key chains

Netwurk Member Posts: 1,155
Setting up the keys/key chains for EIGRP seems to be a new topic for ROUTE vs. the BSCI.

I think it is covered for OSPF too, but I haven't got to OSPF studies yet.

Anyway, I've labbed up keys and today spent almost an hour troubleshooting an authentication failure. The lab had worked flawlessly for about a month and I could not figure out why it was now failing.

All keys matched so I could not figure out why I was not authenticating.

Solution: One of the routers had lost connectivity to my NTP server and was not using the proper keys timewise.

Thought I would post this on the chance it would save someone the same troubleshooting snafu that I went through.

Moral of the story is to do a show clock on the routers to make sure they match.


:)

Comments

  • chmorin Member Posts: 1,446
    I didn't realize timestamps had anything to do with authentication. Wow, thanks for the info!
  • Netwurk Member Posts: 1,155
    chmorin wrote: »
    I didn't realize timestamps had anything to do with authentication. Wow, thanks for the info!

    From the Cisco book:

    Neighboring EIGRP routers that use authentication should be configured to use NTP to synchronize their time-of-day clocks. For quick tests in a lab, you can just set the time using the clock set exec command.

    Anyhow, I use NTP in my network. The reason the time needs to be synched has to do with the start/stop dates for the keys.

    So if your range is

    accept-lifetime 18:00:00 Jun 1 2010 20:00:00 Apr 1 2011
    send-lifetime 18:00:00 Jun 1 2010 20:00:00 Apr 1 2011


    on both routers and your clock is off, then they will not agree on the key's timeframe and you can't authenticate.

    Cool stuff, the ROUTE is much more interesting to lab up compared to BCMSN or SWITCH.
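
Added example, not part of the thread and not Cisco's code: a simplified Python model of the lifetime check described in the post above. It parses the two lifetime lines quoted there and judges them against each router's own clock; the clock values and the send/accept model are assumptions made for illustration.

```python
from datetime import datetime

FMT = "%H:%M:%S %b %d %Y"  # e.g. "18:00:00 Jun 1 2010"

# Lifetime lines as posted in the thread (same on both routers).
KEY_LIFETIMES = [
    "accept-lifetime 18:00:00 Jun 1 2010 20:00:00 Apr 1 2011",
    "send-lifetime 18:00:00 Jun 1 2010 20:00:00 Apr 1 2011",
]

def parse_lifetime(line):
    """Split one lifetime line into (kind, start, end)."""
    tok = line.split()
    if len(tok) != 9 or tok[0] not in ("accept-lifetime", "send-lifetime"):
        raise ValueError(f"unsupported lifetime line: {line!r}")
    start = datetime.strptime(" ".join(tok[1:5]), FMT)
    end = datetime.strptime(" ".join(tok[5:9]), FMT)
    return tok[0].split("-")[0], start, end

def key_state(lines, local_clock):
    """Which roles the key is valid for, judged by this router's own clock."""
    state = {"accept": False, "send": False}
    for line in lines:
        kind, start, end = parse_lifetime(line)
        state[kind] = start <= local_clock <= end
    return state

def can_authenticate(lines, sender_clock, receiver_clock):
    """Assumed model: sender needs a sendable key, receiver an acceptable one."""
    return (key_state(lines, sender_clock)["send"]
            and key_state(lines, receiver_clock)["accept"])

def adjacency_ok(lines, clock_a, clock_b):
    """Both directions must authenticate for the neighbors to stay up."""
    return (can_authenticate(lines, clock_a, clock_b)
            and can_authenticate(lines, clock_b, clock_a))

# Constructed clocks: R1 is NTP-synced, R2 lost NTP and reads a date before the key starts.
R1_CLOCK = datetime(2010, 7, 15, 12, 0, 0)
R2_CLOCK = datetime(2010, 5, 30, 12, 0, 0)

if __name__ == "__main__":
    print("R2 view of key:", key_state(KEY_LIFETIMES, R2_CLOCK))
    print("both synced:   ", adjacency_ok(KEY_LIFETIMES, R1_CLOCK, R1_CLOCK))
    print("R2 clock off:  ", adjacency_ok(KEY_LIFETIMES, R1_CLOCK, R2_CLOCK))
```

The key strings and lifetimes are identical on both sides in this model; only R2's clock differs, which is enough to make the key inactive from R2's point of view.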
  • networker050184 Mod Posts: 11,962
    Key chains for EIGRP were covered in the BSCI also.