Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3257
Views
5
Helpful
5
Replies

FTD and OSPF MD5 authentication

Moon1998
Level 1
Level 1

‎06-22-2018 09:23 AM - edited ‎02-21-2020 07:54 AM

Hi all,

I am trying to get OSPF authentication working beween Catalyst 3650 and ASA 5506-X with FTD image, managed by FMC.

 

Connectivity works and also OSPF adjacency is up, when plaintext authentication is used. So it's not any of the usual issues like MTU etc. When I switch to MD5, adjacency is stuck at INIT.

 

LAB#sho ip ospf nei | i 201
10.1.39.194 0 INIT/DROTHER 00:00:37 10.1.39.194 Vlan201

 

As far as I can tell from the debugging, both-way communication is at place and keys are correctly exchanged:

Jun 22 16:09:49.664: OSPF-100 PAK : Vl201: IN: 10.1.39.194->224.0.0.5: ver:2 type:1 len:44 rid:10.1.39.194 area:0.0.0.100 chksum:0 auth:2 keyid:1 seq:0x5B2C
*Jun 22 16:09:50.392: OSPF-100 PAK : Vl201: OUT: 10.1.39.193->224.0.0.5: ver:2 type:1 len:48 rid:10.8.103.5 area:0.0.0.100 chksum:0 auth:2 keyid:1 seq:0x5B2C

 

However, the adjacency never comes up. The config is basic:

Switch:

interface Vlan201
ip address 10.1.39.193 255.255.255.252
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 ***

 

FTD:

interface GigabitEthernet1/1
nameif WAN
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 10.1.39.194 255.255.255.252
ospf priority 0
ospf message-digest-key 1 md5 *****
ospf authentication message-digest
!

 

I was not able to get anything useful from ASA logs.

Now, this may be some issue on the switch as well... but I had that many issues with FTD and FMC over past weeks, that I would bet my monthly wage on the FTD...

 

FTD/FMC is running 6.2.3.2 and Catalyst 16.6.3.

 

Anyone had similar problem?

Thanks.

4 people had this problem
Labels:
0 Helpful
5 Replies 5

jai_chandra2001
Level 1
Level 1

‎04-04-2019 08:12 PM

I had the exact same problem, ended up using password authentication (no MD5) to make it work. Would like to know if someone found the solution to this.

0 Helpful

thomas.clupp@l3t.com
Level 1
Level 1
In response to jai_chandra2001

‎04-04-2019 08:54 PM

To make it work with md5, disable lls on the ospf interface that connects to the firepower. Firepower doesn't support lls.

tkitzky
Level 1
Level 1
In response to thomas.clupp@l3t.com

‎07-25-2019 03:40 PM

Yes. This solved my problem. I had two FTD devices affected by this. One was a ASA5555 w FTD 6.2.3 and the other a FP4110 FTD 6.2.3.

 

0 Helpful

ShirleyGaray1580
Level 1
Level 1
In response to thomas.clupp@l3t.com

‎08-10-2023 08:57 AM 

Hello Thomas

I am in the same situation with md5 authentication, in which part is that lls option disabled in the ftd (firepower) interface? I have several headaches for that 
0 Helpful

thomas.clupp@l3t.com
Level 1
Level 1
In response to ShirleyGaray1580

‎08-10-2023 09:19 AM

It's not in the Firepower interface, you disable lls on the device that connects to the Firepower (router, switch, etc...).

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card