Network Setup for OSPF Authentication Warning Messages
Note: The passwords for the OSPF simple password authentication configured using the ip ospf authentication-key {passwd} interface subcommand on both routers are different by purpose. We can see that the routers can still establish an OSPF adjacency.
Cisco IOS 15.4(3)M release starts to support the new feature – OSPFv2 Cryptographic Authentication (RFC 5709 – OSPFv2 HMAC-SHA Cryptographic Authentication).
Starting with Cisco IOS 15.4(3)M release, OSPF notifies about OSPF authentication misconfiguration issues with the %OSPF-4-INVALIDKEY and %OSPF-4-NOVALIDKEY error messages.
RT1#sh ver | in IOS|Compiled Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.4(3)M, RELEASE SOFTWARE (fc1) Compiled Mon 21-Jul-14 17:38 by prod_rel_team RT1# 09:44:59: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up 09:45:00: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up 09:45:08: %OSPF-4-INVALIDKEY: Key ID 0 received on interface GigabitEthernet0/0 09:45:37: %OSPF-4-NOVALIDKEY: No valid authentication send key is available on interface GigabitEthernet0/0 09:45:44: %OSPF-5-ADJCHG: Process 100, Nbr 10.10.10.2 on GigabitEthernet0/0 from LOADING to FULL, Loading Done 09:46:15: %OSPF-4-INVALIDKEY: Key ID 0 received on interface GigabitEthernet0/0 09:46:44: %OSPF-4-NOVALIDKEY: No valid authentication send key is available on interface GigabitEthernet0/0 09:47:21: %OSPF-4-INVALIDKEY: Key ID 0 received on interface GigabitEthernet0/0 09:47:51: %OSPF-4-NOVALIDKEY: No valid authentication send key is available on interface GigabitEthernet0/0 RT1# RT1#sh ip ospf neighbor Neighbor ID Pri State Dead Time Address Interface 10.10.10.2 1 FULL/DR 00:00:39 10.10.10.2 GigabitEthernet0/0 RT1# RT1#sh ip ospf int gi0/0 GigabitEthernet0/0 is up, line protocol is up Internet Address 10.10.10.1/24, Area 0, Attached via Network Statement Process ID 100, Router ID 10.10.10.1, Network Type BROADCAST, Cost: 1 Topology-MTID Cost Disabled Shutdown Topology Name 0 1 no no Base Transmit Delay is 1 sec, State BDR, Priority 1 Designated Router (ID) 10.10.10.2, Interface address 10.10.10.2 Backup Designated router (ID) 10.10.10.1, Interface address 10.10.10.1 Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5 oob-resync timeout 40 Hello due in 00:00:05 Supports Link-local Signaling (LLS) Cisco NSF helper support enabled IETF NSF helper support enabled Index 1/1, flood queue length 0 Next 0x0(0)/0x0(0) Last flood scan length is 1, maximum is 1 Last flood scan time is 0 msec, maximum is 0 msec Neighbor Count is 1, Adjacent neighbor count is 1 Adjacent with neighbor 10.10.10.2 (Designated Router) Suppress hello for 0 neighbor(s) Cryptographic authentication enabled No key configured, using default key id 0 RT1#
Basically, the warning messages are due to a configuration error. The ip ospf authentication message-digest interface subcommand enables the MD5 authentication; however, the ip ospf authentication-key {passwd} interface subcommand defines a key for the simple password authentication, not for the MD5 authentication.
As a result, MD5 authentication is activated but no key is defined for it; an implicit empty / null key with the ID of 0 is being used for the authentication. That is also what the logging messages say. The OSPF adjacencies formed on the routers because they are all authenticated using the same empty / null key.
I am getting this on NVI0 and its driving me nuts. All my config is fine, my ospf is fine, but i get a No valid authentication send key is available on interface NVI0 every 60 seconds.
ReplyDeleteHello,
Deletedid you ever find a way to get rid of this warning ? I am having the same problem, every 60 seconds I get that message...