I'm not discounting a bug. I have submitted a question to the open forum on CCO, no responses yet. I know that my config is correct as the OSPF neighbors form soon after the ISDN link is activated (i.e. the keys do match on both sides). The neighbors will stay up; however, the ISDN link also stays up.

If I filter out 224.0.0.5 from being interesting, something I assumed was done when you code ip ospf demand-circuit, once the ISDN link is down, OSPF is still sending hello packets; at the dead-interval the neighbors die due to the dead-interval being hit. This is shown in debugs/logs: adj-change neighbor down dead interval hit. My understanding of demand-circuit is that there is no dead interval. The hellos should be suppressed. If you issue a show ip ospf interface dialer0, it shows that the hellos are suppressed for 1 neighbor(s). However, if I simply use the dialer-list 1 protocol ip permit the ISDN link is brought up by the 224.0.0.5 and stays up. Very strange.

I do not have access to an ISDN simulator at my office lab. Hopefully I'll get more time at our local Cisco office. For those with an ISDN simulator, see if you can keep your link quiet yet keep your OSPF neighbors active over the circuit with area MD5 auth turned on.

Richard

>>Are you using the simple password authentication or the MD5 authentication?
>>I realized that I assumed MD5 in my previous answer.

At 02:20 PM 2/1/02, Richard Newman wrote:
>Thanks for all the replies. No clear answer yet. I do know for a fact due to
>debugs that there is a periodic key exchange sequence. The debug would show
>as OSPF: Send with youngest Key 1. The traffic would come across as
>224.0.0.5.

That's just a hello. With MD5, the key is used to create the message digest added to the hello. I agree with Peter that it might be a bug (if you're using MD5). If you're not using MD5, this may be normal behavior? But you should use MD5. The other method sends the password as clear text. It's useless as far as security is concerned.

Priscilla

>The only difference between the demand-circuit peers staying up
>or being terminated is no authentication versus authentication. And actually
>the area number doesn't matter. Also be aware, I found this out the hard
>way, that you can actually have blank spaces after your key value which will
>not be visible. This cost me hours of troubleshooting until I deleted and
>re-added my key statements. Oops.
>
>Richard
>
>
>"Richard Newman" wrote in message
>news:[EMAIL PROTECTED]...
> > Hi all.
> > I was working on a lab with an ISDN link between two of my OSPF routers. The
> > link would come up if the Frame cloud went away. Normal stuff, link would be
> > initiated as usual. However, since area 0 had authentication turned on,
> > broadcasts from 224.0.0.5 kept the ISDN link up all the time. If I filtered
> > out the 224.0.0.5 from being interesting, the OSPF neighbors would get
> > terminated at the dead interval. When I turn off authentication from area 0, all
> > worked as normal.
> >
> > Is this a normal occurrence? When area authentication is turned on, do the
> > key exchanges still happen even over a demand-circuit?
> >
> > Thanks...
> > Richard Newman

________________________

Priscilla Oppenheimer
http://www.priscilla.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=34367&t=33884
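
An added example, not part of the original thread: how the two OSPFv2 authentication types discussed above put the secret into a hello, following RFC 2328 Appendix D. The addresses, timers, passwords and keys are constructed lab values, and the last check assumes a trailing space is stored as part of the key, as the post above reports.

```python
import hashlib, hmac, socket, struct

def inet_checksum(data):
    # Standard 16-bit one's-complement sum (data length is even here).
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def hello(autype, auth_field, router_id="10.0.0.1", area="0.0.0.0"):
    # 24-byte OSPFv2 header + 20-byte Hello body with no neighbors listed.
    # Options 0x22 = E-bit plus DC-bit (demand circuit). Values are constructed.
    body = struct.pack("!4sHBBI4s4s", socket.inet_aton("255.255.255.252"),
                       10, 0x22, 1, 40, bytes(4), bytes(4))
    return struct.pack("!BBH4s4sHH8s", 2, 1, 24 + len(body),
                       socket.inet_aton(router_id), socket.inet_aton(area),
                       0, autype, auth_field) + body

def simple_hello(password):
    # AuType 1: the password itself rides in the 8-byte authentication field.
    pkt = hello(1, password.ljust(8, b"\0"))
    csum = inet_checksum(pkt[:16] + pkt[24:])   # auth field is excluded
    return pkt[:12] + struct.pack("!H", csum) + pkt[14:]

def md5_hello(key, key_id, seq):
    # AuType 2: field = 0, Key ID, digest length 16, sequence number.
    if len(key) > 16:
        raise ValueError("OSPF MD5 keys are at most 16 bytes")
    pkt = hello(2, struct.pack("!HBBI", 0, key_id, 16, seq))
    # Digest covers the packet followed by the key zero-padded to 16 bytes;
    # it is appended and not counted in the header's length field.
    return pkt + hashlib.md5(pkt + key.ljust(16, b"\0")).digest()

def verify(packet, key):
    # Receiver side: recompute the digest with the locally configured key.
    pkt, digest = packet[:-16], packet[-16:]
    expected = hashlib.md5(pkt + key.ljust(16, b"\0")).digest()
    return hmac.compare_digest(digest, expected)

if __name__ == "__main__":
    print("password visible:", b"lab-pw" in simple_hello(b"lab-pw"))
    print("keys match:      ", verify(md5_hello(b"lab-key", 1, 1), b"lab-key"))
    print("trailing space:  ", verify(md5_hello(b"lab-key ", 1, 1), b"lab-key"))
```

With MD5 every hello carries a digest and a sequence number but never the key, so a key mismatch caused by an invisible trailing space shows up only as failed authentication on the receiver.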