
ip ospf authentication failing

dgawaya1
Level 1

Dear experts,
I'm playing with NCS55 running XR and ASR920 running XE. I changed the authentication to use a keychain but it's failing. I have run debug commands but they yield nothing!

...........
ASR920
.............
interface TenGigabitEthernet0/0/24
description SYD1PAXSR001_TEST TenGigE0/0/0/22
mtu 9202
ip address 10.202.0.13 255.255.255.252
ip ospf authentication key-chain PROTOCOL-AUTHENTICATION
ip ospf network point-to-point
ip ospf 18361 area 2
cdp enable
bfd interval 250 min_rx 250 multiplier 4
end

SYD1QAXSR003#show key chain PROTOCOL-AUTHENTICATION
Key-chain PROTOCOL-AUTHENTICATION:
key 1 -- text "ASXNET!"
cryptographic-algorithm: md5
accept lifetime (always valid) - (always valid) [valid now]
send lifetime (always valid) - (always valid) [valid now]
SYD1QAXSR003#


.......................
NCS5500
............
router ospf 18361
router-id 192.168.234.33
area 0.0.0.2
authentication keychain PROTOCOL-AUTHENTICATION
interface TenGigE0/0/0/22
!

RP/0/RP0/CPU0:SYD1PAXSR001_TEST#show key chain PROTOCOL-AUTHENTICATION
Tue Oct 1 16:04:28.383 AEST

Key-chain: PROTOCOL-AUTHENTICATION -

timezone -- local
Key 1 -- text "096D7D3137202353"
Cryptographic-Algorithm -- Not configured
Send lifetime -- Not configured
Accept lifetime -- Not configured


Please assist. Thanks 


 



1 Accepted Solution


etienne-buxin
Level 1

The key text on NCS "096D7D3137202353" is not an MD5 hash of "ASXNET!", it is a "Type 7" password, which means it uses the Vigenère cipher, not MD5. Since the hashes on both systems are different, the comparison of the OSPF keys fails.


5 Replies

In NCS5500 you don't config accept lifetime and send lifetime?

MHM

I did not configure that at all 

key chain PROTOCOL-AUTHENTICATION
key 1
key-string ASXNET!

M02@rt37
VIP

Hello @dgawaya1 

There is a mismatch in the keychain configuration between the ASR920 and the NCS5500. Specifically, the keychain on the NCS5500 is missing the cryptographic algorithm (e.g., MD5) and send/accept lifetimes...

Once the keychain is consistent across both devices, OSPF should authenticate successfully. After applying the change, rerun OSPF and keychain debugging if necessary to verify that the key exchange and authentication process are working properly.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
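
The side-by-side comparison suggested in the reply above can be scripted. This is an added example, not part of the thread and not Cisco tooling: it parses the two show key chain outputs quoted in the question (key text masked) and lists per-key attributes that are unset on one side or whose algorithms differ. The function names and line patterns are assumptions derived only from the output shown on this page.

```python
import re
# Output copied from the question above; key text masked because the check does not need it.
XE_OUTPUT = """\
Key-chain PROTOCOL-AUTHENTICATION:
key 1 -- text "****"
cryptographic-algorithm: md5
accept lifetime (always valid) - (always valid) [valid now]
send lifetime (always valid) - (always valid) [valid now]
"""
XR_OUTPUT = """\
Key-chain: PROTOCOL-AUTHENTICATION -
timezone -- local
Key 1 -- text "****"
Cryptographic-Algorithm -- Not configured
Send lifetime -- Not configured
Accept lifetime -- Not configured
"""
ATTRS = ("cryptographic-algorithm", "send lifetime", "accept lifetime")
KEY_RE = re.compile(r"^key (\d+) --")
ATTR_RE = re.compile(r"^(%s)\s*(?::|--)?\s*(.*)$" % "|".join(ATTRS))

def parse_key_chain(text):
    """Return {key_id: {attribute: value or None}} for either output format."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip().lower()
        if m := KEY_RE.match(line):
            current = keys.setdefault(int(m.group(1)), dict.fromkeys(ATTRS))
        elif (m := ATTR_RE.match(line)) and current is not None:
            value = m.group(2).strip()
            current[m.group(1)] = None if value in ("", "not configured") else value
    return keys

def compare_key_chains(xe, xr):
    """Report keys or attributes absent on one side, and algorithm mismatches."""
    findings = []
    for key_id in sorted(set(xe) | set(xr)):
        for name, keys in (("XE", xe), ("XR", xr)):
            if key_id not in keys:
                findings.append(f"key {key_id}: not present on {name}")
                continue
            findings += [f"key {key_id}: {attr} not configured on {name}"
                         for attr in ATTRS if keys[key_id][attr] is None]
        algos = sorted({k[key_id][ATTRS[0]] for k in (xe, xr) if key_id in k} - {None})
        if len(algos) > 1:
            findings.append(f"key {key_id}: algorithm mismatch {algos}")
    return findings

if __name__ == "__main__":
    print("\n".join(compare_key_chains(parse_key_chain(XE_OUTPUT), parse_key_chain(XR_OUTPUT))))
```

Run against the outputs from the question, it reports the algorithm and both lifetimes as not configured for key 1 on the XR side.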

What's the config to get the md5 on NCS?

On both sides I just configured
"key authentication

key 1

key-chain xxxx"