02-22-2006 02:35 AM - edited 03-03-2019 11:49 AM
Hi
I have a problem with BGP authentication with Back to Back Link.
I am getting Feb 21 17:54:27: %TCP-6-BADAUTH: Invalid MD5 digest from 172.28.14.126(57800) to 172.28.14.125(179)
I am sure that both routers have exactly the same password, as I have removed the service password encryption to check the password. But I am still getting the bad authentication.
IOS version is 11T7
Has anybody seen this problem? Any suggestions?
02-22-2006 02:41 AM
Hi
Did you check the clock on both sides? They must be using the same clock system. Use show clock.
02-22-2006 02:49 AM
Yes. We have configured the following command on both routers.
clock summer-time utc recurring
There is the same NTP server for both routers. When we cleared the BGP again we had the same MD5 problem.
02-22-2006 03:20 AM
Hi
I have no idea exactly what the problem is with that. Why don't you try a number as the password, like "1234"? Don't forget to reset the BGP session.
02-22-2006 03:25 AM
Hello,
Have you tried removing and re-adding the password to ensure there isn't a white character like a space at the end of one of the passwords? Are both routers running the same version of IOS?
Regards,
James
02-22-2006 03:29 AM
Hello,
Also verify that the MTU settings for the TCP connections are the same between both routers.
Regards,
James
02-22-2006 04:54 AM
Hello,
First time I have ever heard that BGP peers need to be running the same clock to authenticate ..... I could be wrong though.
I have had this message lead me astray in the past. I have seen the router complain about authentication when really the issue was with the TCP connection or source interface. If you are sure the passwords are the same then check other settings. Perhaps remove the password on both ends and see if the peer comes up. Once you have the peer up add authentication to it.
HTH
-Rob
02-22-2006 07:25 AM
Hi
MTU is default 1500.
No spaces at the end. That's why we removed the service password encryption.
We removed the password and configured the exact password in clear text and still we were seeing the bad auth.
This was really confusing.
Could the following lines create any problem?
service tcp-keepalives-in
service tcp-keepalives-out
02-22-2006 01:22 PM
Hi
Are you using the same IOS version at both ends? I'm just wondering whether one router is using the old method of BGP authentication (which used BGP option 1 and carried authentication information in the Marker field) and the other is using the new way of doing authentication (using TCP MD5).
Paresh
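How the TCP MD5 digest mentioned in the reply above is computed per RFC 2385, and why a one-character difference in the key produces the BADAUTH message; this is an added example, not part of the original thread and not Cisco code. Only the addresses and ports come from the log line in the first post; the key, sequence number, window and option length are constructed.

```python
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
SYN = 0x02

def tcp_md5_digest(src_ip, dst_ip, sport, dport, seq, ack,
                   offset_words, flags, window, payload, key):
    """RFC 2385 digest: MD5 over the pseudo-header, the fixed 20-byte TCP
    header (checksum zeroed, options excluded), the segment data, the key."""
    seg_len = offset_words * 4 + len(payload)   # header + options + data
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    fixed_hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                            (offset_words << 12) | flags, window,
                            0,   # checksum field is treated as zero
                            0)   # urgent pointer
    return hashlib.md5(pseudo + fixed_hdr + payload + key).digest()

def receiver_accepts(fields, received_digest, local_key):
    """What the listening peer does: recompute with its own key, compare."""
    return hmac.compare_digest(tcp_md5_digest(*fields, local_key),
                               received_digest)

# Constructed SYN for the session in the log line. Addresses and ports are
# from the first post; seq, window and option length are made-up values.
SYN_FIELDS = ("172.28.14.126", "172.28.14.125", 57800, 179,
              0x1A2B3C4D, 0, 11, SYN, 16384, b"")

if __name__ == "__main__":
    sent = tcp_md5_digest(*SYN_FIELDS, b"ExampleKey")     # constructed key
    for label, key in [("same key", b"ExampleKey"),
                       ("trailing space", b"ExampleKey "),
                       ("different case", b"examplekey")]:
        ok = receiver_accepts(SYN_FIELDS, sent, key)
        print(f"{label:15} -> {'accepted' if ok else '%TCP-6-BADAUTH'}")
```

Because the pseudo-header is part of the hashed input, a segment whose source or destination address differs from what the receiver sees fails the same check even when the keys match.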