1 2 Previous Next 19 Replies Latest reply: Apr 28, 2012 8:08 PM by Patrick

EIGRP Authentication

Aninda May 16, 2011 6:18 AM

Hi guys,

Below is the lab I'm working on (from CBT Nuggets Route).

I thought I'd just try fooling around a bit, just to see what does what. Mess up things and see what happens you know.

Now from what I know, we enable authention after setting up key chains in eigrp. And since it only supports md5 and no clear text so that is the only real option we got.

I went and set up the key chains as follows:

On BB:

BB(config-keychain-key)#do sho key chain

Key-chain EIGRP_KEYS:

key 1 -- text "cisco1"

accept lifetime (00:00:00 UTC Mar 1 2002) - (infinite) [valid now]

send lifetime (00:00:00 UTC Mar 1 2002) - (infinite) [valid now]

On R2:

R2(config-keychain-key)#do sh key chain

Key-chain EIGRP_KEYS:

key 2 -- text "cisco2"

accept lifetime (00:00:00 UTC Mar 1 2002) - (infinite) [valid now]

send lifetime (00:00:00 UTC Mar 1 2002) - (infinite) [valid now]

On R3:

R3(config-keychain-key)#do sho key chain

Key-chain EIGRP_KEYS:

key 1 -- text "cisco1"

accept lifetime (00:00:00 UTC Mar 1 2002) - (infinite) [valid now]

send lifetime (00:00:00 UTC Mar 1 2002) - (infinite) [valid now]

I then enabled md5 authentication on ONLY BB Router (on s0/0):

BB(config)#int s0/0

BB(config-if)#ip authentication mode eigrp 35 md5

Now, I understand due to a mismatch in authentication type (one side uses md5 - the other no authentication enabled at all), the neighbor relationship would go down.

But for some reason, it keeps bouncing between neighbor up and down. I don't get it.

R2(config)#

*Mar 1 00:38:24.687: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Ser ial0/0) is down: retry limit exceeded

R2(config)#

*Mar 1 00:38:29.095: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Ser ial0/0) is up: new adjacency

R2(config)#

*Mar 1 00:39:48.619: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Ser ial0/0) is down: retry limit exceeded

R2(config)#

*Mar 1 00:39:52.283: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Ser ial0/0) is up: new adjacency

R2(config)#

*Mar 1 00:41:11.799: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Ser ial0/0) is down: retry limit exceeded

R2(config)#

*Mar 1 00:41:14.947: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Ser ial0/0) is up: new adjacency

R2(config)#

*Mar 1 00:42:34.463: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Ser ial0/0) is down: retry limit exceeded

R2(config)#

*Mar 1 00:42:37.931: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Ser ial0/0) is up: new adjacency

R2(config)#

*Mar 1 00:43:57.447: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Ser ial0/0) is down: retry limit exceeded

R2(config)#

*Mar 1 00:43:59.659: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Ser ial0/0) is up: new adjacency

R2(config)#

*Mar 1 00:45:19.179: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Ser ial0/0) is down: retry limit exceeded

R2(config)#

*Mar 1 00:45:22.663: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Ser ial0/0) is up: new adjacency

R2(config)#

*Mar 1 00:46:42.179: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Ser ial0/0) is down: retry limit exceeded

R2(config)#

*Mar 1 00:46:46.575: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Ser ial0/0) is up: new adjacency

R2(config)#

*Mar 1 00:48:06.091: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Ser ial0/0) is down: retry limit exceeded

R2(config)#

*Mar 1 00:48:09.579: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Ser ial0/0) is up: new adjacency

What is happening here, can someone please explain this?

1. Re: EIGRP Authentication

Aninda May 16, 2011 6:32 AM (in response to Aninda)

And now I have authentication enabled correctly (I assume) on BB and R3.

show clock for both says:

BB(config-if)#do sh clock
*01:01:42.659 UTC Fri Mar 1 2002

And both have key 1 and correct key string which is cisco1.

R3(config-if)#do sho key chain
Key-chain EIGRP_KEYS:
    key 1 -- text "cisco1"
        accept lifetime (00:00:00 UTC Mar 1 2002) - (infinite) [valid now]
        send lifetime (00:00:00 UTC Mar 1 2002) - (infinite) [valid now]

BB(config-if)#do sho key chain
Key-chain EIGRP_KEYS:
    key 1 -- text "cisco1"
        accept lifetime (00:00:00 UTC Mar 1 2002) - (infinite) [valid now]
        send lifetime (00:00:00 UTC Mar 1 2002) - (infinite) [valid now]

What could be wrong now?
Like Show 0 Likes (0)

Actions

Join this discussion now: Log in / Register
2. Re: EIGRP Authentication

Aninda May 16, 2011 6:34 AM (in response to Aninda)

Sorry I forgot to add that they aren't being authenticated and no neighbor relationship is being formed.

I get the following error on BB.

