[j-nsp] ISIS Authentication Problems

John Neiberger jneiberger at gmail.com
Wed Mar 7 22:22:48 EST 2012


I think some mixture of those commands would have helped, but I think
I also just spotted the real culprit. The CRS that is working has the
following configured:

lsp-password hmac-md5 encrypted ##encrypted stuff##

So, on the CRS I was working on, I need to enable md5 on LSPs. I had
no idea it was done separately.

Regards,
John

On Wed, Mar 7, 2012 at 8:03 PM, Aaron Dewell <aaron.dewell at gmail.com> wrote:
>
> Have you tried knobs such as:
>
> loose-authentication-check
> level X no-csnp-authentication
> level X no-psnp-authentication
>
> The second two sound like what you might be looking for.  I have no CRS thus no further ideas...
>
> Aaron
>
> On Mar 7, 2012, at 7:53 PM, John Neiberger wrote:
>> I'm pretty new to Juniper and I'm trying to troubleshoot a pretty
>> weird problem between an MX960 running 9.6R4.4 and a CRS-8 running XR
>> 4.0.4. It's a very straightforward ISIS configuration for IPv6. We
>> have MD5 authentication configured on both sides. The adjacency comes
>> up, but the Juniper doesn't learn any routes from the CRS and the logs
>> complain about packets unexpectedly having a message digest. I'm not
>> sure why they'd be unexpected.
>>
>> The CRS is learning routes from the MX960, but it's critical that the
>> reverse happen, as well. I just checked the logs and now I'm seeing
>> messages about LSPs being ignored because they're missing
>> authentication. I have a suspicion about what is happening, but I'm
>> not sure. I think the CRS is only authenticating the hello packets but
>> is not authenticating the LSPs, whereas the MX960 is expecting
>> everything to have md5 headers.
>>
>> I'm not even sure that it's possible to configure IOS XR to only add
>> md5 to the hellos but not the LSPs. This is really just a guess based
>> on what I'm seeing. To enable md5 authentication in IOS XR, you add
>> "hello-password hmac-md5 encrypted ##hashed text##" on the neighbor.
>> That seems like it might actually be specific to the hellos and not
>> necessarily the LSPs.
>>
>> On the MX960, we have an authentication-key and authentication-type
>> md5 configured. On a different router in our network, I see that
>> someone has configured a different MX960 the same way, but they also
>> added a hello-authentication-key and hello-authentication-type md5 to
>> a specific neighbor.
>>
>> This is all a little confusing because in that latter case I
>> mentioned, the mix of routers is the same and the configuration
>> between the two is the same as what I have, but the software is a
>> little different. I'm wondering if I'm running into a bug or at least
>> some quirky behavior. My MX960 is setting up the adjacency but
>> dropping the other LSPs, but the other MX960 is not even though
>> they're both connected to CRS.
>>
>> Have any of you had any weird authentication issues like this?
>
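
The mismatch discussed in this thread (hellos carrying an HMAC-MD5 digest while LSPs carry none), shown as an added example that is not part of the original messages. It walks the TLVs of an IS-IS PDU, looks for the RFC 5304 Authentication TLV (type 10, authentication type 54) and verifies the digest. The sample PDUs, the key and all function names are constructed for illustration, and header bytes after the 8-byte common header are zero-filled.

```python
import hashlib
import hmac

AUTH_TLV, HMAC_MD5 = 10, 54   # RFC 5304: Authentication TLV 10, auth type 54
PDU_KIND = {15: "hello", 16: "hello", 17: "hello", 18: "lsp", 20: "lsp",
            24: "csnp", 25: "csnp", 26: "psnp", 27: "psnp"}

def find_auth(pdu):
    """Return the offset of the 16-byte HMAC-MD5 digest in TLV 10, or None."""
    pos = pdu[1]                       # length indicator = size of fixed header
    while pos + 2 <= len(pdu):
        tlv_type, tlv_len = pdu[pos], pdu[pos + 1]
        if pos + 2 + tlv_len > len(pdu):
            break                      # truncated TLV: stop walking
        if tlv_type == AUTH_TLV and tlv_len == 17 and pdu[pos + 2] == HMAC_MD5:
            return pos + 3
        pos += 2 + tlv_len
    return None

def digest(pdu, key, off):
    """HMAC-MD5 over the PDU with the digest field zeroed (RFC 5304)."""
    buf = bytearray(pdu)
    buf[off:off + 16] = bytes(16)
    if PDU_KIND.get(pdu[4] & 0x1F) == "lsp":
        buf[10:12] = buf[24:26] = b"\x00\x00"   # remaining lifetime, checksum
    return hmac.new(key, bytes(buf), hashlib.md5).digest()

def check(pdu, key):
    """Classify one PDU the way a receiver that requires HMAC-MD5 would."""
    kind = PDU_KIND.get(pdu[4] & 0x1F, "unknown")
    off = find_auth(pdu)
    if off is None:
        return kind, "missing-authentication"
    good = hmac.compare_digest(bytes(pdu[off:off + 16]), digest(pdu, key, off))
    return kind, "ok" if good else "bad-digest"

def build(pdu_type, hdr_len, key=None):   # constructed sample PDU, not a capture
    pdu = bytearray([0x83, hdr_len, 1, 0, pdu_type, 1, 0, 0]) + bytearray(hdr_len - 8)
    if key:
        pdu += bytes([AUTH_TLV, 17, HMAC_MD5]) + bytes(16)
    pdu += bytes([1, 4, 3, 0x49, 0x00, 0x01])   # TLV 1, area address 49.0001
    if key:
        pdu[hdr_len + 3:hdr_len + 19] = digest(pdu, key, hdr_len + 3)
    return bytes(pdu)

KEY = b"constructed-key"               # sample key, not from the thread
HELLO = build(17, 20, KEY)             # point-to-point IIH carrying TLV 10
LSP_PLAIN = build(20, 27)              # level 2 LSP sent without TLV 10
LSP_AUTH = build(20, 27, KEY)          # level 2 LSP carrying TLV 10
print(check(HELLO, KEY), check(LSP_PLAIN, KEY), check(LSP_AUTH, KEY))
```

Because the LSP digest is computed with the remaining lifetime and checksum zeroed, an LSP that has aged in transit still verifies.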


