Mailing List Archive

We've just turned up something similar. The difference is we are not using
a keychain for the P2P password.

>show configuration protocols isis
topologies ipv6-unicast;
overload timeout 300;
level 1 disable;
level 2 {
authentication-key-chain ISIS_DOMAIN;
wide-metrics-only;
}
interface ae6.0 {
ldp-synchronization;
lsp-interval 50;
point-to-point;
link-protection;
level 2 {
metric 10000;
ipv6-unicast-metric 10000;
hello-authentication-key "<password>"; ## SECRET-DATA
hello-authentication-type md5;
}
}

> show configuration security
authentication-key-chains {
key-chain ISIS_DOMAIN {
key 1 {
secret "<PASSWORD>; ## SECRET-DATA
start-time "2019-1-1.00:00:00 +0000";
algorithm md5;
}
}
}



router isis ISIS
set-overload-bit on-startup wait-for-bgp
is-type level-2-only
net 49.0001.0511.4807.2051.00
lsp-password keychain ISIS-DOMAIN
address-family ipv4 unicast
metric-style wide level 2
maximum-paths 8
segment-routing mpls
!
address-family ipv6 unicast
metric-style wide level 2
maximum-paths 8
!
interface Bundle-Ether1
hello-password hmac-md5 encrypted <PASSWORD>
address-family ipv4 unicast
metric 10000

On Wed, 27 May 2020 at 12:46, Eric Van Tol <eric@atlantech.net> wrote:

> Sorry if this is a duplicate – Outlook chose the ‘bounces’ address as the
> one to send to and I didn’t notice.
>
> Hi all,
> I’m testing out an NCS540 for use in our network and this is my first
> foray into IOS-XR. We have a mix of Juniper and Cisco IOS/IOS-XE devices
> that the NCS needs to interoperate with. I’m having some minor trouble with
> IS-IS authentication and it’s kind of driving me nuts because I can’t get
> IS-IS to come up when authentication is configured. I keep getting this
> error:
>
> BAD P2P IIH rcvd from TenGigE0/0/0/19 SNPA 5c5e.abde.1e00: dropped because
> cryptographic password mismatch
>
> Seems pretty obvious, but my keychain key password is configured and
> verified to match on both sides:
>
> key chain isis-chain
> key 1
> accept-lifetime 00:00:00 january 01 1993 infinite
> key-string password <password>
> send-lifetime 00:00:00 january 01 1993 infinite
> cryptographic-algorithm HMAC-MD5
> !
> accept-tolerance infinite
>
> I’ve tried both MD5 and HMAC-MD5, neither works. Here is my IS-IS config
> on the NCS540:
>
> router isis rtr1
> set-overload-bit on-startup wait-for-bgp
> is-type level-2-only
> net 49.0001.1071.3820.2192.00
> log adjacency changes
> lsp-mtu 1497
> lsp-password keychain isis-chain
> address-family ipv4 unicast
> metric-style wide level 2
> !
> address-family ipv6 unicast
> metric-style wide level 2
> single-topology
> !
> interface Loopback1
> passive
> address-family ipv4 unicast
> !
> address-family ipv6 unicast
> !
> !
> interface TenGigE0/0/0/19
> circuit-type level-2-only
> point-to-point
> hello-password keychain isis-chain
> address-family ipv4 unicast
> metric 3500
> !
> address-family ipv6 unicast
> metric 3500
> !
> !
>
> traceoptions on the Juniper shows something similar:
>
> ERROR: IIH from 1071.3820.2192 on xe-0/0/0.0 failed authentication
>
> Here’s the Juniper key config and isis stanza:
>
> authentication-key-chains {
> key-chain isis-chain {
> key 1 {
> secret "<password>"; ## SECRET-DATA
> start-time "1993-1-1.00:00:00 +0000";
> algorithm md5;
> }
> }
> }
> protocols {
> isis {
> level 1 disable;
> level 2 {
> authentication-key-chain isis-chain;
> wide-metrics-only;
> }
> interface xe-0/0/0.0 {
> point-to-point;
> level 2 {
> metric 3500;
> hello-authentication-key-chain isis-chain;
> }
> level 1 disable;
> }
> }
>
> I know it’s got to be something simple, but it’s not clicking for me
> today. It seems like any step forward I take with IOS-XR, I end up taking
> two steps back on the next thing that ‘just works’ everywhere else.
>
> -evt
> _______________________________________________
> cisco-nsp mailing list cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Keychain for XR would help too..

key chain ISIS-DOMAIN
key 1
accept-lifetime 00:00:00 january 01 2020 infinite
key-string password <PASSWORD>
send-lifetime 00:00:00 january 01 2020 infinite
cryptographic-algorithm HMAC-MD5

On Wed, 27 May 2020 at 12:58, Dave Bell <dave@geordish.org> wrote:

