Skip navigation
Cisco Learning Home > CCNP R&S Study Group > Discussions
Up to Discussions in CCNP R&S Study Group
4278 Views 19 Replies Latest reply: Apr 28, 2012 8:08 PM by Patrick RSS 1 2 Previous Next

Currently Being Moderated

EIGRP Authentication

May 16, 2011 6:18 AM

Aninda
Aninda
302 posts since
Jun 19, 2010

Hi guys,

 

Below is the lab I'm working on (from CBT Nuggets Route).

 

I thought I'd just try fooling around a bit, just to see what does what. Mess up things and see what happens you know.

 

authentication.png

Now from what I know, we enable authention after setting up key chains in eigrp. And since it only supports md5 and no clear text so that is the only real option we got.

I went and set up the key chains as follows:

 

On BB:

 

BB(config-keychain-key)#do sho key chain

Key-chain EIGRP_KEYS:

    key 1 -- text "cisco1"

        accept lifetime (00:00:00 UTC Mar 1 2002) - (infinite) [valid now]

        send lifetime (00:00:00 UTC Mar 1 2002) - (infinite) [valid now]

 

On R2:

 

R2(config-keychain-key)#do sh key chain

Key-chain EIGRP_KEYS:

    key 2 -- text "cisco2"

        accept lifetime (00:00:00 UTC Mar 1 2002) - (infinite) [valid now]

        send lifetime (00:00:00 UTC Mar 1 2002) - (infinite) [valid now]

 

On R3:

 

R3(config-keychain-key)#do sho key chain

Key-chain EIGRP_KEYS:

    key 1 -- text "cisco1"

        accept lifetime (00:00:00 UTC Mar 1 2002) - (infinite) [valid now]

        send lifetime (00:00:00 UTC Mar 1 2002) - (infinite) [valid now]

 

 

I then enabled md5 authentication on ONLY BB Router (on s0/0):

 

BB(config)#int s0/0

BB(config-if)#ip authentication mode eigrp 35 md5

 

Now, I understand due to a mismatch in authentication type (one side uses md5 - the other no authentication enabled at all), the neighbor relationship would go down.

 

But for some reason, it keeps bouncing between neighbor up and down. I don't get it.

 

R2(config)#

*Mar  1 00:38:24.687: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Ser ial0/0) is down: retry limit exceeded

R2(config)#

*Mar  1 00:38:29.095: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Ser ial0/0) is up: new adjacency

R2(config)#

*Mar  1 00:39:48.619: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Ser ial0/0) is down: retry limit exceeded

R2(config)#

*Mar  1 00:39:52.283: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Ser ial0/0) is up: new adjacency

R2(config)#

*Mar  1 00:41:11.799: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Ser ial0/0) is down: retry limit exceeded

R2(config)#

*Mar  1 00:41:14.947: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Ser ial0/0) is up: new adjacency

R2(config)#

*Mar  1 00:42:34.463: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Ser ial0/0) is down: retry limit exceeded

R2(config)#

*Mar  1 00:42:37.931: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Ser ial0/0) is up: new adjacency

R2(config)#

*Mar  1 00:43:57.447: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Ser ial0/0) is down: retry limit exceeded

R2(config)#

*Mar  1 00:43:59.659: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Ser ial0/0) is up: new adjacency

R2(config)#

*Mar  1 00:45:19.179: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Ser ial0/0) is down: retry limit exceeded

R2(config)#

*Mar  1 00:45:22.663: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Ser ial0/0) is up: new adjacency

R2(config)#

*Mar  1 00:46:42.179: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Ser ial0/0) is down: retry limit exceeded

R2(config)#

*Mar  1 00:46:46.575: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Ser ial0/0) is up: new adjacency

R2(config)#

*Mar  1 00:48:06.091: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Ser ial0/0) is down: retry limit exceeded

R2(config)#

*Mar  1 00:48:09.579: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Ser ial0/0) is up: new adjacency

 

 

What is happening here, can someone please explain this?

  • Aninda
    Aninda
    302 posts since
    Jun 19, 2010
    Currently Being Moderated
    1. May 16, 2011 6:32 AM (in response to Aninda)
    Re: EIGRP Authentication

    And now I have authentication enabled correctly (I assume) on BB and R3.

