After messing a lot more with this, I decided to remove my IS-IS config completely on both routers and start over. I found that when using a key chain in IOS-XR, it seems to have trouble attaching the key to CSNP packets:
    SEND L2 PSNP on TenGigabitEthernet0/0/0/19: Add of Key Chain authentication failed

While I was able to get the adjacency established and accept LSPs, their acceptance by the neighbor is failing. I couldn't find anything in my debug file on Junos to indicate there was any authentication error or any 'adding new LSP to database', but it's possible I don't have the right traceoptions flag enabled:

    May 27 18:39:30.242356 Received L2 PSN, source 1071.3820.2192, interface xe-0/0/0.0
    May 27 18:39:31.259319 Received L2 PSN, source 1071.3820.2192, interface xe-0/0/0.0

I'm not sure if this is due to a misconfiguration on my end (entirely possible), as I wasn't even consciously aware of separate authentication of IIH, CSNP and PSNP until I re-read the Junos docs. I can't find whether separate settings are even possible on IOS-XR, though I know it's available in Junos to disable one or all three. Unless I get suggestions otherwise, I suppose I'll just not use keys, which seems prohibitive, particularly if a password needs changing at some point. The 'lsp-password' without a key chain seems to work just fine. :-/

-evt

On 5/27/20, 7:47 AM, "cisco-nsp on behalf of Eric Van Tol" <[email protected] on behalf of [email protected]> wrote:

Sorry if this is a duplicate – Outlook chose the ‘bounces’ address as the one to send to and I didn’t notice.

Hi all,

I’m testing out an NCS540 for use in our network and this is my first foray into IOS-XR. We have a mix of Juniper and Cisco IOS/IOS-XE devices that the NCS needs to interoperate with. I’m having some minor trouble with IS-IS authentication and it’s kind of driving me nuts because I can’t get IS-IS to come up when authentication is configured.

I keep getting this error:

    BAD P2P IIH rcvd from TenGigE0/0/0/19 SNPA 5c5e.abde.1e00: dropped because cryptographic password mismatch

Seems pretty obvious, but my keychain key password is configured and verified to match on both sides:

    key chain isis-chain
     key 1
      accept-lifetime 00:00:00 january 01 1993 infinite
      key-string password <password>
      send-lifetime 00:00:00 january 01 1993 infinite
      cryptographic-algorithm HMAC-MD5
     !
     accept-tolerance infinite

I’ve tried both MD5 and HMAC-MD5; neither works. Here is my IS-IS config on the NCS540:

    router isis rtr1
     set-overload-bit on-startup wait-for-bgp
     is-type level-2-only
     net 49.0001.1071.3820.2192.00
     log adjacency changes
     lsp-mtu 1497
     lsp-password keychain isis-chain
     address-family ipv4 unicast
      metric-style wide level 2
     !
     address-family ipv6 unicast
      metric-style wide level 2
      single-topology
     !
     interface Loopback1
      passive
      address-family ipv4 unicast
      !
      address-family ipv6 unicast
      !
     !
     interface TenGigE0/0/0/19
      circuit-type level-2-only
      point-to-point
      hello-password keychain isis-chain
      address-family ipv4 unicast
       metric 3500
      !
      address-family ipv6 unicast
       metric 3500
      !
     !

Traceoptions on the Juniper show something similar:

    ERROR: IIH from 1071.3820.2192 on xe-0/0/0.0 failed authentication

Here’s the Juniper key config and isis stanza:

    authentication-key-chains {
        key-chain isis-chain {
            key 1 {
                secret "<password>"; ## SECRET-DATA
                start-time "1993-1-1.00:00:00 +0000";
                algorithm md5;
            }
        }
    }
    protocols {
        isis {
            level 1 disable;
            level 2 {
                authentication-key-chain isis-chain;
                wide-metrics-only;
            }
            interface xe-0/0/0.0 {
                point-to-point;
                level 2 {
                    metric 3500;
                    hello-authentication-key-chain isis-chain;
                }
                level 1 disable;
            }
        }
    }

I know it’s got to be something simple, but it’s not clicking for me today. It seems like any step forward I take with IOS-XR, I end up taking two steps back on the next thing that ‘just works’ everywhere else.
-evt

_______________________________________________
cisco-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
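Added example, not code from the thread or from either vendor: a small Python implementation of the IS-IS HMAC-MD5 authentication scheme defined in RFC 5304, which is what `cryptographic-algorithm HMAC-MD5` on the NCS540 selects (the Junos side is assumed to be running the same RFC 5304 scheme). It shows what actually has to agree for the "cryptographic password mismatch" check to pass: the digest is HMAC-MD5, keyed with the password for that PDU type, over the entire PDU with the 16-byte Authentication Value zeroed (and, for LSPs only, the checksum and remaining-lifetime fields zeroed as well). The system ID is the one from the thread; the key strings, holding time, TLV contents and PDU layouts built here are constructed for the example. The demo signs a point-to-point IIH with a hello key and a level-2 PSNP with a separate LSP/SNP key, then verifies each against the right key, a key differing in one character, and the other PDU type's key, so the separate-key behaviour discussed above is visible in the results.

```python
"""Worked example of RFC 5304 HMAC-MD5 authentication for IS-IS PDUs.

Added example, not code from the thread or from either vendor. PDU layouts
follow ISO 10589 / RFC 5304; keys, holding time and TLV contents are constructed.
"""
import hashlib
import hmac
import struct

AUTH_TLV = 10              # Authentication Information TLV
AUTH_HMAC_MD5 = 54         # authentication type value for HMAC-MD5 (RFC 5304)
PDU_P2P_IIH = 17
PDU_L2_PSNP = 27
LSP_PDU_TYPES = {18, 20}   # L1/L2 LSP: checksum and lifetime are zeroed before hashing


def tlv(tlv_type, value):
    return bytes([tlv_type, len(value)]) + value


def empty_auth_tlv():
    """Auth TLV with type 54 and a zeroed 16-byte value, the form RFC 5304 hashes over."""
    return tlv(AUTH_TLV, bytes([AUTH_HMAC_MD5]) + bytes(16))


def _common_header(pdu_type, header_len):
    # 0x83 = intradomain routing protocol discriminator, version/proto-id-ext 1,
    # ID length 0 (= 6-byte system ID), PDU type, version 1, reserved, max area addrs 0
    return bytes([0x83, header_len, 1, 0, pdu_type, 1, 0, 0])


def build_p2p_iih(system_id, holding_time, tlvs):
    body = b"".join(tlvs)
    # circuit type 0x02 = level-2-only, then source ID, holding time, PDU length, local circuit ID
    fixed = struct.pack("!B6sHHB", 0x02, system_id, holding_time, 20 + len(body), 1)
    return _common_header(PDU_P2P_IIH, 20) + fixed + body


def build_l2_psnp(system_id, tlvs):
    body = b"".join(tlvs)
    # PDU length, then source ID (system ID + circuit byte 0)
    fixed = struct.pack("!H6sB", 17 + len(body), system_id, 0)
    return _common_header(PDU_L2_PSNP, 17) + fixed + body


def _auth_value_offset(pdu):
    """Walk the TLVs after the fixed header; return the offset of the 16-byte digest."""
    off = pdu[1]   # length indicator == size of the fixed header
    while off + 2 <= len(pdu):
        tlv_type, length = pdu[off], pdu[off + 1]
        if tlv_type == AUTH_TLV and length == 17 and pdu[off + 2] == AUTH_HMAC_MD5:
            return off + 3
        off += 2 + length
    raise ValueError("PDU carries no HMAC-MD5 authentication TLV")


def _text_to_authenticate(pdu, digest_off):
    """RFC 5304 3.2: whole PDU with the auth value zeroed; LSPs also zero checksum and lifetime."""
    text = bytearray(pdu)
    text[digest_off:digest_off + 16] = bytes(16)
    if (pdu[4] & 0x1F) in LSP_PDU_TYPES:
        text[10:12] = bytes(2)   # remaining lifetime
        text[24:26] = bytes(2)   # checksum
    return bytes(text)


def sign(pdu, key):
    """Return the PDU with its Authentication Value filled in under `key` (bytes)."""
    off = _auth_value_offset(pdu)
    digest = hmac.new(key, _text_to_authenticate(pdu, off), hashlib.md5).digest()
    return pdu[:off] + digest + pdu[off + 16:]


def verify(pdu, key):
    """True if the PDU's Authentication Value is the HMAC-MD5 under `key`."""
    off = _auth_value_offset(pdu)
    expected = hmac.new(key, _text_to_authenticate(pdu, off), hashlib.md5).digest()
    return hmac.compare_digest(expected, pdu[off:off + 16])


def demo():
    system_id = bytes.fromhex("107138202192")   # 1071.3820.2192 from the thread
    hello_key = b"hello-secret"                 # constructed: the key used for IIHs
    lsp_key = b"lsp-secret"                     # constructed: the key used for LSP/CSNP/PSNP
    # TLV 129 (Protocols Supported) carrying NLPIDs 0xCC (IPv4) and 0x8E (IPv6)
    iih = sign(build_p2p_iih(system_id, 30, [empty_auth_tlv(), tlv(129, b"\xcc\x8e")]), hello_key)
    psnp = sign(build_l2_psnp(system_id, [empty_auth_tlv()]), lsp_key)
    tampered = iih[:-1] + bytes([iih[-1] ^ 0x01])   # flip one bit in the last TLV
    return {
        "iih_correct_key": verify(iih, hello_key),
        "iih_wrong_key": verify(iih, b"hello-Secret"),
        "iih_tampered": verify(tampered, hello_key),
        "psnp_lsp_key": verify(psnp, lsp_key),
        "psnp_hello_key": verify(psnp, hello_key),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'pass' if ok else 'FAIL'}")
```

Run it stand-alone and only the `_correct_key` and `_lsp_key` checks pass; a key that differs by one character, a PDU that differs by one bit, or a PDU type checked against the other type's key all fail, which is the same three-way comparison a router is doing when it logs a cryptographic password mismatch.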
