Thursday, August 11, 2016

New OSPF Authentication Warning Messages

Network Setup for OSPF Authentication Warning Messages

Note: The passwords for the OSPF simple password authentication configured using the ip ospf authentication-key {passwd} interface subcommand on both routers are different by purpose. We can see that the routers can still establish an OSPF adjacency.

Cisco IOS 15.4(3)M release starts to support the new feature – OSPFv2 Cryptographic Authentication (RFC 5709 – OSPFv2 HMAC-SHA Cryptographic Authentication).

Starting with Cisco IOS 15.4(3)M release, OSPF notifies about OSPF authentication misconfiguration issues with the %OSPF-4-INVALIDKEY and %OSPF-4-NOVALIDKEY error messages.
RT1#sh ver | in IOS|Compiled
Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.4(3)M, RELEASE SOFTWARE (fc1)
Compiled Mon 21-Jul-14 17:38 by prod_rel_team
RT1#
09:44:59: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up
09:45:00: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up
09:45:08: %OSPF-4-INVALIDKEY: Key ID 0 received on interface GigabitEthernet0/0
09:45:37: %OSPF-4-NOVALIDKEY: No valid authentication send key is available on interface GigabitEthernet0/0
09:45:44: %OSPF-5-ADJCHG: Process 100, Nbr 10.10.10.2 on GigabitEthernet0/0 from LOADING to FULL, Loading Done
09:46:15: %OSPF-4-INVALIDKEY: Key ID 0 received on interface GigabitEthernet0/0
09:46:44: %OSPF-4-NOVALIDKEY: No valid authentication send key is available on interface GigabitEthernet0/0
09:47:21: %OSPF-4-INVALIDKEY: Key ID 0 received on interface GigabitEthernet0/0
09:47:51: %OSPF-4-NOVALIDKEY: No valid authentication send key is available on interface GigabitEthernet0/0
RT1#
RT1#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.10.10.2        1   FULL/DR         00:00:39    10.10.10.2      GigabitEthernet0/0
RT1#
RT1#sh ip ospf int gi0/0
GigabitEthernet0/0 is up, line protocol is up
  Internet Address 10.10.10.1/24, Area 0, Attached via Network Statement
  Process ID 100, Router ID 10.10.10.1, Network Type BROADCAST, Cost: 1
  Topology-MTID    Cost    Disabled    Shutdown      Topology Name
        0           1         no          no            Base
  Transmit Delay is 1 sec, State BDR, Priority 1
  Designated Router (ID) 10.10.10.2, Interface address 10.10.10.2
  Backup Designated router (ID) 10.10.10.1, Interface address 10.10.10.1
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:05
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 10.10.10.2  (Designated Router)
  Suppress hello for 0 neighbor(s)
  Cryptographic authentication enabled
      No key configured, using default key id 0
RT1#


Basically, the warning messages are due to a configuration error. The ip ospf authentication message-digest interface subcommand enables the MD5 authentication; however, the ip ospf authentication-key {passwd} interface subcommand defines a key for the simple password authentication, not for the MD5 authentication.

As a result, MD5 authentication is activated but no key is defined for it; an implicit empty / null key with the ID of 0 is being used for the authentication. That is also what the logging messages say. The OSPF adjacencies formed on the routers because they are all authenticated using the same empty / null key.

2 comments:

  1. I am getting this on NVI0 and its driving me nuts. All my config is fine, my ospf is fine, but i get a No valid authentication send key is available on interface NVI0 every 60 seconds.

    ReplyDelete
    Replies
    1. Hello,

      did you ever find a way to get rid of this warning ? I am having the same problem, every 60 seconds I get that message...

      Delete