[j-nsp] ISIS Authentication Problems

Aaron Dewell aaron.dewell at gmail.com
Wed Mar 7 22:03:09 EST 2012 

Have you tried knobs such as:

loose-authentication-check
level X no-csnp-authentication
level X no-psnp-authentication

The second two sound like what you might be looking for.  I have no CRS thus no further ideas...

Aaron

On Mar 7, 2012, at 7:53 PM, John Neiberger wrote:
> I'm pretty new to Juniper and I'm trying to troubleshoot a pretty
> weird problem between an MX960 running 9.6R4.4 and a CRS-8 running XR
> 4.0.4. It's a very straightforward ISIS configuration for IPv6. We
> have MD5 authentication configured on both sides. The adjacency comes
> up, but the Juniper doesn't learn any routes from the CRS and the logs
> complain about packets unexpectedly having a message digest. I'm not
> sure why they'd be unexpected.
> 
> The CRS is learning routes from the MX960, but it's critical that the
> reverse happen, as well. I just checked the logs and now I'm seeing
> messages about LSPs being ignored because they're missing
> authentication. I have a suspicion about what is happening, but I'm
> not sure. I think the CRS is only authenticating the hello packets but
> is not authenticating the LSPs, whereas the MX960 is expecting
> everything to have md5 headers.
> 
> I'm not ever sure that it's possible to configure IOS XR to only add
> md5 to the hellos but not the LSPs. This is really just a guess based
> on what I'm seeing. To enable md5 authentication in IOS XR, you add
> "hello-password hmac-md5 encrypted ##hashed text##" on the neighbor.
> That seems like it might actually be specific to the hellos and not
> necessarily the LSPs.
> 
> On the MX960, we have an authentication-key and authentication-type
> md5 configured. On a different router in our network, I see that
> someone has configured a different MX960 the same way, but they also
> added a hello-authentication-key and hello-authentication-type md5 to
> a specific neighbor.
> 
> This is all a little confusing because in that latter case I
> mentioned, the mix of routers is the same and the configuration
> between the two is the same as what I have, but the software is a
> little different. I'm wondering if I'm running into a bug or at least
> some quirky behavior. My MX960 is setting up the adjacency but
> dropping the other LSPs, but the other MX960 is not even though
> they're both connected to CRS.
> 
> Have any of you had any weird authentication issues like this?
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp

More information about the juniper-nsp mailing list