Keychain for XR would help too..

key chain ISIS-DOMAIN
 key 1
  accept-lifetime 00:00:00 january 01 2020 infinite
  key-string password <PASSWORD>
  send-lifetime 00:00:00 january 01 2020 infinite
  cryptographic-algorithm HMAC-MD5

On Wed, 27 May 2020 at 12:58, Dave Bell <[email protected]> wrote:

> We've just turned up something similar. The difference is we are not using
> a keychain for the P2P password.
>
> >show configuration protocols isis
> topologies ipv6-unicast;
> overload timeout 300;
> level 1 disable;
> level 2 {
>     authentication-key-chain ISIS_DOMAIN;
>     wide-metrics-only;
> }
> interface ae6.0 {
>     ldp-synchronization;
>     lsp-interval 50;
>     point-to-point;
>     link-protection;
>     level 2 {
>         metric 10000;
>         ipv6-unicast-metric 10000;
>         hello-authentication-key "<password>"; ## SECRET-DATA
>         hello-authentication-type md5;
>     }
> }
>
> > show configuration security
> authentication-key-chains {
>     key-chain ISIS_DOMAIN {
>         key 1 {
>             secret "<PASSWORD>"; ## SECRET-DATA
>             start-time "2019-1-1.00:00:00 +0000";
>             algorithm md5;
>         }
>     }
> }
>
>
>
> router isis ISIS
>  set-overload-bit on-startup wait-for-bgp
>  is-type level-2-only
>  net 49.0001.0511.4807.2051.00
>  lsp-password keychain ISIS-DOMAIN
>  address-family ipv4 unicast
>   metric-style wide level 2
>   maximum-paths 8
>   segment-routing mpls
>  !
>  address-family ipv6 unicast
>   metric-style wide level 2
>   maximum-paths 8
>  !
>  interface Bundle-Ether1
>   hello-password hmac-md5 encrypted <PASSWORD>
>   address-family ipv4 unicast
>    metric 10000
>
> On Wed, 27 May 2020 at 12:46, Eric Van Tol <[email protected]> wrote:
>
>> Sorry if this is a duplicate – Outlook chose the ‘bounces’ address as the
>> one to send to and I didn’t notice.
>>
>> Hi all,
>> I’m testing out an NCS540 for use in our network and this is my first
>> foray into IOS-XR. We have a mix of Juniper and Cisco IOS/IOS-XE devices
>> that the NCS needs to interoperate with. I’m having some minor trouble with
>> IS-IS authentication and it’s kind of driving me nuts because I can’t get
>> IS-IS to come up when authentication is configured. I keep getting this
>> error:
>>
>> BAD P2P IIH rcvd from TenGigE0/0/0/19 SNPA 5c5e.abde.1e00: dropped
>> because cryptographic password mismatch
>>
>> Seems pretty obvious, but my keychain key password is configured and
>> verified to match on both sides:
>>
>> key chain isis-chain
>>  key 1
>>   accept-lifetime 00:00:00 january 01 1993 infinite
>>   key-string password <password>
>>   send-lifetime 00:00:00 january 01 1993 infinite
>>   cryptographic-algorithm HMAC-MD5
>>  !
>>  accept-tolerance infinite
>>
>> I’ve tried both MD5 and HMAC-MD5, neither works. Here is my IS-IS config
>> on the NCS540:
>>
>> router isis rtr1
>>  set-overload-bit on-startup wait-for-bgp
>>  is-type level-2-only
>>  net 49.0001.1071.3820.2192.00
>>  log adjacency changes
>>  lsp-mtu 1497
>>  lsp-password keychain isis-chain
>>  address-family ipv4 unicast
>>   metric-style wide level 2
>>  !
>>  address-family ipv6 unicast
>>   metric-style wide level 2
>>   single-topology
>>  !
>>  interface Loopback1
>>   passive
>>   address-family ipv4 unicast
>>   !
>>   address-family ipv6 unicast
>>   !
>>  !
>>  interface TenGigE0/0/0/19
>>   circuit-type level-2-only
>>   point-to-point
>>   hello-password keychain isis-chain
>>   address-family ipv4 unicast
>>    metric 3500
>>   !
>>   address-family ipv6 unicast
>>    metric 3500
>>   !
>>  !
>>
>> traceoptions on the Juniper shows something similar:
>>
>> ERROR: IIH from 1071.3820.2192 on xe-0/0/0.0 failed authentication
>>
>> Here’s the Juniper key config and isis stanza:
>>
>> authentication-key-chains {
>>     key-chain isis-chain {
>>         key 1 {
>>             secret "<password>"; ## SECRET-DATA
>>             start-time "1993-1-1.00:00:00 +0000";
>>             algorithm md5;
>>         }
>>     }
>> }
>> protocols {
>>     isis {
>>         level 1 disable;
>>         level 2 {
>>             authentication-key-chain isis-chain;
>>             wide-metrics-only;
>>         }
>>         interface xe-0/0/0.0 {
>>             point-to-point;
>>             level 2 {
>>                 metric 3500;
>>                 hello-authentication-key-chain isis-chain;
>>             }
>>             level 1 disable;
>>         }
>>     }
>>
>> I know it’s got to be something simple, but it’s not clicking for me
>> today. It seems like any step forward I take with IOS-XR, I end up taking
>> two steps back on the next thing that ‘just works’ everywhere else.
>>
>> -evt
>> _______________________________________________
>> cisco-nsp mailing list [email protected]
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>
_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
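
The check behind a "cryptographic password mismatch" drop on an IIH, sketched per RFC 5304 as an added example (not part of the thread and not either vendor's code): the receiver zeroes the 16-byte digest in the authentication TLV, recomputes HMAC-MD5 over the whole PDU with its own key, and compares. The key and PDU bytes are constructed; only the system ID is borrowed from the post, and the function names are illustrative.

```python
import hashlib
import hmac
import struct

AUTH_TLV, AUTH_HMAC_MD5, DIGEST_LEN = 10, 54, 16   # TLV type, auth type, digest size (RFC 5304)
P2P_IIH_HDR_LEN = 20                               # fixed P2P IIH header before the TLVs

def digest_offset(pdu):
    """Offset of the 16-byte digest inside the HMAC-MD5 auth TLV, or None."""
    i = P2P_IIH_HDR_LEN
    while i + 2 <= len(pdu):
        tlv_type, tlv_len = pdu[i], pdu[i + 1]
        if i + 2 + tlv_len > len(pdu):
            return None                            # truncated TLV: nothing to verify
        if (tlv_type == AUTH_TLV and tlv_len == 1 + DIGEST_LEN
                and pdu[i + 2] == AUTH_HMAC_MD5):
            return i + 3
        i += 2 + tlv_len
    return None

def compute_digest(pdu, off, key):
    """HMAC-MD5 over the whole PDU with the digest field set to zero."""
    zeroed = pdu[:off] + bytes(DIGEST_LEN) + pdu[off + DIGEST_LEN:]
    return hmac.new(key, zeroed, hashlib.md5).digest()

def sign(pdu, key):
    """Sender side: fill in the digest field of a PDU that carries an auth TLV."""
    off = digest_offset(pdu)
    return pdu[:off] + compute_digest(pdu, off, key) + pdu[off + DIGEST_LEN:]

def verify(pdu, key):
    """Receiver side: True only if the digest matches under the local key."""
    off = digest_offset(pdu)
    if off is None:
        return False
    return hmac.compare_digest(compute_digest(pdu, off, key),
                               pdu[off:off + DIGEST_LEN])

def build_iih(key):
    """Constructed level-2 P2P IIH: area 49.0001 TLV plus an auth TLV."""
    tlvs = bytes([1, 4, 3, 0x49, 0x00, 0x01])
    tlvs += bytes([AUTH_TLV, 1 + DIGEST_LEN, AUTH_HMAC_MD5]) + bytes(DIGEST_LEN)
    hdr = bytes([0x83, P2P_IIH_HDR_LEN, 1, 0, 17, 1, 0, 0])   # PDU type 17 = P2P IIH
    hdr += bytes([2]) + bytes.fromhex("107138202192")          # circuit type, system ID
    hdr += struct.pack("!HH", 30, P2P_IIH_HDR_LEN + len(tlvs)) + bytes([0])
    return sign(hdr + tlvs, key)

if __name__ == "__main__":
    iih = build_iih(b"constructed-key")
    print(verify(iih, b"constructed-key"), verify(iih, b"constructed-key "))
```

Any byte-level difference in the key as each side stores it (case, a trailing space) produces the same failure as a wrong password, because the comparison is on the digest and not on the configured string.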
