RE: OSPF MD5 - Rollover

From: gladston@br.ibm.com
Date: Wed Apr 27 2005 - 09:57:53 GMT-3


Thanks for your effort on this subject George,

It makes sense with the result I got.

What scares me is not being sure if the guy that is doing the CCIE Lab
knows that, because it seems it is not documented.
(eheh, after failing the test strange things use to scare me)

Cordially,
------------------------------------------------------------------
 Gladston

"George Cassels (gcassels)" <gcassels@cisco.com>
26/04/2005 20:13

To
Alaerte Gladston Vidali/Brazil/IBM@IBMBR, "Alsontra Daniels"
<alsontra@gmail.com>, "Pearson John" <jnhpearson@yahoo.co.jp>
cc
<ccielab@groupstudy.com>
Subject
RE: OSPF MD5 - Rollover

Alaerte,
 
     I had a theory about what the problem might be but wanted to test it
before I sent it out. In your debug I noticed that although your R4 was
sending the youngest key, you were never receiving a key from R1. So
what I did is the following: R1 had the two keys and the neighbor
statement and it failed just like your R4 did (see debug below). Then I
put the neighbor statement on R4 which would be like your R1 and it
worked fine. My theory is that with neighbor statements the router with
the neighbor statement did not receive the key from the neighbor which
would not allow it to figure out to use key 1 instead of key 2. By
putting the neighbor statement on the router with the older key number,
it allowed that router to send out its key, allowing the router with two
keys to use key 1 based on the capabilities of its neighbor instead of
the youngest key (key 2).
 
Does that make sense?
 
debugs from working and non-working config below. Also at the bottom is
the working config.
 
George
 
 
Non-working with R1 having neighbor statements and with two keys
 
R4 (only one key (key 1) and no neighbor)
 
00:16:29: OSPF: end of Wait on interface Serial2/0
00:16:29: OSPF: DR/BDR election on Serial2/0
00:16:29: OSPF: Elect BDR 172.16.1.4
00:16:29: OSPF: Elect DR 172.16.1.4
00:16:29: OSPF: Elect BDR 0.0.0.0
00:16:29: OSPF: Elect DR 172.16.1.4
00:16:29: DR: 172.16.1.4 (Id) BDR: none
00:16:29: OSPF: Send with youngest Key 1
00:16:29: OSPF: No full nbrs to build Net Lsa for interface Serial2/0
R4#
00:16:50: OSPF: Rcv pkt from 172.16.1.1, Serial2/0 : Mismatch
Authentication Key - No message digest key 2 on interface
R4#
00:16:59: OSPF: Send with youngest Key 1
R4#
 
R1 with neighbor statement and two keys (never receives)
 
00:16:51: OSPF: Send with youngest Key 2
R1#
00:17:21: OSPF: 0.0.0.0 address 172.16.1.4 on Serial1/0 is dead
00:17:21: OSPF: 0.0.0.0 address 172.16.1.4 on Serial1/0 is dead, state
DOWN
00:17:21: %OSPF-5-ADJCHG: Process 1, Nbr 0.0.0.0 on Serial1/0 from
ATTEMPT to DOWN, Neighbor Down: Dead timer expired
R1#
00:17:21: OSPF: Neighbor change Event on interface Serial1/0
00:17:21: OSPF: DR/BDR election on Serial1/0
00:17:21: OSPF: Elect BDR 0.0.0.0
00:17:21: OSPF: Elect DR 172.16.1.1
00:17:21: DR: 172.16.1.1 (Id) BDR: none
00:17:21: OSPF: Send with youngest Key 2
R1#
00:17:51: OSPF: Send with youngest Key 2
R1#
 
--------------------------------------------------------------------------------------------------------------
 
working exchange with R4 having the neighbor statement
 
R1 (has two keys but no neighbor statement)
 
00:18:33: OSPF: Neighbor change Event on interface Serial1/0
00:18:33: OSPF: DR/BDR election on Serial1/0
00:18:33: OSPF: Elect BDR 0.0.0.0
00:18:33: OSPF: Elect DR 172.16.1.1
00:18:33: DR: 172.16.1.1 (Id) BDR: none
00:18:34: %SYS-5-CONFIG_I: Configured from console by console
R1#
00:18:51: OSPF: Send with youngest Key 2
R1#
00:19:21: OSPF: Send with key 1
00:19:21: OSPF: Send with key 2
00:19:21: OSPF: Rcv DBD from 172.16.1.4 on Serial1/0 seq 0x263E opt 0x52
flag 0x7 len 32 mtu 1500 state INIT
00:19:21: OSPF: 2 Way Communication to 172.16.1.4 on Serial1/0, state
2WAY
00:19:21: OSPF: Neighbor change Event on interface Serial1/0
00:19:21: OSPF: DR/BDR election on Serial1/0
00:19:21: OSPF: Elect BDR 0.0.0.0
00:19:21: OSPF: Elect DR 172.16.1.4
00:19:21: OSPF: Elect BDR 172.16.1.1
00:19:21: OSPF: Elect DR 172.16.1.4
00:19:21: DR: 172.16.1.4 (Id) BDR: 172.16.1.1 (Id)
00:19:21: OSPF: Send DBD to 172.16.1.4 on Serial1/0 seq 0x19C0 opt 0x52
flag 0x7 len 32
00:19:21: OSPF: Send with key 1
00:19:21: OSPF: Send with key 2
00:19:21: OSPF: Set Serial1/0 flush timer
00:19:21: OSPF: Remember old DR 172.16.1.1 (id)
00:19:21: OSPF: NBR Negotiation Done. We are the SLAVE
00:19:21: OSPF: Send DBD to 172.16.1.4 on Serial1/0 seq 0x263E opt 0x52
flag 0x2 len 52
00:19:21: OSPF: Send with key 1
00:19:21: OSPF: Send with key 2
00:19:21: OSPF: Rcv DBD from 172.16.1.4 on Serial1/0 seq 0x263F opt 0x52
flag 0x3 len 52 mtu 1500 state EXCHANGE
00:19:21: OSPF: Send DBD to 172.16.1.4 on Serial1/0 seq 0x263F opt 0x52
flag 0x0 len 32
00:19:21: OSPF: Send with key 1
00:19:21: OSPF: Send with key 2
00:19:21: OSPF: Send with key 1
00:19:21: OSPF: Send with key 2
00:19:21: OSPF: Database request to 172.16.1.4
00:19:21: OSPF: sent LS REQ packet to 172.16.1.4, length 12
00:19:21: OSPF: Send with key 1
00:19:21: OSPF: Send with key 2
00:19:21: OSPF: Rcv DBD from 172.16.1.4 on Serial1/0 seq 0x2640 opt 0x52
flag 0x1 len 32 mtu 1500 state EXCHANGE
00:19:21: OSPF: Exchange Done with 172.16.1.4 on Serial1/0
00:19:21: OSPF: Send DBD to 172.16.1.4 on Serial1/0 seq 0x2640 opt 0x52
flag 0x0 len 32
00:19:21: OSPF: Send with key 1
00:19:21: OSPF: Send with key 2
00:19:21: OSPF: Synchronized with 172.16.1.4 on Serial1/0, state FULL
00:19:21: %OSPF-5-ADJCHG: Process 1, Nbr 172.16.1.4 on Serial1/0 from
LOADING to FULL, Loading Done
R1#
00:19:22: OSPF: Reset old DR on Serial1/0
00:19:22: OSPF: Send with key 1
00:19:22: OSPF: Send with key 2
00:19:22: OSPF: Build router LSA for area 0, router ID 172.16.1.1, seq
0x80000002
R1#
00:19:24: OSPF: Send with key 1
00:19:24: OSPF: Send with key 2
R1#
00:19:26: OSPF: Send with key 1
00:19:26: OSPF: Send with key 2
R1#
00:19:29: OSPF: Send with key 1
00:19:29: OSPF: Send with key 2
R1#
00:19:31: OSPF: Send with key 1
00:19:31: OSPF: Send with key 2
R1#sh ip
00:19:51: OSPF: Send with key 1
00:19:51: OSPF: Send with key 2
R1#sh ip ospf nei
 
Neighbor ID     Pri   State      Dead Time   Address       Interface
172.16.1.4        1   FULL/DR    00:01:37    172.16.1.4    Serial1/0
R1#no debug all
All possible debugging has been turned off
 
R4 with Neighbor statement and only one key (key 1)
 
00:19:20: OSPF: 2 Way Communication to 172.16.1.1 on Serial2/0, state 2WAY
00:19:20: OSPF: Neighbor change Event on interface Serial2/0
00:19:20: OSPF: DR/BDR election on Serial2/0
00:19:20: OSPF: Elect BDR 0.0.0.0
00:19:20: OSPF: Elect DR 172.16.1.4
00:19:20: DR: 172.16.1.4 (Id) BDR: none
00:19:20: OSPF: Send DBD to 172.16.1.1 on Serial2/0 seq 0x263E opt 0x52
flag 0x7 len 32
00:19:20: OSPF: Send with key 1
00:19:20: OSPF: Neighbor change Event on interface Serial2/0
00:19:20: OSPF: DR/BDR election on Serial2/0
00:19:20: OSPF: Elect BDR 0.0.0.0
00:19:20: OSPF: Elect DR 172.16.1.4
00:19:20: DR: 172.16.1.4 (Id) BDR: none
00:19:20: OSPF: Rcv pkt from 172.16.1.1, Serial2/0 : Mismatch
Authentication Key - No message digest key 2 on interface
00:19:20: OSPF: Rcv pkt from 172.16.1.1, Serial2/0 : Mismatch
Authentication Key - No message digest key 2 on interface
00:19:20: OSPF: Rcv pkt from 172.16.1.1, Serial2/0 : Mismatch
Authentication Key - No message digest key 2 on interface
00:19:20: OSPF: Rcv DBD from 172.16.1.1 on Serial2/0 seq 0x19C0 opt 0x52
flag 0x7 len 32 mtu 1500 state EXSTART
00:19:20: OSPF: First DBD and we are not SLAVE
00:19:20: OSPF: Rcv DBD from 172.16.1.1 on Serial2/0 seq 0x263E opt 0x52
flag 0x2 len 52 mtu 1500 state EXSTART
00:19:20: OSPF: NBR Negotiation Done. We are the MASTER
00:19:20: OSPF: Send DBD to 172.16.1.1 on Serial2/0 seq 0x263F opt 0x52
flag 0x3 len 52
00:19:20: OSPF: Send with youngest Key 1
00:19:20: OSPF: Send with youngest Key 1
00:19:20: OSPF: Database request to 172.16.1.1
00:19:20: OSPF: sent LS REQ packet to 172.16.1.1, length 12
00:19:20: OSPF: Rcv pkt from 172.16.1.1, Serial2/0 : Mismatch
Authentication Key - No message digest key 2 on interface
00:19:20: OSPF: Rcv DBD from 172.16.1.1 on Serial2/0 seq 0x263F opt 0x52
flag 0x0 len 32 mtu 1500 state EXCHANGE
00:19:20: OSPF: Send DBD to 172.16.1.1 on Serial2/0 seq 0x2640 opt 0x52
flag 0x1 len 32
00:19:20: OSPF: Send with youngest Key 1
00:19:20: OSPF: Rcv pkt from 172.16.1.1, Serial2/0 : Mismatch
Authentication Key - No message digest key 2 on interface
00:19:20: OSPF: Rcv pkt from 172.16.1.1, Serial2/0 : Mismatch
Authentication Key - No message digest key 2 on interface
00:19:20: OSPF: Send with youngest Key 1
00:19:20: OSPF: Rcv pkt from 172.16.1.1, Serial2/0 : Mismatch
Authentication Key - No message digest key 2 on interface
00:19:20: OSPF: Rcv DBD from 172.16.1.1 on Serial2/0 seq 0x2640 opt 0x52
flag 0x0 len 32 mtu 1500 state EXCHANGE
00:19:20: OSPF: Exchange Done with 172.16.1.1 on Serial2/0
00:19:20: OSPF: Synchronized with 172.16.1.1 on Serial2/0, state FULL
00:19:20: %OSPF-5-ADJCHG: Process 1, Nbr 172.16.1.1 on Serial2/0 from
LOADING to FULL, Loading Done
R4#
00:19:20: OSPF: Send with youngest Key 1
00:19:20: OSPF: Build router LSA for area 0, router ID 172.16.1.4, seq
0x80000002
00:19:21: OSPF: Rcv pkt from 172.16.1.1, Serial2/0 : Mismatch
Authentication Key - No message digest key 2 on interface
00:19:21: OSPF: Build network LSA for Serial2/0, router ID 172.16.1.4
00:19:21: OSPF: Send with youngest Key 1
00:19:21: OSPF: Build network LSA for Serial2/0, router ID 172.16.1.4
R4#
00:19:23: OSPF: Rcv pkt from 172.16.1.1, Serial2/0 : Mismatch
Authentication Key - No message digest key 2 on interface
R4#
00:19:25: OSPF: Rcv pkt from 172.16.1.1, Serial2/0 : Mismatch
Authentication Key - No message digest key 2 on interface
00:19:25: OSPF: Send with youngest Key 1
R4#
00:19:28: OSPF: Rcv pkt from 172.16.1.1, Serial2/0 : Mismatch
Authentication Key - No message digest key 2 on interface
00:19:29: OSPF: Send with youngest Key 1
R4#
00:19:30: OSPF: Rcv pkt from 172.16.1.1, Serial2/0 : Mismatch
Authentication Key - No message digest key 2 on interface
00:19:30: OSPF: Send with youngest Key 1
R4#
00:19:50: OSPF: Neighbor change Event on interface Serial2/0
00:19:50: OSPF: DR/BDR election on Serial2/0
00:19:50: OSPF: Elect BDR 172.16.1.1
00:19:50: OSPF: Elect DR 172.16.1.4
00:19:50: DR: 172.16.1.4 (Id) BDR: 172.16.1.1 (Id)
00:19:50: OSPF: Neighbor change Event on interface Serial2/0
00:19:50: OSPF: DR/BDR election on Serial2/0
00:19:50: OSPF: Elect BDR 172.16.1.1
00:19:50: OSPF: Elect DR 172.16.1.4
00:19:50: DR: 172.16.1.4 (Id) BDR: 172.16.1.1 (Id)
00:19:50: OSPF: Rcv pkt from 172.16.1.1, Serial2/0 : Mismatch
Authentication Key - No message digest key 2 on interface
R4#
00:19:59: OSPF: Send with youngest Key 1
R4#
R4#
R4#sh ip sopf nei
           ^
% Invalid input detected at '^' marker.
 
R4#sh ip ospf nei
 
Neighbor ID     Pri   State      Dead Time   Address       Interface
172.16.1.1        1   FULL/BDR   00:01:42    172.16.1.1    Serial2/0
R4#u all
All possible debugging has been turned off
R4#
 
R1 working config
 
interface Serial1/0
 ip address 172.16.1.1 255.255.255.0
 encapsulation frame-relay
 ip ospf message-digest-key 1 md5 cisco
 ip ospf message-digest-key 2 md5 ccie
 no arp frame-relay
 frame-relay map ip 172.16.1.4 104 broadcast
 frame-relay map ip 172.16.1.1 104
 no frame-relay inverse-arp
!
router ospf 1
 log-adjacency-changes
 area 0 authentication message-digest
 network 172.16.1.0 0.0.0.255 area 0
 
R4 working config
 
interface Serial2/0
 ip address 172.16.1.4 255.255.255.0
 encapsulation frame-relay
 ip ospf message-digest-key 1 md5 cisco
 no arp frame-relay
 frame-relay map ip 172.16.1.4 401
 frame-relay map ip 172.16.1.1 401 broadcast
 no frame-relay inverse-arp
!
router ospf 1
 log-adjacency-changes
 area 0 authentication message-digest
 network 172.16.1.0 0.0.0.255 area 0
 neighbor 172.16.1.1 priority 1
 

From: gladston@br.ibm.com [mailto:gladston@br.ibm.com]
Sent: Tuesday, April 26, 2005 8:50 AM
To: George Cassels (gcassels); Alsontra Daniels; Pearson John
Cc: ccielab@groupstudy.com
Subject: Fw: OSPF MD5 - Rollover

Hi,

I am reproducing the same lab at the moment. And the problem is there
again, so if you want me to get any result of commands, just let me know.

Just R4 has "neighbor x.x.x.x" statement.
R4 just tries to authenticate using key 2, although it is configured with
key 1 and key 2.
If I remove the key 2 on R4 or configure key 2 on R1, OSPF adj goes up.
After adjacency goes up, I can return the key 2 on R4 and everything is
normal, UNTIL reload router R4 again.

R4

interface Serial0/0
 ip address 142.20.14.4 255.255.255.0
 ip pim sparse-dense-mode
 encapsulation frame-relay
 ip ospf message-digest-key 1 md5 cisco
 ip ospf message-digest-key 2 md5 ccie
 ipv6 address 2001::4/64
 no fair-queue
 frame-relay map ip 142.20.14.1 401 broadcast
no sh
!

R4#deb ip os ad
OSPF adjacency events debugging is on
Rack2R4#sh ip os int ser 0/0
Serial0/0 is up, line protocol is up
  Internet Address 142.20.14.4/24, Area 112
  Process ID 1, Router ID 142.20.4.1, Network Type NON_BROADCAST, Cost:
64
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 142.20.4.1, Interface address 142.20.14.4
  No backup designated router on this network
   Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
    oob-resync timeout 120
    Hello due in 00:00:01
  Index 2/2, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 0, maximum is 0
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 0, Adjacent neighbor count is 0
   Suppress hello for 0 neighbor(s)
   Message digest authentication enabled
    Youngest key id is 2
Rack2R4#
*Mar 1 00:48:29.453: OSPF: Sending poll to 0.0.0.0 address 142.20.14.1
on Serial0/0
*Mar 1 00:48:29.453: OSPF: Send with youngest Key 2
*Mar 1 00:48:29.497: OSPF: Send with youngest Key 2
Rack2R4#s
*Mar 1 00:48:59.498: OSPF: Send with youngest Key 2
R4#

R1

interface Serial0/0.14 multipoint
 ip address 142.20.14.1 255.255.255.0
 ip pim sparse-dense-mode
 ip ospf message-digest-key 1 md5 cisco
 ip ospf priority 0
 ipv6 address 2001::1/64
 frame-relay map ip 142.20.1.4 104 broadcast
 frame-relay map ip 142.20.14.4 104 broadcast
!

router ospf 1
 router-id 142.20.1.1
 log-adjacency-changes
 area 0 authentication
 area 112 authentication message-digest
 redistribute rip subnets
 network 142.20.1.0 0.0.0.255 area 0
 network 142.20.14.0 0.0.0.255 area 112
 network 142.20.125.0 0.0.0.31 area 0

2R1#sh ip os int ser 0/0.14
Serial0/0.14 is up, line protocol is up
  Internet Address 142.20.14.1/24, Area 112
  Process ID 1, Router ID 142.20.1.1, Network Type NON_BROADCAST, Cost:
64
  Transmit Delay is 1 sec, State DROTHER, Priority 0
  No designated router on this network
  No backup designated router on this network
   Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
    oob-resync timeout 120
    Hello due in 00:00:23
  Index 1/2, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 0, maximum is 0
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 0, Adjacent neighbor count is 0
   Suppress hello for 0 neighbor(s)
   Message digest authentication enabled
    Youngest key id is 1

Cordially
------------------------------------------------------------------
Alaerte
----- Forwarded by Alaerte Gladston Vidali/Brazil/IBM on 26/04/2005 09:31
-----

Alaerte Gladston Vidali/Brazil/IBM

22/04/2005 16:08

To
Pearson John <jnhpearson@yahoo.co.jp>
cc
ccielab@groupstudy.com, "George Cassels (gcassels)"
<gcassels@cisco.com>, "Alsontra Daniels" <alsontra@gmail.com>
Subject
RE: OSPF MD5 - Rollover

Hi,
Thanks for the replies.

The problem I faced seems to be the same as Pearson experimented. It does
occur only after reloading the router R4.
No reload, no problem. OSPF adjacencies keep up, and if I configure the
new key (key2) on R1, the rollover process finishes successfully.

Sorry for the missing config parts. They are all there, layer 2/3 is
working (besides the problem with reload and rollover).

R4 is connected to R1 --> nbma frame-relay
Just R4 is configured with neighbor statement. (although after
configuring R1 with neighbor, the adjacency goes UP after reloading R4)

On real networks that would not be a problem, because it would be rare
to reload the routers during rollover process.
But can you see the problem in the CCIE lab? or before lunch, when we
usually reload the routers.

====================================
quoted
Because you are using non-broadcast with frame relay it would
require one of the routers to have a neighbor statement to establish an
adjacency (typically the hub).

Regards,
George
==================================

R4 has the neighbor statement. There is just R1 and R4 on this particular
problem.

====================
 Also I don't know if it was cut off in
the paste but I don't see your map statement on the S0/0 interface on
R4?
Regards,
George
==================================
It was cut off. Sorry.

==================================
Also I don't understand why on R1 you have two map statements on s
0/0.14 mult interface going to two different subnets? OSPF should try
and use the youngest key that is similar between the two routers.

Regards,
George
==================================

My mistake, probably typed wrongly during rack rental time. MAPs are on R4
and R1.

================================
OSPF should try
and use the youngest key that is similar between the two routers.

Regards,
George
==================================

And it does, the problem is just after reloading R4. It sends OSPF
packets with Key 1 and key 2 but OSPF adjacency stays DOWN. If I remove
key 1 from R4 or configure key 2 on R1 adjacency goes UP.

==================================
I'm somewhat confused by your explanation of the behavior. Can
you post the appropriate adj. debug?

HTH,
Alsontra
==================================

I will rent rack lab time next April 26th, so I can reproduce it again.

Cordially,
------------------------------------------------------------------
Gladston

Pearson John <jnhpearson@yahoo.co.jp>

21/04/2005 23:21

To
"George Cassels (gcassels)" <gcassels@cisco.com>, Alaerte Gladston
Vidali/Brazil/IBM@IBMBR, <ccielab@groupstudy.com>
cc

Subject
RE: OSPF MD5 - Rollover

George,

Many thanks for the comments concerning MD5 rollover with
OSPF. I've seen a case with an FR Hub&Spoke topology (OSPF
non-broadcast) - Hub and two spokes, where the DR Hub (say
R1) and one spoke (say R2) have been updated with new key
2 and the other spoke (say R3) has just the old key.

What was seen is that the neighboring between R1 and R2
use the younger key 2, and R1 and R3 use the older key1.
This is fine whilst the DR is still up and even after
clearing the OSPF process on the DR R1. However, once the
DR Hub R1 is reloaded, R1 and R2 can neighbor up, but R1
and R3 don't seem to be able to neighbor up with the older
key1.

Cisco documentation on OSPF rollover states that until a
router knows ALL neighbors have the new key configured, it
will still send packets with each key. This doesn't seem
to be the case in this scenario once R1 was reloaded.
What's your experience with an FR Hub&Spoke OSPF
non-broadcast topology where keys are updated on one spoke
and the DR Hub only? Shouldn't the DR Hub send both keys
whilst other spokes haven't been updated with the new key?
Any advice would be greatly appreciated.

Thanks in advance.
John

--- Message from "George Cassels (gcassels)" <gcassels@cisco.com>:
> Gladston,
>
> Because you are using non-broadcast with frame
> relay it would
> require one of the routers to have a neighbor
> statement to establish an
> adjacency (typically the hub). Also I don't know if
> it was cut off in
> the paste but I don't see your map statement on the
> S0/0 interface on
> R4? Also I don't understand why on R1 you have two
> map statements on s
> 0/0.14 mult interface going to two different
> subnets? OSPF should try
> and use the youngest key that is similar between the
> two routers.
>
> Regards,
> George
>
>
> -----Original Message-----
> From: nobody@groupstudy.com
> [mailto:nobody@groupstudy.com] On Behalf Of
> gladston@br.ibm.com
> Sent: Thursday, April 21, 2005 1:07 PM
> To: ccielab@groupstudy.com
> Subject: OSPF MD5 - Rollover
>
> Rollover key works fine before reloading. After
> reloading R4 tries to
> authenticate using key 1 and 2 but adjacency does
> not go up. If I remove
> the second key, it establishes the adjacency.
>
> If I configure neighbor statement on R1, adjacency
> goes up.
> Network type is non-broadcast.
>
> Have you seen this behavior?
>
> R4
> interface Serial0/0
> ip address 142.20.14.4 255.255.255.0
> ip pim sparse-dense-mode
> encapsulation frame-relay
> ip ospf message-digest-key 1 md5 cisco
> ip ospf message-digest-key 2 md5 ccie
>
> R4
> router-id 142.20.4.1
> log-adjacency-changes
> area 112 authentication message-digest
> area 113 authentication message-digest
> redistribute connected subnets route-map connected->ospf
> network 142.20.4.0 0.0.0.255 area 112
> network 142.20.14.0 0.0.0.255 area 112
> network 142.20.45.4 0.0.0.3 area 113
> neighbor 142.20.14.1
>
>
>
> R1
> router ospf 1
> router-id 142.20.1.1
> log-adjacency-changes
> area 0 authentication
> area 112 authentication message-digest
> redistribute rip subnets
> network 142.20.1.0 0.0.0.255 area 0
> network 142.20.14.0 0.0.0.255 area 112
> network 142.20.125.0 0.0.0.31 area 0
>
> R1
> interface Serial0/0.14 multipoint
> ip address 142.20.14.1 255.255.255.0
> ip pim sparse-dense-mode
> ip ospf message-digest-key 1 md5 cisco
> ip ospf priority 0
> ipv6 address 2001::1/64
> frame-relay map ip 142.20.1.4 104 broadcast
> frame-relay map ip 142.20.14.4 104 broadcast
>
>
> Rack2R4#sh ver
> Cisco Internetwork Operating System Software IOS
> (tm) C2600 Software
> (C2600-J1S3-M), Version 12.2(15)T5
>
>
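
The debug output exchanged in this thread can be triaged mechanically. The following is an added example, not part of any message above: it parses `debug ip ospf adj` lines in the formats quoted in the thread and reports which key IDs a router sends, which key IDs it rejects from a peer, and whether an adjacency reached FULL. The sample inputs are constructed in the thread's log format, and the classification labels are hypothetical names chosen for this example.

```python
import re
from collections import defaultdict

# Line formats as they appear in the "debug ip ospf adj" output quoted in the thread.
TS = re.compile(r"^(?:\*\w{3}\s+\d+\s+)?\d\d:\d\d:\d\d(?:\.\d+)?: ")
PROMPT = re.compile(r"^[\w-]+#")
SEND = re.compile(r"OSPF: Send with (youngest )?[Kk]ey (\d+)")
MISMATCH = re.compile(
    r"OSPF: Rcv pkt from (\S+), \S+ : Mismatch Authentication Key - "
    r"No message digest key (\d+) on interface")
ADJCHG = re.compile(r"%OSPF-5-ADJCHG: Process \d+, Nbr (\S+) on \S+ from \w+ to (\w+)")

def unwrap(text):
    """Rejoin debug lines wrapped by the mail client and drop CLI prompt lines."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or PROMPT.match(line):
            continue
        if TS.match(line) or not out:
            out.append(line)
        else:
            out[-1] += " " + line
    return out

def analyze(text):
    """Collect key IDs sent, key IDs rejected per peer, and adjacency state."""
    youngest, rollover, state = set(), set(), {}
    rejected = defaultdict(set)
    for line in unwrap(text):
        if m := SEND.search(line):
            (youngest if m.group(1) else rollover).add(int(m.group(2)))
        elif m := MISMATCH.search(line):
            rejected[m.group(1)].add(int(m.group(2)))
        elif m := ADJCHG.search(line):
            state[m.group(1)] = m.group(2)  # keep the last state seen per neighbor
    return {"youngest": youngest, "rollover": rollover,
            "rejected": dict(rejected), "full": "FULL" in state.values()}

def classify(r):
    """Hypothetical labels for the situations seen in the thread."""
    if r["full"]:
        busy = len(r["rollover"]) > 1 or r["rejected"]
        return "rollover-in-progress" if busy else "stable"
    if r["rejected"]:
        return "peer-key-missing-locally"    # peer signs with a key ID not configured here
    if r["youngest"]:
        return "youngest-only-no-adjacency"  # only the newest key sent, nothing accepted
    return "no-data"

# Constructed samples in the thread's log format (wrapped lines included on purpose).
R4_FAIL = """00:16:29: OSPF: Send with youngest Key 1
R4#
00:16:50: OSPF: Rcv pkt from 172.16.1.1, Serial2/0 : Mismatch
Authentication Key - No message digest key 2 on interface
"""
R1_FAIL = """00:16:51: OSPF: Send with youngest Key 2
00:17:21: %OSPF-5-ADJCHG: Process 1, Nbr 0.0.0.0 on Serial1/0 from
ATTEMPT to DOWN, Neighbor Down: Dead timer expired
"""
R1_OK = """00:19:21: OSPF: Send with key 1
00:19:21: OSPF: Send with key 2
00:19:21: %OSPF-5-ADJCHG: Process 1, Nbr 172.16.1.4 on Serial1/0 from
LOADING to FULL, Loading Done
"""

if __name__ == "__main__":
    for name, log in (("R4_FAIL", R4_FAIL), ("R1_FAIL", R1_FAIL), ("R1_OK", R1_OK)):
        print(name, classify(analyze(log)), analyze(log))
```
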



This archive was generated by hypermail 2.1.4 : Tue May 03 2005 - 07:55:09 GMT-3