BB(config-if)#
*Mar 1 01:00:08.647: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.34.2 (Serial0/1) is down: Auth failure
Like Show 0 Likes (0)

Actions

Join this discussion now: Log in / Register
3. Re: EIGRP Authentication

Eddie May 16, 2011 6:52 AM (in response to Aninda)

Hello Aninda,
i have this is bug too!
after i am add key 2 and all was good))
key chain must match on both routers!!!
R3#sh key chain
Key-chain cisco:
    key 1 -- text "www"
        accept lifetime (06:00:00 UTC May 1 2011) - (06:00:00 UTC Jun 1 2011) [valid now]
        send lifetime (06:00:00 UTC May 1 2011) - (06:00:00 UTC Jun 1 2011) [valid now]
    key 2 -- text "test"
        accept lifetime (06:00:00 UTC Jun 1 2011) - (06:00:00 UTC Jul 1 2011)
        send lifetime (06:00:00 UTC Jun 1 2011) - (06:00:00 UTC Jul 1 2011)
    key 3 -- text "infiniti_key"
        accept lifetime (06:00:00 UTC Jul 1 2011) - (infinite)
        send lifetime (06:00:00 UTC Jul 1 2011) - (infinite)
R3#sh run int f0/0
Building configuration...
Current configuration : 263 bytes
!
interface FastEthernet0/0
ip address 172.16.2.2 255.255.255.0
ip bandwidth-percent eigrp 1 999999
ip hello-interval eigrp 1 2
ip hold-time eigrp 1 6
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 cisco
duplex auto
speed auto
end
R3#

R3#debug eigrp packets
EIGRP Packets debugging is on
    (UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
R3#
May 16 17:51:05.688: EIGRP: received packet with MD5 authentication, key id = 1
May 16 17:51:05.696: EIGRP: Received HELLO on FastEthernet0/0 nbr 172.16.2.1
May 16 17:51:05.700:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
May 16 17:51:05.796: EIGRP: Sending HELLO on FastEthernet0/0
May 16 17:51:05.800:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
May 16 17:51:05.816: EIGRP: received packet with MD5 authentication, key id = 1
May 16 17:51:05.816: EIGRP: Received HELLO on FastEthernet0/1 nbr 172.16.1.1
May 16 17:51:05.820:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
R3#
May 16 17:51:06.008: EIGRP: Sending HELLO on FastEthernet0/1
May 16 17:51:06.012:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
R3#
May 16 17:51:07.512: EIGRP: received packet with MD5 authentication, key id = 1
May 16 17:51:07.516: EIGRP: Received HELLO on FastEthernet0/0 nbr 172.16.2.1
May 16 17:51:07.520:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
May 16 17:51:07.572: EIGRP: received packet with MD5 authentication, key id = 1
May 16 17:51:07.572: EIGRP: Received HELLO on FastEthernet0/1 nbr 172.16.1.1
May 16 17:51:07.576:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
May 16 17:51:07.720: EIGRP: Sending HELLO on FastEthernet0/0
May 16 17:51:07.720:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
R3#
May 16 17:51:08.004: EIGRP: Sending HELLO on FastEthernet0/1
May 16 17:51:08.004:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
R3#
May 16 17:51:09.372: EIGRP: received packet with MD5 authentication, key id = 1
May 16 17:51:09.372: EIGRP: Received HELLO on FastEthernet0/0 nbr 172.16.2.1
May 16 17:51:09.376:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
May 16 17:51:09.460: EIGRP: received packet with MD5 authentication, key id = 1
May 16 17:51:09.460: EIGRP: Received HELLO on FastEthernet0/1 nbr 172.16.1.1
May 16 17:51:09.464:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
May 16 17:51:09.476: EIGRP: Sending HELLO on FastEthernet0/0
May 16 17:51:09.476:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
R3#un
May 16 17:51:09.944: EIGRP: Sending HELLO on FastEthernet0/1
May 16 17:51:09.944:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
R3#un all
All possible debugging has been turned off
R3#
May 16 17:51:11.216: EIGRP: received packet with MD5 authentication, key id = 1
May 16 17:51:11.220: EIGRP: Received HELLO on FastEthernet0/0 nbr 172.16.2.1
May 16 17:51:11.220:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
May 16 17:51:11.304: EIGRP: Sending HELLO on FastEthernet0/0
May 16 17:51:11.308:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
May 16 17:51:11.380: EIGRP: received packet with MD5 authentication, key id = 1
May 16 17:51:11.380: EIGRP: Received HELLO on FastEthernet0/1 nbr 172.16.1.1
May 16 17:51:11.380:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
R3#
May 16 17:51:11.768: EIGRP: Sending HELLO on FastEthernet0/1
May 16 17:51:11.772:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
R3#
Like Show 0 Likes (0)

Actions

Join this discussion now: Log in / Register
4. Re: EIGRP Authentication

Ahmed May 16, 2011 7:02 AM (in response to Eddie)

In order to run authentication between the router, clock on all routers must be synchronised,
Try setting one of the route as NTP Master and the others NTP Client.
Like Show 0 Likes (0)

