[c-nsp] IOS-XR IS-IS authentication

Eric Van Tol eric at atlantech.net
Wed May 27 07:43:26 EDT 2020


Sorry if this is a duplicate – Outlook chose the ‘bounces’ address as the one to send to and I didn’t notice.

Hi all,
I’m testing out an NCS540 for use in our network and this is my first foray into IOS-XR. We have a mix of Juniper and Cisco IOS/IOS-XE devices that the NCS needs to interoperate with. I’m having some minor trouble with IS-IS authentication and it’s kind of driving me nuts because I can’t get IS-IS to come up when authentication is configured. I keep getting this error:

BAD P2P IIH rcvd from TenGigE0/0/0/19 SNPA 5c5e.abde.1e00: dropped because cryptographic password mismatch

Seems pretty obvious, but my keychain key password is configured and verified to match on both sides:

key chain isis-chain
key 1
  accept-lifetime 00:00:00 january 01 1993 infinite
  key-string password <password>
  send-lifetime 00:00:00 january 01 1993 infinite
  cryptographic-algorithm HMAC-MD5
!
accept-tolerance infinite

I’ve tried both MD5 and HMAC-MD5, neither works. Here is my IS-IS config on the NCS540:

router isis rtr1
set-overload-bit on-startup wait-for-bgp
is-type level-2-only
net 49.0001.1071.3820.2192.00
log adjacency changes
lsp-mtu 1497
lsp-password keychain isis-chain
address-family ipv4 unicast
  metric-style wide level 2
!
address-family ipv6 unicast
  metric-style wide level 2
  single-topology
!
interface Loopback1
  passive
  address-family ipv4 unicast
  !
  address-family ipv6 unicast
  !
!
interface TenGigE0/0/0/19
  circuit-type level-2-only
  point-to-point
  hello-password keychain isis-chain
  address-family ipv4 unicast
   metric 3500
  !
  address-family ipv6 unicast
   metric 3500
  !
!

traceoptions on the Juniper shows something similar:

ERROR: IIH from 1071.3820.2192 on xe-0/0/0.0 failed authentication

Here’s the Juniper key config and isis stanza:

authentication-key-chains {
    key-chain isis-chain {
        key 1 {
            secret "<password>"; ## SECRET-DATA
            start-time "1993-1-1.00:00:00 +0000";
            algorithm md5;
        }
    }
}
protocols {
    isis {
        level 1 disable;
        level 2 {
            authentication-key-chain isis-chain;
            wide-metrics-only;
        }
        interface xe-0/0/0.0 {
            point-to-point;
            level 2 {
                metric 3500;
                hello-authentication-key-chain isis-chain;
            }
            level 1 disable;
        }
}

I know it’s got to be something simple, but it’s not clicking for me today. It seems like any step forward I take with IOS-XR, I end up taking two steps back on the next thing that ‘just works’ everywhere else.

-evt
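
What a receiver checks before it drops an IIH with "cryptographic password mismatch", shown as an added example that is not part of the original post: under RFC 5304 the hello carries authentication TLV 10 with authentication type 54, and its 16-byte value is HMAC-MD5 over the whole PDU with that value zeroed. The helper names, the key and the sample PDU are constructed for illustration.

```python
import hashlib
import hmac
import struct

AUTH_TLV, HMAC_MD5 = 10, 54  # RFC 5304: TLV type 10, authentication type 54

def _find_digest(pdu):
    """Return the offset of the 16-byte HMAC-MD5 value, or None if absent."""
    if len(pdu) < 8:
        return None
    pos = pdu[1]  # byte 1 of the common header is the fixed header length
    while pos + 3 <= len(pdu):
        tlv_type, tlv_len = pdu[pos], pdu[pos + 1]
        if tlv_type == AUTH_TLV and tlv_len == 17 and pdu[pos + 2] == HMAC_MD5:
            return pos + 3
        pos += 2 + tlv_len
    return None

def sign_iih(pdu, key):
    """Sender side: HMAC-MD5 over the whole PDU with the value field zeroed."""
    off = _find_digest(pdu)
    if off is None:
        raise ValueError("PDU has no HMAC-MD5 authentication TLV")
    buf = bytearray(pdu)
    buf[off:off + 16] = bytes(16)
    buf[off:off + 16] = hmac.new(key, bytes(buf), hashlib.md5).digest()
    return bytes(buf)

def verify_iih(pdu, key):
    """Receiver side: recompute the digest and compare in constant time."""
    off = _find_digest(pdu)
    if off is None or off + 16 > len(pdu):
        return False  # no usable HMAC-MD5 TLV counts as failed authentication
    buf = bytearray(pdu)
    received = bytes(buf[off:off + 16])
    buf[off:off + 16] = bytes(16)
    expected = hmac.new(key, bytes(buf), hashlib.md5).digest()
    return hmac.compare_digest(received, expected)

def build_p2p_iih(source_id, hold_time=30, with_auth=True):
    """Constructed sample: 20-byte P2P IIH header plus an empty auth TLV."""
    tlv = bytes([AUTH_TLV, 17, HMAC_MD5]) + bytes(16) if with_auth else b""
    common = bytes([0x83, 20, 1, 0, 0x11, 1, 0, 0])  # PDU type 0x11 = P2P IIH
    lengths = struct.pack("!HH", hold_time, 20 + len(tlv))
    return common + bytes([2]) + source_id + lengths + bytes([0]) + tlv

# Constructed hello from system ID 1071.3820.2192, signed with a made-up key.
SAMPLE = sign_iih(build_p2p_iih(bytes.fromhex("107138202192")), b"example-key")
```

The digest only verifies when both routers feed byte-identical key material into the HMAC, so a key string that one side stores or interprets differently fails in the same way as a wrong password.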

