03-31-2007 12:57 AM - edited 03-05-2019 03:12 PM
Hi, I'm a bit confused regarding EIGRP authentication. I have 2 routers, A and B. I have set this key chain on A:
key chain cisco
 key 2
  key-string test2
On B:
key chain test
 key 1
  key-string test1
 key 2
  key-string test2
Now, it said that 1 auth packet is sent, and the keys are examined from low to high and the first valid key that is encountered is used, but RA is not authenticating! Why? When it receives the packet from B it will ignore key 1 since A does not have it, but why is it not accepting key 2? Please, someone help me.
Thanks in advance.
03-31-2007 01:45 PM
The keys are sent in numerical order and only one key can be sent at a time, while you can receive multiple keys at the same time.
For this to work, you need to configure RouterB with a send time value that is past due, so only key 2 can be sent to RouterA.
04-01-2007 10:19 AM
Sorry, but I didn't get it. You said one key can be sent at a time while I can receive multiple keys at the same time? How can I receive multiple keys while a router can send 1 at a time? In my case key 1 was sent first, right, which was not valid for RtrB, so what will happen next? Key 2 will be sent, right? I'm confused, please explain it.
Thanks in advance.
04-01-2007 02:07 PM
This link you posted explains it in detail:
"Router A will accept and attempt to verify the MD5 digest of any EIGRP packet with a key equal to 1. It will also accept a packet with a key equal to 2. All other MD5 packets will be dropped. Router A will send all EIGRP packets with key 2.
Router B will accept key 1 or key 2, and will use key 1 to send MD5 authentication, since key 1 is the first valid key off the key-chain. Key 1 will no longer be valid to be used for sending after December 4, 2006. After this date, key 2 would be used to send MD5 authentication, since it is valid until January 4, 2007."
You have to make key 1 on Router B invalid in order for Router A to receive key 2 from the chain. You can change this behavior by inserting a time in the past as the start and end time for key 1.
04-01-2007 11:51 PM
Hi, sorry Edison, I'm not getting it. This is how I have configured it now:
RtrA
key chain ciscoa
 key 1
  key-string keya1
 key 2
  key-string cisco
RtrB
key chain ciscob
 key 1
  key-string keyb1
 key 2
  key-string cisco
Even now they are not authenticating, but why? When key 1 is invalid, why are they not agreeing upon key 2? You said
"Router A will accept and attempt to verify the MD5 digest of any EIGRP packet with a key equal to 1. It will also accept a packet with a key equal to 2", so why isn't it accepting key 2 in my case? I know I'm being stupid, but I'm really not getting it. Please explain it.
04-02-2007 02:34 PM
Here is a config example.
Suggestion:
Turn on debug ("debug eigrp packets") and you will see the behavior.
Good luck.
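The send and receive rules discussed in this thread, modelled as an added example (not part of any post, and not Cisco code): the sender uses its lowest-numbered key that is valid for sending, and the receiver checks only the key ID carried in the packet. The `Key` fields, the function names and the simplified digest are assumptions of this sketch; the key chains are constructed from the configurations posted above.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class Key:
    key_id: int
    secret: str
    can_send: bool = True    # assumption: True while inside the key's send lifetime
    can_accept: bool = True  # assumption: True while inside the key's accept lifetime

def digest(secret, payload):
    # Simplified stand-in for the EIGRP MD5 digest, not the real packet format.
    return hashlib.md5(payload + secret.encode()).hexdigest()

def send(chain, payload=b"hello"):
    """Sender picks the lowest-numbered key that is currently valid for sending."""
    usable = sorted((k for k in chain if k.can_send), key=lambda k: k.key_id)
    if not usable:
        return None
    k = usable[0]
    return (k.key_id, payload, digest(k.secret, payload))

def receive(chain, packet):
    """Receiver checks only the key ID in the packet; it never tries other keys."""
    if packet is None:
        return "no valid send key"
    key_id, payload, mac = packet
    for k in chain:
        if k.key_id == key_id and k.can_accept:
            return "accepted" if digest(k.secret, payload) == mac else "digest mismatch"
    return f"dropped: no key {key_id}"

def adjacency(a, b):
    """Return (A's verdict on B's packet, B's verdict on A's packet)."""
    return receive(a, send(b)), receive(b, send(a))

# Key chains constructed from the configurations posted in the thread.
first_a = [Key(2, "test2")]
first_b = [Key(1, "test1"), Key(2, "test2")]
second_a = [Key(1, "keya1"), Key(2, "cisco")]
second_b = [Key(1, "keyb1"), Key(2, "cisco")]
# Suggested fix: key 1 on B has a send lifetime that lies in the past.
fixed_b = [Key(1, "test1", can_send=False), Key(2, "test2")]

if __name__ == "__main__":
    print("first config :", adjacency(first_a, first_b))
    print("second config:", adjacency(second_a, second_b))
    print("key 1 expired:", adjacency(first_a, fixed_b))
```

In the second configuration both routers send with key 1, so the matching key 2 strings are never used until key 1 stops being valid for sending on both sides.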