ā09-30-2024 11:05 PM
Dear experts,
I'm playing with NCS55 running XR and ASR920 running XE. I changed the authentication to use keychain but its failing. I have run debug commands but yield nothing!
...........
ASR920
.............
interface TenGigabitEthernet0/0/24
description SYD1PAXSR001_TEST TenGigE0/0/0/22
mtu 9202
ip address 10.202.0.13 255.255.255.252
ip ospf authentication key-chain PROTOCOL-AUTHENTICATION
ip ospf network point-to-point
ip ospf 18361 area 2
cdp enable
bfd interval 250 min_rx 250 multiplier 4
end
SYD1QAXSR003#show key chain PROTOCOL-AUTHENTICATION
Key-chain PROTOCOL-AUTHENTICATION:
key 1 -- text "ASXNET!"
cryptographic-algorithm: md5
accept lifetime (always valid) - (always valid) [valid now]
send lifetime (always valid) - (always valid) [valid now]
SYD1QAXSR003#
.......................
NCS5500
............
router ospf 18361
router-id 192.168.234.33
area 0.0.0.2
authentication keychain PROTOCOL-AUTHENTICATION
interface TenGigE0/0/0/22
!
RP/0/RP0/CPU0:SYD1PAXSR001_TEST#show key chain PROTOCOL-AUTHENTICATION
Tue Oct 1 16:04:28.383 AEST
Key-chain: PROTOCOL-AUTHENTICATION -
timezone -- local
Key 1 -- text "096D7D3137202353"
Cryptographic-Algorithm -- Not configured
Send lifetime -- Not configured
Accept lifetime -- Not configured
Please assist. Thanks
Solved! Go to Solution.
ā09-30-2024 11:52 PM
The key text on NCS "096D7D3137202353" is not an MD5 hash of "ASXNET!", it is a "Type 7" password, which means it uses the Vinegere cipher, not MD5. Since the hash on both systems are different, the comparsion of the OSPF keys fails.
ā09-30-2024 11:32 PM
In NCS5500 you dont config accept lifetime and send lifetime?
MHM
ā10-01-2024 02:22 PM
I did not configure that at all
key chain PROTOCOL-AUTHENTICATION
key 1
key-string ASXNET!
ā09-30-2024 11:35 PM
Hello @dgawaya1
There is a mismatch in the keychain configuration between the ASR920 and the NCS5500. Specifically, the keychain on the NCS5500 is missing the cryptographic algorithm (e.g., MD5) and send/accept lifetimes...
Once the keychain is consistent across both devices, OSPF should authenticate successfully. After applying the change, rerun OSPF and keychain debugging if necessary to verify that the key exchange and authentication process are working properly.
ā09-30-2024 11:52 PM
The key text on NCS "096D7D3137202353" is not an MD5 hash of "ASXNET!", it is a "Type 7" password, which means it uses the Vinegere cipher, not MD5. Since the hash on both systems are different, the comparsion of the OSPF keys fails.
ā10-01-2024 05:10 AM
whats the config to get the md5 on NCS?
On both sides I just configures
"key authenticayion
key 1
key-chin xxxx"
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide