19 Replies Latest reply: Apr 28, 2012 8:08 PM by Patrick

    EIGRP Authentication

    Aninda

      Hi guys,

       

      Below is the lab I'm working on (from CBT Nuggets Route).

       

      I thought I'd just try fooling around a bit, just to see what does what. Mess things up and see what happens, you know.

       

      [attached image: authentication.png]

      Now, from what I know, we enable authentication after setting up key chains in EIGRP. And since it only supports MD5 and no clear text, that is the only real option we have.

      I went and set up the key chains as follows:

       

      On BB:

       

      BB(config-keychain-key)#do sho key chain

      Key-chain EIGRP_KEYS:

          key 1 -- text "cisco1"

              accept lifetime (00:00:00 UTC Mar 1 2002) - (infinite) [valid now]

              send lifetime (00:00:00 UTC Mar 1 2002) - (infinite) [valid now]

       

      On R2:

       

      R2(config-keychain-key)#do sh key chain

      Key-chain EIGRP_KEYS:

          key 2 -- text "cisco2"

              accept lifetime (00:00:00 UTC Mar 1 2002) - (infinite) [valid now]

              send lifetime (00:00:00 UTC Mar 1 2002) - (infinite) [valid now]

       

      On R3:

       

      R3(config-keychain-key)#do sho key chain

      Key-chain EIGRP_KEYS:

          key 1 -- text "cisco1"

              accept lifetime (00:00:00 UTC Mar 1 2002) - (infinite) [valid now]

              send lifetime (00:00:00 UTC Mar 1 2002) - (infinite) [valid now]

       

       

      I then enabled md5 authentication on ONLY BB Router (on s0/0):

       

      BB(config)#int s0/0

      BB(config-if)#ip authentication mode eigrp 35 md5

       

      Now, I understand that due to a mismatch in authentication type (one side uses MD5, the other has no authentication enabled at all), the neighbor relationship would go down.

       

      But for some reason, it keeps bouncing between neighbor up and down. I don't get it.

       

      R2(config)#
      *Mar  1 00:38:24.687: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Serial0/0) is down: retry limit exceeded
      *Mar  1 00:38:29.095: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Serial0/0) is up: new adjacency
      *Mar  1 00:39:48.619: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Serial0/0) is down: retry limit exceeded
      *Mar  1 00:39:52.283: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Serial0/0) is up: new adjacency
      *Mar  1 00:41:11.799: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Serial0/0) is down: retry limit exceeded
      *Mar  1 00:41:14.947: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Serial0/0) is up: new adjacency
      *Mar  1 00:42:34.463: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Serial0/0) is down: retry limit exceeded
      *Mar  1 00:42:37.931: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Serial0/0) is up: new adjacency
      *Mar  1 00:43:57.447: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Serial0/0) is down: retry limit exceeded
      *Mar  1 00:43:59.659: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Serial0/0) is up: new adjacency
      *Mar  1 00:45:19.179: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Serial0/0) is down: retry limit exceeded
      *Mar  1 00:45:22.663: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Serial0/0) is up: new adjacency
      *Mar  1 00:46:42.179: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Serial0/0) is down: retry limit exceeded
      *Mar  1 00:46:46.575: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Serial0/0) is up: new adjacency
      *Mar  1 00:48:06.091: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Serial0/0) is down: retry limit exceeded
      *Mar  1 00:48:09.579: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Serial0/0) is up: new adjacency
      R2(config)#

       

       

      What is happening here, can someone please explain this?

        • 1. Re: EIGRP Authentication
          Aninda

          And now I have authentication enabled correctly (I assume) on BB and R3.

           

          show clock for both says:

           

          BB(config-if)#do sh clock

          *01:01:42.659 UTC Fri Mar 1 2002

           

          And both have key 1 and correct key string which is cisco1.

           

          R3(config-if)#do sho key chain

          Key-chain EIGRP_KEYS:

              key 1 -- text "cisco1"

                  accept lifetime (00:00:00 UTC Mar 1 2002) - (infinite) [valid now]

                  send lifetime (00:00:00 UTC Mar 1 2002) - (infinite) [valid now]

           

           

          BB(config-if)#do sho key chain

          Key-chain EIGRP_KEYS:

              key 1 -- text "cisco1"

                  accept lifetime (00:00:00 UTC Mar 1 2002) - (infinite) [valid now]

                  send lifetime (00:00:00 UTC Mar 1 2002) - (infinite) [valid now]

           

          What could be wrong now?

          • 2. Re: EIGRP Authentication
            Aninda

            Sorry, I forgot to add that they aren't being authenticated and no neighbor relationship is being formed.

             

            I get the following error on BB.

             

            BB(config-if)#

            *Mar  1 01:00:08.647: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.34.2 (Serial0/1) is down: Auth failure

            • 3. Re: EIGRP Authentication
              Eddie

              Hello Aninda,

              I have this bug too!

              After I added key 2, all was good :)

              The key chain must match on both routers!!!

              R3#sh key chain
              Key-chain cisco:
                  key 1 -- text "www"
                      accept lifetime (06:00:00 UTC May 1 2011) - (06:00:00 UTC Jun 1 2011) [valid now]
                      send lifetime (06:00:00 UTC May 1 2011) - (06:00:00 UTC Jun 1 2011) [valid now]
                  key 2 -- text "test"
                      accept lifetime (06:00:00 UTC Jun 1 2011) - (06:00:00 UTC Jul 1 2011)
                      send lifetime (06:00:00 UTC Jun 1 2011) - (06:00:00 UTC Jul 1 2011)
                  key 3 -- text "infiniti_key"
                      accept lifetime (06:00:00 UTC Jul 1 2011) - (infinite)
                      send lifetime (06:00:00 UTC Jul 1 2011) - (infinite)
              R3#sh run int f0/0
              Building configuration...

              Current configuration : 263 bytes
              !
              interface FastEthernet0/0
              ip address 172.16.2.2 255.255.255.0
              ip bandwidth-percent eigrp 1 999999
              ip hello-interval eigrp 1 2
              ip hold-time eigrp 1 6
              ip authentication mode eigrp 1 md5
              ip authentication key-chain eigrp 1 cisco
              duplex auto
              speed auto
              end

              R3#

               

               

              R3#debug eigrp packets

              EIGRP Packets debugging is on

                  (UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)

              R3#

              May 16 17:51:05.688: EIGRP: received packet with MD5 authentication, key id = 1

              May 16 17:51:05.696: EIGRP: Received HELLO on FastEthernet0/0 nbr 172.16.2.1

              May 16 17:51:05.700:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0

              May 16 17:51:05.796: EIGRP: Sending HELLO on FastEthernet0/0

              May 16 17:51:05.800:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0

              May 16 17:51:05.816: EIGRP: received packet with MD5 authentication, key id = 1

              May 16 17:51:05.816: EIGRP: Received HELLO on FastEthernet0/1 nbr 172.16.1.1

              May 16 17:51:05.820:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0

              R3#

              May 16 17:51:06.008: EIGRP: Sending HELLO on FastEthernet0/1

              May 16 17:51:06.012:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0

              R3#

              May 16 17:51:07.512: EIGRP: received packet with MD5 authentication, key id = 1

              May 16 17:51:07.516: EIGRP: Received HELLO on FastEthernet0/0 nbr 172.16.2.1

              May 16 17:51:07.520:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0

              May 16 17:51:07.572: EIGRP: received packet with MD5 authentication, key id = 1

              May 16 17:51:07.572: EIGRP: Received HELLO on FastEthernet0/1 nbr 172.16.1.1

              May 16 17:51:07.576:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0

              May 16 17:51:07.720: EIGRP: Sending HELLO on FastEthernet0/0

              May 16 17:51:07.720:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0

              R3#

              May 16 17:51:08.004: EIGRP: Sending HELLO on FastEthernet0/1

              May 16 17:51:08.004:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0

              R3#

              May 16 17:51:09.372: EIGRP: received packet with MD5 authentication, key id = 1

              May 16 17:51:09.372: EIGRP: Received HELLO on FastEthernet0/0 nbr 172.16.2.1

              May 16 17:51:09.376:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0

              May 16 17:51:09.460: EIGRP: received packet with MD5 authentication, key id = 1

              May 16 17:51:09.460: EIGRP: Received HELLO on FastEthernet0/1 nbr 172.16.1.1

              May 16 17:51:09.464:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0

              May 16 17:51:09.476: EIGRP: Sending HELLO on FastEthernet0/0

              May 16 17:51:09.476:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0

              R3#un

              May 16 17:51:09.944: EIGRP: Sending HELLO on FastEthernet0/1

              May 16 17:51:09.944:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0

              R3#un all

              All possible debugging has been turned off

              R3#

              May 16 17:51:11.216: EIGRP: received packet with MD5 authentication, key id = 1

              May 16 17:51:11.220: EIGRP: Received HELLO on FastEthernet0/0 nbr 172.16.2.1

              May 16 17:51:11.220:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0

              May 16 17:51:11.304: EIGRP: Sending HELLO on FastEthernet0/0

              May 16 17:51:11.308:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0

              May 16 17:51:11.380: EIGRP: received packet with MD5 authentication, key id = 1

              May 16 17:51:11.380: EIGRP: Received HELLO on FastEthernet0/1 nbr 172.16.1.1

              May 16 17:51:11.380:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0

              R3#

              May 16 17:51:11.768: EIGRP: Sending HELLO on FastEthernet0/1

              May 16 17:51:11.772:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0

              R3#

              • 4. Re: EIGRP Authentication
                Ahmed

                In order to run authentication between the routers, the clocks on all routers must be synchronised.

                Try setting one of the routers as NTP master and the others as NTP clients.

                • 5. Re: EIGRP Authentication
                  Ahmed

                  If you remember, in the same video Jeremy speaks about NTP while doing the authentication, but the NTP configuration is not shown. Go to Routergods.com for the NTP video; it is a three-command setup. You can do it easily.

                  • 6. Re: EIGRP Authentication
                    Eddie

                    Ahmed, you are right!!!

                    R3 is client

                    R3#sh run | inc
                    R3#sh run | include ntp
                    ntp clock-period 17179688
                    ntp server 172.16.1.1
                    R3#sh ntp associations

                          address         ref clock     st  when  poll reach  delay  offset    disp
                    *~172.16.1.1       127.127.7.1       3   135   512  377     8.0   36.67    11.4
                    * master (synced), # master (unsynced), + selected, - candidate, ~ configured
                    R3#sh clock
                    18:13:11.169 UTC Mon May 16 2011
                    R3#

                     

                    R1 is master

                    R1#sh run | inc ntp
                    ntp master 3
                    R1#sh ntp ***
                    R1#sh ntp associations

                          address         ref clock     st  when  poll reach  delay  offset    disp
                    *~127.127.7.1      127.127.7.1       2    16    64  377     0.0    0.00     0.0
                    * master (synced), # master (unsynced), + selected, - candidate, ~ configured
                    R1#sh clo
                    R1#sh clock
                    18:15:01.986 UTC Mon May 16 2011
                    R1#

                    • 7. Re: EIGRP Authentication
                      Ahmed

                      Does it solve your problem?

                      • 8. Re: EIGRP Authentication
                        Daz_UK

                        Aninda

                        Have you added the IP AUTHENTICATION KEY-CHAIN EIGRP 1 EIGRP-KEY  under the s 0/0 interface ?

                        • 9. Re: EIGRP Authentication
                          Adam - CCNP

                          Hi,

                           

                          You need to configure the key chains on each router, and then tell the interface to use MD5 authentication, but then you also need to tell the interface which key chain to use.

                           

                          So e.g.

                           

                          BB(config)#int s0/0

                          BB(config-if)#ip authentication mode eigrp 35 md5

                          BB(config-if)#ip authentication key-chain eigrp 35 EIGRP_KEY

                           

                          Remember that as well as the key-strings, the key numbers also have to match. You can call the key chains whatever you want.

                           

                          Cheers
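To make the two rules from this thread concrete (post 9: key numbers and key strings must match; posts 3, 4 and 12: a key is only usable while its accept/send lifetime is valid on the local clock), here is an added example that is not from the thread and not Cisco's code. It is a small Python model of IOS key-chain handling: the sender signs with the lowest-numbered key whose send lifetime is valid, and the receiver looks up the key by the key id carried in the packet (the "key id = 1" seen in debug eigrp packets above) and only accepts it inside that key's accept lifetime. The md5(packet || key) digest is a simplified stand-in and does not reproduce the real EIGRP authentication TLV layout; the key chains and clock values are constructed to mirror the lab (BB and R3 share key 1 "cisco1", R2 has key 2 "cisco2") and Eddie's rotating chain, and the 1993 clock in the last scenario assumes a router that lost its time after a reload.

```python
from dataclasses import dataclass
from datetime import datetime
import hashlib
import hmac

INFINITE = datetime.max  # stands in for the IOS "infinite" lifetime end


@dataclass(frozen=True)
class Key:
    key_id: int
    key_string: bytes
    accept: tuple  # (start, end): packets signed with this key are accepted in this window
    send: tuple    # (start, end): this key may sign outgoing packets in this window


def valid_now(window, now):
    start, end = window
    return start <= now < end


class KeyChain:
    def __init__(self, name, keys):
        self.name = name
        self.keys = {k.key_id: k for k in keys}

    def send_key(self, now):
        # IOS signs with the lowest-numbered key whose send lifetime is valid.
        for key_id in sorted(self.keys):
            if valid_now(self.keys[key_id].send, now):
                return self.keys[key_id]
        return None

    def accept_key(self, key_id, now):
        # The receiver looks the key up by the id carried in the packet's auth TLV,
        # so a packet signed with key 1 can never be verified by a chain holding only key 2.
        key = self.keys.get(key_id)
        if key is not None and valid_now(key.accept, now):
            return key
        return None


def digest(packet, key_string):
    # Assumption: simplified md5 over packet followed by the key; not the exact EIGRP digest.
    return hashlib.md5(packet + key_string).hexdigest()


def sign(chain, packet, now):
    key = chain.send_key(now)
    if key is None:
        return None
    return key.key_id, digest(packet, key.key_string)


def verify(chain, packet, key_id, received_digest, now):
    key = chain.accept_key(key_id, now)
    if key is None:
        return False, f"{chain.name}: no key {key_id} valid at {now:%Y-%m-%d %H:%M} (auth failure)"
    if hmac.compare_digest(digest(packet, key.key_string), received_digest):
        return True, f"{chain.name}: accepted with key {key_id}"
    return False, f"{chain.name}: key {key_id} digest mismatch (auth failure)"


def hello_exchange(sender, receiver, sender_clock, receiver_clock, packet=b"EIGRP HELLO AS 35"):
    """Sender signs a hello using its own clock and chain; receiver verifies with its own."""
    signed = sign(sender, packet, sender_clock)
    if signed is None:
        return False, f"{sender.name}: no key with a valid send lifetime"
    key_id, d = signed
    return verify(receiver, packet, key_id, d, receiver_clock)


def lifetime_key(key_id, key_string, start, end=INFINITE):
    return Key(key_id, key_string, (start, end), (start, end))


# Constructed chains mirroring the lab: BB and R3 share key 1 "cisco1", R2 only has key 2 "cisco2".
LAB_START = datetime(2002, 3, 1)
BB = KeyChain("BB/EIGRP_KEYS", [lifetime_key(1, b"cisco1", LAB_START)])
R3 = KeyChain("R3/EIGRP_KEYS", [lifetime_key(1, b"cisco1", LAB_START)])
R2 = KeyChain("R2/EIGRP_KEYS", [lifetime_key(2, b"cisco2", LAB_START)])
WRONG_STRING = KeyChain("Rx/EIGRP_KEYS", [lifetime_key(1, b"cisco", LAB_START)])  # same id, typo in string
# Eddie's rotating chain from post 3: key 1 in May, key 2 in June, key 3 from July on.
ROTATING = KeyChain("cisco", [
    lifetime_key(1, b"www", datetime(2011, 5, 1, 6), datetime(2011, 6, 1, 6)),
    lifetime_key(2, b"test", datetime(2011, 6, 1, 6), datetime(2011, 7, 1, 6)),
    lifetime_key(3, b"infiniti_key", datetime(2011, 7, 1, 6)),
])


def run_scenarios():
    lab_clock = datetime(2002, 3, 1, 1, 1)   # both lab routers showed 01:01 UTC Mar 1 2002
    may16 = datetime(2011, 5, 16, 18)        # Eddie's synced clocks
    return {
        "bb_to_r3": hello_exchange(BB, R3, lab_clock, lab_clock),
        "bb_to_r2": hello_exchange(BB, R2, lab_clock, lab_clock),
        "same_id_wrong_string": hello_exchange(BB, WRONG_STRING, lab_clock, lab_clock),
        "rotating_in_sync": hello_exchange(ROTATING, ROTATING, may16, may16),
        "rotating_receiver_ahead": hello_exchange(ROTATING, ROTATING, may16, datetime(2011, 6, 2)),
        "sender_clock_lost": hello_exchange(BB, R3, datetime(1993, 3, 1), lab_clock),
    }


if __name__ == "__main__":
    for name, (ok, reason) in run_scenarios().items():
        print(f"{name:24} {'OK  ' if ok else 'FAIL'} {reason}")
```

Running it shows BB-to-R3 succeeding, BB-to-R2 failing because R2 holds no key 1 (Aninda's original chains), a same-id-but-different-string chain failing on the digest, Eddie's rotating chain working while both clocks agree and failing once the receiver's clock has moved past key 1's accept lifetime, and a sender whose clock has fallen back before the lifetime start having no key to send with at all. The last two are why NTP matters once lifetimes are finite, even though "infinite" lifetimes with matching clocks, as in the lab, are unaffected.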

                          • 10. Re: EIGRP Authentication
                            Aninda

                            Ahmed, Eduard. I agree, NTP is a good thing. But it cannot be causing this issue. The clock times are the same on both routers (I pasted the sh clock output earlier), and both keys are valid, so a clock mismatch cannot be the problem. I suppose NTP is useful, as we wouldn't have to set the clock manually on all routers one by one; they would get synchronized on their own. But in this case, having set the clock manually should not be an issue.

                             

                            Babasdad, you got it spot on. I saw your post, and I know I'm prone to very stupid mistakes. Went back and checked whether authentication was enabled on the correct interfaces. It wasn't. Enabled it on s0/0, authentication passed, neighbors came up.

                             

                            But I still don't get why that flapping was happening when I only put in the ip authentication mode eigrp md5 on the BB router.

                            • 11. Re: EIGRP Authentication
                              Ahmed

                              debug eigrp packets

                              and paste the result

                              • 12. Re: EIGRP Authentication
                                Ahmed

                                It is very difficult to synchronize the clock manually; for sure there will be a difference of minutes or seconds,

                                and a difference of minutes or seconds makes a big difference for security and logging.

                                • 13. Re: EIGRP Authentication
                                  Aninda

                                  Yes, that is true. But here, since I'm just using two routers for the authentication, and I see their clocks seem to be fine, I guess that couldn't be the issue.

                                   

                                  Also, I don't know how NTP really works. Never tried it out. Can you list the exact commands needed to set this up? I'll probably go back home and search for it too.

                                  • 14. Re: EIGRP Authentication
                                    smsnaqvi

                                    Hi Aninda

                                     

                                    On the BB router, in global config mode type in

                                     

                                    config # ntp server  66.27.60.10

                                     

                                    The above IP is an NTP server.

                                     

                                    Then on R2 and R3, in global config mode, type in

                                     

                                    ntp server 10.1.24.1 and ntp server 10.1.34.1 respectively. Your BB is the primary point of contact with the public NTP server; R2 and R3 will treat the BB router as their server to synchronize the time. If you want to read about NTP, here you go.

                                     

                                    http://oreilly.com/catalog/hardcisco/chapter/ch10.html
