Cisco Support Community

OSPF routers do not form neighbor relationships due to authentication type mismatch

Core Issue

Before exchanging routing information, routers running Open Shortest Path First (OSPF) form neighbor relationships with other OSPF routers on the same segment. This is done by exchanging hello packets. The hello packets contain various parameters, one of which is related to authentication. This parameter specifies the authentication type and authentication information for the originating interface. Authentication is useful for preventing malicious or incorrect routing information from being introduced into the routing table. OSPF supports two types of authentication: plain text and Message Digest 5 (MD5).

To become neighbors, OSPF routers attached to a segment must be configured for the same authentication type and the same password. If these parameters do not match, the router that is configured for authentication ignores the hello packets received from the other router and does not consider it a neighbor.

If a router receiving the hello packets is not configured for authentication, it accepts the hello packets from the other router with authentication information and considers it as a neighbor.

However, it will not see itself listed in the hello packets it receives. Therefore, it considers the neighbor to be in the Init state, and adjacency establishment does not proceed further.

Resolution

To resolve this issue, perform these steps:

  1. Identify the adjacency state with the neighbor by issuing the show ip ospf neighbor command from privileged EXEC mode.
  2. Find the authentication type configured under an interface by issuing the show ip ospf interface command from privileged EXEC mode.

    If the authentication type does not match between two routers on the same segment, the debug ip ospf adj command, issued from privileged EXEC mode, displays a message similar to this:

    OSPF: Rcv pkt from x.x.x.x, Ethernet1/0 : Mismatch Authentication type. Input packet specified type 2, we use type 1

    The type numbers in this message have these meanings:

    • Type 0 indicates that no authentication is enabled.
    • Type 1 indicates that plain text authentication is enabled.
    • Type 2 indicates that MD5 authentication is enabled.
  3. Make sure that all the routers connected to the same segment use the same authentication type. This is done by issuing the area authentication command in router configuration mode or the ip ospf authentication command in interface configuration mode.

    The area authentication command configures all the interfaces under a particular area to use the specified authentication type.

    The ip ospf authentication command can be used to individually configure the authentication type for an interface or to override the type configured for an interface with the area authentication command.
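
The following is an added example, not part of the original article or any Cisco tooling: a small Python triage script that scans captured debug ip ospf adj output for the mismatch message shown in step 2 and reports, per neighbor and interface, which authentication type each side uses. The sample log lines, timestamps and addresses are constructed for illustration; only the message format comes from the article.

```python
import re
from collections import Counter

# Authentication type numbers as listed in the article.
AUTH_TYPES = {0: "none", 1: "plain text", 2: "MD5"}

# Matches the mismatch message format quoted in step 2 of the article.
MISMATCH_RE = re.compile(
    r"OSPF: Rcv pkt from (?P<peer>\S+), (?P<intf>\S+)\s*:\s*Mismatch Authentication type\.\s*"
    r"Input packet specified type (?P<theirs>\d+), we use type (?P<ours>\d+)"
)

def find_auth_mismatches(lines):
    """Collapse repeated mismatch messages into one finding per peer/interface."""
    hits = Counter()
    for line in lines:
        m = MISMATCH_RE.search(line)
        if m:
            hits[(m["peer"], m["intf"], int(m["theirs"]), int(m["ours"]))] += 1
    return [
        {"peer": peer, "interface": intf, "count": count,
         "peer_auth": AUTH_TYPES.get(theirs, f"unknown ({theirs})"),
         "local_auth": AUTH_TYPES.get(ours, f"unknown ({ours})")}
        for (peer, intf, theirs, ours), count in sorted(hits.items())
    ]

# Constructed sample log; addresses are documentation-range placeholders.
SAMPLE_LOG = [
    "*Mar  1 00:01:10.123: OSPF: Rcv pkt from 192.0.2.2, Ethernet1/0 : Mismatch Authentication type. Input packet specified type 2, we use type 1",
    "*Mar  1 00:01:20.125: OSPF: Rcv pkt from 192.0.2.2, Ethernet1/0 : Mismatch Authentication type. Input packet specified type 2, we use type 1",
    "*Mar  1 00:01:21.001: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up",
    "*Mar  1 00:01:25.400: OSPF: Rcv pkt from 203.0.113.9, Serial0/1 : Mismatch Authentication type. Input packet specified type 0, we use type 2",
]

if __name__ == "__main__":
    for f in find_auth_mismatches(SAMPLE_LOG):
        print(f"{f['interface']}: neighbor {f['peer']} sends {f['peer_auth']}, "
              f"local interface uses {f['local_auth']} ({f['count']} packets)")
```

Each finding identifies a segment where step 3 applies: the two routers must be brought to the same authentication type.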


Version history: Revision 1 of 1
Last update: 06-22-2009 05:32 PM