eigrp authentication

Unanswered Question
Mar 31st, 2007

hi, i m a bit confused regarding eigrp authentication, see i have 2 routers A and B, now i have set this key chain on A

key chain cisco

key 2

key-string test2

on B..

key chain test

key 1

key-string test1

key 2

key-string test2



it said that 1 auth packet is sent, and the keys are examined from low to high and the first valid key that is encountered its used,,, but RA is not authenticating !!! why ??? when it receives the packet from B it will ignore key 1 since A doesnot have it but why not its accepting key 2 ???? plz some1 help me

thanks in advance

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Edison Ortiz Sat, 03/31/2007 - 13:45

The keys are sent in numerical order and only one key can be sent at the time while you can receive multiple keys at the same time.

For this to work, you need to configure RouterB with a send time value that is past due, so only key 2 can be sent to RouterA.

shaila_rox Sun, 04/01/2007 - 10:19

sorry but i didnt get it, u said one key can be sent at a time while i can receive multi keys at the same time ??? how can i receive when multi keys while a router can send 1 at a time ??? in my case key 1 was sent first right which was not valid for RtrB, so wat will happen next ?? key 2 will be sent right ??? i m confused plz explain it

thanks in advance

Edison Ortiz Sun, 04/01/2007 - 14:07

This link you posted, explains it in details

"Router A will accept and attempt to verify the MD5 digest of any EIGRP packet with a key equal to 1. It will also accept a packet with a key equal to 2. All other MD5 packets will be dropped. Router A will send all EIGRP packets with key 2.

Router B will accept key 1 or key 2, and will use key 1 to send MD5 authentication, since key 1 is the first the first valid key off the key-chain. Key 1 will no longer be valid to be used for sending after December 4, 2006. After this date, key 2 would be used to send MD5 authentication., since it is valid until January 4, 2007. "

You have to make key 1 on Router B invalid in order for Router A to receive key 2 from the chain. You can change this behavior by inserting a time in the past as the start and end time for key 1.

shaila_rox Sun, 04/01/2007 - 23:51

hi sorry edison i m not getting it, see this is how i have configured now,


key chain ciscoa

key 1

key-string keya1

key 2

key-string cisco


key chain ciscob

key 1

key-string keyb1

key 2

key-string cisco

even now they r not authenticating but why ??? when key 1 is invalid why r they not agreeing upon key 2 ??? u said

"Router A will accept and attempt to verify the MD5 digest of any EIGRP packet with a key equal to 1. It will also accept a packet with a key equal to 2" so why dosent it accepting key 2 in my case ??? i know i m being stupid but i m really not getting it plz explain it


This Discussion