OSPF MD5 Key Rollover

mmurray
Level 1

I'm using MD5 auth on a virtual link and need to understand the key rollover process. I initially configured the routers (7206VXR, 12.4(15)T7) as follows:

R3:
router ospf 1
 router-id 3.3.3.3
 log-adjacency-changes
 area 2 virtual-link 4.4.4.4 authentication message-digest
 area 2 virtual-link 4.4.4.4 message-digest-key 1 md5 CISCO

R4:
router ospf 1
 router-id 4.4.4.4
 log-adjacency-changes
 area 2 virtual-link 3.3.3.3 authentication message-digest
 area 2 virtual-link 3.3.3.3 message-digest-key 1 md5 CISCO

The virtual link came up fine:

R3(config-router)#do sho ip ospf virt
Virtual Link OSPF_VL2 to router 4.4.4.4 is up
  Run as demand circuit
  DoNotAge LSA allowed.
  Transit area 2, via interface Serial1/0.34, Cost of using 64
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:09
    Adjacency State FULL (Hello suppressed)
    Index 2/3, retransmission queue length 0, number of retransmission 0
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 0, maximum is 0
    Last retransmission scan time is 0 msec, maximum is 0 msec
  Message digest authentication enabled
    Youngest key id is 1

Then I changed the keys as follows:

R3(config-router)#area 2 virtual-link 4.4.4.4 message-digest-key 2 md5 CCIE
R4(config-router)#area 2 virtual-link 3.3.3.3 message-digest-key 2 md5 CCIE

On both routers:

show ip ospf vir
...
Rollover process begins....
  Message digest authentication enabled
    Youngest key id is 2
    Rollover in progress, 1 neighbor(s) using the old key(s):
       key id 1

Then I removed the old keys:

R3(config-router)#no area 2 virtual-link 4.4.4.4 message-digest-key 1
R4(config-router)#no area 2 virtual-link 3.3.3.3 message-digest-key 1

And I still see the rollover process in effect on both routers:

  Message digest authentication enabled
    Youngest key id is 2
    Rollover in progress, 1 neighbor(s) using the old key(s):

The output is the same from both routers. My virtual link is still up and OSPF is functioning correctly. But why am I still getting this message?

A show run confirms that key 1 no longer exists:

router ospf 1
 router-id 3.3.3.3
 log-adjacency-changes
 area 2 virtual-link 4.4.4.4 authentication message-digest
 area 2 virtual-link 4.4.4.4 message-digest-key 2 md5 CCIE
 network 3.3.3.3 0.0.0.0 area 0
 network 30.3.3.3 0.0.0.0 area 2
 network 131.1.23.3 0.0.0.0 area 0
 network 131.1.34.3 0.0.0.0 area 2

router ospf 1
 router-id 4.4.4.4
 log-adjacency-changes
 area 2 virtual-link 3.3.3.3 authentication message-digest
 area 2 virtual-link 3.3.3.3 message-digest-key 2 md5 CCIE
 network 4.4.4.4 0.0.0.0 area 2
 network 40.4.4.4 0.0.0.0 area 4
 network 131.1.34.4 0.0.0.0 area 2
 network 131.1.45.4 0.0.0.0 area 4

Any ideas? Thanks.

1 Reply

Giuseppe Larosa
Hall of Fame

Hello Michael,

try to repeat the tests using

• debug ip ospf event

• debug ip ospf packet

• debug ip ospf hello

to see how the smooth change of key is implemented: the sending of two copies of each hello, one with key 1 and one with key 2.

Hope to help

Giuseppe
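The mechanism behind both the original post's key 1 -> key 2 -> remove key 1 sequence and the two-copies-per-hello behaviour the reply points at, as an added worked example. This is not code from the thread and not Cisco IOS logic: it implements OSPFv2 cryptographic authentication as RFC 2328 Appendix D specifies it (keyed MD5 over packet plus zero-padded 16-byte key, key ID and cryptographic sequence number carried in the header, digest appended after the packet) and then simulates the rollover from R4's side. The Hello contents, router and area IDs and sequence numbers are constructed; only the key IDs and the keys CISCO and CCIE come from the post. "Youngest key" is modelled as the most recently configured key, and the "neighbor still on the old key" bookkeeping is a simplified model of what the show output reports, not a claim about how IOS tracks it.

```python
import hashlib
import hmac
import socket
import struct

OSPF_VERSION = 2
OSPF_HELLO = 1
AUTYPE_CRYPTO = 2
HDR_LEN = 24
DIGEST_LEN = 16
# ver, type, len, router id, area id, checksum, autype, 0, key id, auth len, crypto seq
HDR_FMT = "!BBH4s4sHHHBBI"


def _pad_key(key):
    """RFC 2328 D.3: the MD5 key is 16 bytes; a shorter key is zero-padded."""
    if len(key) > DIGEST_LEN:
        raise ValueError("OSPF MD5 key is at most 16 bytes")
    return key.ljust(DIGEST_LEN, b"\x00")


def build_hello(router_id, area_id, key_id, seq, neighbors=()):
    """OSPFv2 Hello with the AuType-2 header fields filled in and checksum 0.
    The header length excludes the digest that sign() appends (RFC 2328 D.4.3).
    Mask, timers and options are constructed values for the example."""
    body = struct.pack("!4sHBBI4s4s",
                       socket.inet_aton("255.255.255.252"),  # network mask
                       10, 0x02, 1, 40,                      # hello, options, prio, dead
                       b"\x00" * 4, b"\x00" * 4)             # DR, BDR: none on p2p
    body += b"".join(socket.inet_aton(n) for n in neighbors)
    length = HDR_LEN + len(body)
    header = struct.pack(HDR_FMT, OSPF_VERSION, OSPF_HELLO, length,
                         socket.inet_aton(router_id), socket.inet_aton(area_id),
                         0, AUTYPE_CRYPTO, 0, key_id, DIGEST_LEN, seq)
    return header + body


def sign(packet, key):
    """RFC 2328 D.4.3: digest = MD5(packet || padded key), appended to the packet.
    Keyed MD5, not HMAC; the header (key ID, sequence number) is under the digest."""
    return packet + hashlib.md5(packet + _pad_key(key)).digest()


class Receiver:
    """Verifier per RFC 2328 D.4.4. Per neighbor it keeps the last accepted
    sequence number (replay check) and the key ID that neighbor last used,
    from which a 'rollover in progress' status is derived in this model."""

    def __init__(self, keys):
        self.keys = dict(keys)   # insertion order: last configured = youngest
        self.last_seq = {}
        self.last_key = {}

    def verify(self, wire):
        if len(wire) < HDR_LEN + DIGEST_LEN:
            return False, "truncated"
        (ver, _ptype, length, rid, _aid, cksum, autype,
         _zero, key_id, auth_len, seq) = struct.unpack(HDR_FMT, wire[:HDR_LEN])
        if ver != OSPF_VERSION or autype != AUTYPE_CRYPTO or auth_len != DIGEST_LEN:
            return False, "bad header"
        if cksum != 0 or len(wire) != length + DIGEST_LEN:
            return False, "bad length/checksum"
        key = self.keys.get(key_id)
        if key is None:                      # key ID not configured here: drop
            return False, "unknown key id %d" % key_id
        nbr = socket.inet_ntoa(rid)
        if seq < self.last_seq.get(nbr, 0):  # must be >= last accepted from neighbor
            return False, "replayed sequence %d" % seq
        expected = hashlib.md5(wire[:length] + _pad_key(key)).digest()
        if not hmac.compare_digest(expected, wire[length:]):
            return False, "digest mismatch"
        self.last_seq[nbr] = seq
        self.last_key[nbr] = key_id
        return True, "ok (key id %d)" % key_id

    def rollover_status(self):
        """(youngest key id, {neighbor: key id} for neighbors still on an older key)."""
        young = list(self.keys)[-1]
        return young, {n: k for n, k in self.last_key.items() if k != young}


def send_all_keys(make_packet, keys):
    """With several keys configured, emit one signed copy per key (the
    two-copies-per-hello behaviour described in the reply)."""
    return [sign(make_packet(kid), key) for kid, key in keys.items()]


def simulate_rollover():
    """The thread's scenario seen from R4: key 1 only; key 2 added on R3 first,
    then on R4; key 1 removed on both. Returns the verifier's verdicts in order."""
    log = []
    r3_keys = {1: b"CISCO"}
    r4 = Receiver({1: b"CISCO"})

    def hello(kid, seq):
        return build_hello("3.3.3.3", "0.0.0.2", kid, seq, ["4.4.4.4"])

    # 1. one shared key: a single copy, accepted
    for pkt in send_all_keys(lambda kid: hello(kid, 100), r3_keys):
        log.append(r4.verify(pkt))
    # 2. R3 adds key 2 first: the key-2 copy is dropped until R4 knows the key
    r3_keys[2] = b"CCIE"
    for pkt in send_all_keys(lambda kid: hello(kid, 101), r3_keys):
        log.append(r4.verify(pkt))
    # 3. R4 adds key 2: youngest is now 2 while R3 was last seen on key 1
    r4.keys[2] = b"CCIE"
    log.append(r4.rollover_status())
    for pkt in send_all_keys(lambda kid: hello(kid, 102), r3_keys):
        log.append(r4.verify(pkt))
    log.append(r4.rollover_status())         # cleared once R3 is seen on key 2
    # 4. key 1 removed on both sides: old-key and old-sequence packets are dropped
    del r3_keys[1]
    del r4.keys[1]
    log.append(r4.verify(sign(hello(1, 103), b"CISCO")))
    log.append(r4.verify(sign(hello(2, 99), b"CCIE")))
    log.append(r4.verify(sign(hello(2, 103), b"CCIE")))
    return log
```

Running `simulate_rollover()` shows the two points the thread turns on: a copy signed with a key ID the receiver has not configured is silently dropped (so adding the new key on both sides before removing the old one is what keeps the adjacency up), and the "neighbor using the old key" condition clears only when a packet authenticated with the youngest key is actually accepted from that neighbor. The replayed-sequence case is the reason the cryptographic sequence number is covered by the digest.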
