02-16-2015 09:43 AM - last edited on 02-20-2023 11:13 PM by Translator
Hi,
I have some ASR902 running 15.4(3)S1, where I'm seeing a lot of the following messages:
225908: Feb 16 13:22:19.850 AST: %OSPF-4-NOVALIDKEY: No valid authentication send key is available on interface BDI960
225909: Feb 16 13:22:36.571 AST: %OSPF-4-INVALIDKEY: Key ID 0 received on interface BDI960
225910: Feb 16 13:23:19.921 AST: %OSPF-4-NOVALIDKEY: No valid authentication send key is available on interface BDI960
225911: Feb 16 13:23:36.751 AST: %OSPF-4-INVALIDKEY: Key ID 0 received on interface BDI960
225912: Feb 16 13:24:20.213 AST: %OSPF-4-NOVALIDKEY: No valid authentication send key is available on interface BDI960
225913: Feb 16 13:24:36.819 AST: %OSPF-4-INVALIDKEY: Key ID 0 received on interface BDI960
225914: Feb 16 13:25:20.304 AST: %OSPF-4-NOVALIDKEY: No valid authentication send key is available on interface BDI960
The configuration applied to the interface is the following:
interface BDI960
ip address 10.1.1.1 255.255.255.252
no ip redirects
no ip proxy-arp
ip mtu 9198
ip pim sparse-mode
ip ospf authentication message-digest
ip ospf authentication-key 7 <>
ip ospf network point-to-point
ip ospf dead-interval minimal hello-multiplier 3
ip ospf 1 area 0
no mpls ldp igp autoconfig
OSPF adjacency is up and everything looks OK. Any idea?
Thanks,
Pedro
02-16-2015 11:49 AM - last edited on 02-22-2023 01:38 AM by Translator
Hi Pedro,
Is this the actual config on the interface or did you blank out the key?
ip ospf authentication-key 7 <>
Also, check your upstream router that it is configured to send the right key number. In the below example the key is 1 and it uses md5 with a 7 encryption.
ip ospf message-digest-key 1 md5 7 xxxxxxxxx
-Mario
P.S. If you look at your error message, it says that the interface received the wrong key:
%OSPF-4-INVALIDKEY: Key ID 0 received on interface BDI960
02-16-2015 11:25 PM - last edited on 02-22-2023 01:46 AM by Translator
Pedro,
I believe you have a fairly common configuration error. Your authentication is set to MD5 thanks to the ip ospf authentication message-digest command. However, the ip ospf authentication-key command defines a key only for the plaintext authentication, not for the MD5 authentication. As a result, you have activated MD5 authentication but you did not define a key for it, so an implicit empty key with ID 0 is being used for the authentication. That is also what the logging messages say. The OSPF adjacencies currently work because they are all authenticated using the same implicit empty key with ID 0.
The correction is simple: remove the ip ospf authentication-key command and instead, configure the ip ospf message-digest-key key-id md5 key-string command, substituting key-id for a proper key number and key-string for a proper password.
Be aware that as soon as you configure this, your OSPF adjacencies may flap because you define an explicit MD5 key which is not yet configured on the other routers. Therefore, I would suggest doing this configuration during a maintenance window.
Definitely, though, you should not leave the current configuration as-is. Because the key ID and key string of an empty key are well known, you essentially have no protection.
Best regards,
Peter
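An added example (not part of the original posts, and not Cisco tooling): a small Python audit that flags the misconfiguration described in the reply above, MD5 authentication enabled on an interface with no ip ospf message-digest-key defined, and pulls the affected interfaces out of %OSPF-4-NOVALIDKEY log lines. The sample config and log text are constructed, the key strings are placeholders, and only interface-level authentication commands are checked (area-level authentication is not considered).

```python
import re

# Constructed sample: IOS-style stanzas; key strings are placeholders.
SAMPLE_CONFIG = """\
interface BDI960
 ip ospf authentication message-digest
 ip ospf authentication-key 7 PLACEHOLDER
 ip ospf 1 area 0
!
interface BDI961
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 7 PLACEHOLDER
 ip ospf 1 area 0
!
"""
# Constructed log lines in the format quoted in the thread.
SAMPLE_LOG = """\
1: Feb 16 13:22:19.850 AST: %OSPF-4-NOVALIDKEY: No valid authentication send key is available on interface BDI960
2: Feb 16 13:22:36.571 AST: %OSPF-4-INVALIDKEY: Key ID 0 received on interface BDI960
"""
MD5_KEY = re.compile(r"ip ospf message-digest-key \d+ md5 ")
NO_KEY_LOG = re.compile(r"%OSPF-4-NOVALIDKEY: .* on interface (\S+)")

def parse_interfaces(config):
    """Map each interface name to the list of its indented sub-commands."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = stanzas.setdefault(raw.split(None, 1)[1].strip(), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:  # "!" or any top-level command ends the stanza
            current = None
    return stanzas

def audit(config):
    """Return {interface: [issues]} for MD5 auth configured without an MD5 key."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        md5_on = "ip ospf authentication message-digest" in lines
        has_md5_key = any(MD5_KEY.match(l) for l in lines)
        plain_key = any(l.startswith("ip ospf authentication-key ") for l in lines)
        issues = []
        if md5_on and not has_md5_key:
            issues.append("md5-enabled-no-key")      # implicit empty key ID 0 in use
        if md5_on and plain_key:
            issues.append("plaintext-key-ignored")   # key applies to plaintext mode only
        if issues:
            findings[name] = issues
    return findings

def interfaces_without_send_key(log):
    """Interfaces named in NOVALIDKEY messages, sorted and de-duplicated."""
    return sorted({m.group(1) for m in NO_KEY_LOG.finditer(log)})
```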
04-06-2015 08:09 AM
Hi Mario,
Thanks for your help!
04-06-2015 08:08 AM
Hi Peter,
Thanks for your help. This is definitely the problem!
Cheers,
Pedro
04-07-2022 08:35 AM - last edited on 02-22-2023 01:48 AM by Translator
Thanks Peter for your explanation.
However, I do have a question: if you define area authentication with area 0.0.0.0 authentication message-digest, can you exclude one particular interface from using MD5 authentication?
I have 3 interfaces in area 0.0.0.0, two have the proper keys defined, but one interface is to an external router which has no key defined.
I removed the key on my side, so the adjacency comes up, but now I am getting this log message as the key is not "defined" but MD5 is still "enabled".
Can I do no ip ospf authentication message-digest on the interface to not use MD5 on this particular interface only, even though it is part of area 0.0.0.0?
regards,
Geert