From: gladston@br.ibm.com
Date: Tue Apr 26 2005 - 09:49:50 GMT-3
Hi,
I am reproducing the same lab at the moment. And the problem is there
again, so if you want me to get any result of commands, just let me know.
Just R4 has "neighbor x.x.x.x" statement.
R4 just tries to authenticate using key 2, although it is configured with
key 1 and key 2.
If I remove the key 2 on R4 or configure key 2 on R1, OSPF adj goes up.
After adjacency goes up, I can return the key 2 on R4 and everything is
normal, UNTIL reload router R4 again.
R4
interface Serial0/0
ip address 142.20.14.4 255.255.255.0
ip pim sparse-dense-mode
encapsulation frame-relay
ip ospf message-digest-key 1 md5 cisco
ip ospf message-digest-key 2 md5 ccie
ipv6 address 2001::4/64
no fair-queue
frame-relay map ip 142.20.14.1 401 broadcast
no sh
!
interface Serial0/0
ip address 142.20.14.4 255.255.255.0
ip pim sparse-dense-mode
encapsulation frame-relay
ip ospf message-digest-key 1 md5 cisco
ip ospf message-digest-key 2 md5 ccie
ipv6 address 2001::4/64
no fair-queue
frame-relay map ip 142.20.14.1 401 broadcast
no sh
!
R4#deb ip os ad
OSPF adjacency events debugging is on
Rack2R4#sh ip os int ser 0/0
Serial0/0 is up, line protocol is up
Internet Address 142.20.14.4/24, Area 112
Process ID 1, Router ID 142.20.4.1, Network Type NON_BROADCAST, Cost: 64
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 142.20.4.1, Interface address 142.20.14.4
No backup designated router on this network
Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
oob-resync timeout 120
Hello due in 00:00:01
Index 2/2, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 0, maximum is 0
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 0, Adjacent neighbor count is 0
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 2
Rack2R4#
*Mar 1 00:48:29.453: OSPF: Sending poll to 0.0.0.0 address 142.20.14.1 on
Serial0/0
*Mar 1 00:48:29.453: OSPF: Send with youngest Key 2
*Mar 1 00:48:29.497: OSPF: Send with youngest Key 2
Rack2R4#s
*Mar 1 00:48:59.498: OSPF: Send with youngest Key 2
R4#
R1
interface Serial0/0.14 multipoint
ip address 142.20.14.1 255.255.255.0
ip pim sparse-dense-mode
ip ospf message-digest-key 1 md5 cisco
ip ospf priority 0
ipv6 address 2001::1/64
frame-relay map ip 142.20.1.4 104 broadcast
frame-relay map ip 142.20.14.4 104 broadcast
!
router ospf 1
router-id 142.20.1.1
log-adjacency-changes
area 0 authentication
area 112 authentication message-digest
redistribute rip subnets
network 142.20.1.0 0.0.0.255 area 0
network 142.20.14.0 0.0.0.255 area 112
network 142.20.125.0 0.0.0.31 area 0
2R1#sh ip os int ser 0/0.14
Serial0/0.14 is up, line protocol is up
Internet Address 142.20.14.1/24, Area 112
Process ID 1, Router ID 142.20.1.1, Network Type NON_BROADCAST, Cost: 64
Transmit Delay is 1 sec, State DROTHER, Priority 0
No designated router on this network
No backup designated router on this network
Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
oob-resync timeout 120
Hello due in 00:00:23
Index 1/2, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 0, maximum is 0
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 0, Adjacent neighbor count is 0
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 1
Cordially
------------------------------------------------------------------
Alaerte
----- Forwarded by Alaerte Gladston Vidali/Brazil/IBM on 26/04/2005 09:31
-----
Alaerte Gladston Vidali/Brazil/IBM
22/04/2005 16:08
To
Pearson John <jnhpearson@yahoo.co.jp>
cc
ccielab@groupstudy.com, "George Cassels \(gcassels\)"
<gcassels@cisco.com>, "Alsontra Daniels" <alsontra@gmail.com>
Subject
RE: OSPF MD5 - Rollover
Hi,
Thanks for the replies.
The problem I faced seems to be the same as Pearson experimented. It does
occurs only after reloading the router R4.
No reload, no problem. OSPF adjacencies keep up, and if I configure the
new key (key2) on R1, the rollover process finishes succefully.
Sorry for the missing config parts. They are all there, layer 2/3 is
working (besides the problem with reload and rollover).
R4 is connected to R1 --> nbma frame-relay
Just R4 is configured with neighbor statement. (although after configuring
R1 with neighbor, the adjacency goes UP after reloading R4)
On real networks that would not be a problem, because it would be rarely
to reload the routers during rollover process.
But can you see the problem in the CCIE lab? or before lunch, when we
usually reload the routers.
====================================
quoted
Because you are using non-broadcast with frame relay it would
require one of the routers to have a neighbor statement to establish an
adjacency (typically the hub).
Regards,
George
==================================
R4 has the neighbor statement. There is just R1 and R4 on this particular
problem.
====================
Also I don't know if it was cut off in
the paste but I don't see your map statement on the S0/0 interface on
R4?
Regards,
George
==================================
It was cut off. Sorry.
==================================
Also I don't understand why on R1 you have two map statements on s
0/0.14 mult interface going to two different subnets? OSPF should try
and use the youngest key that is similar between the two routers.
Regards,
George
==================================
My mistake, probably typed wrongly during rack rental time. MAPs are on R4
and R1.
================================
OSPF should try
and use the youngest key that is similar between the two routers.
Regards,
George
==================================
And it does, the problem is just after reloading R4. It sends OSPF packets
with Key 1 and key 2 but OSPF adjacency stay DOWN. If I remove key 1 from
R4 or configure key 2 on R1 adjacency goes UP.
==================================
I'm somewhat confused by your explanation of the behavior. Can
you post the appropriate adj. debug?
HTH,
Alsontra
==================================
I will rent rack lab time next April 26th, so I can reproduce it again.
Cordially,
------------------------------------------------------------------
Gladston
Pearson John <jnhpearson@yahoo.co.jp>
21/04/2005 23:21
To
"George Cassels \(gcassels\)" <gcassels@cisco.com>, Alaerte Gladston
Vidali/Brazil/IBM@IBMBR, <ccielab@groupstudy.com>
cc
Subject
RE: OSPF MD5 - Rollover
George,
Many thanks for the comments concerning MD5 rollover with
OSPF. I've seen a case with an FR Hub&Spoke topology (OSPF
non-broadcast) - Hub and two spokes, where the DR Hub (say
R1) and one spoke (say R2) have been updated with new key
2 and the other spoke (say R3) has just the old key.
What was seen is that the neighboring between R1 and R2
use the younger key 2, and R1 and R3 use the older key1.
This is fine whilst the DR is still up and even after
clearing the OSPF process on the DR R1. However, once the
DR Hub R1 is reloaded, R1 and R2 can neighbor up, but R1
and R3 son't seem to be able to neighbor up with the older
key1.
Cisco documentation on OSPF rollover states that until a
router knows ALL neighbors have the new key configured, it
will still send packets with each key. This doesn't seem
to be the case in this scenario once R1 was reloaded.
What's your experience with an FR Hub&Spoke OSPF
non-broadcast topology where keys are updated on one spoke
and the DR Hub only? Shouldn't the DR Hub send both keys
whilst other spokes haven't been updated with the new key?
Any advice would be greatly appreciated.
Thanks in advance.
John