OSPF message-digest authentication order of operations issue

Hello

Today I came across an interesting case where the order of operations matters in a DMVPN point-to-multipoint OSPF deployment with message-digest authentication.

The hub is configured with both key 1 and key 2, whereas some spokes are configured with key 1 and some spokes with key 2:

interface Tunnel0
ip address 155.1.0.5 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip tcp adjust-mss 1360
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 myfirstkey
ip ospf message-digest-key 2 md5 mysecondkey
ip ospf network point-to-multipoint non-broadcast
tunnel source Ethernet0/0.100
tunnel mode gre multipoint
tunnel key 11
tunnel protection ipsec profile mydmvpnprofile
end

R5(config-if)#
OSPF-1 ADJ Tu0: Send with key 1
OSPF-1 ADJ Tu0: Send with key 2
R5(config-if)#

R5(config-if)#do show ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
150.1.4.4         1   FULL/BDR        00:00:36    155.1.45.4      Ethernet0/0.45
150.1.4.4         0   FULL/  -        00:01:38    155.1.0.4       Tunnel0
150.1.3.3         0   FULL/  -        00:01:38    155.1.0.3       Tunnel0
150.1.2.2         0   FULL/  -        00:01:38    155.1.0.2       Tunnel0
150.1.1.1         0   FULL/  -        00:01:38    155.1.0.1       Tunnel0
150.1.8.8         1   FULL/BDR        00:00:38    155.1.58.8      Ethernet0/0.58
R5(config-if)#


Everything is fine at this point: the hub is sending with both keys, so all spokes can become neighbors. Let's shut/no shut interface Tunnel0, though…


R5(config-if)#shut
R5(config-if)#no shut
OSPF-1 ADJ Tu0: Send with key 1
OSPF-1 ADJ Tu0: Send with key 2
OSPF EVENT Tu0: Route adjust
OSPF-1 ADJ Tu0: Route adjust notification: DOWN/DOWN
OSPF-1 ADJ Tu0: Interface going Down
OSPF-1 ADJ Tu0: 150.1.4.4 address 155.1.0.4 is dead, state DOWN
%OSPF-5-ADJCHG: Process 1, Nbr 150.1.4.4 on Tunnel0 from FULL to DOWN, Neighbor Down: Interface down or detached
OSPF-1 ADJ Tu0: 150.1.3.3 address 155.1.0.3 is dead, state DOWN
%OSPF-5-ADJCHG: Process 1, Nbr 150.1.3.3 on Tunnel0 from FULL to DOWN, Neighbor Down: Interface down or detached
OSPF-1 ADJ Tu0: 150.1.2.2 address 155.1.0.2 is dead, state DOWN
%OSPF-5-ADJCHG: Process 1, Nbr 150.1.2.2 on Tunnel0 from FULL to DOWN, Neighbor Down: Interface down or detached
OSPF-1 ADJ Tu0: 150.1.1.1 address 155.1.0.1 is dead, state DOWN
%OSPF-5-ADJCHG: Process 1, Nbr 150.1.1.1 on Tunnel0 from FULL to DOWN, Neighbor Down: Interface down or detached
OSPF-1 ADJ Tu0: 150.1.5.5 address 155.1.0.5 is dead, state DOWN
OSPF-1 ADJ Tu0: Interface state change to DOWN, new ospf state DOWN
OSPF-1 EVENT: Query for Tunnel0
R5(config-if)#no shut
R5(config-if)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R5(config-if)#
OSPF EVENT Tu0: Route adjust
OSPF-1 ADJ Tu0: Route adjust notification: UP/UP
OSPF-1 ADJ Tu0: Interface going Up
OSPF-1 ADJ Tu0: Send with youngest Key 2
OSPF-1 ADJ Tu0: Interface state change to UP, new ospf state P2MP
OSPF-1 EVENT: Config: network 155.1.0.0 255.255.255.0 area 0
OSPF-1 ADJ Tu0: 2 Way Communication to 150.1.4.4, state 2WAY
OSPF-1 ADJ Tu0: Nbr 150.1.4.4: Prepare dbase exchange
OSPF-1 ADJ Tu0: Send DBD to 150.1.4.4 seq 0x1042 opt 0x52 flag 0x7 len 32
OSPF-1 ADJ Tu0: Send with youngest Key 2
OSPF-1 ADJ Tu0: Send with youngest Key 2
OSPF-1 ADJ Tu0: 2 Way Communication to 150.1.3.3, state 2WAY
OSPF-1 ADJ Tu0: Nbr 150.1.3.3: Prepare dbase exchange
OSPF-1 ADJ Tu0: Send DBD to 150.1.3.3 seq 0x156E opt 0x52 flag 0x7 len 32
OSPF-1 ADJ Tu0: Send with youngest Key 2
OSPF-1 ADJ Tu0: Send with youngest Key 2
OSPF-1 ADJ Tu0: Rcv DBD from 150.1.4.4 seq 0x1041 opt 0x52 flag 0x7 len 32 mtu 1400 state EXSTART
OSPF-1 ADJ Tu0: First DBD and we are not SLAVE
OSPF-1 ADJ Tu0: Rcv DBD from 150.1.4.4 seq 0x1042 opt 0x52 flag 0x2 len 612 mtu 1400 state EXSTART
OSPF-1 ADJ Tu0: NBR Negotiation Done. We are the MASTER
OSPF-1 ADJ Tu0: Nbr 150.1.4.4: Summary list built, size 29
OSPF-1 ADJ Tu0: Send DBD to 150.1.4.4 seq 0x1043 opt 0x52 flag 0x1 len 612
OSPF-1 ADJ Tu0: Send with youngest Key 2
OSPF-1 ADJ Tu0: Rcv DBD from 150.1.3.3 seq 0x156D opt 0x52 flag 0x7 len 32 mtu 1400 state EXSTART
OSPF-1 ADJ Tu0: First DBD and we are not SLAVE
OSPF-1 ADJ Tu0: Rcv DBD from 150.1.3.3 seq 0x156E opt 0x52 flag 0x2 len 612 mtu 1400 state EXSTART
OSPF-1 ADJ Tu0: NBR Negotiation Done. We are the MASTER
OSPF-1 ADJ Tu0: Nbr 150.1.3.3: Summary list built, size 29
OSPF-1 ADJ Tu0: Send DBD to 150.1.3.3 seq 0x156F opt 0x52 flag 0x1 len 612
OSPF-1 ADJ Tu0: Send with youngest Key 2
OSPF-1 ADJ Tu0: Rcv DBD from 150.1.4.4 seq 0x1043 opt 0x52 flag 0x0 len 32 mtu 1400 state EXCHANGE
OSPF-1 ADJ Tu0: Exchange Done with 150.1.4.4
OSPF-1 ADJ Tu0: Synchronized with 150.1.4.4, state FULL
%OSPF-5-ADJCHG: Process 1, Nbr 150.1.4.4 on Tunnel0 from LOADING to FULL, Loading Done
OSPF-1 ADJ Tu0: Rcv LS REQ from 150.1.3.3 length 36 LSA count 1
OSPF-1 ADJ Tu0: Send with youngest Key 2
OSPF-1 ADJ Tu0: Send LS UPD to 155.1.0.3 length 76 LSA count 1
OSPF-1 ADJ Tu0: Rcv DBD from 150.1.3.3 seq 0x156F opt 0x52 flag 0x0 len 32 mtu 1400 state EXCHANGE
OSPF-1 ADJ Tu0: Exchange Done with 150.1.3.3
OSPF-1 ADJ Tu0: Synchronized with 150.1.3.3, state FULL
R5(config-if)#
%OSPF-5-ADJCHG: Process 1, Nbr 150.1.3.3 on Tunnel0 from LOADING to FULL, Loading Done
R5(config-if)#
OSPF-1 ADJ Tu0: Send with youngest Key 2
R5(config-if)#


And now it is sending with only one key, the youngest one (key 2), so the spokes that only have key 1 no longer come up…

The solution is to delete the youngest key, wait for the neighborships that use key 1 to come up, and then re-add key 2.

I need to lab it up on other IOS versions, because this clearly is a bug.
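To make it clear why "Send with youngest Key 2" alone breaks the key-1 spokes, here is an added Python model (not code from the post, and not Cisco's implementation) of OSPFv2 cryptographic authentication as specified in RFC 2328 Appendix D.4: the sender appends MD5(packet || zero-padded key) and the receiver looks the key up by the Key ID carried in the header, so a copy signed with a key it does not hold is simply discarded. The spoke-to-key mapping (R1/R2 on key 1, R3/R4 on key 2), the Hello body, the sequence numbers and the reading of "youngest" as the most recently configured key ID are constructed assumptions for this example.

```python
import hashlib
import hmac
import struct

# Added example (not from the post): a minimal model of OSPFv2 cryptographic
# authentication (RFC 2328, Appendix D.4). Packet contents, neighbor names and
# the spoke-to-key mapping below are constructed for illustration.

DIGEST_LEN = 16          # MD5 digest length, also the Auth Data Len field
AU_TYPE_CRYPTO = 2       # AuType 2 = cryptographic authentication


def pad_key(key: bytes) -> bytes:
    """RFC 2328 D.4.3: the key is zero-padded to 16 bytes (longer keys are truncated here)."""
    return key[:DIGEST_LEN].ljust(DIGEST_LEN, b"\x00")


def ospf_header(ptype: int, body_len: int, router_id: str, key_id: int, seq: int) -> bytes:
    """OSPFv2 header laid out for AuType 2: version, type, length, router id, area id,
    checksum (0 for AuType 2), AuType, then 0x0000 / Key ID / Auth Data Len / crypto seq."""
    rid = bytes(int(o) for o in router_id.split("."))
    return struct.pack("!BBH4s4sHHHBBI",
                       2, ptype, 24 + body_len, rid, b"\x00" * 4,
                       0, AU_TYPE_CRYPTO, 0, key_id, DIGEST_LEN, seq)


def sign(packet: bytes, key: bytes) -> bytes:
    """Append MD5(packet || padded key); the digest is not counted in the length field."""
    return packet + hashlib.md5(packet + pad_key(key)).digest()


def verify(signed: bytes, keys: dict, last_seq: dict, neighbor: str) -> bool:
    """Receiver side: look up the Key ID from the header, check the digest in constant time,
    and require a non-decreasing cryptographic sequence number per neighbor."""
    packet, digest = signed[:-DIGEST_LEN], signed[-DIGEST_LEN:]
    key_id = packet[18]
    seq = struct.unpack("!I", packet[20:24])[0]
    key = keys.get(key_id)
    if key is None:                      # Key ID not configured here: packet is dropped
        return False
    expected = hashlib.md5(packet + pad_key(key)).digest()
    if not hmac.compare_digest(expected, digest):
        return False
    if seq < last_seq.get(neighbor, 0):  # replayed or out-of-order packet
        return False
    last_seq[neighbor] = seq
    return True


def hub_hellos(hub_keys: dict, router_id: str, seq: int, youngest_only: bool) -> list:
    """The hub's Hello as transmitted. youngest_only=False models the one-copy-per-key
    behaviour seen as 'Send with key 1 / Send with key 2'; youngest_only=True models the
    post-bounce 'Send with youngest Key 2' behaviour, taking 'youngest' to be the most
    recently configured key ID (assumption: last entry in insertion order)."""
    body = b"\x00" * 20  # constructed placeholder Hello body; irrelevant to the auth math
    ids = [list(hub_keys)[-1]] if youngest_only else list(hub_keys)
    return [sign(ospf_header(1, len(body), router_id, kid, seq) + body, hub_keys[kid])
            for kid in ids]


def spokes_accepting(hellos: list, spokes: dict) -> set:
    """Names of the spokes that accept at least one copy of the hub's Hello."""
    seq_state = {}
    return {name for name, keys in spokes.items()
            if any(verify(h, keys, seq_state, name) for h in hellos)}


# Constructed scenario mirroring the post: hub holds both keys (key 2 configured last),
# two spokes hold only key 1 and two hold only key 2.
HUB_KEYS = {1: b"myfirstkey", 2: b"mysecondkey"}
SPOKES = {"R1": {1: b"myfirstkey"}, "R2": {1: b"myfirstkey"},
          "R3": {2: b"mysecondkey"}, "R4": {2: b"mysecondkey"}}


def scenario(youngest_only: bool) -> set:
    return spokes_accepting(hub_hellos(HUB_KEYS, "150.1.5.5", 1, youngest_only), SPOKES)


if __name__ == "__main__":
    print("hub sends with every key:   ", sorted(scenario(False)))
    print("hub sends with youngest only:", sorted(scenario(True)))
```

Running the block shows all four spokes accepting the Hello when the hub emits one copy per key, and only R3 and R4 accepting when it emits a single copy with key 2. The same model shows why the workaround works: a hub configured with key 1 alone is accepted by every key-1 spoke, and once those adjacencies exist, re-adding key 2 brings the per-key copies back. The check to keep in mind from a monitoring angle is that a spoke holding only key 1 drops the key-2 copy silently, so the symptom is adjacencies that never leave DOWN rather than an explicit authentication error on the hub.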