     

    show clock for both says:

     

    BB(config-if)#do sh clock

    *01:01:42.659 UTC Fri Mar 1 2002

     

    And both have key 1 and correct key string which is cisco1.

     

    R3(config-if)#do sho key chain

    Key-chain EIGRP_KEYS:

        key 1 -- text "cisco1"

            accept lifetime (00:00:00 UTC Mar 1 2002) - (infinite) [valid now]

            send lifetime (00:00:00 UTC Mar 1 2002) - (infinite) [valid now]

     

     

    BB(config-if)#do sho key chain

    Key-chain EIGRP_KEYS:

        key 1 -- text "cisco1"

            accept lifetime (00:00:00 UTC Mar 1 2002) - (infinite) [valid now]

            send lifetime (00:00:00 UTC Mar 1 2002) - (infinite) [valid now]

     

    What could be wrong now?

  • Aninda
    Aninda
    302 posts since
    Jun 19, 2010
    Currently Being Moderated
    2. May 16, 2011 6:34 AM (in response to Aninda)
    Re: EIGRP Authentication

    Sorry I forgot to add that they aren't being authenticated and no neighbor relationship is being formed.

     

    I get the following error on BB.

     

    BB(config-if)#

    *Mar  1 01:00:08.647: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.34.2 (Serial0/1) is down: Auth failure

  • Eddie
    Eddie
    225 posts since
    Feb 4, 2011
    Currently Being Moderated
    3. May 16, 2011 6:52 AM (in response to Aninda)
    Re: EIGRP Authentication

    Hello Aninda,

    i have this is bug too!

    after i am add key 2 and all was good))

    key chain must match on both routers!!!

    R3#sh key chain
    Key-chain cisco:
        key 1 -- text "www"
            accept lifetime (06:00:00 UTC May 1 2011) - (06:00:00 UTC Jun 1 2011) [valid now]
            send lifetime (06:00:00 UTC May 1 2011) - (06:00:00 UTC Jun 1 2011) [valid now]
        key 2 -- text "test"
            accept lifetime (06:00:00 UTC Jun 1 2011) - (06:00:00 UTC Jul 1 2011)
            send lifetime (06:00:00 UTC Jun 1 2011) - (06:00:00 UTC Jul 1 2011)
        key 3 -- text "infiniti_key"
            accept lifetime (06:00:00 UTC Jul 1 2011) - (infinite)
            send lifetime (06:00:00 UTC Jul 1 2011) - (infinite)
    R3#sh run int f0/0
    Building configuration...

    Current configuration : 263 bytes
    !
    interface FastEthernet0/0
    ip address 172.16.2.2 255.255.255.0
    ip bandwidth-percent eigrp 1 999999
    ip hello-interval eigrp 1 2
    ip hold-time eigrp 1 6
    ip authentication mode eigrp 1 md5
    ip authentication key-chain eigrp 1 cisco
    duplex auto
    speed auto
    end

    R3#

     

     

    R3#debug eigrp packets

    EIGRP Packets debugging is on

        (UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)

