EIGRP key chains
I've only just started learning CCNP stuff but having problems with key chains. They do seem to work partially. For example I connected R1 and R2 UPTO together using the serial interfaces then implement a keychain, key number and key-string. I kept the names all the same but did read somewhere that only the key number and string need to match. Anyway I got it working and adj was up.
I then added another router R3 and tried the same thing but adjacency failed. I ran a debug and it told me I had a mismatched authentication. So I then created a different keychain and ensured the parameters matched between R2 and R3. Still keep getting a failure. I have looked over the running config but can't see where I am going wrong.
Any suggestions?
R1
!
key chain MRBUMP
 key 1
  key-string PRASH
key chain MRNOISY
 key 1
  key-string PRASH
!
interface Loopback1
 ip address 10.0.0.1 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0
 ip address 172.16.0.1 255.255.255.252
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 MRBUMP
 serial restart-delay 0
!
interface Serial1/1
 ip address 172.30.0.1 255.255.255.252
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 MRNOISY
 serial restart-delay 0
R2
key chain MRBUMP
 key 1
  key-string PRASH
key chain MRSMALL
 key 1
  key-string PRASH1
!
interface Serial0/0
 ip address 172.16.0.2 255.255.255.252
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 MRBUMP
 serial restart-delay 0
!
interface Serial0/1
 ip address 192.168.0.1 255.255.255.0
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 MRSMALL
 serial restart-delay 0
!
interface Serial0/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial0/3
 no ip address
 shutdown
 serial restart-delay 0
!
router eigrp 1
 network 172.16.0.0
 network 192.168.0.0
 no auto-summary
!
no ip http server
no ip http secure-server
!
control-plane
!
R3
!
key chain MRBUMP
 key 1
  key-string PRASH
key chain MRNOISY
 key 1
  key-string PRASH
key chain MRSMALL
 key 1
  key-string PRASH1
!
interface Serial0/0
 ip address 192.168.0.2 255.255.255.0
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 MRSMALL
 serial restart-delay 0
!
interface Serial0/1
 ip address 172.30.0.2 255.255.255.252
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 MRNOISY
 serial restart-delay 0
!
interface Serial0/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial0/3
 no ip address
 shutdown
 serial restart-delay 0
!
router eigrp 1
 network 172.30.0.0 0.0.0.3
 network 192.168.0.0
 no auto-summary
I'm an Xpert at nothing apart from remembering useless information that nobody else cares about.
Comments
-
blindrox Member Posts: 10 ■□□□□□□□□□
From what I can see - the configs do seem to match up.
Next thing I would check is that the cabling is correct between R2 and R3.
Can you post your debug messages from R2 and R3?
-
SharkDiver Member Posts: 844
Did the adjacency between R1 and R3 come up and only the one from R3 to R2 failed, or did all adjacencies to R3 fail?
I looked over the config and even made a little network drawing and don't see a problem with the config.
-
MrXpert Member Posts: 586 ■■■□□□□□□□
I've attempted to set it up again but so far have connected R1 TO R2 AND R2 TO R3. I have enabled EIGRP, no auto summary on every router but not added the key chains yet. While looking in the show ip route command on each router, I saw something very strange and not something I'd seen before while using packet tracer.
Take a look please at the connected routes. There's two of them for the same network. I don't understand how two networks can be directly connected to one interface?
show ip route, run on R2
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.0.0/30 is directly connected, Serial1/0
C 172.16.0.1/32 is directly connected, Serial1/0
D 10.0.0.0/8 [90/2297856] via 172.16.0.1, 00:00:51, Serial1/0
192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.0.0/28 is directly connected, Serial1/1
C 192.168.0.2/32 is directly connected, Serial1/1
R3#SHOW IP ROUTE
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
D 172.16.0.0/30 [90/2681856] via 192.168.0.1, 00:01:44, Serial1/0
D 172.16.0.1/32 [90/2681856] via 192.168.0.1, 00:01:44, Serial1/0
D 10.0.0.0/8 [90/2809856] via 192.168.0.1, 00:01:44, Serial1/0
192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.0.0/28 is directly connected, Serial1/0
C 192.168.0.1/32 is directly connected, Serial1/0
R1#SHOW IP ROUTE
Gateway of last resort is not set
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.0.0/30 is directly connected, Serial1/0
C 172.16.0.2/32 is directly connected, Serial1/0
C 10.0.0.0/8 is directly connected, Loopback1
192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
D 192.168.0.0/28 [90/2681856] via 172.16.0.2, 00:01:34, Serial1/0
D 192.168.0.2/32 [90/2681856] via 172.16.0.2, 00:01:34, Serial1/0
I will include the gns3 file and the diagram for clarity.
basic network eigrp 29th feb.rar
eigrp network 29th feb.jpg
-
chmorin Member Posts: 1,446 ■■■■■□□□□□
The /32 is the interface IP address. Recall that /32 is explicit to only the specific IP address.
The /30 is the subnet attached to the interface.
Currently Pursuing
WGU (BS in IT Network Administration) - 52% | CCIE: Voice Written - 0% (0/200 Hours)
mikej412 wrote: Cisco Networking isn't just a job, it's a Lifestyle.
-
MrBrian Member Posts: 520
Just glancing at the configs I'm not sure. There must be a reason though. One thing I would check is that for your key-strings make sure that you hit enter right after the last letter of the password when configuring it. One time I was doing this and was using question marks after everything just to make sure that was it... and on one of the key-strings I hit space at the end, then entered it. In doing this, the router thought the password was the word plus an invisible space at the end. The other side didn't have this space. When looking at the configs, I couldn't see that there was an invisible space at the end of one of the passwords, so they appeared to match. It took me forever to figure out and I was going crazy lol! Just a thought..
As for the connected interfaces appearing twice. Honestly I can't think of why off the top of my head.. I can't remember what the routing table looks like when you apply a secondary IP to an interface, so I was gonna suggest that.. but then again the IPs overlap so it probably wouldn't take it anyway. Reminds me of the ipv6 routing table.. which shows both their Local /128 IPs plus the connected subnet in the routing table.
Currently reading: Internet Routing Architectures by Halabi
-
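The trailing-space mismatch described in the post above, as an added example that is not part of the thread: this Python check compares the key number and key-string on both ends of each authenticated link and flags key-strings with leading or trailing whitespace. The two configs are constructed from the thread's R2-R3 link (the trailing space on R3 is an assumption made for the demonstration), and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed configs modelled on the thread's R2-R3 link. R3's key-string has
# a deliberate trailing space, which a terminal shows exactly like R2's.
CONFIGS = {
    "R2": "key chain MRSMALL\n key 1\n  key-string PRASH1\n"
          "interface Serial0/1\n ip address 192.168.0.1 255.255.255.0\n"
          " ip authentication key-chain eigrp 1 MRSMALL\n",
    "R3": "key chain MRSMALL\n key 1\n  key-string PRASH1 \n"
          "interface Serial0/0\n ip address 192.168.0.2 255.255.255.0\n"
          " ip authentication key-chain eigrp 1 MRSMALL\n",
}

def parse(config):
    """Return ({chain: {key_id: key_string}}, [(interface, network, chain)])."""
    chains, ifaces = {}, []
    chain = key_id = iface = net = None
    for raw in config.split("\n"):  # split on "\n" only so trailing spaces survive
        line = raw.lstrip()
        if m := re.match(r"key chain (\S+)", line):
            chain = m.group(1)
            chains[chain] = {}
        elif m := re.match(r"key (\d+)\s*$", line):
            key_id = int(m.group(1))
        elif line.startswith("key-string "):
            chains[chain][key_id] = line[len("key-string "):]  # kept byte for byte
        elif m := re.match(r"interface (\S+)", line):
            iface, net = m.group(1), None
        elif m := re.match(r"ip address (\S+) (\S+)", line):
            net = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
        elif m := re.match(r"ip authentication key-chain eigrp \d+ (\S+)", line):
            ifaces.append((iface, net, m.group(1)))
    return chains, ifaces

def audit(configs):
    """Flag key-strings with edge whitespace and links whose two ends disagree."""
    findings, links = [], {}
    for router, text in configs.items():
        chains, ifaces = parse(text)
        for name, keys in chains.items():
            for kid, secret in keys.items():
                if secret != secret.strip():
                    findings.append(f"{router} {name} key {kid}: edge whitespace, "
                                    f"{len(secret)} chars stored, {len(secret.strip())} visible")
        for iface, net, name in ifaces:
            links.setdefault(net, []).append((f"{router} {iface}", chains.get(name, {})))
    for net, ends in links.items():
        for (a, keys_a), (b, keys_b) in zip(ends, ends[1:]):
            bad = sorted(k for k in keys_a.keys() | keys_b.keys() if keys_a.get(k) != keys_b.get(k))
            if bad:
                findings.append(f"{net}: {a} and {b} disagree on key id(s) {bad}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(CONFIGS)))
```

Terminal copy and paste can trim trailing spaces, so run it against a config saved as a file rather than against pasted screen output.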
MrXpert Member Posts: 586 ■■■□□□□□□□Hi,
I managed to get eigrp key chains working but the routing table has me confused as I'm sure this is nothing i saw during my CCNA.
I ran the show ip route command and debug ip icmp on R1 and got this
Gateway of last resort is not set
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.0.0/30 is directly connected, Serial1/0
C 172.16.0.2/32 is directly connected, Serial1/0
172.30.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.30.0.2/32 is directly connected, Serial1/1
C 172.30.0.0/30 is directly connected, Serial1/1
C 10.0.0.0/8 is directly connected, Loopback1
192.168.0.0/24 is variably subnetted, 3 subnets, 2 masks
D 192.168.0.0/28 [90/2681856] via 172.30.0.2, 00:00:08, Serial1/1
[90/2681856] via 172.16.0.2, 00:00:08, Serial1/0
D 192.168.0.1/32 [90/2681856] via 172.30.0.2, 00:00:08, Serial1/1
D 192.168.0.2/32 [90/2681856] via 172.16.0.2, 00:00:08, Serial1/0
R1#DEBUG IP IMCP
^
% Invalid input detected at '^' marker.
R1#DEBUG IP ICMP
ICMP packet debugging is on
R1#PING 192.168.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/43/56 ms
R1#
*Mar 1 00:04:04.635: ICMP: echo reply rcvd, src 192.168.0.1, dst 172.30.0.1
*Mar 1 00:04:04.687: ICMP: echo reply rcvd, src 192.168.0.1, dst 172.30.0.1
*Mar 1 00:04:04.727: ICMP: echo reply rcvd, src 192.168.0.1, dst 172.30.0.1
*Mar 1 00:04:04.767: ICMP: echo reply rcvd, src 192.168.0.1, dst 172.30.0.1
*Mar 1 00:04:04.807: ICMP: echo reply rcvd, src 192.168.0.1, dst 172.30.0.1
I would have thought that if I was pinging 192.168.0.1, the router replying should be R2 not R3. It's like it's taking the longer way around.
-
networker050184 Mod Posts: 11,962 Mod
The /32 comes from using PPP. It allows the router to communicate if they are not on the same subnet. You can disable it with the "no peer neighbor-route" (I think that's the command).
An expert is a man who has made all the mistakes which can be made.
-
MrXpert Member Posts: 586 ■■■□□□□□□□
networker050184 wrote: » The /32 comes from using PPP. It allows the router to communicate if they are not on the same subnet. You can disable it with the "no peer neighbor-route" (I think that's the command).
Thanks, I didn't know this. Will give it a shot.
I just now also ran the show ip eigrp topology table and got a few more strange things
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status
P 10.0.0.0/8, 1 successors, FD is 2297856
via 172.16.0.1 (2297856/128256), Serial1/0
P 192.168.0.0/28, 1 successors, FD is 2169856
via Connected, Serial1/1
P 192.168.0.1/32, 0 successors, FD is Inaccessible
via 192.168.0.2 (2681856/2169856), Serial1/1
via 172.16.0.1 (3193856/2681856), Serial1/0
P 192.168.0.2/32, 1 successors, FD is 2169856
via Rconnected (2169856/0)
P 172.30.0.2/32, 1 successors, FD is 2681856
via 172.16.0.1 (2681856/2169856), Serial1/0
P 172.30.0.0/30, 2 successors, FD is 2681856
via 172.16.0.1 (2681856/2169856), Serial1/0
via 192.168.0.2 (2681856/2169856), Serial1/1
P 172.30.0.1/32, 1 successors, FD is 2681856
via 192.168.0.2 (2681856/2169856), Serial1/1
P 172.16.0.0/30, 1 successors, FD is 2169856
via Connected, Serial1/0
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status
P 172.16.0.1/32, 1 successors, FD is 2169856
via Rconnected (2169856/0)
P 172.16.0.2/32, 0 successors, FD is Inaccessible
via 192.168.0.2 (3193856/2681856), Serial1/1
via 172.16.0.1 (2681856/2169856), Serial1/0
-
networker050184 Mod Posts: 11,962 Mod
What are you thinking is strange about this output?
-
MrXpert Member Posts: 586 ■■■□□□□□□□
networker050184 wrote: » What are you thinking is strange about this output?
This in particular seems out of place:
P 192.168.0.1/32, 0 successors, FD is Inaccessible
P 172.16.0.1/32, 1 successors, FD is 2169856
via Rconnected (2169856/0)
P 172.16.0.2/32, 0 successors, FD is Inaccessible
I've never seen anything like this before and I don't know why it should do that. Makes me think how unprepared I really am as I have been using PT up till now.
-
networker050184 Mod Posts: 11,962 Mod
Those are the /32s that come from using PPP. Use the no neighbor-route command or change the encapsulation and they will go away.
-
MrBrian Member Posts: 520
I didn't know about the host routes with PPP either, thanks networker. Googled it and found a nice little article:
Remove unwanted PPP peer route « ipSpace.net by @ioshints
Looks like you gotta clear the routing table or flap the interface after you do the "no peer neighbor-route" command for it to go away..
-
MrXpert Member Posts: 586 ■■■□□□□□□□
MrBrian wrote: » I didn't know about the host routes with PPP either, thanks networker. Googled it and found a nice little article: Remove unwanted PPP peer route « ipSpace.net by @ioshints. Looks like you gotta clear the routing table or flap the interface after you do the "no peer neighbor-route" command for it to go away..
yeh those host routes are kinda like a bad smell that lingers :) imo
-
MrXpert Member Posts: 586 ■■■□□□□□□□
MrBrian wrote: » Just glancing at the configs I'm not sure. There must be a reason though. One thing I would check is that for your key-strings make sure that you hit enter right after the last letter of the password when configuring it. One time I was doing this and was using question marks after everything just to make sure that was it... and on one of the key-strings I hit space at the end, then entered it. In doing this, the router thought the password was the word plus an invisible space at the end. The other side didn't have this space. When looking at the configs, I couldn't see that there was an invisible space at the end of one of the passwords, so they appeared to match. It took me forever to figure out and I was going crazy lol! Just a thought..
Excellent! This solved my problem. I was using question marks and unfortunately was doing it on some interfaces but not others. Thanks for your help. Also the command no neighbor-route is also very good to know regarding PPP.
I would like to know what terminal emulators people use in GNS3? I'm using the inherent Putty but find it a bit hard to manage. Is there anything better? Ideally one which has tabs at the top? I heard SecureCRT has this. Jeremy from CBT uses this but I think it's hundreds of USD$ to buy.
Is there also any way to stop those annoying "configured from console" messages from appearing? I have typed logging synchronous and no exec-timeout to make things a bit easier but any tips would be appreciated. Thanks.
-
SharkDiver Member Posts: 844
Wow, that's good to know.
I guess I never thought that the router would think the space was part of the string or key-chain name.
Nice catch.
-
MrBrian Member Posts: 520
MrXpert wrote: » Excellent! This solved my problem. I was using question marks and unfortunately was doing it on some interfaces but not others. Thanks for your help. Also the command no neighbor-route is also very good to know regarding PPP. I would like to know what terminal emulators people use in GNS3? I'm using the inherent Putty but find it a bit hard to manage. Is there anything better? Ideally one which has tabs at the top? I heard SecureCRT has this. Jeremy from CBT uses this but I think it's hundreds of USD$ to buy. Is there also any way to stop those annoying "configured from console" messages from appearing? I have typed logging synchronous and no exec-timeout to make things a bit easier but any tips would be appreciated. Thanks.
Wow, awesome. I think this is the first time I've solved someone's problem here on the forum.. lol. Or at least the first time they came back and explicitly told me. Anyways, glad I could help you out.
As for stopping the "configured from console" messages, I'm not sure. I guess it doesn't really bug me too much. I use putty to connect to my 2511, which is then hooked up to everything in my lab. No tabs for me, but I'm used to ctrl-shift-6-x to jump around. Not too much of a hassle imo