From: Larry Chuon (lchuon@gmail.com)
Date: Sat May 27 2006 - 20:07:34 ART
Hi Scott,
The problem occurred after a reload. OSPF adj failed for one of the spokes.
Prior to reloading the routers, everything worked just fine. The remedy to
this problem is to apply the keys in reverse order IF you don't roll over
all the keys before the reboot. Of course, once you've rebooted, show ip
ospf interface won't show rollover in process anymore.
This is what I noticed during my trials and errors. Thanks for getting back
to me though.
Larry
On 5/27/06, Scott Morris <swm@emanon.com> wrote:
>
> Do you have any neighbor using the other key??? If you do, then they'll
> all show up:
>
> Emanon-R1(config)#do sh ip o n
>
> Neighbor ID     Pri   State           Dead Time   Address         Interface
> 15.15.15.15       0   FULL/DROTHER    00:01:48    172.17.150.3    Serial0/0.1
> 200.103.1.1       0   FULL/DROTHER    00:01:39    172.17.150.2    Serial0/0.1
> 172.17.155.5      0   FULL/ -         00:00:33    172.17.155.5    Serial0/1
> Emanon-R1(config)#do sh ip o i s0/0.1
> Serial0/0.1 is up, line protocol is up
> Internet Address 172.17.150.1/24, Area 0
> Process ID 1, Router ID 24.24.24.24, Network Type NON_BROADCAST, Cost: 64
> Transmit Delay is 1 sec, State DR, Priority 128
> Designated Router (ID) 24.24.24.24, Interface address 172.17.150.1
> No backup designated router on this network
> Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
> oob-resync timeout 120
> Hello due in 00:00:16
> Index 1/3, flood queue length 0
> Next 0x0(0)/0x0(0)
> Last flood scan length is 5, maximum is 6
> Last flood scan time is 8 msec, maximum is 12 msec
> Neighbor Count is 2, Adjacent neighbor count is 2
> Adjacent with neighbor 15.15.15.15
> Adjacent with neighbor 200.103.1.1
> Suppress hello for 0 neighbor(s)
> Message digest authentication enabled
> Youngest key id is 3
> Rollover in progress, 1 neighbor(s) using the old key(s):
> key id 1
> key id 2
> Emanon-R1(config)#do sh run int s0/0.1
> Building configuration...
>
> Current configuration : 505 bytes
> !
> interface Serial0/0.1 multipoint
> ip address 172.17.150.1 255.255.255.0
> ip router isis
> ip pim sparse-dense-mode
> service-policy input testing
> ip ospf authentication message-digest
> ip ospf message-digest-key 1 md5 IPExpert
> ip ospf message-digest-key 2 md5 R2Key
> ip ospf message-digest-key 3 md5 R3Key
> ip ospf priority 128
> isis priority 127
> frame-relay class trfshape
> frame-relay map ip 172.17.150.2 102 broadcast
> frame-relay map ip 172.17.150.3 103 broadcast
> no frame-relay inverse-arp
> end
>
> Emanon-R1(config)#
>
> Note, my hub there actually has three keys configured on it. Although
> according to the show ip ospf interface command, only two of them are used.
> Because I have two peers using separate/different keys.
>
> HTH,
>
>
> Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE
> #153, CISSP, et al.
> CCSI/JNCI
> IPExpert CCIE Program Manager
> IPExpert Sr. Technical Instructor
> smorris@ipexpert.com
> http://www.ipexpert.com
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Larry Chuon
> Sent: Friday, May 26, 2006 11:19 AM
> To: Cisco certification
> Subject: OSPF authentication using rollover keys
>
> Hi group,
>
> I've three routers. Each is configured to do md5 authentication. I put in
> key 1. Everything works fine. Then, I proceed to add a second key on R1
> (hub) and R3.
>
> R1:
> ip ospf authentication message-digest
> ip ospf message-digest-key 1 md5 cisco
> ip ospf message-digest-key 2 md5 cisco2
>
> R3:
> ip ospf authentication message-digest
> ip ospf message-digest-key 2 md5 cisco2
>
> Now, only R1 and R3 form adjacency.
>
> R2 displays an error message:
>
> *May 26 15:21:29.575: OSPF: Send with youngest Key 1 !
> Serial0/0/0 : Mismatch Authentication Key - No message digest key 2 on interface
>
> It can't form adjacency with the hub.
>
> Both R1 and R3 have the following info AFTER a reboot. I believe that all
> three routers were working fine before the reboot.
>
> sh ip os int s0/0/0 | in auth|key
> Message digest authentication enabled
> Youngest key id is 2
>
> What is the proper way to do rollover?
>
> TIA,
> Larry
>
This archive was generated by hypermail 2.1.4 : Thu Jun 01 2006 - 06:33:22 ART
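
Added example, not part of the thread or of any poster's configuration: a Python check over interface stanzas that flags a peer lacking a router's youngest key, the condition R2's log line above reports. It assumes the last message-digest-key line in a stanza is the youngest key; the R2 stanza, the interface name on R1 and R3, and all function names are constructed for illustration.

```python
import re

# Constructed stanzas: R1/R3 keys as quoted in the thread, R2 (key 1 only) inferred.
CONFIGS = {
    "R1": """interface Serial0/0/0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 cisco
 ip ospf message-digest-key 2 md5 cisco2
""",
    "R2": """interface Serial0/0/0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 cisco
""",
    "R3": """interface Serial0/0/0
 ip ospf authentication message-digest
 ip ospf message-digest-key 2 md5 cisco2
""",
}
KEY_RE = re.compile(r"^[ \t]*ip ospf message-digest-key (\d+) md5 (\S+)[ \t]*$", re.M)

def parse_keys(stanza):
    """Return [(key_id, secret), ...] in the order the lines appear."""
    return [(int(k), s) for k, s in KEY_RE.findall(stanza)]

def youngest(keys):
    """Assumption: the last key line in the stanza is the youngest key."""
    return keys[-1] if keys else None

def audit(configs, hub, spokes):
    """Flag each direction where the receiver lacks the sender's youngest key."""
    keys = {name: parse_keys(text) for name, text in configs.items()}
    findings = []
    for spoke in spokes:
        for sender, receiver in ((hub, spoke), (spoke, hub)):
            y = youngest(keys[sender])
            if y is None:
                findings.append((sender, receiver, None, "no key configured"))
                continue
            have = dict(keys[receiver])
            if y[0] not in have:
                findings.append((sender, receiver, y[0], "key id missing on receiver"))
            elif have[y[0]] != y[1]:
                findings.append((sender, receiver, y[0], "secret differs"))
    return findings

if __name__ == "__main__":
    for f in audit(CONFIGS, "R1", ["R2", "R3"]):
        print("%s -> %s: key %s: %s" % f)
```

Because it reads only the configuration, the check gives the same answer before and after a reload, unlike the rollover lines in show ip ospf interface.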