RE: OSPF authentication using rollover keys

From: juan_delgado (juan_delgado@etb.net.co)
Date: Sat May 27 2006 - 19:37:38 ART


 Scott,
 
I was also trying to test this configuration. Sometimes it works, other times it does not. When I rebooted my routers it did not work, and the hub router does not show the rollover process.
 
This is my hub router
 
interface Serial0/1/0.246 multipoint
 bandwidth 128
 ip address 150.50.246.2 255.255.255.0
 ip pim dr-priority 100
 ip pim sparse-dense-mode
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 cisco
 ip ospf message-digest-key 25 md5 sanfran
 ip ospf hello-interval 10
 ip ospf priority 100
 frame-relay map ip 150.50.246.2 204
 frame-relay map ip 150.50.246.4 204 broadcast
 frame-relay map ip 150.50.246.6 206 broadcast
 no frame-relay inverse-arp
end
 
This is the output state of this interface
 
R2#show ip ospf interface serial 0/1/0.246
Serial0/1/0.246 is up, line protocol is up
  Internet Address 150.50.246.2/24, Area 246
  Process ID 1, Router ID 2.2.2.2, Network Type NON_BROADCAST, Cost: 781
  Transmit Delay is 1 sec, State DR, Priority 100
  Designated Router (ID) 2.2.2.2, Interface address 150.50.246.2
  No backup designated router on this network
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:08
  Supports Link-local Signaling (LLS)
  Index 2/8, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 4.4.4.4
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
    Youngest key id is 25

 
This is the spoke that is unable to form the neighbor relationship with the hub.
 
interface Serial4/0
 ip address 150.50.246.6 255.255.255.0
 ip pim sparse-dense-mode
 encapsulation frame-relay
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 cisco
 ip ospf hello-interval 10
 ip ospf priority 0
 serial restart_delay 0
 frame-relay map ip 150.50.246.2 602 broadcast
 frame-relay map ip 150.50.246.4 602 broadcast
 frame-relay map ip 150.50.246.6 602
 no frame-relay inverse-arp
end
 
 
This is after rebooting all the routers. So I am worried that the rollover process is a mechanism that depends on the current OSPF process, and when I reload my routers I lose neighboring with some routers. While all routers are up and running I can make the changes and the rollover process appears as you say in your email, but after rebooting the router sometimes it works and other times it does not.
What could be the cause?

        -----Original Message-----
        From: nobody@groupstudy.com on behalf of Scott Morris
        Sent: Sat 27/05/2006 13:03
        To: 'Larry Chuon'; 'Cisco certification'
        CC:
        Subject: RE: OSPF authentication using rollover keys
        
        

        Do you have any neighbor using the other key??? If you do, then they'll
        all show up:
        
        Emanon-R1(config)#do sh ip o n
        
        Neighbor ID     Pri   State           Dead Time   Address         Interface
        15.15.15.15       0   FULL/DROTHER    00:01:48    172.17.150.3    Serial0/0.1
        200.103.1.1       0   FULL/DROTHER    00:01:39    172.17.150.2    Serial0/0.1
        172.17.155.5      0   FULL/  -        00:00:33    172.17.155.5    Serial0/1
        Emanon-R1(config)#do sh ip o i s0/0.1
        Serial0/0.1 is up, line protocol is up
          Internet Address 172.17.150.1/24, Area 0
          Process ID 1, Router ID 24.24.24.24, Network Type NON_BROADCAST, Cost: 64
          Transmit Delay is 1 sec, State DR, Priority 128
          Designated Router (ID) 24.24.24.24, Interface address 172.17.150.1
          No backup designated router on this network
          Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
            oob-resync timeout 120
            Hello due in 00:00:16
          Index 1/3, flood queue length 0
          Next 0x0(0)/0x0(0)
          Last flood scan length is 5, maximum is 6
          Last flood scan time is 8 msec, maximum is 12 msec
          Neighbor Count is 2, Adjacent neighbor count is 2
            Adjacent with neighbor 15.15.15.15
            Adjacent with neighbor 200.103.1.1
          Suppress hello for 0 neighbor(s)
          Message digest authentication enabled
            Youngest key id is 3
            Rollover in progress, 1 neighbor(s) using the old key(s):
              key id 1
              key id 2
        Emanon-R1(config)#do sh run int s0/0.1
        Building configuration...
        
        Current configuration : 505 bytes
        !
        interface Serial0/0.1 multipoint
         ip address 172.17.150.1 255.255.255.0
         ip router isis
         ip pim sparse-dense-mode
         service-policy input testing
         ip ospf authentication message-digest
         ip ospf message-digest-key 1 md5 IPExpert
         ip ospf message-digest-key 2 md5 R2Key
         ip ospf message-digest-key 3 md5 R3Key
         ip ospf priority 128
         isis priority 127
         frame-relay class trfshape
         frame-relay map ip 172.17.150.2 102 broadcast
         frame-relay map ip 172.17.150.3 103 broadcast
         no frame-relay inverse-arp
        end
        
        Emanon-R1(config)#
        
        Note, my hub there actually has three keys configured on it. Although
        according to the show ip ospf interface command, only two of them are used.
        Because I have two peers using separate/different keys.
        
        HTH,
        
        
        Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE
        #153, CISSP, et al.
        CCSI/JNCI
        IPExpert CCIE Program Manager
        IPExpert Sr. Technical Instructor
        smorris@ipexpert.com
        http://www.ipexpert.com
        
        
        
        -----Original Message-----
        From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
        Larry Chuon
        Sent: Friday, May 26, 2006 11:19 AM
        To: Cisco certification
        Subject: OSPF authentication using rollover keys
        
        Hi group,
        
        I've three routers. Each is configured to do md5 authentication. I put in
        key 1. Everything works fine. Then, I proceed to add a second key on R1
        (hub) and R3.
        
        R1:
         ip ospf authentication message-digest
         ip ospf message-digest-key 1 md5 cisco
         ip ospf message-digest-key 2 md5 cisco2
        
        R3:
        ip ospf authentication message-digest
        ip ospf message-digest-key 2 md5 cisco2
        
        Now, only R1 and R3 form adjacency.
        
        R2 displays an error message:
        
        *May 26 15:21:29.575: OSPF: Send with youngest Key 1 !
        Serial0/0/0 : Mismatch Authentication Key - No message digest key 2 on
        interface
        
        It can't form adjacency with the hub.
        
        Both R1 and R3 have the following info AFTER a reboot. I believe that all
        three routers were working fine before the reboot.
        
        sh ip os int s0/0/0 | in auth|key
          Message digest authentication enabled
            Youngest key id is 2
        
        What is the proper way to do rollover?
        
        TIA,
        Larry
        
        _______________________________________________________________________
        Subscription information may be found at:
        http://www.groupstudy.com/list/CCIELab.html
        
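
A consistency check for the situation discussed in this thread, as an added example that is not part of the original messages: it reads the `ip ospf message-digest-key` lines from a hub and a spoke interface stanza plus the hub's `show ip ospf interface` output, and reports when the spoke lacks the hub's youngest key while the hub shows no rollover in progress. The function names are hypothetical, the sample text is copied from the configurations posted above, and secrets stored with encryption type 7 are not compared.

```python
import re

# ip ospf message-digest-key <id> md5 [0|7] <secret>
KEY_RE = re.compile(r"^\s*ip ospf message-digest-key (\d+) md5 (?:([07]) )?(\S+)", re.M)

def digest_keys(stanza):
    """Map key id -> (encryption type, secret) for one interface stanza."""
    return {int(i): (enc or "0", sec) for i, enc, sec in KEY_RE.findall(stanza)}

def rollover_state(show_text):
    """Pull the authentication lines out of 'show ip ospf interface'."""
    young = re.search(r"Youngest key id is (\d+)", show_text)
    return {
        "youngest": int(young.group(1)) if young else None,
        "rollover": "Rollover in progress" in show_text,
        "old_keys": [int(k) for k in re.findall(r"^\s*key id (\d+)\s*$", show_text, re.M)],
    }

def audit(hub_stanza, hub_show, spoke_stanza):
    """List key inconsistencies between a hub and one spoke."""
    hub, spoke = digest_keys(hub_stanza), digest_keys(spoke_stanza)
    state, findings = rollover_state(hub_show), []
    young = state["youngest"]
    if young is not None and young not in spoke:
        findings.append(f"spoke has no key {young} (hub's youngest)")
        if not state["rollover"]:
            findings.append("hub shows no rollover in progress")
    for kid in sorted(hub.keys() & spoke.keys()):
        (h_enc, h_sec), (s_enc, s_sec) = hub[kid], spoke[kid]
        # Type 7 strings are not compared as text, so only cleartext is checked.
        if h_enc == s_enc == "0" and h_sec != s_sec:
            findings.append(f"key {kid}: secrets differ")
    return findings

# Lines copied from the hub and spoke configurations posted in the thread.
HUB_STANZA = """interface Serial0/1/0.246 multipoint
 ip ospf message-digest-key 1 md5 cisco
 ip ospf message-digest-key 25 md5 sanfran
"""
HUB_SHOW = """  Message digest authentication enabled
    Youngest key id is 25
"""
SPOKE_STANZA = """interface Serial4/0
 ip ospf message-digest-key 1 md5 cisco
"""

if __name__ == "__main__":
    for line in audit(HUB_STANZA, HUB_SHOW, SPOKE_STANZA):
        print(line)
```

Run against the second show output in the thread (youngest key 3, rollover in progress), `rollover_state` also returns the old key ids the hub is still using toward its neighbors.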



This archive was generated by hypermail 2.1.4 : Thu Jun 01 2006 - 06:33:22 ART