2611 Views, 5 Helpful, 4 Replies

BGP TCP AO authentication

jigojar (Level 1)

Hi,

I am trying to configure BGP TCP AO between an ASR 1001-X and an ASR 9006, and I am getting an authentication error.

Can anyone help, please?

ASR 9006:-

==========================================

tcp ao
keychain kc1
key 10 SendID 10 ReceiveID 10
!

key chain kc1
key 10
accept-lifetime 11:09:10 january 10 2022 infinite
key-string password klmno
send-lifetime 11:09:10 january 10 2022 infinite
cryptographic-algorithm SHA-1
!

router bgp 100
address-family ipv4 unicast
!
address-family vpnv4 unicast
!
vrf TEST
rd 100:100
address-family ipv4 unicast
redistribute connected
!
neighbor 192.168.1.226
remote-as 65002
ao kc1 include-tcp-options disable accept-ao-mismatch-connection
address-family ipv4 unicast
route-policy DEFAULT_PASS3 in
maximum-prefix 1000 75
route-policy DEFAULT_PASS3 out

ASR 1001-X:-

--------------------------------------

key chain kc1 tcp
key 10
send-id 10
recv-id 10
accept-ao-mismatch
cryptographic-algorithm hmac-sha-1
key-string klmno
accept-lifetime local 04:15:50 Jan 10 2022 infinite
send-lifetime local 04:15:50 Jan 10 2022 infinite
!
!

router bgp 65002
bgp log-neighbor-changes
neighbor 192.168.1.225 remote-as 100
neighbor 192.168.1.225 ao kc1 include-tcp-options accept-ao-mismatch-connections
neighbor 192.168.1.225 update-source TenGigabitEthernet0/0/1
!
address-family ipv4
neighbor 192.168.1.225 activate
neighbor 192.168.1.225 maximum-prefix 1000
exit-address-family
!
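
Editor's note with an added example (not code from the thread, from Cisco, or from either platform): two things a practitioner would check in the configs above. First, the two master key tuples disagree on option coverage: the ASR 9006 uses `ao kc1 include-tcp-options disable`, while the ASR 1001-X uses `ao kc1 include-tcp-options`, so one peer hashes the TCP options into the MAC and the other does not. RFC 5925 requires both ends to use the same setting; if they differ, the receiver recomputes a different digest for every segment even though the key-string, SendID/ReceiveID and algorithm match, which is exactly what `%IP-TCP-3-BADAUTH : Invalid AO digest` reports. Second, key lifetimes are evaluated against each router's local clock, and the XE log lines are stamped 03:49 while its key lifetimes only start at 04:15:50 on the same date, so clock synchronization and overlapping send/accept windows on both routers are worth confirming. The following Python reproduces the RFC 5925/5926 traffic-key derivation and HMAC-SHA-1-96 digest over a constructed segment; the addresses, port 179 and the key-string `klmno` come from the post, while the ISNs, SNE, MSS option, ephemeral port and BGP KEEPALIVE payload are constructed for the example.

```python
"""RFC 5925 TCP-AO digest computation with HMAC-SHA-1-96 (RFC 5926).

Constructed illustration: two BGP peers whose master key tuples (MKTs)
disagree on whether TCP options are covered by the MAC never agree on
the digest, even with identical key-strings, key IDs and algorithm.
"""
import hashlib
import hmac
import ipaddress
import struct

TCPOPT_AO = 29           # TCP-AO option kind (RFC 5925)
MAC_LEN = 12             # HMAC-SHA-1-96: MAC truncated to 96 bits (RFC 5926)
KDF_OUTPUT_BITS = 160    # SHA-1 traffic-key length, encoded into the KDF input
IPPROTO_TCP = 6


def traffic_key(master_key, src_ip, dst_ip, src_port, dst_port, isn_a, isn_b):
    """RFC 5926 KDF_HMAC_SHA1: HMAC(master, 0x01 || "TCP-AO" || context || 160).

    context = Src_IP || Dst_IP || Src_Port || Dst_Port || ISN_A || ISN_B
    (RFC 5925 section 5.2). For the SYN traffic keys the peer's ISN is 0.
    """
    context = (ipaddress.ip_address(src_ip).packed
               + ipaddress.ip_address(dst_ip).packed
               + struct.pack("!HHII", src_port, dst_port, isn_a, isn_b))
    kdf_input = b"\x01" + b"TCP-AO" + context + struct.pack("!H", KDF_OUTPUT_BITS)
    return hmac.new(master_key, kdf_input, hashlib.sha1).digest()


def ao_option(key_id, rnext_key_id, mac=b"\x00" * MAC_LEN):
    """TCP-AO option: Kind=29 | Length | KeyID | RNextKeyID | MAC."""
    return struct.pack("!BBBB", TCPOPT_AO, 4 + MAC_LEN, key_id, rnext_key_id) + mac


def tcp_ao_mac(tkey, sne, src_ip, dst_ip, fixed_hdr, other_opts,
               key_id, rnext_key_id, payload, include_options):
    """HMAC-SHA-1-96 over SNE || IPv4 pseudo-header || TCP header || TCP data.

    fixed_hdr is the 20-byte TCP header with its checksum already zeroed.
    include_options=True covers every option, with the AO MAC field zeroed.
    include_options=False ("include-tcp-options disable" on the XR side)
    covers only the TCP-AO option (MAC zeroed) after the fixed header.
    The pseudo-header TCP length is the real on-wire segment length in
    both cases; only the bytes fed to the HMAC differ.
    """
    zero_ao = ao_option(key_id, rnext_key_id)
    seg_len = len(fixed_hdr) + len(other_opts) + len(zero_ao) + len(payload)
    pseudo = (ipaddress.ip_address(src_ip).packed
              + ipaddress.ip_address(dst_ip).packed
              + struct.pack("!BBH", 0, IPPROTO_TCP, seg_len))
    hashed_hdr = fixed_hdr + (other_opts if include_options else b"") + zero_ao
    data = struct.pack("!I", sne) + pseudo + hashed_hdr + payload
    return hmac.new(tkey, data, hashlib.sha1).digest()[:MAC_LEN]


def exchange(sender_includes_options, receiver_includes_options):
    """Sender signs one BGP KEEPALIVE, receiver verifies it.

    Returns (ok, mac_sent, mac_expected). Addresses, port 179 and the
    key-string "klmno" come from the thread; ISNs, SNE, the ephemeral
    port, the MSS option and the payload are constructed for this example.
    """
    master_key = b"klmno"
    a_ip, b_ip, a_port, b_port = "192.168.1.226", "192.168.1.225", 43970, 179
    isn_a, isn_b, sne = 0x11223344, 0x55667788, 0
    key_id = rnext_key_id = 10             # SendID/ReceiveID 10 on both sides

    # Both peers derive the same traffic key for A->B data segments.
    tkey = traffic_key(master_key, a_ip, b_ip, a_port, b_port, isn_a, isn_b)

    mss_opt = struct.pack("!BBH", 2, 4, 1460)              # a non-AO option
    keepalive = b"\xff" * 16 + struct.pack("!HB", 19, 4)   # BGP KEEPALIVE
    doff = (20 + len(mss_opt) + 4 + MAC_LEN) // 4          # header words
    fixed_hdr = struct.pack("!HHIIBBHHH", a_port, b_port, isn_a + 1, isn_b + 1,
                            doff << 4, 0x18, 65535, 0, 0)  # PSH|ACK, csum 0

    mac_sent = tcp_ao_mac(tkey, sne, a_ip, b_ip, fixed_hdr, mss_opt, key_id,
                          rnext_key_id, keepalive, sender_includes_options)
    mac_expected = tcp_ao_mac(tkey, sne, a_ip, b_ip, fixed_hdr, mss_opt, key_id,
                              rnext_key_id, keepalive, receiver_includes_options)
    return hmac.compare_digest(mac_sent, mac_expected), mac_sent, mac_expected


if __name__ == "__main__":
    for s, r in [(True, True), (False, False), (True, False)]:
        ok, sent, want = exchange(s, r)
        print(f"sender include-tcp-options={s!s:5} receiver={r!s:5} -> "
              f"{'valid' if ok else 'Invalid AO digest'} "
              f"({sent.hex()} vs {want.hex()})")
```

Running it prints a valid digest for the two matched cases and an "Invalid AO digest" for the mixed case that mirrors the posted configs; the fix on either side is simply to make the include-tcp-options setting identical on both peers, then re-check the key lifetimes against a synchronized clock.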

4 Replies

jigojar (Level 1)

ASR 1001-X:-

-------------------------------------

*Jan 10 03:49:02: %BGP-4-AO_KEYCHAIN: Failed to set TCB AO properties
*Jan 10 03:49:02: %BGP-3-NOTIFICATION: sent to neighbor 192.168.1.225 6/2 (Administrative Shutdown) 0 bytes
*Jan 10 03:49:02: %BGP-5-NBR_RESET: Neighbor 192.168.1.225 reset (TCP AO config change)
*Jan 10 03:49:02: %BGP-5-ADJCHANGE: neighbor 192.168.1.225 Down Admin. shutdown

ASR 9006:-

-------------------------------------

RP/0/RSP1/CPU0:Jan 10 11:35:52.475 UTC: tcp[481]: %IP-TCP-3-BADAUTH : Invalid AO digest from 192.168.1.226:43970 to 192.168.1.225:179 for vrf:1026-ICICI-Mesh (0x60000002)
RP/0/RSP1/CPU0:Jan 10 11:36:06.474 UTC: tcp[481]: %IP-TCP-3-BADAUTH : Invalid AO digest from 192.168.1.226:43970 to 192.168.1.225:179 for vrf:1026-ICICI-Mesh (0x60000002)
RP/0/RSP1/CPU0:Jan 10 11:36:32.413 UTC: tcp[481]: %IP-TCP-3-BADAUTH : Invalid AO digest from 192.168.1.226:14399 to 192.168.1.225:179 for vrf:1026-ICICI-Mesh (0x60000002)
RP/0/RSP1/CPU0:Jan 10 11:36:46.414 UTC: tcp[481]: %IP-TCP-3-BADAUTH : Invalid AO digest from 192.168.1.226:14399 to 192.168.1.225:179 for vrf:1026-ICICI-Mesh (0x60000002)
RP/0/RSP1/CPU0:Jan 10 11:37:14.408 UTC: tcp[481]: %IP-TCP-3-BADAUTH : Invalid AO digest from 192.168.1.226:28374 to 192.168.1.225:179 for vrf:1026-ICICI-Mesh (0x60000002)
RP/0/RSP1/CPU0:Jan 10 11:37:23.304 UTC: tcp[481]: %IP-TCP-3-AOOPT_SEND_NOKEY : No active send-key for key-chain 'kc1' for the Authentication Option to send to peer 192.168.1.226, error - 0x4f8bb200
RP/0/RSP1/CPU0:Jan 10 11:37:28.408 UTC: tcp[481]: %IP-TCP-3-BADAUTH : Invalid AO digest from 192.168.1.226:28374 to 192.168.1.225:179 for vrf:1026-ICICI-Mesh (0x60000002)
RP/0/RSP1/CPU0:Jan 10 11:37:56.394 UTC: tcp[481]: %IP-TCP-3-BADAUTH : Invalid AO digest from 192.168.1.226:46426 to 192.168.1.225:179 for vrf:1026-ICICI-Mesh (0x60000002)
RP/0/RSP1/CPU0:Jan 10 11:38:10.393 UTC: tcp[481]: %IP-TCP-3-BADAUTH : Invalid AO digest from 192.168.1.226:46426 to 192.168.1.225:179 for vrf:1026-ICICI-Mesh (0x60000002)

Does it work properly with MD5?

Please rule out this bug on the XE side:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvx80537

and this one on XR, with compatibility:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvp58305

Yes, it works properly with MD5.

Check bug CSCve93491.