[c-nsp] IOS-XR IS-IS authentication

Eric Van Tol eric at atlantech.net
Wed May 27 09:21:15 EDT 2020


On Wed, 27 May 2020 at 12:58, Dave Bell <dave at geordish.org> wrote:
>We've just turned up something similar. The difference is we are not using a keychain for the P2P password.

I changed the interface-level hello-password to just use the password only (no key chain) and while the adjacency comes up, I kept getting this in the logs:

%ROUTING-ISIS-5-AUTH_FAILURE_DROP : Dropped L2 LSP from 1071.3820.2072.00 due to cryptographic password mismatch

Using plain ‘MD5’ authentication on the key chain causes the adjacency to drop entirely, so I returned it to HMAC-MD5.  Thinking maybe there’s a character in my password that is messing things up (for some reason), I changed it to just ‘password’ and it was still bitching about a ‘cryptographic password mismatch’.

If I remove the key chain entirely and just use a single ‘lsp-password’ with hmac-md5, everything appears to come up and no complaints from the NCS about password mismatches. LSPs are installed, along with routes. I cannot imagine that key chains simply do not work. Juniper states that the encryption algorithm is HMAC-MD5 (https://www.juniper.net/documentation/en_US/junos/topics/usage-guidelines/routing-configuring-is-is-authentication.html), which makes sense since changing to just ‘MD5’ on the Cisco breaks the adjacency completely, so I don’t think it’s an issue with the algorithm.

-evt
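
Added example, not part of the original post and not vendor code: the HMAC-MD5 check that RFC 5304 defines for an IS-IS LSP, run over a constructed L2 LSP, which is the comparison a receiver fails when it logs a cryptographic password mismatch. The function names, the sample LSP and the key are assumptions made for the illustration.

```python
import hashlib, hmac, struct

AUTH_TLV, AUTH_HMAC_MD5 = 10, 54   # TLV 10, authentication type 54 (RFC 5304)
LSP_HDR_LEN = 27                   # 8-byte common header + 19-byte LSP header
LIFETIME_OFF, CHECKSUM_OFF = 10, 24

def find_auth_value(pdu):
    """Return the offset of the 16-byte digest inside TLV 10, or None."""
    i = LSP_HDR_LEN
    while i + 2 <= len(pdu):
        tlv_type, tlv_len = pdu[i], pdu[i + 1]
        if i + 2 + tlv_len > len(pdu):
            return None            # truncated TLV: treat as unauthenticated
        if tlv_type == AUTH_TLV and tlv_len == 17 and pdu[i + 2] == AUTH_HMAC_MD5:
            return i + 3
        i += 2 + tlv_len
    return None

def lsp_digest(pdu, key):
    """HMAC-MD5 over the LSP with lifetime, checksum and digest zeroed."""
    off = find_auth_value(pdu)
    if off is None:
        raise ValueError("no HMAC-MD5 authentication TLV")
    buf = bytearray(pdu)
    for start, size in ((LIFETIME_OFF, 2), (CHECKSUM_OFF, 2), (off, 16)):
        buf[start:start + size] = bytes(size)
    return hmac.new(key, bytes(buf), hashlib.md5).digest()

def verify_lsp(pdu, key):
    """True when the digest carried in the LSP matches the locally configured key."""
    off = find_auth_value(pdu)
    return off is not None and hmac.compare_digest(
        bytes(pdu[off:off + 16]), lsp_digest(pdu, key))

def build_sample_lsp(key):
    """Constructed L2 LSP (system ID 0000.0000.0001) signed with `key`."""
    tlvs = bytes([AUTH_TLV, 17, AUTH_HMAC_MD5]) + bytes(16) + bytes([137, 3]) + b"ncs"
    hdr = bytes([0x83, LSP_HDR_LEN, 1, 0, 20, 1, 0, 0])
    hdr += struct.pack("!HH", LSP_HDR_LEN + len(tlvs), 1199)   # PDU length, lifetime
    hdr += bytes.fromhex("0000000000010000")                   # LSP ID (constructed)
    hdr += struct.pack("!IHB", 1, 0xBEEF, 0x03)                # seq, dummy checksum, flags
    pdu = bytearray(hdr + tlvs)
    off = find_auth_value(pdu)
    pdu[off:off + 16] = lsp_digest(bytes(pdu), key)
    return bytes(pdu)
```

Because the remaining lifetime and checksum are zeroed before hashing, an LSP that has aged in transit still verifies; only a different key or altered TLV content changes the digest.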

