OSPF Not Enabled On Interface

zekebashi
Level 4

Hello, 

I have configured an ASR1001 and C4500 with ospf. Each device has a port-channel with 2 interfaces bundled together. Here is the config of each. OSPF won't establish neighbor relationship. I have verified that I have the correct md5 on both sides and have enabled md5 on the port-channel interfaces and then removed them but nothing worked. 

Can someone review my config and see what I am doing wrong? Thanks in advance. 

c4500# sh run | s router ospf 

router ospf 100
auto-cost reference-bandwidth 100000
nsf ietf
area 0 authentication message-digest
redistribute connected subnets
redistribute static subnets
passive-interface default
no passive-interface TenGigabitEthernet1/14

no passive-interface TenGigabitEthernet1/15
no passive-interface Port-channel1
network 10.35.0.0 0.0.0.255 area 0
-----------------------------------------------------------
c4500#sh run int po1

interface Port-channel1
description Link to DO-ASR-01 G0/0/0 & G0/0/1
ip address 10.35.1.1 255.255.255.0
ip ospf network point-to-point
end

------------------------------------------------------

c4500#sh run int te1/14

interface TenGigabitEthernet1/14
description Member of Po1 Link to DO-ASR-01 Po1 G0/0/0 & G0/0/1
no switchport
no ip address
ip ospf message-digest-key 1 md5 7 1049064B16141A040308
ip ospf network point-to-point
channel-group 1 mode active

c4500#sh run int te1/15
interface TenGigabitEthernet1/15
description Member of Po1 Link to DO-ASR-01 Po1 G0/0/0 & G0/0/1
no switchport
no ip address
ip ospf message-digest-key 1 md5 7 0826431C1A1A0D181D07
ip ospf network point-to-point
channel-group 1 mode active
end

----------------------------------------------------------------------------------------------------------

asr#sh run | s router ospf 

router ospf 100
area 0 authentication message-digest
passive-interface default
no passive-interface GigabitEthernet0/0/0
no passive-interface GigabitEthernet0/0/1
no passive-interface Port-channel1
network 10.35.0.0 0.0.0.255 area 0

---------------------------------------------------------------------------------------------

asr#sh run int po1

interface Port-channel1
description Link to DO-Core-01 Po1 Te1/14 & Te1/15
ip address 10.35.1.25 255.255.255.0
ip ospf network point-to-point
no negotiation auto

---------------------------------------------------------------------------------------------

asr# sh run in g0/0/0

interface GigabitEthernet0/0/0
description Member of Po1
no ip address
ip ospf message-digest-key 1 md5 7 045C04541C2244410615
ip ospf network point-to-point
negotiation auto
channel-group 1 mode active
end

interface GigabitEthernet0/0/1
description Member of Po1
no ip address
ip ospf message-digest-key 1 md5 7 0826431C1A1A0D181D07
ip ospf network point-to-point
negotiation auto
channel-group 1 mode active

---------------------------------------------------------------------------------------------------

Best, ~zK 

Jon Marshall
Hall of Fame

Your OSPF network statements are wrong.

You have "network 10.35.0.0 0.0.0.255", which equates to "10.35.0.0 255.255.255.0", but your subnets are 10.35.1.0 255.255.255.0.

So change the network statements to be -

"network 10.35.1.0 0.0.0.255"

Jon

Thanks, Jon. 

I can't believe that I didn't catch that. Another question, do I need to add the port channels in the no passive and also add the MD5 to them or just on the physical interfaces? 

Best, ~zK 

To be honest not entirely sure as I have not done that before.

I would have thought you only need to refer to the port channel interface because it is that interface that has the IP address.

Perhaps experiment :)

Jon

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

As a general rule, you should configure non-physical interface stuff on the port-channel, such as router config stuff.  Note, some of the configuration port-channel statements, the device will push onto the member ports.  (Also, occasionally, IOS won't properly push necessary port-channel config statements to the member ports.  Not too often seen on later IOSs, but it might be bumped into.)

BTW, some believe the OSPF network statement's mask must match the network being placed into OSPF.  That's not the case.  The OSPF network statement works somewhat like an ACL, looking for interface IPs that match.  Any that do will use that network statement.

Also BTW, later IOS versions support placing an interface into OSPFv2 with a statement on the interface, i.e. you don't need the network statement if you use those.  (Of course, though, the network statement can be used to match multiple interfaces.  Can be nice for routers where every interface should go into OSPF - only takes one statement.)

Peter Paluch
Cisco Employee

Hello,

First of all, can you ping 10.35.1.25 from 10.35.1.1? In addition, does the show etherchannel summary report the relevant ports as being successfully added to the corresponding port channels?

One thing that immediately catches my eye: Your Port-channel interfaces are missing the ip ospf message-digest-key commands. You have these commands configured on the physical interfaces but not on the Port-channel interfaces. This is not correct - this command should be configured on the Port-channel interface. Having the physical and Port-channel interface configuration different can result in the physical interface being suspended from the port channel as being incompatibly configured. Even if the port was not suspended, it is very, very likely that OSPF treats only the Port-channel interface as an IP interface, and because it misses the ip ospf message-digest-key command, OSPF operates without an MD5 authentication key over this interface.

Please add this command to your Port-channel interfaces and see if it helps.

Best regards,
Peter

Jon,

I apologize for seemingly strolling in here - only after I have posted my answer I noticed that you already answered. And I obviously missed the mismatch in the network command.

Best regards,
Peter

Peter

No apologies necessary and your post was needed for a full solution.

Jon

Hi, Peter. Thanks for your response. 

After I changed the network ids, as per Jon's suggestion, both devices were able to establish neighbor relationship. And, yes, I can ping both ways. 

I still haven't added message-key on the Port Channels and the ASR keeps producing this output 

*Jan 29 05:54:46.431: %OSPF-4-NOVALIDKEY: No valid authentication send key is available on interface Port-channel1

So, w/o having the message-digest-key command configured on the Port-channel, both devices are able to ping and establish OSPF neighbor relationship; however, the ASR keeps sending out this error message: "*Jan 29 05:54:46.431: %OSPF-4-NOVALIDKEY: No valid authentication send key is available on interface Port-channel1"

I will go ahead and add that command on both Port-Channels. 

Much appreciated. 

Best, ~zK 

Final update. I applied the ip ospf message-digest-key on both Port-Channels (ASR & C4500). The ASR stopped producing this error message: "%OSPF-4-NOVALIDKEY: No valid authentication send key is available on interface Port-channel1"

Thanks again, everyone. 

Best, ~zK