OSPF Keychain auth issue

Trent211111
Level 1

So I configured 2 switch interfaces to use keychain authentication, and after the key expires the switches still propagate the OSPF networks instead of shutting off the adjacency... any idea why this is happening?

This is the config I used:

enable
conf t
key chain OSPF_KEYCHAIN
key 1
key-string cisco
cryptographic-algorithm hmac-sha-256
send-lifetime 13:00:00 21 Jan 2022 13:09:59 Jan 21 2022
accept-lifetime 12:59:50 21 Jan 2022 13:10:05 Jan 21 2022
exit
key 2
key-string cisco1
cryptographic-algorithm hmac-sha-256
send-lifetime 13:09:50 Jan 21 2022 13:20:00 Jan 21 2022
accept-lifetime 13:09:40 Jan 21 2022 13:20:05 Jan 21 2022

And here are the logs:

Jan 21 13:41:07.725: %OSPF-5-LASTKEYEXP: The last key has expired for interface GigabitEthernet0/2, packets sent using last valid key.
Jan 21 13:41:42.384: %OSPF-5-EXPIREDKEY: Packet received on interface GigabitEthernet0/2 with expired Key ID 2.
Jan 21 13:42:15.061: %OSPF-5-LASTKEYEXP: The last key has expired for interface GigabitEthernet0/2, packets sent using last valid key.
Jan 21 13:42:44.015: %OSPF-5-EXPIREDKEY: Packet sent on interface GigabitEthernet0/2 with expired Key ID 2.
Jan 21 13:43:23.039: %OSPF-5-LASTKEYEXP: The last key has expired for interface GigabitEthernet0/2, packets sent using last valid key.
Jan 21 13:43:46.920: %OSPF-5-EXPIREDKEY: Packet received on interface GigabitEthernet0/2 with expired Key ID 2.

And here is the ospf interface information:

AccessHelpDesk1#show ip ospf interface gigabitEthernet 0/0
GigabitEthernet0/0 is up, line protocol is up (connected)
Internet Address 10.10.30.2/30, Area 0, Attached via Network Statement
Process ID 1, Router ID 10.10.30.10, Network Type BROADCAST, Cost: 1
Topology-MTID Cost Disabled Shutdown Topology Name
0 1 no no Base
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 10.10.30.10, Interface address 10.10.30.2
Backup Designated router (ID) 10.10.10.10, Interface address 10.10.30.1
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:03
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 0, maximum is 2
Last flood scan time is 0 msec, maximum is 1 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 10.10.10.10 (Backup Designated Router)
Suppress hello for 0 neighbor(s)
Cryptographic authentication enabled
Sending SA: Key 2, Algorithm HMAC-SHA-256 - key chain OSPF_KEYCHAIN

Distro1B#show ip ospf interface gigabitEthernet 0/2
GigabitEthernet0/2 is up, line protocol is up (connected)
Internet Address 10.10.30.1/30, Area 0, Attached via Network Statement
Process ID 1, Router ID 10.10.10.10, Network Type BROADCAST, Cost: 1
Topology-MTID Cost Disabled Shutdown Topology Name
0 1 no no Base
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 10.10.30.10, Interface address 10.10.30.2
Backup Designated router (ID) 10.10.10.10, Interface address 10.10.30.1
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:06
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 2/2, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 1 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 10.10.30.10 (Designated Router)
Suppress hello for 0 neighbor(s)
Cryptographic authentication enabled
Sending SA: Key 2, Algorithm HMAC-SHA-256 - key chain OSPF_KEYCHAIN

I can provide other information if needed.

Accepted Solution

Seb Rupik
VIP Alumni

Hi there,

As the output shows, the routers continue to send the expired key to ensure that the adjacency does not get removed:

"packets sent using last valid key."

This is defined in the OSPF IETF RFC 2328 under section D.3:

        ....it is unacceptable to
        revert to an unauthenticated condition, and not advisable to
        disrupt routing.  Therefore, the router should send a "last
        authentication key expiration" notification to the network
        manager and treat the key as having an infinite lifetime until
        the lifetime is extended, the key is deleted by network
        management, or a new key is configured.

cheers,

Seb.


4 Replies


Thank you, sir. That makes sense, but I just wanted to make sure as I didn't know for sure.

This is an interesting topic.

@Trent211111,

I think if you really need to break the neighbour relationship, what you could do is add another "dummy" key to your keychain and make sure it is either only added on one of the two routers or, if added on both, that it is random and doesn't match. This way, when the last "real" key dies, the "dummy" one takes over and causes a key mismatch, so OSPF goes down.
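As an added example (not code from the thread, from Cisco, or from RFC 2328), this small Python model shows the send-key selection Seb quotes from RFC 2328 D.3 together with the "dummy key" idea above, using the send-lifetimes from the original post's OSPF_KEYCHAIN. The tie-break during the key overlap window and the unenforced accept-lifetime on the receive side are assumptions chosen to match the logs in the post.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

@dataclass
class Key:
    key_id: int
    key_string: str
    send_start: datetime
    send_end: Optional[datetime]  # None models an infinite send-lifetime

def ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

# Constructed model of the post's OSPF_KEYCHAIN (send-lifetimes copied from the config).
OSPF_KEYCHAIN = [
    Key(1, "cisco",  ts("2022-01-21 13:00:00"), ts("2022-01-21 13:09:59")),
    Key(2, "cisco1", ts("2022-01-21 13:09:50"), ts("2022-01-21 13:20:00")),
]

def select_send_key(chain: List[Key], now: datetime) -> Tuple[Optional[Key], str]:
    """Send side per RFC 2328 D.3: use a key whose send-lifetime covers `now`.
    If every key has expired, keep the last valid key (treated as infinite) and
    report LASTKEYEXP rather than reverting to unauthenticated packets."""
    active = [k for k in chain if k.send_start <= now and (k.send_end is None or now <= k.send_end)]
    if active:
        # Assumption for the rollover overlap window: the newest key wins.
        return max(active, key=lambda k: k.send_start), "ok"
    expired = [k for k in chain if k.send_end is not None and k.send_end < now]
    if not expired:
        return None, "no key valid yet"
    return max(expired, key=lambda k: k.send_end), "LASTKEYEXP"

def receiver_accepts(chain: List[Key], key_id: int, key_string: str) -> bool:
    """Receive side: the Key ID must exist locally and the secret must match
    (stands in for HMAC-SHA-256 verification). Accept-lifetime is deliberately
    not enforced, matching the post's EXPIREDKEY packets still being processed."""
    return any(k.key_id == key_id and k.key_string == key_string for k in chain)

def adjacency_survives(sender: List[Key], receiver: List[Key], now: datetime) -> Tuple[bool, str]:
    """Does a Hello built from `sender`'s chain verify against `receiver`'s chain?"""
    key, status = select_send_key(sender, now)
    if key is None:
        return False, status
    return receiver_accepts(receiver, key.key_id, key.key_string), status

if __name__ == "__main__":
    now = ts("2022-01-21 13:41:07")  # first LASTKEYEXP timestamp in the post
    print(adjacency_survives(OSPF_KEYCHAIN, OSPF_KEYCHAIN, now))  # (True, 'LASTKEYEXP')
    # The reply's suggestion: a dummy key 3 on one side only forces a Key ID mismatch.
    dummy = Key(3, "dummy-not-on-peer", ts("2022-01-21 13:20:01"), None)
    print(adjacency_survives(OSPF_KEYCHAIN + [dummy], OSPF_KEYCHAIN, now))  # (False, 'ok')
```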


balaji.bandi
Hall of Fame

The ones you shared are connected to each other.

Post the below output:

show run interface x/x (from both the devices)

show IP route

show IP OSPF neigh

BB