
ASR900 - OSPF-4-NOVALIDKEY: No valid authentication send key is available on interface

Hi,

I have some ASR902 running 15.4(3)S1, where I'm seeing a lot of the following messages:

225908: Feb 16 13:22:19.850 AST: %OSPF-4-NOVALIDKEY: No valid authentication send key is available on interface BDI960
225909: Feb 16 13:22:36.571 AST: %OSPF-4-INVALIDKEY: Key ID 0 received on interface BDI960
225910: Feb 16 13:23:19.921 AST: %OSPF-4-NOVALIDKEY: No valid authentication send key is available on interface BDI960
225911: Feb 16 13:23:36.751 AST: %OSPF-4-INVALIDKEY: Key ID 0 received on interface BDI960
225912: Feb 16 13:24:20.213 AST: %OSPF-4-NOVALIDKEY: No valid authentication send key is available on interface BDI960
225913: Feb 16 13:24:36.819 AST: %OSPF-4-INVALIDKEY: Key ID 0 received on interface BDI960
225914: Feb 16 13:25:20.304 AST: %OSPF-4-NOVALIDKEY: No valid authentication send key is available on interface BDI960

 

The configuration applied to the interface is the following:

interface BDI960
 ip address 10.1.1.1 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip mtu 9198
 ip pim sparse-mode
 ip ospf authentication message-digest
 ip ospf authentication-key 7 <>
 ip ospf network point-to-point
 ip ospf dead-interval minimal hello-multiplier 3
 ip ospf 1 area 0
 no mpls ldp igp autoconfig

 

OSPF adjacency is up and everything looks OK. Any idea?

 

Thanks,

Pedro

Accepted Solutions

Hi Pedro,

Is this the actual config on the interface or did you blank out the key? 

ip ospf authentication-key 7 <>

Also, check your upstream router that it is configured to send the right key number. In the below example the key is 1 and it uses md5 with a 7 encryption.

ip ospf message-digest-key 1 md5 7 xxxxxxxxx

-Mario

P.S. If you look at your error message, it says that the interface received the wrong key: %OSPF-4-INVALIDKEY: Key ID 0 received on interface BDI960

Hall of Fame Cisco Employee

Pedro,

I believe you have a fairly common configuration error. Your authentication is set to MD5 thanks to the ip ospf authentication message-digest command. However, the ip ospf authentication-key command defines a key only for the plaintext authentication, not for the MD5 authentication. As a result, you have activated MD5 authentication but you did not define a key for it, so an implicit empty key with ID 0 is being used for the authentication. That is also what the logging messages say. The OSPF adjacencies currently work because they are all authenticated using the same implicit empty key with ID 0.

The correction is simple: remove the ip ospf authentication-key command and instead, configure the ip ospf message-digest-key key-id md5 key-string command, substituting key-id for a proper key number and key-string for a proper password.

Be aware that as soon as you configure this, your OSPF adjacencies may flap because you define an explicit MD5 key which is not yet configured on the other routers. Therefore, I would suggest doing this configuration during a maintenance window.

Definitely, though, you should not leave the current configuration as-is. Because the key ID and key string of an empty key are well known, you essentially have no protection.

Best regards,
Peter
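
Added example (not part of the original thread and not Cisco code): a small Python check for the misconfiguration described in the answer above, flagging interfaces that enable MD5 authentication without a message-digest-key and cross-checking them against %OSPF-4-NOVALIDKEY log lines. The function names and the BDI961 stanza are assumptions; only interface-level commands are examined, so area-level authentication and key chains are out of scope.

```python
import re

# Constructed sample: BDI960 mirrors the stanza posted in the thread; BDI961 is
# a hypothetical corrected interface with a placeholder key string.
SAMPLE_CONFIG = """\
interface BDI960
 ip ospf authentication message-digest
 ip ospf authentication-key 7 <>
!
interface BDI961
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 7 xxxxxxxxx
!
"""
# Constructed syslog lines in the format shown in the thread.
SAMPLE_LOG = """\
225908: Feb 16 13:22:19.850 AST: %OSPF-4-NOVALIDKEY: No valid authentication send key is available on interface BDI960
225909: Feb 16 13:22:36.571 AST: %OSPF-4-INVALIDKEY: Key ID 0 received on interface BDI960
"""

def audit_config(config):
    """Return {interface: [findings]} for interface-level OSPF MD5 auth."""
    stanzas, name = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = line.split(None, 1)[1]
            stanzas[name] = []
        elif line.startswith(" ") and name:
            stanzas[name].append(line.strip())
        else:
            name = None  # "!" or a global command ends the stanza
    findings = {}
    for name, cmds in stanzas.items():
        md5_on = "ip ospf authentication message-digest" in cmds
        has_md5_key = any(c.startswith("ip ospf message-digest-key ") for c in cmds)
        if md5_on and not has_md5_key:
            findings[name] = ["MD5 enabled without message-digest-key (implicit empty key, ID 0)"]
            if any(c.startswith("ip ospf authentication-key ") for c in cmds):
                findings[name].append("authentication-key only applies to plaintext authentication")
    return findings

def interfaces_missing_send_key(log_text):
    """Return interfaces named in %OSPF-4-NOVALIDKEY messages."""
    return set(re.findall(r"%OSPF-4-NOVALIDKEY: .* on interface (\S+)", log_text))

if __name__ == "__main__":
    for intf, issues in audit_config(SAMPLE_CONFIG).items():
        print(intf, "->", "; ".join(issues))
    print("log confirms:", sorted(interfaces_missing_send_key(SAMPLE_LOG)))
```

An interface that appears in both results is running MD5 authentication with the implicit empty key, even though its adjacency is up.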


 

Hi Mario,

Thanks for your help!

 

Hi Peter,

Thanks for your help. This is definitely the problem!

Cheers,

Pedro