> We've just turned up something similar. The difference is we are not using
> a keychain for the P2P password.
>
> >show configuration protocols isis
> topologies ipv6-unicast;
> overload timeout 300;
> level 1 disable;
> level 2 {
> authentication-key-chain ISIS_DOMAIN;
> wide-metrics-only;
> }
> interface ae6.0 {
> ldp-synchronization;
> lsp-interval 50;
> point-to-point;
> link-protection;
> level 2 {
> metric 10000;
> ipv6-unicast-metric 10000;
> hello-authentication-key "<password>"; ## SECRET-DATA
> hello-authentication-type md5;
> }
> }
>
> > show configuration security
> authentication-key-chains {
> key-chain ISIS_DOMAIN {
> key 1 {
> secret "<PASSWORD>; ## SECRET-DATA
> start-time "2019-1-1.00:00:00 +0000";
> algorithm md5;
> }
> }
> }
>
>
>
> router isis ISIS
> set-overload-bit on-startup wait-for-bgp
> is-type level-2-only
> net 49.0001.0511.4807.2051.00
> lsp-password keychain ISIS-DOMAIN
> address-family ipv4 unicast
> metric-style wide level 2
> maximum-paths 8
> segment-routing mpls
> !
> address-family ipv6 unicast
> metric-style wide level 2
> maximum-paths 8
> !
> interface Bundle-Ether1
> hello-password hmac-md5 encrypted <PASSWORD>
> address-family ipv4 unicast
> metric 10000
>
> On Wed, 27 May 2020 at 12:46, Eric Van Tol <eric@atlantech.net> wrote:
>
>> Sorry if this is a duplicate – Outlook chose the ‘bounces’ address as the
>> one to send to and I didn’t notice.
>>
>> Hi all,
>> I’m testing out an NCS540 for use in our network and this is my first
>> foray into IOS-XR. We have a mix of Juniper and Cisco IOS/IOS-XE devices
>> that the NCS needs to interoperate with. I’m having some minor trouble with
>> IS-IS authentication and it’s kind of driving me nuts because I can’t get
>> IS-IS to come up when authentication is configured. I keep getting this
>> error:
>>
>> BAD P2P IIH rcvd from TenGigE0/0/0/19 SNPA 5c5e.abde.1e00: dropped
>> because cryptographic password mismatch
>>
>> Seems pretty obvious, but my keychain key password is configured and
>> verified to match on both sides:
>>
>> key chain isis-chain
>> key 1
>> accept-lifetime 00:00:00 january 01 1993 infinite
>> key-string password <password>
>> send-lifetime 00:00:00 january 01 1993 infinite
>> cryptographic-algorithm HMAC-MD5
>> !
>> accept-tolerance infinite
>>
>> I’ve tried both MD5 and HMAC-MD5, neither works. Here is my IS-IS config
>> on the NCS540:
>>
>> router isis rtr1
>> set-overload-bit on-startup wait-for-bgp
>> is-type level-2-only
>> net 49.0001.1071.3820.2192.00
>> log adjacency changes
>> lsp-mtu 1497
>> lsp-password keychain isis-chain
>> address-family ipv4 unicast
>> metric-style wide level 2
>> !
>> address-family ipv6 unicast
>> metric-style wide level 2
>> single-topology
>> !
>> interface Loopback1
>> passive
>> address-family ipv4 unicast
>> !
>> address-family ipv6 unicast
>> !
>> !
>> interface TenGigE0/0/0/19
>> circuit-type level-2-only
>> point-to-point
>> hello-password keychain isis-chain
>> address-family ipv4 unicast
>> metric 3500
>> !
>> address-family ipv6 unicast
>> metric 3500
>> !
>> !
>>
>> traceoptions on the Juniper shows something similar:
>>
>> ERROR: IIH from 1071.3820.2192 on xe-0/0/0.0 failed authentication
>>
>> Here’s the Juniper key config and isis stanza:
>>
>> authentication-key-chains {
>> key-chain isis-chain {
>> key 1 {
>> secret "<password>"; ## SECRET-DATA
>> start-time "1993-1-1.00:00:00 +0000";
>> algorithm md5;
>> }
>> }
>> }
>> protocols {
>> isis {
>> level 1 disable;
>> level 2 {
>> authentication-key-chain isis-chain;
>> wide-metrics-only;
>> }
>> interface xe-0/0/0.0 {
>> point-to-point;
>> level 2 {
>> metric 3500;
>> hello-authentication-key-chain isis-chain;
>> }
>> level 1 disable;
>> }
>> }
>>
>> I know it’s got to be something simple, but it’s not clicking for me
>> today. It seems like any step forward I take with IOS-XR, I end up taking
>> two steps back on the next thing that ‘just works’ everywhere else.
>>
>> -evt
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp@puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

On Wed, 27 May 2020 at 14:49, Eric Van Tol <eric@atlantech.net> wrote:

> protocols {
> isis {
> level 2 {
> authentication-key-chain isis-chain;
> }
> interface xe-0/0/0.0 {
> level 2 {
> hello-authentication-key-chain isis-chain;
> }

What is the intended behaviour? As far as I know hello packets are
covered by the main level authentication. You'd only really want to
configure the interface level if you want to ONLY authenticate hellos
or if you want to have separate authentication for hellos.

