Wired Intelligent Edge (Campus Switching and Routing)

OSPF Authentication MD5 Between Provision And Aruba OS-CX

MVP Expert
Requirement:
  • 3810M - JL073A
  • 8400 Base Chassis - JL375A

  • Connected directly on a single link or aggregation
  • VLAN to form the OSPF adjacency in.

 

Firmware used on the 3810M = KB.16.09.0004

Firmware used on the 8400  = XL.10.03.0040

Solution:

OSPF MD5 authentication is more secure than plain-text authentication: instead of sending the password itself, each router uses the MD5 algorithm to compute a hash value from the contents of the OSPF packet plus the shared password, and only that hash value is transmitted in the packet.

MD5 authentication is configured with several values; the ones that must match on both switches are:

  • Key ID
  • Key-chain value (the key itself)

 

For the OSPF neighbourship to form, the authentication settings (if authentication is used at all) must match on both ends.

If there is any mismatch in authentication, the debug session on the 3810M switch displays the following messages:

---------------------------------------------------------------------------------------------------------------------------------

0000:06:13:57.28 OSPF eRouteCtrl:OSPF RECV: 4.4.4.10 -> 224.0.0.5: Version 2,
   Type Hello (1), Length 44 ret 0
0000:06:13:57.28 OSPF eRouteCtrl:       Router ID 172.20.160.1, Area 0.0.0.0,
   Authentication <None> (0)
0000:06:13:57.28 OSPF eRouteCtrl:       Authentication data: 00000000 00000000
0000:06:13:57.28 OSPF eRouteCtrl:OSPF: invalid packet: Invalid authentication
   type (5)

0000:06:13:57.44 OSPF eRouteCtrl:OSPF SEND: 4.4.4.4 -> 224.0.0.5: Version 2,
   Type Hello (1), Length 44 ret 80
0000:06:13:57.44 OSPF eRouteCtrl:       Router ID 10.23.193.200, Area 0.0.0.0,
   Authentication <MD5> (2)
0000:06:13:57.44 OSPF eRouteCtrl:       Zero: 0, Key ID: 9, Length: 16, Sequence: 0
0000:06:13:57.44 OSPF eRouteCtrl:       Mask 255.255.255.0, Options <E> (2), Priority
   1, Neighbors 0
0000:06:13:57.44 OSPF eRouteCtrl:       Intervals: Hello 10s, Dead Router 40s,
   Designated Router 4.4.4.4, Backup 0.0.0.0

---------------------------------------------------------------------------------------------------------------------------------

Once this mismatch occurs, the "show ip ospf neighbor" command no longer lists the neighbor.

 

The event log on the 3810M also shows the following events:

---------------------------------------------------------------------------------------------------------------------------------

3810M(config)# sh log -r
 Keys:   W=Warning   I=Information
         M=Major     D=Debug E=Error
----  Reverse event Log listing: Events Since Boot  ----
E 10/30/19 07:09:27 03132 OSPF: RECV: Discarding packet on interface vl400 :
            Invalid authentication type (5 times in 60 seconds)
E 10/30/19 07:08:27 03132 OSPF: RECV: Discarding packet on interface vl400 :
            Invalid authentication type (5 times in 60 seconds)
E 10/30/19 07:07:27 03132 OSPF: RECV: Discarding packet on interface vl400 :
            Invalid authentication type (5 times in 60 seconds)
E 10/30/19 07:06:27 03132 OSPF: RECV: Discarding packet on interface vl400 :
            Invalid authentication type (5 times in 60 seconds)
E 10/30/19 07:05:27 03132 OSPF: RECV: Discarding packet on interface vl400 :
            Invalid authentication type (5 times in 60 seconds)
E 10/30/19 07:05:17 03132 OSPF: RECV: Discarding packet on interface vl400 :
            Invalid authentication key or sequence number mismatch (5 times in
            60 seconds)
---------------------------------------------------------------------------------------------------------------------------------

 

In the debug output of the 8400 switch, you will find the following messages:

2019-10-30:03:14:20.371489|hpe-routing|LOG_WARN|AMM|1/5|OSPFV2|OSPFV2|OSPF 268698624 Packet received with unexpected authentication type
2019-10-30:03:14:20.371503|hpe-routing|LOG_WARN|AMM|1/5|OSPFV2|OSPFV2|Expected authentication type = 0.

---------------------------------------------------------------------------------------------------------------------------------

Authentication type = 0 means that the 8400 does not expect any authentication in the OSPF packets it receives, i.e. the MD5 key was configured there but authentication was never enabled. Hence, to resolve this issue, make sure that authentication is not just configured but also enabled on both ends (on the 8400 this is the "ip ospf authentication message-digest" interface command shown in the configuration below).
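As an added example (not part of the original article), the following Python builds the 44-byte Hello seen in the debug output with the RFC 2328 Appendix D MD5 authentication described above, then checks it the way a receiving router would, reproducing both mismatches from the logs: the 8400 expecting authentication type 0 while receiving MD5 (2), and a key or sequence mismatch on the 3810M. The router ID, key ID and key bytes are constructed values, not the article's encrypted keys.

```python
import hashlib
import hmac
import struct

OSPF_AUTH_NONE, OSPF_AUTH_MD5 = 0, 2
HDR = "!BBH4s4sHH"  # version, type, length, router id, area id, checksum, autype
AUTH = "!HBBI"      # zero, key id, auth data length, cryptographic sequence number


def build_hello(router_id, area, key_id, seq, key, auth_type=OSPF_AUTH_MD5):
    """Minimal OSPFv2 Hello (no neighbors) with RFC 2328 Appendix D MD5 auth."""
    # mask, hello interval, options <E>, priority, dead interval, DR, BDR: 20 bytes
    body = struct.pack("!4sHBBI4s4s", bytes([255, 255, 255, 0]), 10, 0x02, 1,
                       40, router_id, b"\0" * 4)
    length = 24 + len(body)  # 44, as in the debug output; the digest is not counted
    # The auth field travels in clear: "Zero: 0, Key ID: 9, Length: 16, Sequence: 0"
    auth = struct.pack(AUTH, 0, key_id, 16, seq) if auth_type == OSPF_AUTH_MD5 else b"\0" * 8
    pkt = struct.pack(HDR, 2, 1, length, router_id, area, 0, auth_type) + auth + body
    if auth_type == OSPF_AUTH_MD5:
        # digest = MD5(packet || key padded to 16 bytes), appended after the packet
        pkt += hashlib.md5(pkt + key.ljust(16, b"\0")[:16]).digest()
    return pkt


def verify_hello(pkt, expected_auth_type, keychain, last_seq=-1):
    """Receiver-side check; returns the verdict wording used in the 3810M log."""
    _, _, length, _, _, _, autype = struct.unpack(HDR, pkt[:16])
    if autype != expected_auth_type:
        return "Invalid authentication type"      # 8400 case: expected type 0, got MD5 (2)
    if autype != OSPF_AUTH_MD5:
        return "ok"
    _, key_id, auth_len, seq = struct.unpack(AUTH, pkt[16:24])
    key = keychain.get(key_id)                    # Key ID selects the key in the chain
    if key is None or auth_len != 16 or seq < last_seq:
        return "Invalid authentication key or sequence number mismatch"
    expected = hashlib.md5(pkt[:length] + key.ljust(16, b"\0")[:16]).digest()
    if not hmac.compare_digest(expected, pkt[length:length + 16]):
        return "Invalid authentication key or sequence number mismatch"
    return "ok"


if __name__ == "__main__":
    rid, area, key = bytes([10, 23, 193, 200]), b"\0" * 4, b"constructed-key"  # constructed
    hello = build_hello(rid, area, 9, 0, key)
    print(verify_hello(hello, OSPF_AUTH_MD5, {9: key}))       # ok
    print(verify_hello(hello, OSPF_AUTH_NONE, {9: key}))      # Invalid authentication type
    print(verify_hello(hello, OSPF_AUTH_MD5, {9: b"other"}))  # Invalid authentication key ...
```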

Configuration:

 

Configuration on the 3810M switch:

key-chain "aruba123"
key-chain "aruba123" key 9 encrypted-key "H8cWXQR0n/DIWz2h1B2Ot948YWHenmsCy8FHZkw/koA="


router ospf
   area backbone
   enable
   exit

vlan 400
   name "test"
   tagged Trk1
   ip address 4.4.4.4 255.255.255.0
   ip ospf 4.4.4.4 area backbone
   ip ospf 4.4.4.4 md5-auth-key-chain "aruba123"
   exit

 

Debug commands on the 3810M:

debug ip ospf

debug destination [session | buffer | syslog]

Configuration on the 8400:

router ospf 1
    area 0.0.0.0
interface vlan400
    ip address 4.4.4.10/24
    ip ospf 1 area 0.0.0.0
    ip ospf authentication message-digest
    ip ospf message-digest-key 9 md5 ciphertext AQBapUbZyuMyDkoDN0zeQbI8qY0p5vpa77xnpPQEngEkpWjWBQAAAIouj7OC

 

Debug commands on the 8400:

debug ospfv2 all

debug destination [console | buffer | syslog]

 

The key-chain command is only required on the Provision (3810M) switch; on the 8400 the key is configured directly on the interface with "ip ospf message-digest-key".

Verification

Run the following command to verify that the neighbourship is UP:

  • show ip ospf neighbor
Last update: 10-30-2019 04:01 PM