    R3#

    May 16 17:51:05.688: EIGRP: received packet with MD5 authentication, key id = 1

    May 16 17:51:05.696: EIGRP: Received HELLO on FastEthernet0/0 nbr 172.16.2.1

    May 16 17:51:05.700:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0

    May 16 17:51:05.796: EIGRP: Sending HELLO on FastEthernet0/0

    May 16 17:51:05.800:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0

    May 16 17:51:05.816: EIGRP: received packet with MD5 authentication, key id = 1

    May 16 17:51:05.816: EIGRP: Received HELLO on FastEthernet0/1 nbr 172.16.1.1

    May 16 17:51:05.820:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0

    R3#

    May 16 17:51:06.008: EIGRP: Sending HELLO on FastEthernet0/1

    May 16 17:51:06.012:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0

    R3#

    May 16 17:51:07.512: EIGRP: received packet with MD5 authentication, key id = 1

    May 16 17:51:07.516: EIGRP: Received HELLO on FastEthernet0/0 nbr 172.16.2.1

    May 16 17:51:07.520:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0

    May 16 17:51:07.572: EIGRP: received packet with MD5 authentication, key id = 1

    May 16 17:51:07.572: EIGRP: Received HELLO on FastEthernet0/1 nbr 172.16.1.1

    May 16 17:51:07.576:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0

    May 16 17:51:07.720: EIGRP: Sending HELLO on FastEthernet0/0

    May 16 17:51:07.720:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0

    R3#

    May 16 17:51:08.004: EIGRP: Sending HELLO on FastEthernet0/1

    May 16 17:51:08.004:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0

    R3#

    May 16 17:51:09.372: EIGRP: received packet with MD5 authentication, key id = 1

    May 16 17:51:09.372: EIGRP: Received HELLO on FastEthernet0/0 nbr 172.16.2.1

    May 16 17:51:09.376:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0

    May 16 17:51:09.460: EIGRP: received packet with MD5 authentication, key id = 1

    May 16 17:51:09.460: EIGRP: Received HELLO on FastEthernet0/1 nbr 172.16.1.1

    May 16 17:51:09.464:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0

    May 16 17:51:09.476: EIGRP: Sending HELLO on FastEthernet0/0

    May 16 17:51:09.476:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0

    R3#un

    May 16 17:51:09.944: EIGRP: Sending HELLO on FastEthernet0/1

    May 16 17:51:09.944:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0

    R3#un all

    All possible debugging has been turned off

    R3#

    May 16 17:51:11.216: EIGRP: received packet with MD5 authentication, key id = 1

    May 16 17:51:11.220: EIGRP: Received HELLO on FastEthernet0/0 nbr 172.16.2.1

    May 16 17:51:11.220:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0

    May 16 17:51:11.304: EIGRP: Sending HELLO on FastEthernet0/0

    May 16 17:51:11.308:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0

    May 16 17:51:11.380: EIGRP: received packet with MD5 authentication, key id = 1

    May 16 17:51:11.380: EIGRP: Received HELLO on FastEthernet0/1 nbr 172.16.1.1

    May 16 17:51:11.380:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0

    R3#

    May 16 17:51:11.768: EIGRP: Sending HELLO on FastEthernet0/1

    May 16 17:51:11.772:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0

    R3#

  • Ahmed
    Ahmed
    114 posts since
    Nov 14, 2010
    Currently Being Moderated
    4. May 16, 2011 7:02 AM (in response to Eddie)
    Re: EIGRP Authentication

    In order to run authentication between the router, clock on all routers must be synchronised,

    Try setting one of the route as NTP Master and the others NTP Client.

  • Ahmed
    Ahmed
    114 posts since
    Nov 14, 2010
    Currently Being Moderated
    5. May 16, 2011 7:06 AM (in response to Eddie)
    Re: EIGRP Authentication

    if you remember from the same video jermy speak about the NTP while doing the authentication, but NTP Configuration is not shown.  Go to Routergods.com for the ntp video and is three command setup.  you can do it easily.

  • Eddie
    Eddie
    225 posts since
    Feb 4, 2011
    Currently Being Moderated
    6. May 16, 2011 7:16 AM (in response to Ahmed)
    Re: EIGRP Authentication

    Ahmed, you are right!!!

    R3 is client

    R3#sh run | inc
    R3#sh run | include ntp
    ntp clock-period 17179688
    ntp server 172.16.1.1
    R3#sh ntp associations

          address         ref clock     st  when  poll reach  delay  offset    disp
    *~172.16.1.1       127.127.7.1       3   135   512  377     8.0   36.67    11.4
    * master (synced), # master (unsynced), + selected, - candidate, ~ configured
    R3#sh clock
    18:13:11.169 UTC Mon May 16 2011
    R3#

     

    R1 is master

    R1#sh run | inc ntp
    ntp master 3
    R1#sh ntp ***
    R1#sh ntp associations

          address         ref clock     st  when  poll reach  delay  offset    disp
    *~127.127.7.1      127.127.7.1       2    16    64  377     0.0    0.00     0.0
    * master (synced), # master (unsynced), + selected, - candidate, ~ configured
    R1#sh clo
    R1#sh clock
    18:15:01.986 UTC Mon May 16 2011
    R1#

  • Ahmed
    Ahmed
    114 posts since
    Nov 14, 2010
    Currently Being Moderated
    7. May 16, 2011 7:19 AM (in response to Eddie)
    Re: EIGRP Authentication

    does it solve your problem

  • Daz_UK
    Daz_UK
    136 posts since
    Sep 4, 2009
    Currently Being Moderated
    8. May 16, 2011 10:13 AM (in response to Aninda)
    Re: EIGRP Authentication

    Aninda

    Have you added the IP AUTHENTICATION KEY-CHAIN EIGRP 1 EIGRP-KEY  under the s 0/0 interface ?

