We've just turned up something similar. The difference is we are not using a keychain for the P2P password.
>show configuration protocols isis
topologies ipv6-unicast;
overload timeout 300;
level 1 disable;
level 2 {
    authentication-key-chain ISIS_DOMAIN;
    wide-metrics-only;
}
interface ae6.0 {
    ldp-synchronization;
    lsp-interval 50;
    point-to-point;
    link-protection;
    level 2 {
        metric 10000;
        ipv6-unicast-metric 10000;
        hello-authentication-key "<password>"; ## SECRET-DATA
        hello-authentication-type md5;
    }
}

> show configuration security
authentication-key-chains {
    key-chain ISIS_DOMAIN {
        key 1 {
            secret "<PASSWORD>"; ## SECRET-DATA
            start-time "2019-1-1.00:00:00 +0000";
            algorithm md5;
        }
    }
}

router isis ISIS
 set-overload-bit on-startup wait-for-bgp
 is-type level-2-only
 net 49.0001.0511.4807.2051.00
 lsp-password keychain ISIS-DOMAIN
 address-family ipv4 unicast
  metric-style wide level 2
  maximum-paths 8
  segment-routing mpls
 !
 address-family ipv6 unicast
  metric-style wide level 2
  maximum-paths 8
 !
 interface Bundle-Ether1
  hello-password hmac-md5 encrypted <PASSWORD>
  address-family ipv4 unicast
   metric 10000

On Wed, 27 May 2020 at 12:46, Eric Van Tol <e...@atlantech.net> wrote:

> Sorry if this is a duplicate – Outlook chose the ‘bounces’ address as the
> one to send to and I didn’t notice.
>
> Hi all,
> I’m testing out an NCS540 for use in our network and this is my first
> foray into IOS-XR. We have a mix of Juniper and Cisco IOS/IOS-XE devices
> that the NCS needs to interoperate with. I’m having some minor trouble with
> IS-IS authentication and it’s kind of driving me nuts because I can’t get
> IS-IS to come up when authentication is configured. I keep getting this
> error:
>
> BAD P2P IIH rcvd from TenGigE0/0/0/19 SNPA 5c5e.abde.1e00: dropped because
> cryptographic password mismatch
>
> Seems pretty obvious, but my keychain key password is configured and
> verified to match on both sides:
>
> key chain isis-chain
>  key 1
>   accept-lifetime 00:00:00 january 01 1993 infinite
>   key-string password <password>
>   send-lifetime 00:00:00 january 01 1993 infinite
>   cryptographic-algorithm HMAC-MD5
>  !
>  accept-tolerance infinite
>
> I’ve tried both MD5 and HMAC-MD5, neither works. Here is my IS-IS config
> on the NCS540:
>
> router isis rtr1
>  set-overload-bit on-startup wait-for-bgp
>  is-type level-2-only
>  net 49.0001.1071.3820.2192.00
>  log adjacency changes
>  lsp-mtu 1497
>  lsp-password keychain isis-chain
>  address-family ipv4 unicast
>   metric-style wide level 2
>  !
>  address-family ipv6 unicast
>   metric-style wide level 2
>   single-topology
>  !
>  interface Loopback1
>   passive
>   address-family ipv4 unicast
>   !
>   address-family ipv6 unicast
>   !
>  !
>  interface TenGigE0/0/0/19
>   circuit-type level-2-only
>   point-to-point
>   hello-password keychain isis-chain
>   address-family ipv4 unicast
>    metric 3500
>   !
>   address-family ipv6 unicast
>    metric 3500
>   !
>  !
>
> traceoptions on the Juniper shows something similar:
>
> ERROR: IIH from 1071.3820.2192 on xe-0/0/0.0 failed authentication
>
> Here’s the Juniper key config and isis stanza:
>
> authentication-key-chains {
>     key-chain isis-chain {
>         key 1 {
>             secret "<password>"; ## SECRET-DATA
>             start-time "1993-1-1.00:00:00 +0000";
>             algorithm md5;
>         }
>     }
> }
> protocols {
>     isis {
>         level 1 disable;
>         level 2 {
>             authentication-key-chain isis-chain;
>             wide-metrics-only;
>         }
>         interface xe-0/0/0.0 {
>             point-to-point;
>             level 2 {
>                 metric 3500;
>                 hello-authentication-key-chain isis-chain;
>             }
>             level 1 disable;
>         }
>     }
>
> I know it’s got to be something simple, but it’s not clicking for me
> today. It seems like any step forward I take with IOS-XR, I end up taking
> two steps back on the next thing that ‘just works’ everywhere else.
>
> -evt
> _______________________________________________
> cisco-nsp mailing list cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
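
An added example, not part of either poster's message: a Python check that recomputes the HMAC-MD5 digest of a point-to-point IIH the way RFC 5304 defines it (HMAC over the whole PDU with the 16-byte authentication value zeroed), so a hello taken from a packet capture can be tested against the cleartext password each side is believed to hold. The function names and the sample PDU are constructed for illustration, and extracting the IS-IS PDU bytes from a capture is assumed to happen elsewhere.

```python
import hmac
import struct

AUTH_TLV = 10   # Authentication Information TLV
HMAC_MD5 = 54   # authentication type for HMAC-MD5 (RFC 5304)
P2P_IIH = 17    # PDU type of a point-to-point hello
HDR_LEN = 20    # 8-byte common header + 12 bytes of P2P IIH fields


def find_hmac_md5(pdu):
    """Return (offset, digest) of the HMAC-MD5 value in a P2P IIH, or None."""
    if len(pdu) < HDR_LEN or pdu[4] & 0x1F != P2P_IIH:
        raise ValueError("not a P2P IIH")
    pos = HDR_LEN
    while pos + 2 <= len(pdu):
        tlv_type, tlv_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + tlv_len]
        if len(value) < tlv_len:
            raise ValueError("truncated TLV")
        if tlv_type == AUTH_TLV and tlv_len == 17 and value[0] == HMAC_MD5:
            return pos + 3, value[1:]
        pos += 2 + tlv_len
    return None


def iih_digest(pdu, offset, password):
    """HMAC-MD5 over the PDU with the authentication value set to zero."""
    zeroed = pdu[:offset] + bytes(16) + pdu[offset + 16:]
    return hmac.new(password, zeroed, "md5").digest()


def check_iih(pdu, password):
    """password is the cleartext key, not the encrypted form in the config."""
    found = find_hmac_md5(pdu)
    if found is None:
        return "no HMAC-MD5 TLV"  # plaintext or another auth type on the wire
    offset, received = found
    expected = iih_digest(pdu, offset, password)
    return "match" if hmac.compare_digest(received, expected) else "mismatch"


def build_sample_iih(password):
    """Constructed P2P IIH (not a capture), signed with `password`."""
    tlvs = bytes([AUTH_TLV, 17, HMAC_MD5]) + bytes(16) + bytes([1, 4, 3, 0x49, 0, 1])
    hdr = bytes([0x83, HDR_LEN, 1, 0, P2P_IIH, 1, 0, 0, 2])
    hdr += bytes.fromhex("107138202192") + struct.pack("!HHB", 30, HDR_LEN + len(tlvs), 1)
    pdu = hdr + tlvs
    return pdu[:23] + iih_digest(pdu, 23, password) + pdu[39:]
```

A "mismatch" for a password that is known to be configured on the sender, or a "no HMAC-MD5 TLV" result, points at a difference in how the hello was authenticated rather than at a typo in the key.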