
ISIS Hello-Password with Keychain

nonamer15
Level 1

I'm unable to get any neighbor adjacencies with ISIS when using a hello-password with a keychain. However, if I just use an encrypted hello-password, everything works as expected. Is a keychain not supported, or are there some additional commands to make this work?


Below is a topology diagram. I'm using XR nodes running 6.1.2. I've also tried using actual hardware running 6.5.1 with the same results.

[Topology diagram: isis.JPG]


Here's the configuration without the keychain and everything works as expected.

hostname R1
key chain ISIS-KEY
 key 1
  key-string password 10460C15091843595F50
  cryptographic-algorithm HMAC-MD5
 !
!
interface Loopback0
 ipv4 address 11.11.11.11 255.255.255.255
!
interface MgmtEth0/0/CPU0/0
 shutdown
!
interface GigabitEthernet0/0/0/0
 ipv4 address 1.1.1.1 255.255.255.0
!
router isis iroute
 net 49.1001.0010.0100.1001.00
 interface Loopback0
  address-family ipv4 unicast
  !
 !
 interface GigabitEthernet0/0/0/0
  hello-password hmac-md5 encrypted 10460C15091843595F50
  address-family ipv4 unicast
  !
 !
!
end



hostname R2
key chain ISIS-KEY
 key 1
  key-string password 10460C15091843595F50
  cryptographic-algorithm HMAC-MD5
 !
!
interface Loopback0
 ipv4 address 22.22.22.22 255.255.255.255
!
interface MgmtEth0/0/CPU0/0
 shutdown
!
interface GigabitEthernet0/0/0/0
 ipv4 address 1.1.1.2 255.255.255.0
!
router isis iroute
 net 49.2002.0020.0200.2002.00
 interface Loopback0
  address-family ipv4 unicast
  !
 !
 interface GigabitEthernet0/0/0/0
  hello-password hmac-md5 encrypted 10460C15091843595F50
  address-family ipv4 unicast
  !
 !
!
end


Below is the configuration with the keychain and I'm unable to see neighbors or routes. The only difference is the hello-password keychain ISIS-KEY command.

hostname R1
key chain ISIS-KEY
 key 1
  key-string password 10460C15091843595F50
  cryptographic-algorithm HMAC-MD5
 !
!
interface Loopback0
 ipv4 address 11.11.11.11 255.255.255.255
!
interface MgmtEth0/0/CPU0/0
 shutdown
!
interface GigabitEthernet0/0/0/0
 ipv4 address 1.1.1.1 255.255.255.0
!
router isis iroute
 net 49.1001.0010.0100.1001.00
 interface Loopback0
  address-family ipv4 unicast
  !
 !
 interface GigabitEthernet0/0/0/0
  hello-password keychain ISIS-KEY
  address-family ipv4 unicast
  !
 !
!
end



hostname R2
key chain ISIS-KEY
 key 1
  key-string password 10460C15091843595F50
  cryptographic-algorithm HMAC-MD5
 !
!
interface Loopback0
 ipv4 address 22.22.22.22 255.255.255.255
!
interface MgmtEth0/0/CPU0/0
 shutdown
!
interface GigabitEthernet0/0/0/0
 ipv4 address 1.1.1.2 255.255.255.0
!
router isis iroute
 net 49.2002.0020.0200.2002.00
 interface Loopback0
  address-family ipv4 unicast
  !
 !
 interface GigabitEthernet0/0/0/0
  hello-password keychain ISIS-KEY
  address-family ipv4 unicast
  !
 !
!
end


4 Replies

nishetti
Cisco Employee

Enable 'terminal monitor'.
You should see the error message below:
isis[1013]: %ROUTING-ISIS-5-AUTH_FAILURE_DROP : Dropped P2P IIH from Bundle-Ether11 SNPA 6c9c.ed2c.d95b due to authentication TLV not found

To resolve this, use the command below under the ISIS interface config:
hello-password keychain ISIS-KEY send-only

Hello @nishetti

Could you please tell us why we should use one-way authentication? Is this an IOS XR bug or something special?

Br

Rashad Y.

Krishan
Level 1

This command has solved the issue in my setup. Thanks a lot.

Redmist
Level 1

Hi,

I think the issue is with the key. In XR, unless you configure the send-lifetime and the accept-lifetime, the key isn't 'valid', so it won't be used. In the above example, if you configure the following it should work:

key chain ISIS-KEY
 key 1
  key-string password 10460C15091843595F50
  cryptographic-algorithm HMAC-MD5
  send-lifetime 00:00:00 november 01 1993 infinite
  accept-lifetime 00:00:00 november 01 1993 infinite
 !
!

You can verify the keys with: show key chain ISIS-KEY

Hope this helps
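As an added illustration (not code from this thread or from Cisco), here is a Python model of the two behaviours the replies above describe: a keychain key with no send/accept lifetime is treated as never valid, so the sender omits the RFC 5304 Authentication TLV and the receiver drops the hello with "authentication TLV not found", while send-only simply disables the receive-side check. The toy header layout, key string and dates are constructed placeholders, and the "no lifetime means the key is never valid" rule is an assumption taken from Redmist's reply rather than verified IOS XR behaviour.

```python
import hmac, hashlib
from collections import namedtuple
from datetime import datetime, timezone
AUTH_TLV, AUTH_HMAC_MD5, HDR_LEN = 10, 54, 8   # TLV type 10, auth type 54 (RFC 5304); toy 8-byte header
# Keychain entry; a lifetime is (start, end_or_None), or None when the lifetime was never configured.
Key = namedtuple("Key", "key_string send_lifetime accept_lifetime", defaults=(None, None))
def in_lifetime(lifetime, now):
    """Assumption modelling the thread's claim: a key whose lifetime is not configured is never valid."""
    if lifetime is None:
        return False
    start, end = lifetime
    return start <= now and (end is None or now < end)
def send_iih(body, keychain, now):
    """Append an Authentication TLV only if some key is currently valid for sending."""
    key = next((k for k in keychain if in_lifetime(k.send_lifetime, now)), None)
    if key is None:
        return body                        # no usable key: the hello leaves unauthenticated
    head = bytes([AUTH_TLV, 17, AUTH_HMAC_MD5])
    digest = hmac.new(key.key_string, body + head + b"\x00" * 16, hashlib.md5).digest()
    return body + head + digest
def find_auth_tlv(pdu):
    """Walk the TLVs after the header; return (offset, auth_type, digest) or None."""
    i = HDR_LEN
    while i + 2 <= len(pdu):
        t, l = pdu[i], pdu[i + 1]
        if t == AUTH_TLV and l == 17:
            return i, pdu[i + 2], pdu[i + 3:i + 19]
        i += 2 + l
    return None
def receive_iih(pdu, keychain, now, send_only=False):
    """Receiver-side check; send-only skips it, which is why that workaround brings the adjacency up."""
    if send_only:
        return "accepted"
    found = find_auth_tlv(pdu)
    if found is None or found[1] != AUTH_HMAC_MD5:
        return "dropped: authentication TLV not found"
    off, _, digest = found
    zeroed = pdu[:off + 3] + b"\x00" * 16 + pdu[off + 19:]   # digest field zeroed before HMAC (RFC 5304)
    for key in (k for k in keychain if in_lifetime(k.accept_lifetime, now)):
        if hmac.compare_digest(hmac.new(key.key_string, zeroed, hashlib.md5).digest(), digest):
            return "accepted"
    return "dropped: authentication failure"
# Constructed sample input: toy header, then a Protocols Supported TLV (129) listing IPv4 (0xcc).
IIH_BODY = bytes(HDR_LEN) + bytes([129, 1, 0xCC])
NOV_1993 = datetime(1993, 11, 1, tzinfo=timezone.utc)   # start date used in the keychain fix in this thread
NOW = datetime(2019, 6, 1, tzinfo=timezone.utc)
NO_LIFETIME = [Key(b"constructed-secret")]                # the thread's original keychain: key 1, no lifetimes
WITH_LIFETIME = [Key(b"constructed-secret", (NOV_1993, None), (NOV_1993, None))]
```

Run receive_iih(send_iih(IIH_BODY, NO_LIFETIME, NOW), NO_LIFETIME, NOW) to reproduce the drop, then the same call with WITH_LIFETIME or send_only=True to see it accepted.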