EIGRP Authentication

Up to Discussions in CCNP R&S Study Group

4582 Views 19 Replies Latest reply: Apr 28, 2012 8:08 PM by Patrick

1 2 Previous Next

Currently Being Moderated

May 16, 2011 6:18 AM

Aninda

302 posts since
Jun 19, 2010

Hi guys,

Below is the lab I'm working on (from CBT Nuggets Route).

I thought I'd just try fooling around a bit, just to see what does what. Mess up things and see what happens you know.

Now from what I know, we enable authention after setting up key chains in eigrp. And since it only supports md5 and no clear text so that is the only real option we got.

I went and set up the key chains as follows:

On BB:

BB(config-keychain-key)#do sho key chain

Key-chain EIGRP_KEYS:

key 1 -- text "cisco1"

accept lifetime (00:00:00 UTC Mar 1 2002) - (infinite) [valid now]

send lifetime (00:00:00 UTC Mar 1 2002) - (infinite) [valid now]

On R2:

R2(config-keychain-key)#do sh key chain

Key-chain EIGRP_KEYS:

key 2 -- text "cisco2"

accept lifetime (00:00:00 UTC Mar 1 2002) - (infinite) [valid now]

send lifetime (00:00:00 UTC Mar 1 2002) - (infinite) [valid now]

On R3:

R3(config-keychain-key)#do sho key chain

Key-chain EIGRP_KEYS:

key 1 -- text "cisco1"

accept lifetime (00:00:00 UTC Mar 1 2002) - (infinite) [valid now]

send lifetime (00:00:00 UTC Mar 1 2002) - (infinite) [valid now]

I then enabled md5 authentication on ONLY BB Router (on s0/0):

BB(config)#int s0/0

BB(config-if)#ip authentication mode eigrp 35 md5

Now, I understand due to a mismatch in authentication type (one side uses md5 - the other no authentication enabled at all), the neighbor relationship would go down.

But for some reason, it keeps bouncing between neighbor up and down. I don't get it.

R2(config)#

*Mar 1 00:38:24.687: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Ser ial0/0) is down: retry limit exceeded

R2(config)#

*Mar 1 00:38:29.095: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Ser ial0/0) is up: new adjacency

R2(config)#

*Mar 1 00:39:48.619: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Ser ial0/0) is down: retry limit exceeded

R2(config)#

*Mar 1 00:39:52.283: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Ser ial0/0) is up: new adjacency

R2(config)#

*Mar 1 00:41:11.799: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Ser ial0/0) is down: retry limit exceeded

R2(config)#

*Mar 1 00:41:14.947: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Ser ial0/0) is up: new adjacency

R2(config)#

*Mar 1 00:42:34.463: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Ser ial0/0) is down: retry limit exceeded

R2(config)#

*Mar 1 00:42:37.931: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Ser ial0/0) is up: new adjacency

R2(config)#

*Mar 1 00:43:57.447: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Ser ial0/0) is down: retry limit exceeded

R2(config)#

*Mar 1 00:43:59.659: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Ser ial0/0) is up: new adjacency

R2(config)#

*Mar 1 00:45:19.179: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Ser ial0/0) is down: retry limit exceeded

R2(config)#

*Mar 1 00:45:22.663: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Ser ial0/0) is up: new adjacency

R2(config)#

*Mar 1 00:46:42.179: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Ser ial0/0) is down: retry limit exceeded

R2(config)#

*Mar 1 00:46:46.575: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Ser ial0/0) is up: new adjacency

R2(config)#

*Mar 1 00:48:06.091: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Ser ial0/0) is down: retry limit exceeded

R2(config)#

*Mar 1 00:48:09.579: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Ser ial0/0) is up: new adjacency

What is happening here, can someone please explain this?

Join this discussion now: Login / Register

Aninda
302 posts since
Jun 19, 2010

Currently Being Moderated

1. May 16, 2011 6:32 AM (in response to Aninda)
Re: EIGRP Authentication

And now I have authentication enabled correctly (I assume) on BB and R3.

show clock for both says:

BB(config-if)#do sh clock
*01:01:42.659 UTC Fri Mar 1 2002

And both have key 1 and correct key string which is cisco1.