--
++ytti
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

On 5/27/20, 8:21 AM, "Saku Ytti" <saku@ytti.fi> wrote:

> What is the intended behaviour? As far as I know hello packets are
> covered by the main level authentication. You'd only really want to
> configure the interface level if you want to ONLY authenticate hellos
> or if you want to have separate authentication for hellos.

It was a hold-over from when there were separate levels with authenticating hellos and just hasn't changed since transitioning to a single level-2-only area. Irrespective of this, removing the hello-authentication at the interface level doesn't resolve the issue with the key chain not authenticating.

-evt

_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

On Wed, 27 May 2020 at 15:40, Eric Van Tol <eric@atlantech.net> wrote:

> It was a hold-over from when there were separate levels with authenticating hellos and just hasn't changed since transitioning to a single level-2-only area. Irrespective of this, removing the hello-authentication at the interface level doesn't resolve the issue with the key chain not authenticating.

I've not used key-chains, only the classical one-line config. But it
would seem like your IOS-XR is hmac-md5 (Safe) Junos is md5 (Unsafe).
Perhaps try to change IOS-XR to MD5 instead of HMAC-MD5.

--
++ytti
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

On Wed, 27 May 2020 at 12:58, Dave Bell <dave@geordish.org<mailto:dave@geordish.org>> wrote:
>We've just turned up something similar. The difference is we are not using a keychain for the P2P password.

I changed the interface-level hello-password to just use the password only (no key chain) and while the adjacency comes up, I kept getting this in the logs:

%ROUTING-ISIS-5-AUTH_FAILURE_DROP : Dropped L2 LSP from 1071.3820.2072.00 due to cryptographic password mismatch

Using plain ‘MD5’ authentication on the key chain causes the adjacency to drop entirely, so I returned it to HMAC-MD5. Thinking maybe there’s a character in my password that is messing things up (for some reason), I changed it to just ‘password’ and it was still bitching about a ‘cryptographic password mismatch’.

If I remove the key chain entirely and just use a single ‘lsp-password’ with hmac-md5, everything appears to come up and no complaints from the NCS about password mismatches. LSPs are installed, along with routes. I cannot imagine that key chains simply do not work. Juniper states that the encryption algorithm is HMAC-MD5 (https://www.juniper.net/documentation/en_US/junos/topics/usage-guidelines/routing-configuring-is-is-authentication.html
), which makes sense since changing to just ‘MD5’ on the Cisco breaks the adjacency completely, so I don’t think it’s an issue with the algorithm.

-evt
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

After messing a lot more with this, I decided to remove my IS-IS config completely on both routers and start over. I found that when using a key chain in IOS-XR, it seems to have trouble attaching the key to CSNP packets:

SEND L2 PSNP on TenGigabitEthernet0/0/0/19: Add of Key Chain authentication failed

While I was able to get the adjacency established and accept LSPs, their acceptance by the neighbor is failing. I couldn't find anything in my debug file on Junos to indicate there was any authentication error or any 'adding new LSP to database', but it's possible I don't have the right traceoptions flag enabled:

May 27 18:39:30.242356 Received L2 PSN, source 1071.3820.2192, interface xe-0/0/0.0
May 27 18:39:31.259319 Received L2 PSN, source 1071.3820.2192, interface xe-0/0/0.0

I'm not sure if this is due to a misconfiguration on my end (entirely possible), as I wasn't even consciously aware of separate authentication of IIH, CSNP and PSNP until I re-read Junos docs. I can't find if separate settings are even possible on IOS-XR, though I know it's available in Junos to disable one or all three.

Unless I get suggestions otherwise, I suppose I'll just not use keys, which seems prohibitive, particularly if a password needs changing at some point. The 'lsp-password' without a key chain seems to work just fine. :-/

-evt

?On 5/27/20, 7:47 AM, "cisco-nsp on behalf of Eric Van Tol" <cisco-nsp-bounces@puck.nether.net on behalf of eric@atlantech.net> wrote:

Sorry if this is a duplicate – Outlook chose the ‘bounces’ address as the one to send to and I didn’t notice.

