ISIS hello MD5 authentication

[sergeyrar]

Hi,

I'm trying to establish an MD5 authenticated ISIS session between MX and ASR routers.

ASR9k configuration:

Code Select Expand


router isis 1
net 49.0001.0030.0300.3003.00
nsf ietf
nsf lifetime 120
address-family ipv4 unicast
  metric-style wide
  mpls traffic-eng level-2-only
  mpls traffic-eng router-id 3.3.3.3
!
interface Loopback0
  passive
  address-family ipv4 unicast
  !
!
interface TenGigE0/0/2/3
  circuit-type level-2-only
  point-to-point
  lsp-interval 1
  hello-interval 3
  hello-password keychain exa-key
  address-family ipv4 unicast
  !
!
!
key chain exa-key
key 0
  accept-lifetime 00:00:00 january 01 2000 infinite
  key-string password 060317205B4F1B1C
  cryptographic-algorithm MD5
!
!



MX configuration:

Code Select Expand


show protocols isis
reference-bandwidth 1000g;
spf-options delay 100;
graceful-restart restart-duration 120;

interface xe-2/0/3.0 {
    lsp-interval 1;
    point-to-point;
    level 2 {
        metric 100;
        hello-authentication-key-chain exa-key;
        hello-interval 3;
        hold-time 9;
    }
}
interface lo0.0 {
    passive;
}

show security
authentication-key-chains {
    key-chain exa-key {
        key 0 {
            secret "$9$.P5Fp0IEhrBIEyeK7Ns24"; ## SECRET-DATA
            start-time "2000-1-1.00:00:00 +0200";
            algorithm md5;
        }
    }
}




From isis adjacency debug of ASR9k I get the following error -

Code Select Expand


RP/0/RSP0/CPU0:ASR9K-R3#debug isis adjacencies interface tenGigE 0/0/2/3
Tue Aug 15 05:51:17.741 Jerusalem
RP/0/RSP0/CPU0:ASR9K-R3#RP/0/RSP0/CPU0:Aug 15 05:51:18.522 : isis[1006]: SEND P2P IIH (L2) on TenGigE0/0/2/3: Holdtime 9s, Length 1497
RP/0/RSP0/CPU0:Aug 15 05:51:20.638 : isis[1006]: BAD P2P IIH rcvd from TenGigE0/0/2/3 SNPA 44f4.771f.954d: dropped because authentication TLV not found



It is as if authentication is not even enabled on MX.


Please help 

[srg]

Probably need

set level 2 authentication-type md5

inside router isis.