networking-forum.com

All times are UTC - 6 hours [ DST ]



 Post subject: eigrp authentication
Posted: Tue May 01, 2012 3:41 am
New Member

Joined: Mon May 09, 2011 9:07 am
Posts: 9
Hello guys,

I am going through CCNP ROUTE and I have a problem with EIGRP authentication. Can somebody explain to me why this configuration is not working?

R5 ROUTER

R5#show key chain
Key-chain KLUCENKA:
key 1 -- text "JAHODA1"
accept lifetime (10:25:00 UTC May 1 2012) - (10:35:00 UTC May 1 2012)
send lifetime (10:35:00 UTC May 1 2012) - (infinite) [valid now]
key 2 -- text "JAHODA2"
accept lifetime (10:35:00 UTC May 1 2012) - (10:45:00 UTC May 1 2012) [valid now]
send lifetime (10:45:00 UTC May 1 2012) - (infinite)


R5#show running-config interface fastEthernet 1/0
Building configuration...

Current configuration : 185 bytes
!
interface FastEthernet1/0
ip address 192.168.1.1 255.255.255.0
ip authentication mode eigrp 100 md5
ip authentication key-chain eigrp 100 KLUCENKA
duplex auto
speed auto
!
end


R6 ROUTER
R6#show key chain
Key-chain KLUCENKA:
key 1 -- text "JAHODA1"
accept lifetime (10:25:00 UTC May 1 2012) - (10:35:00 UTC May 1 2012)
send lifetime (10:35:00 UTC May 1 2012) - (infinite) [valid now]
key 2 -- text "JAHODA2"
accept lifetime (10:35:00 UTC May 1 2012) - (10:45:00 UTC May 1 2012) [valid now]
send lifetime (10:45:00 UTC May 1 2012) - (infinite)
R6#sh running-config interface fastEthernet 1/0
Building configuration...

Current configuration : 185 bytes
!
interface FastEthernet1/0
ip address 192.168.1.2 255.255.255.0
ip authentication mode eigrp 100 md5
ip authentication key-chain eigrp 100 KLUCENKA
duplex auto
speed auto
!
end

DEBUG OUTPUT
R6#debug eigrp packets
(UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
EIGRP Packet debugging is on
R6#
*May 1 10:36:16.329: EIGRP: pkt authentication key id = 1, key not defined or not live
*May 1 10:36:16.329: EIGRP: FastEthernet1/0: ignored packet from 192.168.1.1, opcode = 5 (invalid authentication)
*May 1 10:36:16.909: EIGRP: Sending HELLO on FastEthernet1/0 nbr 192.168.1.1
*May 1 10:36:16.909: AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0

Why do I have invalid authentication there?

Thanks for any answer,
TheTechnic


 Post subject: Re: eigrp authentication
Posted: Tue May 01, 2012 4:14 am
Ultimate Member

Joined: Thu Jan 13, 2011 5:10 pm
Posts: 984
Location: Leeds, UK
Certs: CCIE R&S #38338, CCNP, CCIP
What is the output of the clock on both devices?

_________________
---
David
CCIE R&S #38338, CCIP, CCNP

http://networkbroadcast.co.uk - My Blog
http://twitter.com/davidrothera


 Post subject: Re: eigrp authentication
Posted: Tue May 01, 2012 4:31 am
New Member

Joined: Mon May 09, 2011 9:07 am
Posts: 9
Clock time:
R6#show clock
*11:24:23.872 UTC Tue May 1 2012

R5#sh clock
*11:24:13.888 UTC Tue May 1 2012

I figured out that I must change the key 1 send lifetime not to infinity, but to a correct time, for example from 10:35:00 UTC May 1 2012 to 10:35:30 UTC May 1 2012. After that period key 2 should be activated.

I am trying to figure out the best answer for this question:
http://desmond.imageshack.us/Himg213/sc ... es=landing
I think that the answer is the 1st option, based on my debug output: authentication key id = 1, key not defined or not live
The router is still trying to encrypt messages with only the key string in key 1, because it has an infinite lifetime.

What do you think about it?


 Post subject: Re: eigrp authentication
Posted: Tue May 01, 2012 4:42 am
Senior Member

Joined: Wed Aug 24, 2011 1:43 am
Posts: 485
Location: Bournemouth, UK
Certs: CCNP
I would also maybe have some overlap between keys 1 and 2 with the accept part, since the way I am thinking is if the router was under heavy load and it took more than a minute to process it, it might reject it.


 Post subject: Re: eigrp authentication
Posted: Tue May 01, 2012 4:44 am
Ultimate Member

Joined: Thu Jan 13, 2011 5:10 pm
Posts: 984
Location: Leeds, UK
Certs: CCIE R&S #38338, CCNP, CCIP
I was going to say that I suspected that your clock was after 10:35 because you would have been sending Key1 but only accepting Key2.

As DavidR says, make sure that you always have a few hours/days overlap when it sends both keys and accepts both keys to stop this kind of issue occurring.

_________________
---
David
CCIE R&S #38338, CCIP, CCNP

http://networkbroadcast.co.uk - My Blog
http://twitter.com/davidrothera


 Post subject: Re: eigrp authentication
Posted: Tue May 01, 2012 1:29 pm
Junior Member

Joined: Mon Mar 05, 2012 8:41 am
Posts: 81
Certs: CCNP, JNCIA-JUNOS, Security+
TheTechnic wrote:
Key-chain KLUCENKA:
key 1 -- text "JAHODA1"
accept lifetime (10:25:00 UTC May 1 2012) - (10:35:00 UTC May 1 2012)
send lifetime (10:35:00 UTC May 1 2012) - (infinite) [valid now]
key 2 -- text "JAHODA2"
accept lifetime (10:35:00 UTC May 1 2012) - (10:45:00 UTC May 1 2012) [valid now]
send lifetime (10:45:00 UTC May 1 2012) - (infinite)

R6#
*May 1 10:36:16.329: EIGRP: pkt authentication key id = 1, key not defined or not live
*May 1 10:36:16.329: EIGRP: FastEthernet1/0: ignored packet from 192.168.1.1, opcode = 5 (invalid authentication)
*May 1 10:36:16.909: EIGRP: Sending HELLO on FastEthernet1/0 nbr 192.168.1.1
*May 1 10:36:16.909: AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0


I am studying for the CCNP Route as well. I think the issue is that you are sending key 1 and accepting key 2. When you did the debug it was at 10:36. At that time key 1 is no longer accepted but it is still being sent. Key 2 is accepted but won't be sent until 10:45.
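
Added example, not part of the original thread and not Cisco code: this Python script parses the `show key chain` output posted above and reports which key a router would send at a given time and whether its neighbour would accept it. It assumes the sender uses the lowest-numbered key whose send lifetime is live; `OVERLAP` is a constructed chain, and all function names are hypothetical.

```python
import re
from datetime import datetime

# `show key chain` output as posted in the thread (identical on R5 and R6).
POSTED = """\
Key-chain KLUCENKA:
key 1 -- text "JAHODA1"
accept lifetime (10:25:00 UTC May 1 2012) - (10:35:00 UTC May 1 2012)
send lifetime (10:35:00 UTC May 1 2012) - (infinite) [valid now]
key 2 -- text "JAHODA2"
accept lifetime (10:35:00 UTC May 1 2012) - (10:45:00 UTC May 1 2012) [valid now]
send lifetime (10:45:00 UTC May 1 2012) - (infinite)
"""
# Constructed sample (not from the thread): lifetimes overlap, as the replies advise.
OVERLAP = """\
key 1 -- text "JAHODA1"
accept lifetime (10:25:00 UTC May 1 2012) - (10:50:00 UTC May 1 2012)
send lifetime (10:25:00 UTC May 1 2012) - (10:40:00 UTC May 1 2012)
key 2 -- text "JAHODA2"
accept lifetime (10:35:00 UTC May 1 2012) - (infinite)
send lifetime (10:40:00 UTC May 1 2012) - (infinite)
"""
LIFETIME = re.compile(r"(accept|send) lifetime \((.+?)\) - \((.+?)\)")

def _ts(text):
    return datetime.max if text == "infinite" else datetime.strptime(text, "%H:%M:%S UTC %b %d %Y")

def parse_key_chain(text):
    """Return {key_id: {"accept": (start, end), "send": (start, end)}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if m := re.match(r"key (\d+) --", line.strip()):
            current = keys.setdefault(int(m.group(1)), {})
        elif (m := LIFETIME.search(line)) and current is not None:
            current[m.group(1)] = (_ts(m.group(2)), _ts(m.group(3)))
    return keys

def live(window, now):
    return window[0] <= now < window[1]

def check(sender, receiver, now):
    """Return (key id the sender uses, whether the receiver accepts it) at `now`."""
    # Assumption: the sender uses the lowest-numbered key whose send lifetime is live.
    sendable = [k for k in sorted(sender) if live(sender[k]["send"], now)]
    kid = sendable[0] if sendable else None
    return (kid, kid in receiver and live(receiver[kid]["accept"], now))

if __name__ == "__main__":
    print(check(parse_key_chain(POSTED), parse_key_chain(POSTED), datetime(2012, 5, 1, 10, 36, 16)))
```

Run at the timestamp of the debug line (10:36:16), the posted chain sends key 1 while the neighbour no longer accepts it; the overlapping chain passes at the same instant and after the switch to key 2.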