R3(config-if)#do sho key chain
Key-chain EIGRP_KEYS:
    key 1 -- text "cisco1"
        accept lifetime (00:00:00 UTC Mar 1 2002) - (infinite) [valid now]
        send lifetime (00:00:00 UTC Mar 1 2002) - (infinite) [valid now]

BB(config-if)#do sho key chain
Key-chain EIGRP_KEYS:
    key 1 -- text "cisco1"
        accept lifetime (00:00:00 UTC Mar 1 2002) - (infinite) [valid now]
        send lifetime (00:00:00 UTC Mar 1 2002) - (infinite) [valid now]

What could be wrong now?

Join this discussion now: Login / Register
Aninda
302 posts since
Jun 19, 2010

Currently Being Moderated

2. May 16, 2011 6:34 AM (in response to Aninda)
Re: EIGRP Authentication

Sorry I forgot to add that they aren't being authenticated and no neighbor relationship is being formed.

I get the following error on BB.

BB(config-if)#
*Mar 1 01:00:08.647: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.34.2 (Serial0/1) is down: Auth failure

Join this discussion now: Login / Register
Eddie
229 posts since
Feb 4, 2011

Currently Being Moderated

3. May 16, 2011 6:52 AM (in response to Aninda)
Re: EIGRP Authentication

Hello Aninda,
i have this is bug too!
after i am add key 2 and all was good))
key chain must match on both routers!!!
R3#sh key chain
Key-chain cisco:
    key 1 -- text "www"
        accept lifetime (06:00:00 UTC May 1 2011) - (06:00:00 UTC Jun 1 2011) [valid now]
        send lifetime (06:00:00 UTC May 1 2011) - (06:00:00 UTC Jun 1 2011) [valid now]
    key 2 -- text "test"
        accept lifetime (06:00:00 UTC Jun 1 2011) - (06:00:00 UTC Jul 1 2011)
        send lifetime (06:00:00 UTC Jun 1 2011) - (06:00:00 UTC Jul 1 2011)
    key 3 -- text "infiniti_key"
        accept lifetime (06:00:00 UTC Jul 1 2011) - (infinite)
        send lifetime (06:00:00 UTC Jul 1 2011) - (infinite)
R3#sh run int f0/0
Building configuration...
Current configuration : 263 bytes
!
interface FastEthernet0/0
ip address 172.16.2.2 255.255.255.0
ip bandwidth-percent eigrp 1 999999
ip hello-interval eigrp 1 2
ip hold-time eigrp 1 6
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 cisco
duplex auto
speed auto
end
R3#

