A little while ago, I was mucking about with some EIGRP authentication in a lab. Because when I party, I party hard. Rock and roll is an integral part of my soul.
So, EIGRP was running. Neighbors were formed. And then I added a keychain, and applied it to my interfaces. The neighborship dropped, tried to re-establish – and failed. Why?
Take a look at the two configs. See if you can spot it.
key chain TESTCHAIN1
 key 1
  key-string BEEFBOY
  accept-lifetime 00:00:00 Jan 1 1993 infinite
  send-lifetime 00:00:00 Jan 1 1993 infinite
interface FastEthernet0/0
 ip address 184.108.40.206 255.255.255.252
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 TESTCHAIN

key chain TESTCHAIN2
 key 1
  key-string BEEFBOY
  accept-lifetime 00:00:00 Jan 1 1993 infinite
  send-lifetime 00:00:00 Jan 1 1993 infinite
interface FastEthernet0/0
 ip address 220.127.116.11 255.255.255.252
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 TESTCHAIN2
The configs look okay, right? I’ve got a keychain mentioning a password of BEEFBOY (a highly secure password that is practically invulnerable to even the most sophisticated dictionary attacks), starting way in the past, lasting forever. I haven’t shown the EIGRP config, but that’s all okay – the AS numbers match and the interfaces are activated.
I was a little new to keychain logic at the time, and I wasn’t entirely sure how to troubleshoot it. So, I tried some EIGRP debugging:
Router2#debug eigrp packets
EIGRP Packets debugging is on
    (UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
Router2#
Jan 1 00:00:17.743: EIGRP: pkt key id = 1, authentication mismatch
Jan 1 00:00:17.747: EIGRP: FastEthernet0/0: ignored packet from 18.104.22.168, opcode = 5 (invalid authentication)
Router2#
Hmm, there’s definitely an authentication problem – but exactly what the problem is, the debug doesn’t say. And sadly, there isn’t a magic debug option that just tells you precisely why.
How frustrating! The times are identical, the passwords clearly match – what’s going on?
Luckily there’s one more tool up our sleeve: the show key chain command. Let’s just triple-check that everything is as it seems:
Router1#show key chain
Key-chain TESTCHAIN:
    key 1 -- text "BEEFBOY"
        accept lifetime (00:00:00 UTC Jan 1 1993) - (infinite) [valid now]
        send lifetime (00:00:00 UTC Jan 1 1993) - (infinite) [valid now]

Router2#show key chain
Key-chain 1:
Key-chain TESTCHAIN2:
    key 1 -- text "BEEFBOY "
        accept lifetime (00:00:00 UTC Jan 1 1993) - (infinite) [valid now]
        send lifetime (00:00:00 UTC Jan 1 1993) - (infinite) [valid now]
Wait a second – why is there a space on Router 2’s key, between the key itself and the closing quotation mark?
It turns out that somehow I’d typed an extra space when I put in the password!
But what’s truly frustrating is that if you copy and paste the running config into a text editor, the space isn’t visible at all! Another high-quality design choice by the makers of everyone’s favourite router operating system. Anyway, I fixed the password, and it was all good.
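Since the trailing space only shows up inside the quotes of show key chain output, the check is easy to automate. Here is an added example (my own code, not from the original post or from Cisco) that parses that output, flags any key-string with leading or trailing whitespace, and compares two routers’ keys by key id; the sample output is constructed to mirror the Router2 case above.

```python
import re

# Constructed sample "show key chain" output, mirroring the page's Router2.
# Note the trailing space inside the quotes on key 1 of TESTCHAIN2.
SAMPLE_SHOW_KEY_CHAIN = """\
Key-chain TESTCHAIN2:
    key 1 -- text "BEEFBOY "
        accept lifetime (00:00:00 UTC Jan 1 1993) - (infinite) [valid now]
        send lifetime (00:00:00 UTC Jan 1 1993) - (infinite) [valid now]
Key-chain CLEANCHAIN:
    key 5 -- text "GoodKey"
        accept lifetime (00:00:00 UTC Jan 1 1993) - (infinite) [valid now]
        send lifetime (00:00:00 UTC Jan 1 1993) - (infinite) [valid now]
"""

CHAIN_RE = re.compile(r'^\s*Key-chain\s+(\S+):')
# Greedy (.*) keeps everything between the quotes, trailing spaces included.
KEY_RE = re.compile(r'^\s*key\s+(\d+)\s+--\s+text\s+"(.*)"\s*$')


def parse_key_chains(output):
    """Return {chain_name: {key_id: key_string}} from 'show key chain' text."""
    chains, current = {}, None
    for line in output.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains.setdefault(current, {})
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            chains[current][int(m.group(1))] = m.group(2)
    return chains


def find_whitespace_keys(output):
    """List (chain, key_id, repr(key)) for keys with leading/trailing whitespace."""
    return [(chain, key_id, repr(key))
            for chain, keys in parse_key_chains(output).items()
            for key_id, key in keys.items()
            if key != key.strip()]


def key_mismatches(chain_a, chain_b):
    """Given two {key_id: key_string} dicts (one per router), return the key ids
    whose strings differ or that exist on only one side. EIGRP matches on key id
    and key string, not on the key chain name, so the chain names may differ."""
    return sorted(k for k in set(chain_a) | set(chain_b)
                  if chain_a.get(k) != chain_b.get(k))


if __name__ == "__main__":
    for chain, key_id, key in find_whitespace_keys(SAMPLE_SHOW_KEY_CHAIN):
        print(f"{chain} key {key_id}: key-string {key} has stray whitespace")
```

Paste each router’s show key chain output into parse_key_chains and feed the two chains applied to the peering interface into key_mismatches; the whitespace check catches the case the config copy hides.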
The show key chain command. A nice, quick, simple way to make sure your keys are all in order, even when your configuration has you convinced that everything is fine. Thank you, Cisco, for this truly glorious and magical command.