[c-nsp] IOS-XR IS-IS authentication
Eric Van Tol
eric at atlantech.net
Wed May 27 15:08:31 EDT 2020
After messing a lot more with this, I decided to remove my IS-IS config completely on both routers and start over. I found that when using a key chain in IOS-XR, it seems to have trouble attaching the key to CSNP packets:
SEND L2 PSNP on TenGigabitEthernet0/0/0/19: Add of Key Chain authentication failed
While I was able to get the adjacency established and accept LSPs, their acceptance by the neighbor is failing. I couldn't find anything in my debug file on Junos to indicate there was any authentication error or any 'adding new LSP to database', but it's possible I don't have the right traceoptions flag enabled:
May 27 18:39:30.242356 Received L2 PSN, source 1071.3820.2192, interface xe-0/0/0.0
May 27 18:39:31.259319 Received L2 PSN, source 1071.3820.2192, interface xe-0/0/0.0
I'm not sure if this is due to a misconfiguration on my end (entirely possible), as I wasn't even consciously aware of separate authentication of IIH, CSNP and PSNP until I re-read Junos docs. I can't find if separate settings are even possible on IOS-XR, though I know it's available in Junos to disable one or all three.
Unless I get suggestions otherwise, I suppose I'll just not use keys, which seems prohibitive, particularly if a password needs changing at some point. The 'lsp-password' without a key chain seems to work just fine. :-/
-evt
On 5/27/20, 7:47 AM, "cisco-nsp on behalf of Eric Van Tol" <cisco-nsp-bounces at puck.nether.net on behalf of eric at atlantech.net> wrote:
Sorry if this is a duplicate – Outlook chose the ‘bounces’ address as the one to send to and I didn’t notice.
Hi all,
I’m testing out an NCS540 for use in our network and this is my first foray into IOS-XR. We have a mix of Juniper and Cisco IOS/IOS-XE devices that the NCS needs to interoperate with. I’m having some minor trouble with IS-IS authentication and it’s kind of driving me nuts because I can’t get IS-IS to come up when authentication is configured. I keep getting this error:
BAD P2P IIH rcvd from TenGigE0/0/0/19 SNPA 5c5e.abde.1e00: dropped because cryptographic password mismatch
Seems pretty obvious, but my keychain key password is configured and verified to match on both sides:
key chain isis-chain
 key 1
  accept-lifetime 00:00:00 january 01 1993 infinite
  key-string password <password>
  send-lifetime 00:00:00 january 01 1993 infinite
  cryptographic-algorithm HMAC-MD5
 !
 accept-tolerance infinite
I’ve tried both MD5 and HMAC-MD5, neither works. Here is my IS-IS config on the NCS540:
router isis rtr1
 set-overload-bit on-startup wait-for-bgp
 is-type level-2-only
 net 49.0001.1071.3820.2192.00
 log adjacency changes
 lsp-mtu 1497
 lsp-password keychain isis-chain
 address-family ipv4 unicast
  metric-style wide level 2
 !
 address-family ipv6 unicast
  metric-style wide level 2
  single-topology
 !
 interface Loopback1
  passive
  address-family ipv4 unicast
  !
  address-family ipv6 unicast
  !
 !
 interface TenGigE0/0/0/19
  circuit-type level-2-only
  point-to-point
  hello-password keychain isis-chain
  address-family ipv4 unicast
   metric 3500
  !
  address-family ipv6 unicast
   metric 3500
  !
 !
traceoptions on the Juniper show something similar:
ERROR: IIH from 1071.3820.2192 on xe-0/0/0.0 failed authentication
Here’s the Juniper key config and isis stanza:
authentication-key-chains {
    key-chain isis-chain {
        key 1 {
            secret "<password>"; ## SECRET-DATA
            start-time "1993-1-1.00:00:00 +0000";
            algorithm md5;
        }
    }
}
protocols {
    isis {
        level 1 disable;
        level 2 {
            authentication-key-chain isis-chain;
            wide-metrics-only;
        }
        interface xe-0/0/0.0 {
            point-to-point;
            level 2 {
                metric 3500;
                hello-authentication-key-chain isis-chain;
            }
            level 1 disable;
        }
    }
}
I know it’s got to be something simple, but it’s not clicking for me today. It seems like any step forward I take with IOS-XR, I end up taking two steps back on the next thing that ‘just works’ everywhere else.
-evt
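For readers following this thread who want to see what "cryptographic password mismatch" means on the wire, the following is an added example (not from the original post, nor Cisco or Juniper code) of the RFC 5304 HMAC-MD5 authentication that both key chains above configure. It builds and verifies the Authentication TLV (type 10, authentication type 54) on constructed sample PDUs: a point-to-point IIH, which the NCS540 checks against its hello-password, and an LSP, for which RFC 5304 requires the Remaining Lifetime and Checksum fields to be zeroed before the MAC is computed. The PDU byte layouts, the 1071.3820.2192 system ID reused from the thread, and the placeholder key strings are all assumptions made for the example; the key-chain lifetime and accept-tolerance logic that selects which key to use is outside its scope.

```python
import hashlib
import hmac
import struct

# Authentication TLV (type 10) and the authentication type codes it carries
AUTH_TLV_TYPE = 10
AUTH_TYPE_CLEARTEXT = 1   # ISO 10589 cleartext password
AUTH_TYPE_HMAC_MD5 = 54   # RFC 5304 HMAC-MD5

# Per PDU type (assuming the standard 6-byte system ID): offset of the PDU
# Length field, offset of the first TLV, and whether the PDU is an LSP
# (LSPs need the extra zeroing described in RFC 5304).
PDU_LAYOUT = {
    "p2p_iih": (17, 20, False),
    "csnp":    (8, 33, False),
    "psnp":    (8, 17, False),
    "lsp":     (8, 27, True),
}


def _mac_input(pdu: bytes, auth_value_off: int, is_lsp: bool) -> bytes:
    """Copy of the PDU as RFC 5304 wants it hashed: the 16-byte authentication
    value zeroed and, for LSPs, Remaining Lifetime and Checksum zeroed too."""
    buf = bytearray(pdu)
    buf[auth_value_off:auth_value_off + 16] = bytes(16)
    if is_lsp:
        buf[10:12] = bytes(2)   # Remaining Lifetime (changes while flooding)
        buf[24:26] = bytes(2)   # Checksum
    return bytes(buf)


def append_hmac_md5_auth(pdu: bytes, key: bytes, kind: str) -> bytes:
    """Append an HMAC-MD5 Authentication TLV to a PDU whose PDU Length field
    does not yet count it, fix up the length, and fill in the MAC."""
    len_off, _, is_lsp = PDU_LAYOUT[kind]
    tlv_head = bytes([AUTH_TLV_TYPE, 1 + 16, AUTH_TYPE_HMAC_MD5])
    draft = bytearray(pdu + tlv_head + bytes(16))
    struct.pack_into("!H", draft, len_off, len(draft))
    auth_value_off = len(pdu) + 3
    mac = hmac.new(key, _mac_input(bytes(draft), auth_value_off, is_lsp),
                   hashlib.md5).digest()
    draft[auth_value_off:auth_value_off + 16] = mac
    return bytes(draft)


def verify_hmac_md5_auth(pdu: bytes, key: bytes, kind: str) -> bool:
    """Walk the TLVs, find the Authentication TLV and check its HMAC-MD5.
    This is the receiver-side check whose failure the routers log."""
    _, off, is_lsp = PDU_LAYOUT[kind]
    while off + 2 <= len(pdu):
        tlv_type, tlv_len = pdu[off], pdu[off + 1]
        value = pdu[off + 2:off + 2 + tlv_len]
        if tlv_type == AUTH_TLV_TYPE:
            # A cleartext (type 1) or malformed TLV never matches an HMAC-MD5 key
            if tlv_len != 17 or value[0] != AUTH_TYPE_HMAC_MD5:
                return False
            expected = hmac.new(key, _mac_input(pdu, off + 3, is_lsp),
                                hashlib.md5).digest()
            return hmac.compare_digest(expected, value[1:])
        off += 2 + tlv_len
    return False   # unauthenticated PDU on an authenticated circuit: reject


def constructed_p2p_iih() -> bytes:
    """Constructed sample L2 point-to-point IIH (no TLVs, PDU Length unset)."""
    common = bytes([0x83, 20, 1, 0, 0x11, 1, 0, 0])   # PDU type 17 = P2P IIH
    return (common + bytes([2]) + bytes.fromhex("107138202192")
            + struct.pack("!H", 30) + bytes(2) + bytes([1]))


def constructed_lsp(remaining_lifetime: int) -> bytes:
    """Constructed sample L2 LSP header with a nonzero lifetime and checksum,
    so that the RFC 5304 zeroing rule actually matters."""
    common = bytes([0x83, 27, 1, 0, 0x14, 1, 0, 0])   # PDU type 20 = L2 LSP
    lsp_id = bytes.fromhex("107138202192") + bytes([0, 0])
    return (common + bytes(2) + struct.pack("!H", remaining_lifetime) + lsp_id
            + struct.pack("!I", 7) + struct.pack("!H", 0xBEEF) + bytes([0x03]))


if __name__ == "__main__":
    key, other = b"<password>", b"<other-password>"   # placeholder secrets
    iih = append_hmac_md5_auth(constructed_p2p_iih(), key, "p2p_iih")
    print("IIH, same key on both sides:", verify_hmac_md5_auth(iih, key, "p2p_iih"))
    print("IIH, key mismatch:", verify_hmac_md5_auth(iih, other, "p2p_iih"))
    lsp = append_hmac_md5_auth(constructed_lsp(1199), key, "lsp")
    aged = bytearray(lsp)
    struct.pack_into("!H", aged, 10, 1180)   # lifetime counted down in transit
    print("LSP after aging still verifies:", verify_hmac_md5_auth(bytes(aged), key, "lsp"))
```

Two things the example makes concrete: an LSP whose Remaining Lifetime has ticked down still verifies only because both ends zero that field before hashing, and a TLV carrying the cleartext type (1) is rejected outright by a receiver expecting HMAC-MD5, so a key-string match on both sides is not enough if the algorithm differs.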
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/