02-09-2009 12:21 PM - edited 03-04-2019 03:29 AM
I'm using MD5 auth on a virtual link and need to understand the key rollover process. I initially configured the routers (7206VXR, 12.4(15)T7) as follows:
R3:
router ospf 1
router-id 3.3.3.3
log-adjacency-changes
area 2 virtual-link 4.4.4.4 authentication message-digest
area 2 virtual-link 4.4.4.4 message-digest-key 1 md5 CISCO
R4:
router ospf 1
router-id 4.4.4.4
log-adjacency-changes
area 2 virtual-link 3.3.3.3 authentication message-digest
area 2 virtual-link 3.3.3.3 message-digest-key 1 md5 CISCO
The virtual link came up fine:
R3(config-router)#do sho ip ospf virt
Virtual Link OSPF_VL2 to router 4.4.4.4 is up
Run as demand circuit
DoNotAge LSA allowed.
Transit area 2, via interface Serial1/0.34, Cost of using 64
Transmit Delay is 1 sec, State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:09
Adjacency State FULL (Hello suppressed)
Index 2/3, retransmission queue length 0, number of retransmission 0
First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
Last retransmission scan length is 0, maximum is 0
Last retransmission scan time is 0 msec, maximum is 0 msec
Message digest authentication enabled
Youngest key id is 1
Then I changed the keys as follows:
R3(config-router)#area 2 virtual-link 4.4.4.4 message-digest-key 2 md5 CCIE
R4(config-router)#area 2 virtual-link 3.3.3.3 message-digest-key 2 md5 CCIE
On both routers:
show ip ospf vir
...
Rollover process begins....
Message digest authentication enabled
Youngest key id is 2
Rollover in progress, 1 neighbor(s) using the old key(s):
key id 1
Then I removed the old keys:
R3(config-router)#no area 2 virtual-link 4.4.4.4 message-digest-key 1
R4(config-router)#no area 2 virtual-link 3.3.3.3 message-digest-key 1
And I still see the rollover process in effect on both routers:
Message digest authentication enabled
Youngest key id is 2
Rollover in progress, 1 neighbor(s) using the old key(s):
The output is the same from both routers. My virtual link is still up and OSPF is functioning correctly. But why am I still getting this message?
A show run confirms that key 1 no longer exists:
router ospf 1
router-id 3.3.3.3
log-adjacency-changes
area 2 virtual-link 4.4.4.4 authentication message-digest
area 2 virtual-link 4.4.4.4 message-digest-key 2 md5 CCIE
network 3.3.3.3 0.0.0.0 area 0
network 30.3.3.3 0.0.0.0 area 2
network 131.1.23.3 0.0.0.0 area 0
network 131.1.34.3 0.0.0.0 area 2
router ospf 1
router-id 4.4.4.4
log-adjacency-changes
area 2 virtual-link 3.3.3.3 authentication message-digest
area 2 virtual-link 3.3.3.3 message-digest-key 2 md5 CCIE
network 4.4.4.4 0.0.0.0 area 2
network 40.4.4.4 0.0.0.0 area 4
network 131.1.34.4 0.0.0.0 area 2
network 131.1.45.4 0.0.0.0 area 4
Any ideas? Thanks.
02-09-2009 01:11 PM
Hello Michael,
try to repeat the tests using
• debug ip ospf event
• debug ip ospf packet
• debug ip ospf hello
to see how the smooth change of key is implemented: the sending of two copies of each hello, one with key1 and one with key2.
Hope to help
Giuseppe
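Added example (editor's code, not from the thread, Cisco, or IOS): a Python model of RFC 2328 Appendix D cryptographic (MD5) authentication that reproduces the rollover behaviour Giuseppe describes. While both message-digest keys are configured, the sender emits one copy of each Hello per key; the receiver selects the key by the Key ID in the OSPF header, so a neighbour still holding only key 1 keeps its adjacency while the other side moves to key 2. Key IDs and key strings (1/CISCO, 2/CCIE), router IDs and the Hello/Dead timers are taken from the posts; everything else in the packets (network mask, options, sequence numbers) is constructed for the example.

```python
"""
RFC 2328 Appendix D cryptographic authentication for OSPFv2 Hellos.
Constructed example: models the two-copies-per-key rollover, not IOS code.
"""
import hashlib
import hmac
import ipaddress
import struct

OSPF_VERSION = 2
OSPF_TYPE_HELLO = 1
AUTYPE_CRYPTOGRAPHIC = 2      # AuType 2 = cryptographic authentication
MD5_DIGEST_LEN = 16
HEADER_LEN = 24


def pad_key(key: bytes) -> bytes:
    """RFC 2328 D.3: a key shorter than 16 bytes is zero-padded to 16."""
    if len(key) > MD5_DIGEST_LEN:
        raise ValueError("OSPF MD5 keys are at most 16 bytes")
    return key.ljust(MD5_DIGEST_LEN, b"\x00")


def _ip(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed


def build_hello(router_id: str, area_id: str, key_id: int, key: bytes, seq: int) -> bytes:
    """Return an authenticated Hello: 24-byte header + body + trailing 16-byte digest."""
    # Hello body: mask, hello interval, options, priority, dead interval, DR, BDR.
    # Hello 10 / Dead 40 match the page; mask 0.0.0.0 is what a virtual link carries.
    body = struct.pack("!4sHBBI4s4s", _ip("0.0.0.0"), 10, 0x02, 1, 40,
                       _ip("0.0.0.0"), _ip("0.0.0.0"))
    length = HEADER_LEN + len(body)          # the digest is NOT counted in length
    # AuType 2 authentication field: reserved(2), Key ID(1), Auth Data Len(1), Crypto Seq(4)
    auth = struct.pack("!HBBI", 0, key_id, MD5_DIGEST_LEN, seq)
    # Checksum is zero when cryptographic authentication is in use.
    header = struct.pack("!BBH4s4sHH", OSPF_VERSION, OSPF_TYPE_HELLO, length,
                         _ip(router_id), _ip(area_id), 0, AUTYPE_CRYPTOGRAPHIC) + auth
    packet = header + body
    digest = hashlib.md5(packet + pad_key(key)).digest()   # MD5(packet || padded key)
    return packet + digest


class Sender:
    """While several keys are configured, each Hello goes out once per key."""

    def __init__(self, router_id: str, area_id: str, keys: dict):
        self.router_id, self.area_id, self.keys = router_id, area_id, dict(keys)
        self.seq = 0                         # cryptographic sequence number

    def hellos(self) -> list:
        self.seq += 1
        return [build_hello(self.router_id, self.area_id, kid, key, self.seq)
                for kid, key in sorted(self.keys.items())]


class Receiver:
    """Verifies a Hello using the key named by the Key ID in its header."""

    def __init__(self, keys: dict):
        self.keys = dict(keys)
        self.last_seq = {}                   # router-id -> last accepted sequence number

    def verify(self, packet: bytes) -> tuple:
        """Return (accepted, reason) for one received packet."""
        if len(packet) < HEADER_LEN:
            return False, "short packet"
        _ver, _ptype, length, rid, _area, _cksum, autype = struct.unpack("!BBH4s4sHH", packet[:16])
        _res, key_id, auth_len, seq = struct.unpack("!HBBI", packet[16:24])
        if autype != AUTYPE_CRYPTOGRAPHIC or auth_len != MD5_DIGEST_LEN:
            return False, "authentication type mismatch"
        if len(packet) != length + MD5_DIGEST_LEN:
            return False, "length mismatch"
        key = self.keys.get(key_id)
        if key is None:                      # neighbour no longer has this key
            return False, f"unknown key id {key_id}"
        expected = hashlib.md5(packet[:length] + pad_key(key)).digest()
        if not hmac.compare_digest(expected, packet[length:]):
            return False, f"bad digest with key id {key_id}"
        if seq < self.last_seq.get(rid, 0):  # RFC 2328 D.3: must not decrease
            return False, "sequence number decreased (replay?)"
        self.last_seq[rid] = seq
        return True, f"ok key id {key_id}"


def rollover_demo() -> list:
    """Mirror the thread: R3 still has keys 1 and 2, R4 has only key 2 left."""
    r3 = Sender("3.3.3.3", "0.0.0.0", {1: b"CISCO", 2: b"CCIE"})
    r4 = Receiver({2: b"CCIE"})
    return [r4.verify(p) for p in r3.hellos()]


if __name__ == "__main__":
    for accepted, reason in rollover_demo():
        print(accepted, reason)
```

Running `rollover_demo()` shows the key-1 copy being dropped as "unknown key id 1" while the key-2 copy is accepted, which is the same pair of Hellos `debug ip ospf packet` would show on the wire. Two cautions a practitioner should keep in mind: the RFC scheme is plain MD5 over packet-plus-key rather than an HMAC, and the sequence number only has to be non-decreasing, so the replay protection is weak by modern standards.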