20093 Views, 15 Helpful, 5 Replies

ASR900 - OSPF-4-NOVALIDKEY: No valid authentication send key is available on interface

Pedro Morais
Beginner

Hi,

I have some ASR902 running 15.4(3)S1, where I'm seeing a lot of the following messages:

225908: Feb 16 13:22:19.850 AST: %OSPF-4-NOVALIDKEY: No valid authentication send key is available on interface BDI960
225909: Feb 16 13:22:36.571 AST: %OSPF-4-INVALIDKEY: Key ID 0 received on interface BDI960
225910: Feb 16 13:23:19.921 AST: %OSPF-4-NOVALIDKEY: No valid authentication send key is available on interface BDI960
225911: Feb 16 13:23:36.751 AST: %OSPF-4-INVALIDKEY: Key ID 0 received on interface BDI960
225912: Feb 16 13:24:20.213 AST: %OSPF-4-NOVALIDKEY: No valid authentication send key is available on interface BDI960
225913: Feb 16 13:24:36.819 AST: %OSPF-4-INVALIDKEY: Key ID 0 received on interface BDI960
225914: Feb 16 13:25:20.304 AST: %OSPF-4-NOVALIDKEY: No valid authentication send key is available on interface BDI960


The configuration applied to the interface is the following:

interface BDI960
 ip address 10.1.1.1 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip mtu 9198
 ip pim sparse-mode
 ip ospf authentication message-digest
 ip ospf authentication-key 7 <>
 ip ospf network point-to-point
 ip ospf dead-interval minimal hello-multiplier 3
 ip ospf 1 area 0
 no mpls ldp igp autoconfig


OSPF adjacency is up and everything looks OK. Any idea?


Thanks,

Pedro

2 Accepted Solutions

Hi Pedro,

Is this the actual config on the interface or did you blank out the key? 

ip ospf authentication-key 7 <>

Also, check your upstream router that it is configured to send the right key number. In the below example the key is 1 and it uses md5 with type 7 encryption. 

ip ospf message-digest-key 1 md5 7 xxxxxxxxx

-Mario

P.S. If you look at your error message, it says that the interface received the wrong key: %OSPF-4-INVALIDKEY: Key ID 0 received on interface BDI960


Peter Paluch
Hall of Fame Cisco Employee

Pedro,

I believe you have a fairly common configuration error. Your authentication is set to MD5 thanks to the ip ospf authentication message-digest command. However, the ip ospf authentication-key command defines a key only for the plaintext authentication, not for the MD5 authentication. As a result, you have activated MD5 authentication but you did not define a key for it, so an implicit empty key with ID 0 is being used for the authentication. That is also what the logging messages say. The OSPF adjacencies currently work because they are all authenticated using the same implicit empty key with ID 0.

The correction is simple: remove the ip ospf authentication-key command and instead, configure the ip ospf message-digest-key key-id md5 key-string command, substituting key-id for a proper key number and key-string for a proper password.

Be aware that as soon as you configure this, your OSPF adjacencies may flap because you define an explicit MD5 key which is not yet configured on the other routers. Therefore, I would suggest doing this configuration during a maintenance window.

Definitely, though, you should not leave the current configuration as-is. Because the key ID and key string of an empty key is well known, you essentially have no protection.

Best regards,
Peter

5 Replies


Hi Mario,

Thanks for your help!



Hi Peter,

Thanks for your help. This is definitely the problem!

Cheers,

Pedro

Thanks Peter for your explanation.

However, I do have a question: if you define area authentication with "area 0.0.0.0 authentication message-digest",

can you exclude one particular interface from using MD5 authentication?

I have 3 interfaces in area 0.0.0.0, two have the proper keys defined, but one interface is to an external router which has no key defined.

I removed the key on my side, so the adjacency comes up, but now I am getting this log message as the key is not "defined" but MD5 is still "enabled".

Can I do "no ip ospf authentication message-digest" on the interface to not use MD5 on this particular interface only, even though it is part of area 0.0.0.0?


regards,

Geert
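As an added example (not part of the thread, and not Cisco tooling), here is a small Python audit script for the misconfiguration Peter describes: it parses IOS interface stanzas, flags any interface that has MD5 authentication enabled but no ip ospf message-digest-key (and any ip ospf authentication-key line that is being ignored under message-digest), and summarises the %OSPF-4-NOVALIDKEY / %OSPF-4-INVALIDKEY log lines Mario points to. It goes beyond Pedro's stanza in one way: it also treats interfaces in an area configured with "area <id> authentication message-digest" as MD5-enabled, which is Geert's follow-up case. The configs and log lines are constructed to mirror the thread (the type 7 strings are placeholders); the assumptions that interfaces join areas with "ip ospf <pid> area <id>", and that an explicit ip ospf authentication line on an interface overrides the area setting, are mine and not statements from the thread.

```python
"""Hypothetical audit script (added example, not Cisco tooling): flag IOS interfaces running
OSPF MD5 authentication with no message-digest-key, and summarise the resulting syslog lines."""
import re

# Constructed: the questioner's stanza (MD5 enabled, but only a plaintext key; type 7 string is a placeholder).
WEAK_CONFIG = """\
interface BDI960
 ip address 10.1.1.1 255.255.255.252
 ip ospf authentication message-digest
 ip ospf authentication-key 7 xxxxxxxxx
 ip ospf network point-to-point
 ip ospf 1 area 0
"""
# The corrected stanza: the key moves to 'ip ospf message-digest-key <id> md5 ...'.
FIXED_CONFIG = WEAK_CONFIG.replace("ip ospf authentication-key 7", "ip ospf message-digest-key 1 md5 7")
# Constructed: MD5 enabled for the whole area, one member interface left without a key.
AREA_CONFIG = """\
router ospf 1
 area 0.0.0.0 authentication message-digest
interface GigabitEthernet0/0/0
 ip ospf message-digest-key 1 md5 7 xxxxxxxxx
 ip ospf 1 area 0.0.0.0
interface GigabitEthernet0/0/1
 ip ospf 1 area 0.0.0.0
"""
# Constructed from the log lines quoted in the question.
SYSLOG = """\
225908: Feb 16 13:22:19.850 AST: %OSPF-4-NOVALIDKEY: No valid authentication send key is available on interface BDI960
225909: Feb 16 13:22:36.571 AST: %OSPF-4-INVALIDKEY: Key ID 0 received on interface BDI960
"""

AREA_MD5_RE = re.compile(r"^area (\S+) authentication message-digest$")
MD5_KEY_RE = re.compile(r"^ip ospf message-digest-key (\d+) md5 ")
IFACE_AREA_RE = re.compile(r"^ip ospf \d+ area (\S+)$")
SYSLOG_RE = re.compile(r"%OSPF-4-(NOVALIDKEY|INVALIDKEY): (?:Key ID (\d+) received on|"
                       r"No valid authentication send key is available on) interface (\S+)")


def parse_blocks(config):
    """Group a running-config into {header line: [indented lines]}."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):
            current = raw.strip()
            blocks[current] = []
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks


def normalize_area(area):
    """IOS accepts an area ID as decimal or dotted quad; 0 and 0.0.0.0 name the same area."""
    octets = [int(o) for o in area.split(".")]
    return int.from_bytes(bytes(octets), "big") if len(octets) == 4 else octets[0]


def audit_config(config):
    """{interface: [finding, ...]} for interfaces running MD5 (set per interface, or inherited
    from 'area <id> authentication message-digest') without a message-digest-key.  Assumes the
    'ip ospf <pid> area <id>' form; an explicit 'ip ospf authentication ...' line on the
    interface is treated as overriding the area setting (assumption, not stated in the thread)."""
    blocks = parse_blocks(config)
    md5_areas = {normalize_area(m.group(1)) for h, ls in blocks.items()
                 if h.startswith("router ospf") for m in map(AREA_MD5_RE.match, ls) if m}
    findings = {}
    for header, lines in blocks.items():
        if not header.startswith("interface "):
            continue
        explicit, plain_key, key_ids, inherited = None, False, [], False
        for line in lines:
            if line.startswith("ip ospf authentication-key "):
                plain_key = True          # plaintext key only; irrelevant once MD5 is on
            elif line.startswith("ip ospf authentication"):
                explicit = line[len("ip ospf authentication"):].strip() or "plaintext"  # or message-digest / null
            elif (m := MD5_KEY_RE.match(line)):
                key_ids.append(int(m.group(1)))
            elif (m := IFACE_AREA_RE.match(line)) and normalize_area(m.group(1)) in md5_areas:
                inherited = True
        md5_on = explicit == "message-digest" or (explicit is None and inherited)
        out = []
        if md5_on and not key_ids:
            out.append("MD5 enabled (%s) but no 'ip ospf message-digest-key': the router sends with the "
                       "implicit empty key ID 0 (%%OSPF-4-NOVALIDKEY)" % ("interface" if explicit else "area"))
        if md5_on and plain_key:
            out.append("'ip ospf authentication-key' sets only the plaintext key; ignored under message-digest")
        if out:
            findings[header.split(None, 1)[1]] = out
    return findings


def parse_ospf_key_syslog(text):
    """Per interface: whether the router reports no send key, and which key IDs neighbours sent."""
    out = {}
    for m in filter(None, map(SYSLOG_RE.search, text.splitlines())):
        mnemonic, key_id, iface = m.groups()
        entry = out.setdefault(iface, {"no_send_key": False, "received_key_ids": set()})
        if mnemonic == "NOVALIDKEY":
            entry["no_send_key"] = True
        else:
            entry["received_key_ids"].add(int(key_id))
    return out
```

Feed audit_config the text of show running-config; an interface that does not appear in the result is either not running MD5 or is running it with a configured message-digest-key, which is the state Peter's correction leaves BDI960 in. A NOVALIDKEY entry together with a received key ID of 0 from parse_ospf_key_syslog is the signature of both ends authenticating with the implicit empty key.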