  • Adam - CCNP
    Adam - CCNP
    47 posts since
    Dec 23, 2010
    Currently Being Moderated
    9. May 16, 2011 2:54 PM (in response to Aninda)
    Re: EIGRP Authentication

    Hi,

     

    You need to configure the key chains on each router, and then tell the interface to use MD5 authentication but then you need to tell the interface what key chain to use.

     

    So e.g.

     

    BB(config)#int s0/0

    BB(config-if)#ip authentication mode eigrp 35 md5

    BB(config-if)#ip authentication key-chain eigrp 35 EIGRP_KEY

     

    Remember that as well as the key-strings, the key numbers also have to match. You can call the key chains whatever you want.

     

    Cheers

  • Aninda
    Aninda
    302 posts since
    Jun 19, 2010
    Currently Being Moderated
    10. May 16, 2011 6:17 PM (in response to Adam - CCNP)
    Re: EIGRP Authentication

    Ahmed, Eduard. I agree, NTP is a good thing. But it cannot be causing this issue. The clock times are same on both the routers (I pasted the sh clock earlier) and both the keys are valid so a clocking mismatch cannot be the prob. I suppose NTP is useful as we wouldn't have to set the clock manually on all routers one by one, they would get synchronized on their own. But in this case, having set the clock manually should not be an issue.

     

    Babasdad, you got it spot on. I saw your post, and I know I'm prone to very stupid mistakes. Went back and checked if authentication is enabled on correct interfaces. It wasn't. Enable it on s0/0, authentication pass, neighbors came up.

     

    But I still don't get why that flapping was happening when I only put in the ip authenticaiton mode eigrp md5 on BB router. 

  • Ahmed
    Ahmed
    114 posts since
    Nov 14, 2010
    Currently Being Moderated
    11. May 16, 2011 7:17 PM (in response to Aninda)
    Re: EIGRP Authentication

    debug eigrp packets

    and paste the result

  • Ahmed
    Ahmed
    114 posts since
    Nov 14, 2010
    Currently Being Moderated
    12. May 16, 2011 7:19 PM (in response to Aninda)
    Re: EIGRP Authentication

    it is very idfficult to synchronize the clock manually, for sure there will be a differance in in min. or sec,

    and a differance of min. or sec makes a big differance for the security and logging.

  • Aninda
    Aninda
    302 posts since
    Jun 19, 2010
    Currently Being Moderated
    13. May 16, 2011 7:53 PM (in response to Ahmed)
    Re: EIGRP Authentication

    Yes, that is true. But here, since I'm just using two routers for the authentication, and I see their clocks seem to be fine, I guess that couldn't be the issue.

     

    Also, I don't know how NTP really works. Never tried it out. Can you list the exact commands needed to set this up? I'll probably go back home and search for it too.

  • smsnaqvi
    smsnaqvi
    532 posts since
    Feb 6, 2010
    Currently Being Moderated
    14. May 16, 2011 10:52 PM (in response to Aninda)
    Re: EIGRP Authentication

    Hi Aninda

     

    On the BB router, in the global config mde type in

     

    config # ntp server  66.27.60.10

     

    the above ip is an ntp server

     

    then on R2 and R3, in the global config mode, type in

     

    ntp server 10.1.24.1 and 10.1.34.1 respectively. Your BB is the primary point of contact with the public NTP server, R2 and R3 will consider the BB router as their servers to synchronize the time. You wanna read about NTP, here you go.

     

    http://oreilly.com/catalog/hardcisco/chapter/ch10.html

1 2 Previous Next

Actions

More Like This

  • Retrieving data ...

Bookmarked By (1)