09-30-2024 11:05 PM
Dear experts,
I'm playing with NCS55 running XR and ASR920 running XE. I changed the authentication to use keychain but it's failing. I have run debug commands, but they yield nothing!
...........
ASR920
.............
interface TenGigabitEthernet0/0/24
description SYD1PAXSR001_TEST TenGigE0/0/0/22
mtu 9202
ip address 10.202.0.13 255.255.255.252
ip ospf authentication key-chain PROTOCOL-AUTHENTICATION
ip ospf network point-to-point
ip ospf 18361 area 2
cdp enable
bfd interval 250 min_rx 250 multiplier 4
end
SYD1QAXSR003#show key chain PROTOCOL-AUTHENTICATION
Key-chain PROTOCOL-AUTHENTICATION:
key 1 -- text "ASXNET!"
cryptographic-algorithm: md5
accept lifetime (always valid) - (always valid) [valid now]
send lifetime (always valid) - (always valid) [valid now]
SYD1QAXSR003#
.......................
NCS5500
............
router ospf 18361
router-id 192.168.234.33
area 0.0.0.2
authentication keychain PROTOCOL-AUTHENTICATION
interface TenGigE0/0/0/22
!
RP/0/RP0/CPU0:SYD1PAXSR001_TEST#show key chain PROTOCOL-AUTHENTICATION
Tue Oct 1 16:04:28.383 AEST
Key-chain: PROTOCOL-AUTHENTICATION -
timezone -- local
Key 1 -- text "096D7D3137202353"
Cryptographic-Algorithm -- Not configured
Send lifetime -- Not configured
Accept lifetime -- Not configured
Please assist. Thanks
09-30-2024 11:32 PM
In NCS5500 you don't configure accept lifetime and send lifetime?
MHM
10-01-2024 02:22 PM
I did not configure that at all
key chain PROTOCOL-AUTHENTICATION
key 1
key-string ASXNET!
09-30-2024 11:35 PM
Hello @dgawaya1
There is a mismatch in the keychain configuration between the ASR920 and the NCS5500. Specifically, the keychain on the NCS5500 is missing the cryptographic algorithm (e.g., MD5) and send/accept lifetimes...
Once the keychain is consistent across both devices, OSPF should authenticate successfully. After applying the change, rerun OSPF and keychain debugging if necessary to verify that the key exchange and authentication process are working properly.
09-30-2024 11:52 PM
The key text on NCS "096D7D3137202353" is not an MD5 hash of "ASXNET!"; it is a "Type 7" password, which means it uses the Vigenère cipher, not MD5. Since the hashes on both systems are different, the comparison of the OSPF keys fails.
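Added example, not part of any post in this thread: a Type 7 string is a reversible encoding of the configured key-string, so the value shown by the NCS5500 can be decoded and compared with the key text shown by the ASR920. The translation table is the publicly documented IOS Type 7 constant; that IOS XR uses the same table is an assumption, and the function names are illustrative.

```python
import hmac

# Publicly documented IOS Type 7 translation table (assumed to apply to XR too).
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded: str) -> str:
    """Return the key-string hidden in a Type 7 value.

    Layout: two decimal digits (starting offset into XLAT), then hex byte
    pairs, each XORed with successive XLAT bytes.
    """
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("not a Type 7 string: bad length")
    try:
        offset = int(encoded[:2], 10)
        data = bytes.fromhex(encoded[2:])
    except ValueError as exc:
        raise ValueError("not a Type 7 string: bad digits") from exc
    plain = bytes(b ^ XLAT[(offset + i) % len(XLAT)] for i, b in enumerate(data))
    return plain.decode("latin-1")


def encode_type7(plain: str, offset: int) -> str:
    """Inverse of decode_type7, used here only as a round-trip check."""
    raw = plain.encode("latin-1")
    body = bytes(b ^ XLAT[(offset + i) % len(XLAT)] for i, b in enumerate(raw))
    return f"{offset:02d}{body.hex().upper()}"


def same_key(cleartext_side: str, type7_side: str) -> bool:
    """True when a cleartext key and a Type 7 value hold the same key-string."""
    decoded = decode_type7(type7_side)
    return hmac.compare_digest(cleartext_side.encode("latin-1"),
                               decoded.encode("latin-1"))


if __name__ == "__main__":
    # Both values are copied from the "show key chain" outputs in the first post.
    asr920_key = "ASXNET!"
    ncs5500_key = "096D7D3137202353"
    print("NCS5500 key decodes to:", decode_type7(ncs5500_key))
    print("Same key-string on both routers:", same_key(asr920_key, ncs5500_key))
```

Because the encoding is reversible, `show key chain` output with Type 7 values should be handled as if it contained the cleartext key.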
10-01-2024 05:10 AM
What's the config to get the md5 on NCS?
On both sides I just configured
"key authentication
key 1
key-chain xxxx"