R3#debug eigrp packets
EIGRP Packets debugging is on
    (UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
R3#
May 16 17:51:05.688: EIGRP: received packet with MD5 authentication, key id = 1
May 16 17:51:05.696: EIGRP: Received HELLO on FastEthernet0/0 nbr 172.16.2.1
May 16 17:51:05.700:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
May 16 17:51:05.796: EIGRP: Sending HELLO on FastEthernet0/0
May 16 17:51:05.800:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
May 16 17:51:05.816: EIGRP: received packet with MD5 authentication, key id = 1
May 16 17:51:05.816: EIGRP: Received HELLO on FastEthernet0/1 nbr 172.16.1.1
May 16 17:51:05.820:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
R3#
May 16 17:51:06.008: EIGRP: Sending HELLO on FastEthernet0/1
May 16 17:51:06.012:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
R3#
May 16 17:51:07.512: EIGRP: received packet with MD5 authentication, key id = 1
May 16 17:51:07.516: EIGRP: Received HELLO on FastEthernet0/0 nbr 172.16.2.1
May 16 17:51:07.520:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
May 16 17:51:07.572: EIGRP: received packet with MD5 authentication, key id = 1
May 16 17:51:07.572: EIGRP: Received HELLO on FastEthernet0/1 nbr 172.16.1.1
May 16 17:51:07.576:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
May 16 17:51:07.720: EIGRP: Sending HELLO on FastEthernet0/0
May 16 17:51:07.720:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
R3#
May 16 17:51:08.004: EIGRP: Sending HELLO on FastEthernet0/1
May 16 17:51:08.004:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
R3#
May 16 17:51:09.372: EIGRP: received packet with MD5 authentication, key id = 1
May 16 17:51:09.372: EIGRP: Received HELLO on FastEthernet0/0 nbr 172.16.2.1
May 16 17:51:09.376:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
May 16 17:51:09.460: EIGRP: received packet with MD5 authentication, key id = 1
May 16 17:51:09.460: EIGRP: Received HELLO on FastEthernet0/1 nbr 172.16.1.1
May 16 17:51:09.464:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
May 16 17:51:09.476: EIGRP: Sending HELLO on FastEthernet0/0
May 16 17:51:09.476:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
R3#un
May 16 17:51:09.944: EIGRP: Sending HELLO on FastEthernet0/1
May 16 17:51:09.944:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
R3#un all
All possible debugging has been turned off
R3#
May 16 17:51:11.216: EIGRP: received packet with MD5 authentication, key id = 1
May 16 17:51:11.220: EIGRP: Received HELLO on FastEthernet0/0 nbr 172.16.2.1
May 16 17:51:11.220:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
May 16 17:51:11.304: EIGRP: Sending HELLO on FastEthernet0/0
May 16 17:51:11.308:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
May 16 17:51:11.380: EIGRP: received packet with MD5 authentication, key id = 1
May 16 17:51:11.380: EIGRP: Received HELLO on FastEthernet0/1 nbr 172.16.1.1
May 16 17:51:11.380:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
R3#
May 16 17:51:11.768: EIGRP: Sending HELLO on FastEthernet0/1
May 16 17:51:11.772:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
R3#

Join this discussion now: Login / Register
Ahmed
114 posts since
Nov 14, 2010

Currently Being Moderated

4. May 16, 2011 7:02 AM (in response to Eddie)
Re: EIGRP Authentication

In order to run authentication between the router, clock on all routers must be synchronised,
Try setting one of the route as NTP Master and the others NTP Client.

Join this discussion now: Login / Register
Ahmed
114 posts since
Nov 14, 2010

Currently Being Moderated

5. May 16, 2011 7:06 AM (in response to Eddie)
Re: EIGRP Authentication

if you remember from the same video jermy speak about the NTP while doing the authentication, but NTP Configuration is not shown. Go to Routergods.com for the ntp video and is three command setup. you can do it easily.

Join this discussion now: Login / Register
Eddie
229 posts since
Feb 4, 2011

Currently Being Moderated

6. May 16, 2011 7:16 AM (in response to Ahmed)
Re: EIGRP Authentication

Ahmed, you are right!!!
R3 is client
R3#sh run | inc
R3#sh run | include ntp
ntp clock-period 17179688
ntp server 172.16.1.1
R3#sh ntp associations
      address         ref clock     st when poll reach delay offset    disp
*~172.16.1.1       127.127.7.1       3   135   512 377     8.0   36.67    11.4
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
R3#sh clock
18:13:11.169 UTC Mon May 16 2011
R3#

R1 is master
R1#sh run | inc ntp
ntp master 3
R1#sh ntp ***
R1#sh ntp associations
      address         ref clock     st when poll reach delay offset    disp
*~127.127.7.1      127.127.7.1       2    16    64 377     0.0    0.00     0.0
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
R1#sh clo
R1#sh clock
18:15:01.986 UTC Mon May 16 2011
R1#

Join this discussion now: Login / Register
Ahmed
114 posts since
Nov 14, 2010

Currently Being Moderated

7. May 16, 2011 7:19 AM (in response to Eddie)
Re: EIGRP Authentication

does it solve your problem

Join this discussion now: Login / Register
Daz_UK
138 posts since
Sep 4, 2009

Currently Being Moderated

8. May 16, 2011 10:13 AM (in response to Aninda)
Re: EIGRP Authentication

Aninda
Have you added the IP AUTHENTICATION KEY-CHAIN EIGRP 1 EIGRP-KEY under the s 0/0 interface ?

