit-interval Time between retransmitting lost link state advertisements
shutdown Shut down the interface in OSPFv3
transmit-delay Link state transmit delay
Router(config-if)#exit
Router(config)#
Router(config)#
Router(config)#key chain OSPF-KEYS
Router(config-keychain)#key 1
Router(config-keychain-key)#key-string ospf-key-1
Router(config-keychain-key)#cr
Router(config-keychain-key)#cryptographic-algorithm md5
Router(config-keychain-key)#send-li
Router(config-keychain-key)#send-lifetime 10:00:00 3 Nov 2018 inf
Router(config-keychain-key)#exit
Router(config-keychain)#exit
Router(config)#
Router(config)#
Router(config)#
Router(config)#
Router(config)#int Gi0/0/1
Router(config-if)#ospfv3 authen ?
key-chain Use a key-chain for cryptographic authentication keys
null Use no authentication
Router(config-if)#ospfv3 authen key-chain OSPF-KEYS
Router(config-if)#
*Nov 3 15:38:37.563: %OSPFv3-5-NOCRYPTOALG: Key ID 1 in key chain OSPF-KEYS does not have a valid cryptographic algorithm
*Nov 3 15:38:37.563: %OSPFv3-4-NOVALIDKEY: No valid authentication key under key-chain OSPF-KEYS
Router(config-if)#
Router(config-if)#no ospfv3 authen key-chain
Router(config-if)#
Router(config-if)#
Router(config-if)#
Router(config-if)#
Router(config-if)#exit
Router(config)#
Router(config)#key chain OSPF-KEYS
Router(config-keychain)#key 1
Router(config-keychain-key)#cry
Router(config-keychain-key)#cryptographic-algorithm hm
Router(config-keychain-key)#cryptographic-algorithm hmac-sha-1
Router(config-keychain-key)#exit
Router(config-keychain)#exit
Router(config)#
Router(config)#
Router(config)#int Gi0/0/1
Router(config-if)#ospfv3 authen key-chain OSPF-KEYS
Router(config-if)#
Router(config-if)#^Z
Router#
Router#
Router#
Router#
*Nov 3 15:40:18.774: %SYS-5-CONFIG_I: Configured from console by console
Router#show ospfv3 int
GigabitEthernet0/0/1 is administratively down, line protocol is down
Link Local Address FE80::B28B:CFFF:FE1B:3601, Interface ID 8
Area 0, Process ID 1, Instance ID 0, Router ID 1.1.1.1
Network Type BROADCAST, Cost: 1
Cryptographic authentication enabled
Sending SA: Key 1, Algorithm HMAC-SHA-1 - key chain OSPF-KEYS
Transmit Delay is 1 sec, State DOWN, Priority 1
No designated router on this network
No backup designated router on this network
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Router#
Router#
Router#
I've struggled a bit to choose the right parameters for the keys. So apparently the send-lifetime must be (!) in the past and it seems that only SHA1 is a valid algorithm for the IPsec/AH authentication for OSPFv3.
The key-string parameter must match on both or all ends of the OSPF link.
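
An offline check for the two key-chain problems seen in the session above, as an added example that is not part of the original post: it parses a saved configuration and reports, for each key chain bound with `ospfv3 authentication key-chain`, the keys that would produce the NOCRYPTOALG and NOVALIDKEY messages. The accepted-algorithm set, the `NOT-YET-ACTIVE` label, the function names and the sample configuration are assumptions made for this example; a key without a send-lifetime is treated as always usable.

```python
import re
from datetime import datetime
# Assumption: HMAC-SHA family accepted; the thread only shows hmac-sha-1 accepted, md5 rejected.
ACCEPTED = {"hmac-sha-1", "hmac-sha-256", "hmac-sha-384", "hmac-sha-512"}
# Constructed sample configuration (key-string lines left out on purpose).
SAMPLE = """\
key chain OSPF-KEYS
 key 1
  cryptographic-algorithm md5
key chain OSPF-KEYS-NEW
 key 1
  cryptographic-algorithm hmac-sha-1
  send-lifetime 10:00:00 Nov 3 2018 infinite
 key 2
  cryptographic-algorithm hmac-sha-1
  send-lifetime 10:00:00 Jan 1 2030 infinite
interface GigabitEthernet0/0/0
 ospfv3 authentication key-chain OSPF-KEYS
interface GigabitEthernet0/0/1
 ospfv3 authentication key-chain OSPF-KEYS-NEW
"""

def parse_key_chains(config):  # -> {chain: {key_id: {"alg": ..., "start": ...}}}
    chains, chain, key = {}, None, None
    for line in config.splitlines():
        if m := re.match(r"key chain (\S+)", line):
            chain, key = chains.setdefault(m[1], {}), None
        elif not line.startswith(" "):
            chain = key = None  # any other top-level line ends the block
        elif chain is not None and (m := re.match(r" +key (\d+)\s*$", line)):
            key = chain.setdefault(int(m[1]), {"alg": None, "start": None})
        elif key is not None and (m := re.match(r" +cryptographic-algorithm (\S+)", line)):
            key["alg"] = m[1]
        elif key is not None and (m := re.match(r" +send-lifetime (\S+) (\w+) (\w+) (\d{4})", line)):
            t, a, b, year = m.groups()  # handles "3 Nov 2018" and "Nov 3 2018"
            day, mon = (a, b) if a.isdigit() else (b, a)
            key["start"] = datetime.strptime(f"{day} {mon[:3]} {year} {t}", "%d %b %Y %H:%M:%S")
    return chains

def audit(config, now):  # -> [(chain, key_id or None, problem)]
    chains, findings = parse_key_chains(config), []
    for name in re.findall(r"^ +ospfv3 authentication key-chain (\S+)", config, re.M):
        problems = {kid: ("NOCRYPTOALG" if k["alg"] not in ACCEPTED else
                          "NOT-YET-ACTIVE" if k["start"] and k["start"] > now else None)
                    for kid, k in chains.get(name, {}).items()}
        findings += [(name, kid, p) for kid, p in sorted(problems.items()) if p]
        if not any(p is None for p in problems.values()):
            findings.append((name, None, "NOVALIDKEY"))  # no usable key at all
    return findings
```

Calling `audit(SAMPLE, datetime(2018, 11, 3, 15, 38, 37))` flags key 1 of OSPF-KEYS for its md5 algorithm, the chain as a whole for having no valid key, and key 2 of OSPF-KEYS-NEW as not yet active.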
11-02-2018 12:57 PM
Strange. I just tried it with a CSR1k image and it works. I would open a TAC case or upgrade to a new image if I were you.
XE-1#sh ver | incl Fuji
Cisco IOS Software [Fuji], Virtual XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.7.1, RELEASE SOFTWARE (fc6)
XE-1#config t
Enter configuration commands, one per line. End with CNTL/Z.
XE-1(config)#int gi2
XE-1(config-if)#ipv6 ospf ?
<1-65535> Process ID
adjacency Adjacency staggering
authentication Enable authentication
bfd Enable BFD on this interface
XE-1(config-if)#ipv6 ospf
Regards,