[j-nsp] ISIS Authentication Problems

John Neiberger jneiberger at gmail.com
Wed Mar 7 21:53:37 EST 2012


I'm pretty new to Juniper and I'm trying to troubleshoot a pretty
weird problem between an MX960 running 9.6R4.4 and a CRS-8 running XR
4.0.4. It's a very straightforward ISIS configuration for IPv6. We
have MD5 authentication configured on both sides. The adjacency comes
up, but the Juniper doesn't learn any routes from the CRS and the logs
complain about packets unexpectedly having a message digest. I'm not
sure why they'd be unexpected.

The CRS is learning routes from the MX960, but it's critical that the
reverse happen, as well. I just checked the logs and now I'm seeing
messages about LSPs being ignored because they're missing
authentication. I have a suspicion about what is happening, but I'm
not sure. I think the CRS is only authenticating the hello packets but
is not authenticating the LSPs, whereas the MX960 is expecting
everything to have md5 headers.

I'm not even sure that it's possible to configure IOS XR to only add
md5 to the hellos but not the LSPs. This is really just a guess based
on what I'm seeing. To enable md5 authentication in IOS XR, you add
"hello-password hmac-md5 encrypted ##hashed text##" on the neighbor.
That seems like it might actually be specific to the hellos and not
necessarily the LSPs.

On the MX960, we have an authentication-key and authentication-type
md5 configured. On a different router in our network, I see that
someone has configured a different MX960 the same way, but they also
added a hello-authentication-key and hello-authentication-type md5 to
a specific neighbor.

This is all a little confusing because in that latter case I
mentioned, the mix of routers is the same and the configuration
between the two is the same as what I have, but the software is a
little different. I'm wondering if I'm running into a bug or at least
some quirky behavior. My MX960 is setting up the adjacency but
dropping the other LSPs, but the other MX960 is not even though
they're both connected to CRS.

Have any of you had any weird authentication issues like this?
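
Added example, not part of the original post: one way to check in a packet capture whether hellos and LSPs both carry the IS-IS authentication TLV (type 10, with HMAC-MD5 as authentication type 54 per RFC 5304). The PDUs below are constructed samples with zeroed digests, all function names are hypothetical, and the code only reports presence of the TLV; it does not verify the digest.

```python
# IS-IS PDU type codes (ISO 10589); the auth TLV is type 10 (RFC 5304).
PDU_NAMES = {15: "L1 LAN IIH", 16: "L2 LAN IIH", 17: "P2P IIH",
             18: "L1 LSP", 20: "L2 LSP"}
AUTH_TLV = 10
AUTH_TYPES = {1: "cleartext", 54: "hmac-md5"}


def auth_of(pdu: bytes):
    """Return (pdu_name, auth_kind); auth_kind is None when TLV 10 is absent."""
    if len(pdu) < 8 or pdu[0] != 0x83:
        raise ValueError("not an IS-IS PDU")
    hdr_len, pdu_type = pdu[1], pdu[4] & 0x1F  # byte 1 = fixed header length
    name = PDU_NAMES.get(pdu_type, f"type {pdu_type}")
    off = hdr_len  # TLVs start right after the fixed header
    while off + 2 <= len(pdu):
        tlv_type, tlv_len = pdu[off], pdu[off + 1]
        value = pdu[off + 2: off + 2 + tlv_len]
        if len(value) < tlv_len:
            raise ValueError("truncated TLV")
        if tlv_type == AUTH_TLV and tlv_len >= 1:
            return name, AUTH_TYPES.get(value[0], f"type {value[0]}")
        off += 2 + tlv_len
    return name, None


def hello_only_auth(pdus):
    """True when every hello carries TLV 10 but at least one LSP does not."""
    results = [auth_of(p) for p in pdus]
    hellos = [a for n, a in results if n.endswith("IIH")]
    lsps = [a for n, a in results if n.endswith("LSP")]
    return bool(hellos) and all(hellos) and any(a is None for a in lsps)


def build(pdu_type, hdr_len, tlvs):
    """Constructed sample PDU: common header, zeroed fixed fields, then TLVs."""
    return bytes([0x83, hdr_len, 1, 0, pdu_type, 1, 0, 0]) + bytes(hdr_len - 8) + tlvs


AREA = bytes([1, 4, 3, 0x49, 0x00, 0x01])          # area addresses TLV
MD5 = bytes([10, 17, 54]) + bytes(16)              # TLV 10, zeroed digest
HELLO = build(17, 20, AREA + MD5)                  # P2P IIH with auth
LSP_PLAIN = build(20, 27, AREA)                    # L2 LSP without auth
LSP_AUTH = build(20, 27, MD5 + AREA)               # L2 LSP with auth

if __name__ == "__main__":
    for p in (HELLO, LSP_PLAIN, LSP_AUTH):
        print(auth_of(p))
    print("hello-only auth:", hello_only_auth([HELLO, LSP_PLAIN]))
```

To use it on real traffic, feed `auth_of` the IS-IS payload of each captured frame (the bytes starting at the 0x83 protocol discriminator).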