Hi all,
I’m testing out an NCS540 for use in our network and this is my first foray into IOS-XR. We have a mix of Juniper and Cisco IOS/IOS-XE devices that the NCS needs to interoperate with. I’m having some minor trouble with IS-IS authentication and it’s kind of driving me nuts because I can’t get IS-IS to come up when authentication is configured. I keep getting this error:

BAD P2P IIH rcvd from TenGigE0/0/0/19 SNPA 5c5e.abde.1e00: dropped because cryptographic password mismatch

Seems pretty obvious, but my keychain key password is configured and verified to match on both sides:

key chain isis-chain
key 1
accept-lifetime 00:00:00 january 01 1993 infinite
key-string password <password>
send-lifetime 00:00:00 january 01 1993 infinite
cryptographic-algorithm HMAC-MD5
!
accept-tolerance infinite

I’ve tried both MD5 and HMAC-MD5, neither works. Here is my IS-IS config on the NCS540:

router isis rtr1
set-overload-bit on-startup wait-for-bgp
is-type level-2-only
net 49.0001.1071.3820.2192.00
log adjacency changes
lsp-mtu 1497
lsp-password keychain isis-chain
address-family ipv4 unicast
metric-style wide level 2
!
address-family ipv6 unicast
metric-style wide level 2
single-topology
!
interface Loopback1
passive
address-family ipv4 unicast
!
address-family ipv6 unicast
!
!
interface TenGigE0/0/0/19
circuit-type level-2-only
point-to-point
hello-password keychain isis-chain
address-family ipv4 unicast
metric 3500
!
address-family ipv6 unicast
metric 3500
!
!

traceoptions on the Juniper shows something similar:

ERROR: IIH from 1071.3820.2192 on xe-0/0/0.0 failed authentication

Here’s the Juniper key config and isis stanza:

authentication-key-chains {
key-chain isis-chain {
key 1 {
secret "<password>"; ## SECRET-DATA
start-time "1993-1-1.00:00:00 +0000";
algorithm md5;
}
}
}
protocols {
isis {
level 1 disable;
level 2 {
authentication-key-chain isis-chain;
wide-metrics-only;
}
interface xe-0/0/0.0 {
point-to-point;
level 2 {
metric 3500;
hello-authentication-key-chain isis-chain;
}
level 1 disable;
}
}

I know it’s got to be something simple, but it’s not clicking for me today. It seems like any step forward I take with IOS-XR, I end up taking two steps back on the next thing that ‘just works’ everywhere else.

-evt
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

On 27/May/20 21:08, Eric Van Tol wrote:
> Unless I get suggestions otherwise, I suppose I'll just not use keys, which seems prohibitive, particularly if a password needs changing at some point. The 'lsp-password' without a key chain seems to work just fine. :-/

In IOS and IOS XE, we use key chains.

In IOS XR, we use "lsp-password hmac-md5" at the "router isis" level,
and "hello-password hmac-md5" at the "router isis 1 interface" level.

Mark.
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

There shouldn't be an issue using keychains for these functions, I have XR and XE devices running IS-IS between each other with keychains on both without an issue.

One thing to always watch out for is inadvertent spaces after you type in a clear text password.

Thanks,
Phil

?On 5/28/20, 3:44 AM, "cisco-nsp on behalf of Mark Tinka" <cisco-nsp-bounces@puck.nether.net on behalf of mark.tinka@seacom.mu> wrote:



On 27/May/20 21:08, Eric Van Tol wrote:
> Unless I get suggestions otherwise, I suppose I'll just not use keys, which seems prohibitive, particularly if a password needs changing at some point. The 'lsp-password' without a key chain seems to work just fine. :-/

In IOS and IOS XE, we use key chains.

In IOS XR, we use "lsp-password hmac-md5" at the "router isis" level,
and "hello-password hmac-md5" at the "router isis 1 interface" level.

Mark.
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

I believe the OP was about interop between cisco and juniper using
key-chains.

On Wed, Jun 3, 2020 at 1:56 AM Phil Bedard <philxor@gmail.com> wrote:

> There shouldn't be an issue using keychains for these functions, I have XR
> and XE devices running IS-IS between each other with keychains on both
> without an issue.
>
> One thing to always watch out for is inadvertent spaces after you type in
> a clear text password.
>
> Thanks,
> Phil
>
> ?On 5/28/20, 3:44 AM, "cisco-nsp on behalf of Mark Tinka" <
> cisco-nsp-bounces@puck.nether.net on behalf of mark.tinka@seacom.mu>
> wrote:
>
>
>
> On 27/May/20 21:08, Eric Van Tol wrote:
> > Unless I get suggestions otherwise, I suppose I'll just not use
> keys, which seems prohibitive, particularly if a password needs changing at
> some point. The 'lsp-password' without a key chain seems to work just fine.
> :-/
>
> In IOS and IOS XE, we use key chains.
>
> In IOS XR, we use "lsp-password hmac-md5" at the "router isis" level,
> and "hello-password hmac-md5" at the "router isis 1 interface" level.
>
> Mark.
> _______________________________________________
> cisco-nsp mailing list cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/