RE: OSPF authentication using rollover keys

From: Scott Morris (swm@emanon.com)
Date: Sat May 27 2006 - 22:57:25 ART


By the way, if you wait long enough (about 10 minutes on my test) it WILL
indeed come back online. ;)
 
Emanon-R1#
*Mar 1 00:12:56.431: OSPF: Send with key 1
*Mar 1 00:12:56.431: OSPF: Send with key 2
*Mar 1 00:12:56.435: OSPF: Send with key 3
Emanon-R1#sh ip o n
 
Neighbor ID     Pri   State           Dead Time   Address         Interface
200.103.1.1       0   FULL/DROTHER    00:01:39    172.17.150.2    Serial0/0.1
15.15.15.15       0   FULL/DROTHER    00:01:49    172.17.150.3    Serial0/0.1
172.17.155.5      0   FULL/  -        00:00:35    172.17.155.5    Serial0/1
Emanon-R1#sh ip o i s0/0.1
Serial0/0.1 is up, line protocol is up
  Internet Address 172.17.150.1/24, Area 0
  Process ID 1, Router ID 223.1.7.1, Network Type NON_BROADCAST, Cost: 64
  Transmit Delay is 1 sec, State DR, Priority 128
  Designated Router (ID) 223.1.7.1, Interface address 172.17.150.1
  No backup designated router on this network
  Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
    oob-resync timeout 120
    Hello due in 00:00:19
  Index 2/4, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 4
  Last flood scan time is 12 msec, maximum is 12 msec
  Neighbor Count is 2, Adjacent neighbor count is 2
    Adjacent with neighbor 200.103.1.1
    Adjacent with neighbor 15.15.15.15
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
    Youngest key id is 3
    Rollover in progress, 1 neighbor(s) using the old key(s):
      key id 1
      key id 2
Emanon-R1#
 
Emanon-R1#sh ip o n det
 Neighbor 200.103.1.1, interface address 172.17.150.2
    In the area 0 via interface Serial0/0.1
    Neighbor priority is 0, State is FULL, 10 state changes
    DR is 172.17.150.1 BDR is 0.0.0.0
    Poll interval 120
    Options is 0x52
    LLS Options is 0x1 (LR)
    Dead timer due in 00:01:45
    Neighbor is up for 00:01:59
    Index 2/3, retransmission queue length 0, number of retransmission 1
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 1, maximum is 1
    Last retransmission scan time is 4 msec, maximum is 4 msec
 Neighbor 15.15.15.15, interface address 172.17.150.3
    In the area 0 via interface Serial0/0.1
    Neighbor priority is 0, State is FULL, 8 state changes
    DR is 172.17.150.1 BDR is 0.0.0.0
    Poll interval 120
    Options is 0x52
    LLS Options is 0x1 (LR)
    Dead timer due in 00:01:55
    Neighbor is up for 00:11:59
    Index 1/2, retransmission queue length 0, number of retransmission 1
 --More--
*Mar 1 00:14:26.447: OSPF: Send with key 1
*Mar 1 00:14:26.447: OSPF: Send with key 2
*Mar 1 00:14:26.451: OSPF: Send with key 3
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 1, maximum is 1
    Last retransmission scan time is 0 msec, maximum is 0 msec
 Neighbor 172.17.155.5, interface address 172.17.155.5
    In the area 5 via interface Serial0/1
    Neighbor priority is 0, State is FULL, 6 state changes
    DR is 0.0.0.0 BDR is 0.0.0.0
    Options is 0x52
    LLS Options is 0x1 (LR)
    Dead timer due in 00:00:33
    Neighbor is up for 00:13:57
    Index 1/1, retransmission queue length 0, number of retransmission 1
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 1, maximum is 1
    Last retransmission scan time is 0 msec, maximum is 0 msec
Emanon-R1#
 
Notice the difference in the times that neighbors have been up...
 
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE
#153, CISSP, et al.
CCSI/JNCI
IPExpert CCIE Program Manager
IPExpert Sr. Technical Instructor
smorris@ipexpert.com
http://www.ipexpert.com
 

  _____

From: Larry Chuon [mailto:lchuon@gmail.com]
Sent: Saturday, May 27, 2006 7:08 PM
To: swm@emanon.com
Cc: Cisco certification
Subject: Re: OSPF authentication using rollover keys

Hi Scott,

The problem occurred after a reload. OSPF adj failed for one of the spokes.
Prior to reloading the routers, everything worked just fine. The remedy to
this problem is to apply the keys in reverse order IF you don't roll over
all the keys before the reboot. Of course, once you've rebooted, show ip
ospf interface won't show rollover in progress anymore.

This is what I noticed during my trials and errors. Thanks for getting back
to me though.

Larry

On 5/27/06, Scott Morris <swm@emanon.com> wrote:

Do you have any neighbor using the other key??? If you do, then they'll
all show up:

Emanon-R1(config)#do sh ip o n

Neighbor ID     Pri   State           Dead Time   Address         Interface
15.15.15.15       0   FULL/DROTHER    00:01:48    172.17.150.3    Serial0/0.1
200.103.1.1       0   FULL/DROTHER    00:01:39    172.17.150.2    Serial0/0.1
172.17.155.5      0   FULL/  -        00:00:33    172.17.155.5    Serial0/1
Emanon-R1(config)#do sh ip o i s0/0.1
Serial0/0.1 is up, line protocol is up
  Internet Address 172.17.150.1/24, Area 0
  Process ID 1, Router ID 24.24.24.24, Network Type NON_BROADCAST, Cost: 64
  Transmit Delay is 1 sec, State DR, Priority 128
  Designated Router (ID) 24.24.24.24, Interface address 172.17.150.1
  No backup designated router on this network
  Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
    oob-resync timeout 120
    Hello due in 00:00:16
  Index 1/3, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 5, maximum is 6
  Last flood scan time is 8 msec, maximum is 12 msec
  Neighbor Count is 2, Adjacent neighbor count is 2
    Adjacent with neighbor 15.15.15.15
    Adjacent with neighbor 200.103.1.1
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
    Youngest key id is 3
    Rollover in progress, 1 neighbor(s) using the old key(s):
      key id 1
      key id 2
Emanon-R1(config)#do sh run int s0/0.1
Building configuration...

Current configuration : 505 bytes
!
interface Serial0/0.1 multipoint
ip address 172.17.150.1 255.255.255.0
ip router isis
ip pim sparse-dense-mode
service-policy input testing
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 IPExpert
ip ospf message-digest-key 2 md5 R2Key
ip ospf message-digest-key 3 md5 R3Key
ip ospf priority 128
isis priority 127
frame-relay class trfshape
frame-relay map ip 172.17.150.2 102 broadcast
frame-relay map ip 172.17.150.3 103 broadcast
no frame-relay inverse-arp
end

Emanon-R1(config)#

Note that my hub there actually has three keys configured on it, although
according to the show ip ospf interface command only two of them are used,
because I have two peers using separate/different keys.

HTH,

Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE
#153, CISSP, et al.
CCSI/JNCI
IPExpert CCIE Program Manager
IPExpert Sr. Technical Instructor
smorris@ipexpert.com
http://www.ipexpert.com

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Larry Chuon
Sent: Friday, May 26, 2006 11:19 AM
To: Cisco certification
Subject: OSPF authentication using rollover keys

Hi group,

I've three routers. Each is configured to do md5 authentication. I put in
key 1. Everything works fine. Then, I proceed to add a second key on R1
(hub) and R3.

R1:
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 cisco
ip ospf message-digest-key 2 md5 cisco2

R3:
ip ospf authentication message-digest
ip ospf message-digest-key 2 md5 cisco2

Now, only R1 and R3 form adjacency.

R2 displays an error message:

*May 26 15:21:29.575: OSPF: Send with youngest Key 1 !
Serial0/0/0 : Mismatch Authentication Key - No message digest key 2 on interface

It can't form adjacency with the hub.

Both R1 and R3 have the following info AFTER a reboot. I believe that all
three routers were working fine before the reboot.

sh ip os int s0/0/0 | in auth|key
  Message digest authentication enabled
    Youngest key id is 2

What is the proper way to do rollover?

TIA,
Larry
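To make the behaviour discussed in this thread concrete, here is a small simulation added as an illustration; it is not code from the thread, from Cisco, or from IPExpert. It models only what the posted debug and show output suggest: a router whose neighbors are still heard with an older key sends one copy of each hello per configured key ("Send with key 1 / 2 / 3"), otherwise it sends with the youngest key only ("Send with youngest Key"); a receiver that lacks the key id named in a packet logs "No message digest key N on interface"; and a reload keeps the configured keys but loses the learned neighbor state. The digest follows the shape of RFC 2328 Appendix D (MD5 over the packet followed by the key padded with NUL to 16 octets), but the packet layout, the `Router`/`Hello` classes, the `exchange` helper and the sequence-number handling (no replay check) are simplifications assumed here, not IOS internals. `larry_scenario` replays the question above (key 2 added on R1 and R3 only, then R1 reloaded); `proper_rollover` walks the safe order: new key on the hub, then on every spoke, and only then remove the old key.

```python
import hashlib
from dataclasses import dataclass, field

KEY_LEN = 16  # OSPF MD5 keys are padded/truncated to 16 octets (RFC 2328 D.3)


def ospf_md5(key_id: int, seq: int, body: bytes, key: str) -> bytes:
    """MD5 over a toy packet (key id, sequence number, body) followed by the key
    padded with NUL to 16 bytes; same shape as RFC 2328 Appendix D, not a real
    OSPF header (assumption of this model)."""
    padded = key.encode()[:KEY_LEN].ljust(KEY_LEN, b"\x00")
    return hashlib.md5(bytes([key_id]) + seq.to_bytes(4, "big") + body + padded).digest()


@dataclass
class Hello:
    sender: str
    key_id: int
    seq: int
    body: bytes
    digest: bytes


@dataclass
class Router:
    name: str
    keys: dict                  # key id -> key string ('ip ospf message-digest-key N md5 ...')
    seq: int = 0
    neighbor_key: dict = field(default_factory=dict)  # neighbor -> key id last heard from it
    log: list = field(default_factory=list)

    def youngest(self) -> int:
        return max(self.keys)

    def old_key_users(self) -> list:
        """Neighbors still heard with a key older than the youngest one, i.e. the
        'Rollover in progress, N neighbor(s) using the old key(s)' line."""
        return sorted(n for n, k in self.neighbor_key.items() if k < self.youngest())

    def send(self, body: bytes = b"HELLO") -> list:
        """One copy per configured key while rollover is in progress, else youngest only."""
        self.seq += 1
        ids = sorted(self.keys) if self.old_key_users() else [self.youngest()]
        return [Hello(self.name, k, self.seq, body, ospf_md5(k, self.seq, body, self.keys[k]))
                for k in ids]

    def receive(self, h: Hello) -> bool:
        key = self.keys.get(h.key_id)
        if key is None:   # the message R2 logged in the thread
            self.log.append(f"{self.name}: Mismatch Authentication Key - "
                            f"No message digest key {h.key_id} on interface")
            return False
        if ospf_md5(h.key_id, h.seq, h.body, key) != h.digest:
            self.log.append(f"{self.name}: Mismatch Authentication Key - bad digest")
            return False
        self.neighbor_key[h.sender] = h.key_id
        return True

    def reload(self) -> None:
        """Reboot: configured keys survive, learned neighbor state does not."""
        self.seq, self.neighbor_key, self.log = 0, {}, []


def exchange(a: Router, b: Router) -> tuple:
    """One hello each way, a first (a freshly reloaded router speaks before it has
    heard anyone). Each side is True if it accepted at least one copy."""
    b_ok = any([b.receive(h) for h in a.send()])
    a_ok = any([a.receive(h) for h in b.send()])
    return a_ok, b_ok


def larry_scenario() -> dict:
    """Key 2 added on the hub (R1) while R2 keeps only key 1; then R1 is reloaded."""
    r1, r2 = Router("R1", {1: "cisco"}), Router("R2", {1: "cisco"})
    exchange(r1, r2)                 # adjacency on key 1
    r1.keys[2] = "cisco2"            # hub: ip ospf message-digest-key 2 md5 cisco2
    before = exchange(r1, r2)        # rollover: R2 still gets a key-1 copy
    r1.reload()
    after = exchange(r1, r2)         # first hello after reload carries key 2 only
    next_round = exchange(r1, r2)    # hub has heard R2 on key 1 again, resumes copies
    return {"before": before, "after": after, "next_round": next_round, "r2_log": list(r2.log)}


def proper_rollover() -> list:
    """Safe order: new key on hub, then on every spoke, then remove the old key.
    Returns (step label, all spokes adjacent?, hub's old-key users) per step."""
    hub = Router("R1", {1: "cisco"})
    spokes = [Router("R2", {1: "cisco"}), Router("R3", {1: "cisco"})]
    for s in spokes:
        exchange(hub, s)
    steps = []

    def step(label):
        ok = all(all(exchange(hub, s)) for s in spokes)
        steps.append((label, ok, hub.old_key_users()))

    hub.keys[2] = "cisco2"
    step("key 2 on hub only")        # spokes still adjacent via the key-1 copy
    spokes[1].keys[2] = "cisco2"
    step("key 2 on hub and R3")      # R2 is the one neighbor using the old key
    spokes[0].keys[2] = "cisco2"
    step("key 2 everywhere")         # no old-key users: rollover complete
    del hub.keys[1]
    step("key 1 removed from hub")   # safe only at this point
    return steps


if __name__ == "__main__":
    print(larry_scenario())
    for s in proper_rollover():
        print(s)
```

In the model, the reloaded hub's first hello goes out with the youngest key alone and R2 rejects it exactly as in the posted debug; the adjacency recovers once the hub hears R2 on key 1 again and resumes sending a copy per key. The `proper_rollover` walk shows what `show ip ospf interface` is telling you: as long as any neighbor appears under "using the old key(s)", the old key is still load-bearing and must not be removed.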



This archive was generated by hypermail 2.1.4 : Thu Jun 01 2006 - 06:33:22 ART