[c-nsp] Finding source of ISIS authentication failure

John Neiberger jneiberger at gmail.com
Mon Jul 1 17:27:38 EDT 2013


Thanks!

On a related note, I'm stumped by the bewildering array of authentication
options and commands in 12.2. We know that some authentication problem
exists between this 7600 and another device but I don't know exactly what
it is.

We have the following on our interfaces:

isis authentication mode md5
isis authentication key-chain OurChain

It is my understanding that in IOS, this enables hello authentication only.
Not sure if that is even remotely correct.

We have the same thing under router isis:

router isis
 authentication mode md5
 authentication key-chain OurChain

I thought that this enabled area authentication in IOS, but I'm reading a
12.2 ISIS configuration guide that seems to indicate otherwise. So, I'm
confused. What exactly are we authenticating as currently configured? We do
not have an explicit area password or domain password set. It was my
assumption that the current config was doing hello and area authentication,
but the more I read, the more I realize that I don't know what IOS is doing
here.

Thanks!
John



On Mon, Jul 1, 2013 at 12:07 PM, <daniel.dib at reaper.nu> wrote:

> As pointed out to me by Ytti I was doing interface authentication
> and you are doing LSP authentication. I changed my lab and got the
> following debug from debug isis update-packets:
>
> ISIS-Upd: Rec L1 LSP 0000.0000.0002.00-00, seq 4, ht 1199,
> ISIS-Upd: from SNPA c201.22dc.0000 (FastEthernet0/0)
> %CLNS-4-AUTH_FAIL: ISIS: LSP authentication failed
>
> So there you have the system ID which was 000.0000.0002 for my NET
> which was 49.0001.0000.0000.0002
>
> This URL seems to explain it pretty well:
>
> http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a0080093f36.shtml#tshoot [3]
>
> Best regards,
>
> Daniel Dib
>
> CCIE #37149
>
> 2013-07-01 19:33, daniel.dib at reaper.nu wrote:
>
> > When testing on 12.4 code I get the following from debug isis
> > adj-packets and debug isis authentication information:
> >
> > ISIS-Adj: Rec L2 IIH from c201.0d84.0000 (FastEthernet0/0), cir type L1L2, cir id 0000.0000.0002.01, length 1497
> > ISIS-AuthInfo: Packet failed the md5 check, 1497 bytes, type 16
> > ISIS-Adj: Authentication failed
> >
> > So the MAC address and interface are recorded. Don't you have these
> > debugs or do your debugs not show this information?
> >
> > Best regards,
> >
> > Daniel Dib
> >
> > CCIE #37149
> >
> > 2013-07-01 18:31, John Neiberger wrote:
> >
> >> This box is running 12.2(33)SRC code. The TAC engineer and I haven't
> >> really found a good way to find what we're looking for. I have found
> >> some debugs that confirm that we're having an authentication problem
> >> but they also don't show the source of the problem. Not even an
> >> interface.
>
>
> Links:
> ------
> [1] http://puck.nether.net/pipermail/cisco-nsp/
> [2] https://puck.nether.net/mailman/listinfo/cisco-nsp
> [3] http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a0080093f36.shtml#tshoot
>
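
Added example, not part of the original thread: a small Python parser that pairs each IS-IS authentication failure in captured debug output with the PDU context logged just before it, so the sending system ID, SNPA and interface can be read off. The line formats are assumed to match the debugs quoted above (other IOS releases may log differently), and the function and variable names are hypothetical.

```python
import re

# Debug lines as quoted in the thread above, with wrapped lines rejoined.
SAMPLE = """\
ISIS-Upd: Rec L1 LSP 0000.0000.0002.00-00, seq 4, ht 1199,
ISIS-Upd: from SNPA c201.22dc.0000 (FastEthernet0/0)
%CLNS-4-AUTH_FAIL: ISIS: LSP authentication failed
ISIS-Adj: Rec L2 IIH from c201.0d84.0000 (FastEthernet0/0), cir type L1L2, cir id 0000.0000.0002.01, length 1497
ISIS-AuthInfo: Packet failed the md5 check, 1497 bytes, type 16
ISIS-Adj: Authentication failed
"""

HEX = r"[0-9A-Fa-f]"
# LSP ID = <system ID>.<pseudonode>-<fragment>; capture only the system ID.
LSP_RE = re.compile(rf"ISIS-Upd: Rec (L[12]) LSP ((?:{HEX}{{4}}\.){{2}}{HEX}{{4}})\.{HEX}{{2}}-{HEX}{{2}}")
SNPA_RE = re.compile(r"ISIS-Upd: from SNPA (\S+) \(([^)]+)\)")
IIH_RE = re.compile(r"ISIS-Adj: Rec (L[12]) IIH from (\S+) \(([^)]+)\)")


def _record(pdu, system_id=None, snpa=None, interface=None):
    return {"pdu": pdu, "system_id": system_id, "snpa": snpa, "interface": interface}


def find_auth_failures(text):
    """Return one record per authentication failure, with any preceding context."""
    failures, lsp, iih = [], None, None
    for line in text.splitlines():
        if m := LSP_RE.search(line):
            lsp = _record(m[1] + " LSP", system_id=m[2])
        elif (m := SNPA_RE.search(line)) and lsp:
            lsp["snpa"], lsp["interface"] = m[1], m[2]
        elif m := IIH_RE.search(line):
            iih = _record(m[1] + " IIH", snpa=m[2], interface=m[3])
        elif "LSP authentication failed" in line:
            # No context means the debug did not log the source (the 12.2 case).
            failures.append(lsp or _record("LSP"))
            lsp = None
        elif "ISIS-Adj: Authentication failed" in line:
            failures.append(iih or _record("IIH"))
            iih = None
    return failures


if __name__ == "__main__":
    for failure in find_auth_failures(SAMPLE):
        print(failure)
```

A record whose fields are all None means the failure was logged without the preceding receive line, which is the situation described for the 12.2(33)SRC box.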