Actions

Join this discussion now: Log in / Register
5. Re: EIGRP Authentication

Ahmed May 16, 2011 7:06 AM (in response to Eddie)

if you remember from the same video jermy speak about the NTP while doing the authentication, but NTP Configuration is not shown. Go to Routergods.com for the ntp video and is three command setup. you can do it easily.
Like Show 0 Likes (0)

Actions

Join this discussion now: Log in / Register
6. Re: EIGRP Authentication

Eddie May 16, 2011 7:16 AM (in response to Ahmed)

Ahmed, you are right!!!
R3 is client
R3#sh run | inc
R3#sh run | include ntp
ntp clock-period 17179688
ntp server 172.16.1.1
R3#sh ntp associations
      address         ref clock     st when poll reach delay offset    disp
*~172.16.1.1       127.127.7.1       3   135   512 377     8.0   36.67    11.4
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
R3#sh clock
18:13:11.169 UTC Mon May 16 2011
R3#

R1 is master
R1#sh run | inc ntp
ntp master 3
R1#sh ntp ***
R1#sh ntp associations
      address         ref clock     st when poll reach delay offset    disp
*~127.127.7.1      127.127.7.1       2    16    64 377     0.0    0.00     0.0
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
R1#sh clo
R1#sh clock
18:15:01.986 UTC Mon May 16 2011
R1#
Like Show 0 Likes (0)

Actions

Join this discussion now: Log in / Register
7. Re: EIGRP Authentication

Ahmed May 16, 2011 7:19 AM (in response to Eddie)

does it solve your problem
Like Show 0 Likes (0)

Actions

Join this discussion now: Log in / Register
8. Re: EIGRP Authentication

Daz_UK May 16, 2011 10:13 AM (in response to Aninda)

Aninda
Have you added the IP AUTHENTICATION KEY-CHAIN EIGRP 1 EIGRP-KEY under the s 0/0 interface ?
Like Show 0 Likes (0)

Actions

Join this discussion now: Log in / Register
9. Re: EIGRP Authentication

Adam - CCNP May 16, 2011 2:54 PM (in response to Aninda)

Hi,

You need to configure the key chains on each router, and then tell the interface to use MD5 authentication but then you need to tell the interface what key chain to use.

So e.g.

BB(config)#int s0/0
BB(config-if)#ip authentication mode eigrp 35 md5
BB(config-if)#ip authentication key-chain eigrp 35 EIGRP_KEY

Remember that as well as the key-strings, the key numbers also have to match. You can call the key chains whatever you want.

Cheers
Like Show 0 Likes (0)

Actions

Join this discussion now: Log in / Register
10. Re: EIGRP Authentication

Aninda May 16, 2011 6:17 PM (in response to Adam - CCNP)

Ahmed, Eduard. I agree, NTP is a good thing. But it cannot be causing this issue. The clock times are same on both the routers (I pasted the sh clock earlier) and both the keys are valid so a clocking mismatch cannot be the prob. I suppose NTP is useful as we wouldn't have to set the clock manually on all routers one by one, they would get synchronized on their own. But in this case, having set the clock manually should not be an issue.

Babasdad, you got it spot on. I saw your post, and I know I'm prone to very stupid mistakes. Went back and checked if authentication is enabled on correct interfaces. It wasn't. Enable it on s0/0, authentication pass, neighbors came up.

But I still don't get why that flapping was happening when I only put in the ip authenticaiton mode eigrp md5 on BB router.
Like Show 0 Likes (0)

Actions

Join this discussion now: Log in / Register
11. Re: EIGRP Authentication

Ahmed May 16, 2011 7:17 PM (in response to Aninda)

debug eigrp packets
and paste the result
Like Show 0 Likes (0)

Actions

Join this discussion now: Log in / Register
12. Re: EIGRP Authentication

Ahmed May 16, 2011 7:19 PM (in response to Aninda)

it is very idfficult to synchronize the clock manually, for sure there will be a differance in in min. or sec,
and a differance of min. or sec makes a big differance for the security and logging.
Like Show 0 Likes (0)

Actions

Join this discussion now: Log in / Register
13. Re: EIGRP Authentication

Aninda May 16, 2011 7:53 PM (in response to Ahmed)

Yes, that is true. But here, since I'm just using two routers for the authentication, and I see their clocks seem to be fine, I guess that couldn't be the issue.

Also, I don't know how NTP really works. Never tried it out. Can you list the exact commands needed to set this up? I'll probably go back home and search for it too.
Like Show 0 Likes (0)

Actions

Join this discussion now: Log in / Register
14. Re: EIGRP Authentication

smsnaqvi May 16, 2011 10:52 PM (in response to Aninda)

Hi Aninda

On the BB router, in the global config mde type in

config # ntp server 66.27.60.10

the above ip is an ntp server

then on R2 and R3, in the global config mode, type in

ntp server 10.1.24.1 and 10.1.34.1 respectively. Your BB is the primary point of contact with the public NTP server, R2 and R3 will consider the BB router as their servers to synchronize the time. You wanna read about NTP, here you go.

http://oreilly.com/catalog/hardcisco/chapter/ch10.html
Like Show 0 Likes (0)

Actions

Join this discussion now: Log in / Register

1 2 Previous Next

Go to original post