Join this discussion now: Login / Register
Adam - CCNP
47 posts since
Dec 23, 2010

Currently Being Moderated

9. May 16, 2011 2:54 PM (in response to Aninda)
Re: EIGRP Authentication

Hi,

You need to configure the key chains on each router, and then tell the interface to use MD5 authentication but then you need to tell the interface what key chain to use.

So e.g.

BB(config)#int s0/0
BB(config-if)#ip authentication mode eigrp 35 md5
BB(config-if)#ip authentication key-chain eigrp 35 EIGRP_KEY

Remember that as well as the key-strings, the key numbers also have to match. You can call the key chains whatever you want.

Cheers

Join this discussion now: Login / Register
Aninda
302 posts since
Jun 19, 2010

Currently Being Moderated

10. May 16, 2011 6:17 PM (in response to Adam - CCNP)
Re: EIGRP Authentication

Ahmed, Eduard. I agree, NTP is a good thing. But it cannot be causing this issue. The clock times are same on both the routers (I pasted the sh clock earlier) and both the keys are valid so a clocking mismatch cannot be the prob. I suppose NTP is useful as we wouldn't have to set the clock manually on all routers one by one, they would get synchronized on their own. But in this case, having set the clock manually should not be an issue.

Babasdad, you got it spot on. I saw your post, and I know I'm prone to very stupid mistakes. Went back and checked if authentication is enabled on correct interfaces. It wasn't. Enable it on s0/0, authentication pass, neighbors came up.

But I still don't get why that flapping was happening when I only put in the ip authenticaiton mode eigrp md5 on BB router.

Join this discussion now: Login / Register
Ahmed
114 posts since
Nov 14, 2010

Currently Being Moderated

11. May 16, 2011 7:17 PM (in response to Aninda)
Re: EIGRP Authentication

debug eigrp packets
and paste the result

Join this discussion now: Login / Register
Ahmed
114 posts since
Nov 14, 2010

Currently Being Moderated

12. May 16, 2011 7:19 PM (in response to Aninda)
Re: EIGRP Authentication

it is very idfficult to synchronize the clock manually, for sure there will be a differance in in min. or sec,
and a differance of min. or sec makes a big differance for the security and logging.

Join this discussion now: Login / Register
Aninda
302 posts since
Jun 19, 2010

Currently Being Moderated

13. May 16, 2011 7:53 PM (in response to Ahmed)
Re: EIGRP Authentication

Yes, that is true. But here, since I'm just using two routers for the authentication, and I see their clocks seem to be fine, I guess that couldn't be the issue.

Also, I don't know how NTP really works. Never tried it out. Can you list the exact commands needed to set this up? I'll probably go back home and search for it too.

Join this discussion now: Login / Register
smsnaqvi
656 posts since
Feb 6, 2010

Currently Being Moderated

14. May 16, 2011 10:52 PM (in response to Aninda)
Re: EIGRP Authentication

Hi Aninda

On the BB router, in the global config mde type in

config # ntp server 66.27.60.10

the above ip is an ntp server

then on R2 and R3, in the global config mode, type in

ntp server 10.1.24.1 and 10.1.34.1 respectively. Your BB is the primary point of contact with the public NTP server, R2 and R3 will consider the BB router as their servers to synchronize the time. You wanna read about NTP, here you go.

http://oreilly.com/catalog/hardcisco/chapter/ch10.html

Join this discussion now: Login / Register

1 2 Previous Next

Go to original post

Actions

Register / Login to participate in the community & access resources like:
- IT Training Videos and Seminars
- Cisco Certification Study Groups
- Cisco Certification Exam Topics
Register for free now.
Learn more about The Cisco
Learning Network and our Premium Subscription options.