EIGRP: TROUBLESHOOT AUTHENTICATION USING THE SHOW KEY CHAIN COMMAND

A little while ago, I was mucking about with some EIGRP authentication in a lab. Because when I party, I party hard. Rock and roll is an integral part of my soul.

So, EIGRP was running. Neighbors were formed. And then I added a keychain, and applied it to my interfaces. The neighborship dropped, tried to re-establish – and failed. Why?

Take a look at the two configs. See if you can spot it.

ROUTER 1:

key chain TESTCHAIN
 key 1
 key-string BEEFBOY
 accept-lifetime 00:00:00 Jan 1 1993 infinite
 send-lifetime 00:00:00 Jan 1 1993 infinite

interface FastEthernet0/0
 ip address 80.80.80.1 255.255.255.252
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 TESTCHAIN

ROUTER 2:

key chain TESTCHAIN2
 key 1
 key-string BEEFBOY
 accept-lifetime 00:00:00 Jan 1 1993 infinite
 send-lifetime 00:00:00 Jan 1 1993 infinite

interface FastEthernet0/0
 ip address 80.80.80.2 255.255.255.252
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 TESTCHAIN2

The configs look okay, right? I’ve got a keychain mentioning a password of BEEFBOY (a highly secure password that is practically invulnerable to even the most sophisticated dictionary attacks), starting way in the past, lasting forever. I haven’t shown the EIGRP config, but that’s all okay – the AS numbers match and the interfaces are activated.

I was a little new to keychain logic at the time, and I wasn’t entirely sure how to troubleshoot. So, I tried some EIGRP debugging:

Router2#debug eigrp packets
EIGRP Packets debugging is on
(UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
Router2#
Jan 1 00:00:17.743: EIGRP: pkt key id = 1, authentication mismatch
Jan 1 00:00:17.747: EIGRP: FastEthernet0/0: ignored packet from 80.80.80.1, opcode = 5 (invalid authentication)
Router2#

Hmm, seems there’s definitely an authentication problem – but exactly what the problem is, the debug doesn’t say. And sadly, there isn’t a magic debug option that just tells you precisely why.

How frustrating! The times are identical, the passwords clearly match – what’s going on?

Luckily there’s one more tool up our sleeve: the show key chain command. Let’s just triple-check that everything is as it seems:

ROUTER 1:

Router1#show key chain
Key-chain TESTCHAIN:
 key 1 -- text "BEEFBOY"
 accept lifetime (00:00:00 UTC Jan 1 1993) - (infinite) [valid now]
 send lifetime (00:00:00 UTC Jan 1 1993) - (infinite) [valid now]

ROUTER 2:

Router2#show key chain
Key-chain 1:
Key-chain TESTCHAIN2:
 key 1 -- text "BEEFBOY "
 accept lifetime (00:00:00 UTC Jan 1 1993) - (infinite) [valid now]
 send lifetime (00:00:00 UTC Jan 1 1993) - (infinite) [valid now]

Wait a second – why is there a space on Router 2’s key, between the key itself and the closing quotation mark?

It turns out that somehow I’d typed an extra space when I put in the password!

But what’s truly frustrating is the fact that if you copy and paste the config into a text editor, the space isn’t there!! Another high-quality design choice by the makers of everyone’s favourite router operating system. Anyway, I fixed the password, and it was all good.

The show key chain command. A nice, quick, simple way to make sure your keys are all in order, even when your configuration has you convinced that everything is fine. Thank you, Cisco, for this truly glorious and magical command.
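If you collect show key chain output from both ends of a neighborship anyway, a few lines of script can catch this slip before you stare at debugs. The following is an added example, not code from the original post: a small Python checker that parses the two outputs shown above (copied from the post as constructed sample input), flags any key-string padded with whitespace, and reports keys that differ between the two routers. It assumes the output format shown in the post (a "Key-chain NAME:" header followed by a key N -- text "..." line), and all function names are my own.

```python
import re
from dataclasses import dataclass, field

# Sample input: the show key chain output from the post's two routers.
# Router 2's key carries the trailing space that the running config hides.
ROUTER1_OUTPUT = """\
Key-chain TESTCHAIN:
 key 1 -- text "BEEFBOY"
 accept lifetime (00:00:00 UTC Jan 1 1993) - (infinite) [valid now]
 send lifetime (00:00:00 UTC Jan 1 1993) - (infinite) [valid now]
"""

ROUTER2_OUTPUT = """\
Key-chain 1:
Key-chain TESTCHAIN2:
 key 1 -- text "BEEFBOY "
 accept lifetime (00:00:00 UTC Jan 1 1993) - (infinite) [valid now]
 send lifetime (00:00:00 UTC Jan 1 1993) - (infinite) [valid now]
"""

# Assumed output layout: chain header line, then one 'key N -- text "..."' line per key.
CHAIN_RE = re.compile(r'^Key-chain (\S+):\s*$')
KEY_RE = re.compile(r'^\s*key (\d+) -- text "(.*)"\s*$')


@dataclass
class KeyChain:
    name: str
    # key id -> key-string exactly as printed between the quotes (padding preserved)
    keys: dict = field(default_factory=dict)


def parse_show_key_chain(output: str) -> dict:
    """Parse 'show key chain' output into {chain name: KeyChain}.

    Lifetime lines are ignored; a chain with no key lines (like 'Key-chain 1')
    is still recorded, with an empty key table.
    """
    chains, current = {}, None
    for line in output.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = KeyChain(m.group(1))
            chains[current.name] = current
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            current.keys[int(m.group(1))] = m.group(2)
    return chains


def whitespace_problems(chains: dict) -> list:
    """Flag key-strings with leading/trailing whitespace, which 'show run' does not reveal."""
    findings = []
    for chain in chains.values():
        for kid, text in chain.keys.items():
            if text != text.strip():
                findings.append(
                    f"{chain.name} key {kid}: key-string {text!r} is padded with whitespace"
                )
    return findings


def compare_key_chains(local: KeyChain, peer: KeyChain) -> list:
    """Report key ids whose key-strings differ between two routers.

    repr() is used so a difference that is only whitespace is visible in the report.
    """
    findings = []
    for kid in sorted(set(local.keys) | set(peer.keys)):
        a, b = local.keys.get(kid), peer.keys.get(kid)
        if a is None or b is None:
            findings.append(f"key {kid} is configured on only one router")
        elif a != b:
            hint = " (differs only by whitespace)" if a.strip() == b.strip() else ""
            findings.append(f"key {kid}: {a!r} vs {b!r}{hint}")
    return findings


if __name__ == "__main__":
    r1 = parse_show_key_chain(ROUTER1_OUTPUT)
    r2 = parse_show_key_chain(ROUTER2_OUTPUT)
    for finding in whitespace_problems(r1) + whitespace_problems(r2):
        print("PADDING :", finding)
    for finding in compare_key_chains(r1["TESTCHAIN"], r2["TESTCHAIN2"]):
        print("MISMATCH:", finding)
```

Run against the post's output it prints one padding finding for TESTCHAIN2 and one mismatch of 'BEEFBOY' vs 'BEEFBOY ' marked as whitespace-only, which is exactly the difference the running config swallowed. The same check works for any pair of chains, so it is a cheap thing to run whenever a freshly applied key chain breaks an adjacency.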
