
Trouble with OSPF in Firepower

engineer467
Level 1

I have a Firepower running OS 6.4 and am trying to configure basic OSPF, but it's not working. I get this: "Area BACKBONE(0) (Inactive)". Not sure what to check now.

Below is the output of show ospf-

 

Routing Process "ospf 1" with ID xx.xx.xx.xx
Start time: 12w3d, Time elapsed: 01:15:46.160
Supports only single TOS(TOS0) routes
Supports opaque LSA
Supports Link-local Signaling (LLS)
Supports area transit capability
Event-log enabled, Maximum number of events: 1000, Mode: cyclic
It is an autonomous system boundary router
Redistributing External Routes from,
Router is not originating router-LSAs with maximum metric
Initial SPF schedule delay 5000 msecs
Minimum hold time between two consecutive SPFs 10000 msecs
Maximum wait time between two consecutive SPFs 10000 msecs
Incremental-SPF disabled
Initial LSA throttle delay 0 msecs
Minimum hold time for LSA throttle 5000 msecs
Maximum wait time for LSA throttle 5000 msecs
Minimum LSA arrival 1000 msecs
LSA group pacing timer 240 secs
Interface flood pacing timer 33 msecs
Retransmission pacing timer 66 msecs
Number of external LSA 1. Checksum Sum 0xbed8
Number of opaque AS LSA 0. Checksum Sum 0x0
Number of DCbitless external and opaque AS LSA 0
Number of DoNotAge external and opaque AS LSA 0
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Number of areas transit capable is 0
External flood list length 0
IETF NSF helper support enabled
Cisco NSF helper support enabled
Reference bandwidth unit is 100 mbps
Area BACKBONE(0) (Inactive)
Number of interfaces in this area is 1
Area has no authentication
SPF algorithm last executed 01:15:41.160 ago
SPF algorithm executed 1 times
Area ranges are
Number of LSA 1. Checksum Sum 0xdb44
Number of opaque link LSA 0. Checksum Sum 0x0
Number of DCbitless LSA 0
Number of indication LSA 0
Number of DoNotAge LSA 0
Flood list length 0

26 Replies

OSPF header errors
Length 0, Auth Type 0, Checksum 0, Version 0,
Bad Source 0, No Virtual Link 0, Area Mismatch 0,
No Sham Link 0, Self Originated 0, Duplicate ID 0,
Hello 0, MTU Mismatch 0, Nbr Ignored 0,
LLS 0, Unknown Neighbor 0, Authentication 248,

 

This shows an authentication issue, maybe the key?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Yes, maybe. I am gonna go back to the client and confirm the key again.

Will update here whatever it is.

Thanks so much Balaji and Rob.

So what I did is changed the auth to simple auth on both the devices and OSPF started working.

Changed the key as well.

Thanks all for your quick help and suggestions.

You are so welcome 

Sure, that is what we identified. Glad all is working, so we mark it as resolved, and we appreciate your input.

BB


@engineer467 are your authentication settings correct? If using message-digest, then you specify a message-digest key, not an authentication key.

 

interface GigabitEthernet1/2
ospf authentication message-digest
ospf message-digest-key 1 md5 *****

unless you are using a simple password

interface GigabitEthernet1/2
ospf authentication-key *****
ospf authentication

 

It's not a simple password, it's MD5.

Please check the screenshot.

 

 

@engineer467 my point was the ASA is configured with a simple password but is enabled for message-digest (MD5 authentication), the simple password defined will not work with message-digest. You'd need a message-digest key.

 

If you run "show ospf interface" on the ASA, it may state cryptographic authentication enabled but no key defined, so therefore will use a default key. So potentially both devices (the ASA and router) are not working as expected and using a default key.

https://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-ospf/13697-25.html
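
An added example, not part of any reply in this thread and not Cisco code: a small Python check for the mismatch described above, where an interface enables message-digest authentication but only defines an authentication-key. The function name `lint_ospf_auth` and the sample config are constructed for illustration; only the interface-level commands quoted in the thread are checked, not area-level authentication.

```python
import re

# Constructed sample in the two syntaxes quoted in this thread (ASA/FTD
# "ospf ..." and IOS "ip ospf ..."); EXAMPLEKEY is a placeholder.
SAMPLE = """\
interface GigabitEthernet1/2
 ospf authentication message-digest
 ospf message-digest-key 1 md5 EXAMPLEKEY
interface GigabitEthernet1/3
 ospf authentication
interface Vlan10
 ip ospf authentication message-digest
 ip ospf authentication-key 7 EXAMPLEKEY
"""

def lint_ospf_auth(config):
    """Return {interface: [findings]} for interface-level auth mode/key mismatches."""
    stanzas, cur = {}, None
    for raw in config.splitlines():
        line = re.sub(r"^ip\s+", "", raw.strip())  # IOS prefixes the commands with "ip"
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            cur = stanzas.setdefault(m.group(1), {"mode": None, "md5": False, "simple": False})
        elif cur is None:
            continue  # global config before the first interface
        elif line == "ospf authentication message-digest":
            cur["mode"] = "md5"
        elif line == "ospf authentication":
            cur["mode"] = "simple"
        elif line.startswith("ospf message-digest-key "):
            cur["md5"] = True
        elif line.startswith("ospf authentication-key "):
            cur["simple"] = True
    findings = {}
    for name, s in stanzas.items():
        issues = []
        if s["mode"] == "md5" and not s["md5"]:
            issues.append("message-digest enabled but no message-digest-key")
        if s["mode"] == "md5" and s["simple"]:
            issues.append("authentication-key set but mode is message-digest")
        if s["mode"] == "simple" and not s["simple"]:
            issues.append("simple authentication enabled but no authentication-key")
        if issues:
            findings[name] = issues
    return findings

if __name__ == "__main__":
    for iface, issues in lint_ospf_auth(SAMPLE).items():
        print(iface, "->", "; ".join(issues))
```
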

 

Friend, there are two types of auth:
there is one that adds a hash and the other using MD5.
It is not the key issue; it is the algorithm that OSPF uses for security.
You must change one side, either FPR or ISR.
Check this link:
https://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-ospf/13697-25.html

 

I am still not able to understand what to configure on firepower now.

How was it working before with the ASA, and why is it not working now with Firepower?

 

Got the other devices' config-

 

interface Vlan10
description GW for xx
ip address xxxx 255.255.255.0
ip ospf authentication message-digest
ip ospf authentication-key 7 <password>

 

 

 

So it's confirmed that the key used is MD5, correct?

https://bst.cisco.com/bugsearch/bug/CSCdw75860/?rfs=iqvred

It seems that it is a bug. Can you check the ISR IOS version on the other side?

 
