EIGRP key-id range on Cisco ASAs

EIGRP key-id on Cisco ASAs can only be between 0-255, whereas it's much, much higher on the routers. We are planning to implement EIGRP on Cisco ASAs to move away from static routing but realized that the key-id on the routers is greater than 255, which is not supported on ASAs.

We can't change the key-id on the routers. Is there any workaround on the ASAs to be able to configure EIGRP authentication and bring up the neighbor relationship with the router using a key-id greater than 255?

There doesn't seem to be a solution from the documentation I read so far, but I wanted to try my luck here.

5 Replies

johnlloyd_13
Level 9

Hi,

I tried on both the 5510 and 5525-X; it supports an EIGRP process ID of up to 65535.

5525-X# sh route eigrp ?

  <1-65535>  Process ID
  |          Output modifiers
  <cr>

5510# sh eigrp ?

  <1-65535>   Autonomous System
  events      EIGRP-IPv4 Events
  interfaces  EIGRP-IPv4 interfaces
  neighbors   EIGRP-IPv4 neighbors
  topology    EIGRP Topology Table or Topology Name
  traffic     EIGRP-IPv4 Traffic Statistics

Could you post your ASA show version and show route eigrp ? (if 5500-X) or show eigrp ? (5500/non-X ASA)

Hello John,

I meant the authentication key-id for EIGRP on an ASA.

authentication key eigrp 12345 magik key-id ?

 interface mode commands/options:

  <0-255>  The shared key id that matches the key

Thanks,
Vikram

Hi,

You don't need the key-id to be the same.

It's just an arbitrary sequence number local to the router/ASA.

Only the key-string needs to be the same.

http://www.ciscopress.com/articles/article.asp?p=687478&seqNum=4

For EIGRP MD5 authentication, you must configure an authenticating key and a key ID on both the sending router and the receiving router. Each key has its own key ID, which is stored locally. The combination of the key ID and the interface associated with the message uniquely identifies the authentication algorithm and MD5 authentication key in use.

Hello John - seems that is incorrect and they have corrected the statement at a later time.

Key-ids have to match on the neighbors.

Hi,

Yes, you're right. I saw there was an errata on the said book/doc for the EIGRP key-id number.

Looks like you're out of luck with the ASA EIGRP key-id limitation.
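
A pre-deployment check for the limitation discussed in this thread, as an added example that is not part of any poster's reply: it compares the key IDs in a router's EIGRP key chain with the key-ids configured on an ASA and flags IDs the ASA cannot hold (outside the 0-255 range shown in the CLI help above) or that have no counterpart on the router. The sample configs, chain name, key strings and function names are constructed for illustration; the router side assumes standard IOS `key chain` syntax.

```python
import re

ASA_KEY_IDS = range(0, 256)  # <0-255>, per the ASA CLI help quoted in the thread

# Constructed sample configs (not from the thread); chain name and keys are placeholders.
ROUTER_CFG = """\
key chain EIGRP-KEYS
 key 42
  key-string ExampleKeyA
 key 1000
  key-string ExampleKeyB
interface GigabitEthernet0/1
 ip authentication mode eigrp 12345 md5
 ip authentication key-chain eigrp 12345 EIGRP-KEYS
"""
ASA_CFG = """\
interface GigabitEthernet0/0
 authentication mode eigrp 12345 md5
 authentication key eigrp 12345 ***** key-id 7
"""

def router_key_ids(cfg):
    """Map EIGRP AS number -> key IDs in the key chain(s) bound to it (IOS syntax)."""
    chains, current, out = {}, None, {}
    for line in cfg.splitlines():
        if m := re.fullmatch(r"key chain (\S+)", line.strip()):
            current = chains.setdefault(m[1], set())
        elif not line.startswith(" "):
            current = None  # any other top-level command ends the key chain block
        elif current is not None and (m := re.fullmatch(r"key (\d+)", line.strip())):
            current.add(int(m[1]))
    for asn, name in re.findall(r"ip authentication key-chain eigrp (\d+) (\S+)", cfg):
        out.setdefault(int(asn), set()).update(chains.get(name, set()))
    return out

def asa_key_ids(cfg):
    """Map EIGRP AS number -> key-ids configured on ASA interfaces."""
    out = {}
    for asn, kid in re.findall(r"authentication key eigrp (\d+) \S+ key-id (\d+)", cfg):
        out.setdefault(int(asn), set()).add(int(kid))
    return out

def audit(router_cfg, asa_cfg):
    """Return sorted (as_number, key_id, problem) findings for the two configs."""
    findings, asa = [], asa_key_ids(asa_cfg)
    for asn, ids in router_key_ids(router_cfg).items():
        findings += [(asn, k, "router key-id outside ASA range 0-255")
                     for k in ids if k not in ASA_KEY_IDS]
        findings += [(asn, k, "ASA key-id not present in router key chain")
                     for k in asa.get(asn, set()) - ids]
    return sorted(findings)
```
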