OSPF authentication with multiple keys

Hi,

I am working on the v5 workbook section "OSPF authentication with multiple keys". That does not work for me as well as it does in the workbook.

It sounds like most of the time, R5 would only send out the latest key configured and not both keys. So I have half of the peers working OK, and the other ones reporting that the key they are receiving from R5 does not match (1 instead of 2, or vice versa).

If I configure key 1 second in R5's config, it will be the working key; if I configure key 2 first, it will be the working key.

Here is an output with the config of R5 and the debug ip ospf adj showing that only one key is sent out.

I am running CSRs ver 15.4(2)S. I tried rebooting several times but no luck. I have been able to see both keys being sent in the debug output only once, and I can't reproduce it now.

interface Tunnel0
 ip address 155.1.0.5 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication NHRPPASS
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip tcp adjust-mss 1360
 ip ospf authentication message-digest
 ip ospf message-digest-key 2 md5 KEYTWO
 ip ospf message-digest-key 1 md5 KEYONE
 ip ospf network point-to-multipoint non-broadcast
 delay 1000
 tunnel source GigabitEthernet1.100
 tunnel mode gre multipoint
 tunnel key 150
 tunnel protection ipsec profile DMVPN_PROFILE
end

R5#
OSPF-1 ADJ   Tu0: Send with youngest Key 1
OSPF-1 ADJ   Tu0: Send with youngest Key 1
OSPF-1 ADJ   Tu0: Send with youngest Key 1
OSPF-1 ADJ   Tu0: Send with youngest Key 1
OSPF-1 ADJ   Tu0: Send with youngest Key 1
OSPF-1 ADJ   Tu0: Send with youngest Key 1
OSPF-1 ADJ   Tu0: Send with youngest Key 1
OSPF-1 ADJ   Tu0: Send with youngest Key 1
OSPF-1 ADJ   Tu0: Send with youngest Key 1
OSPF-1 ADJ   Tu0: Send with youngest Key 1
OSPF-1 ADJ   Tu0: Send with youngest Key 1
OSPF-1 ADJ   Tu0: Send with youngest Key 1
OSPF-1 ADJ   Tu0: Send with youngest Key 1
OSPF-1 ADJ   Tu0: Send with youngest Key 1
OSPF-1 ADJ   Tu0: Send with youngest Key 1
OSPF-1 ADJ   Tu0: Send with youngest Key 1
OSPF-1 ADJ   Tu0: Send with youngest Key 1



Any idea? Bug?


Thanks

Comments

  • I think it's the order in which you enter the keys, and the operational key is not necessarily the numerically higher key ID but the last one entered.

  • The log "Youngest Key" says it all =) 

  • Hi,

    Yes, this was my conclusion too: the router is only sending the last key configured. My question is why. According to the workbook and to Cisco documentation, it should send out all configured keys so that we can have different keys on different spokes, or so we can do some key rollover without dropping the adjacency.


  • The router will only send hellos with the last key configured, until it hears incoming hellos using older keys. If an incoming hello packet has a matching configured key, it will start sending hellos using this key as well. Are you actively sending hellos from the other neighbors? I can see you are using ospf network type point-to-multipoint non-broadcast. If you have the same on the spokes, but no neighbor statements there, they will not send any hellos with their locally configured key (and will discard the incoming hellos from R5 due to key mismatch, since it only sends the youngest key before hearing any hellos back).
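
    To make the behaviour in the reply above concrete, here is a small Python model I have added to this thread (it is not Cisco code and not from the workbook). It models two things: the RFC 2328 Appendix D.4.3 MD5 digest (MD5 over the packet with the 16-octet key appended; zero-padding of shorter keys is an assumption of this model), and the "send with youngest key" rule: a router sends only with the last-entered key until it validates a hello carrying another key it also has configured. The topology mirrors the post: hub R5 with key 2 entered before key 1, spoke R1 on key 1 only, spoke R3 on key 2 only. The router names, the key strings and the hello bodies are constructed, and real OSPF headers are not built.

```python
import hashlib
from dataclasses import dataclass, field

# Added model (not Cisco code) of OSPFv2 MD5 authentication and the
# "youngest key" sending rule discussed in this thread. Everything here is
# constructed for illustration; no real OSPF packets are generated.


def ospf_md5_digest(packet: bytes, key: str) -> bytes:
    """RFC 2328 D.4.3 style digest: the key (16 octets; shorter keys are
    zero-padded here as an assumption) is appended to the packet and MD5'd."""
    k = key.encode()[:16].ljust(16, b"\x00")
    return hashlib.md5(packet + k).digest()


@dataclass
class Hello:
    src: str
    key_id: int
    body: bytes
    digest: bytes


@dataclass
class Router:
    name: str
    keys: list                          # [(key_id, key_string)] in configuration order
    send_with: set = field(default_factory=set)

    def __post_init__(self) -> None:
        # The youngest key is the last one entered, regardless of its numeric ID.
        # With key 2 entered before key 1 this gives "Send with youngest Key 1".
        self.send_with = {self.keys[-1][0]}

    def key_for(self, key_id: int):
        return dict(self.keys).get(key_id)

    def send_hellos(self) -> list:
        body = f"HELLO from {self.name}".encode()        # constructed packet body
        return [Hello(self.name, kid, body, ospf_md5_digest(body, self.key_for(kid)))
                for kid in sorted(self.send_with)]

    def receive(self, hello: Hello) -> str:
        key = self.key_for(hello.key_id)
        if key is None:
            return "key-id-mismatch"    # what the failing spokes in the post report
        if ospf_md5_digest(hello.body, key) != hello.digest:
            return "bad-digest"
        # A valid hello with a key we also have configured: start sending with it too.
        self.send_with.add(hello.key_id)
        return "ok"


def run_scenario(spokes_send_hellos: bool, rounds: int = 2) -> dict:
    """Hub R5 (keys 2 then 1, as in the post), spoke R1 on key 1, spoke R3 on key 2.
    Returns which keys the hub ends up sending with and, per spoke and per round,
    whether the spoke accepted at least one hello from the hub."""
    hub = Router("R5", [(2, "KEYTWO"), (1, "KEYONE")])
    spokes = [Router("R1", [(1, "KEYONE")]), Router("R3", [(2, "KEYTWO")])]
    accepted = {s.name: [] for s in spokes}
    for _ in range(rounds):
        hub_hellos = hub.send_hellos()
        for s in spokes:
            verdicts = [s.receive(h) for h in hub_hellos]
            accepted[s.name].append("ok" in verdicts)
            # On point-to-multipoint non-broadcast a spoke only sends hellos
            # when it has a neighbor statement; that is what this flag models.
            if spokes_send_hellos:
                for h in s.send_hellos():
                    hub.receive(h)
    return {"hub_sends_with": sorted(hub.send_with), **accepted}


if __name__ == "__main__":
    print("spokes silent (no neighbor statement):", run_scenario(False))
    print("spokes sending hellos:                ", run_scenario(True))
```

    With silent spokes the hub never hears a key 2 hello, keeps sending with key 1 only, and R3 fails every round; once the spokes send hellos, the hub validates R3's key 2 hello, adds key 2 to its sending set, and from the next round both spokes accept. The key rollover case works the same way: the neighbor keeps using the old key until it hears the new one, and nothing is dropped as long as hellos flow in both directions.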

  • Hi!

    I've passed through the same problem, and according to drumfrodo, it is necessary to include the neighbor statement on the spokes.
    I wrote feedback on the workbook mentioning this issue.

    Thank you all!

    Renato Besson


  • drumfrodo
    You just saved my day and my mind. This information definitely should be in the workbooks. Not a single word about this caveat can be found by just googling.
    Thank you very much!
