I'm pretty new to Juniper and I'm trying to troubleshoot a pretty weird problem between an MX960 running 9.6R4.4 and a CRS-8 running XR 4.0.4. It's a very straightforward ISIS configuration for IPv6. We have MD5 authentication configured on both sides. The adjacency comes up, but the Juniper doesn't learn any routes from the CRS and the logs complain about packets unexpectedly having a message digest. I'm not sure why they'd be unexpected.
The CRS is learning routes from the MX960, but it's critical that the reverse happen, as well. I just checked the logs and now I'm seeing messages about LSPs being ignored because they're missing authentication. I have a suspicion about what is happening, but I'm not sure. I think the CRS is only authenticating the hello packets but is not authenticating the LSPs, whereas the MX960 is expecting everything to have md5 headers. I'm not ever sure that it's possible to configure IOS XR to only add md5 to the hellos but not the LSPs. This is really just a guess based on what I'm seeing. To enable md5 authentication in IOS XR, you add "hello-password hmac-md5 encrypted ##hashed text##" on the neighbor. That seems like it might actually be specific to the hellos and not necessarily the LSPs. On the MX960, we have an authentication-key and authentication-type md5 configured. On a different router in our network, I see that someone has configured a different MX960 the same way, but they also added a hello-authentication-key and hello-authentication-type md5 to a specific neighbor. This is all a little confusing because in that latter case I mentioned, the mix of routers is the same and the configuration between the two is the same as what I have, but the software is a little different. I'm wondering if I'm running into a bug or at least some quirky behavior. My MX960 is setting up the adjacency but dropping the other LSPs, but the other MX960 is not even though they're both connected to CRS. Have any of you had any weird authentication issues like this? _______________________________________________ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp