Home > Ticket 1 – OSPF Authentication

Ticket 1 – OSPF Authentication

May 6th, 2018 in TSHOOT v2 Go to comments

1.Client is unable to ping R1’s serial interface from the client.

Problem was disable authentication on R1, check where authentication is not given under router ospf of R1. (use ipv4 Layer 3)

Configuration of R1:

interface Serial0/0/0
 description Link to R2
 ip address
 ip nat inside
 encapsulation frame-relay
 ip ospf message-digest-key 1 md5 TSHOOT
 ip ospf network point-to-point
router ospf 1
 network area 12
 network area 12
 default-information originate always

Configuration of R2:
interface Serial0/0/0.12 point-to-point
 ip address
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 TSHOOT

Answer: on R1 need command ip ospf authentication message-digest”

Ans1) R1
Ans2) IPv4 OSPF Routing
Ans3) Enable OSPF authentication on the s0/0/0 interface using the “ip ospf authentication message-digest” command.


There are two ways of configuring OSPF authentication:

interface Serial0/0/0
  ip ospf message-digest-key 1 md5 TSH00T
router ospf 1
  area 12 authentication message-digest


interface Serial0/0/0
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5 TSH00T

So you have to check carefully in both interface mode and “router ospf 1”. If none of them has authentication then it is a fault.

Comments (30) Comments
Comment pages
1 2 3 50 38
  1. Naveed
    September 4th, 2010

    Replace the ‘Answer’ with following statement
    On R1 need the command in interface configuration mode of S0/0/0 (not in router mode)

    Symptoms of above ticket are as below:-
    1- No one is able to ping (R1’s S0/0/0 int) except R2.
    2- Client 1 is able to ping upto (R2’s S0/0.12 int).
    3- ‘Sh ip ospf neighbor’ command on R1 will not show any neighbor
    4- ‘sh ip route ospf’ command on R1 will not show any OSPF route

  2. mema
    September 4th, 2010

    Until now this problem appeared only on R2? what i mean is : R1 has correct config but not R2.
    the config missing was about the “ip ospf authentication message-digest” in all cases?

  3. Cisco TAC
    September 5th, 2010

    Great Job uTut. Well revise the exam again. Will make it easier so everyone will have chance to take CCIE.

  4. mema
    September 5th, 2010


    sorry mate but i didn’t understood it. can you please explain.


  5. DingDong
    September 7th, 2010


    Cisco TAC is very much interested in seeing all of us as CCIE. That’s his aim. Special thanks Cisco TAC

  6. Noel
    September 7th, 2010

    I dont see the problem in this ticket, i think that the command “area 12 authentication message-digest” is required just when you are using different authentication type in a specific area… The authentication type is already defined in the command “ip ospf message-digest-key 1 md5 TSHOOT”, BTW when you execute that command this is applied for all the areas where that interface belong, by default.

    Please tell me if i am wrong.

  7. Naveed
    September 8th, 2010

    On R1’s S0/0/0 interface in the TSHOOT topology technically we can enable MD5 authentication by using one of the two ways
    1- by giving command ‘ip ospf authentication message-digest’ under interface configuration mode of S0/0/0 or
    2- by giving ‘area 0 authentication message-digest’ command in the router ospf mode. (as u said, but for TSHOOT exam they didn’t used this and i think option 1 is more appropriate for TSHOOT topology, since R1 is having only one interface in Area 12 and there is no point to enable authentication on all the R1’s interfaces lying inside Area 12(which is the purpose of this command). Just think if you will add any other interface of R1 in area 12 then authentication will automatically be applied on that which you may not intend to configure resulting in extra troubleshooting steps)

    In addition to that we need ‘ip ospf message-digest-key 1 md5 TSHOOT’ to define that we will use which key for MD authentication, in above example its ‘TSHOOT’. This command is not serving the purpose of enabling MD5 authentication and only used to set the key.

    Please let me know if you require any further clarification.

  8. Naveed
    September 8th, 2010

    Correction in above post
    2- by giving ‘area 12 authentication message-digest’ (Since this is for R1)

  9. Dirk
    September 8th, 2010

    I think the correct answer is ip ospf authentication message-digest command must be given on s0/0.12 of R1. This command enable the authentication using message-digest, this
    related command is also needed when using clear text authentication.

  10. Naveed
    September 9th, 2010

    Yes Dirk you are 100% right. But we were discussing the other alternatives which are also used to do the same job for per area basis while this is per interface basis, personally I’ll prefer per interface basis option but there can be scenarios where per area basis authentication configuration is more appropriate.
    But as far as TSHOOT exam topology and above TT is concerned, they used configuration for per interface basis and the correct answer for above TT is:-
    ‘ip ospf authentication message-digest command must be given on s0/0/0’

  11. cisco_connect
    September 9th, 2010

    Hi All,
    Asl per my understanding for each TT there will be 3 ques. 1. to locate where the problem exist. 2. Problem exists in which technology 3. How to resolve the problem. Now my question is for point no 3 ( How to resolve the problem ) do i need to put the appropriate command from console ? or I need to choose from option list like cisco demo.

  12. Naveed
    September 11th, 2010

    U need to choose from options like cisco demo. You even can’t access the config mode on exam routers.

  13. networktut
    September 13th, 2010

    Yes, the interface should be s0/0.12 of R1. I updated this page!

  14. Max
    September 14th, 2010

    I downloaded the Packet Tracer config file from https://www.networktut.com/download/TSHOOT_LAB.pkt

    I try to figure out the following symptoms, but failed.
    1. PC1 can ping
    2. PC1 can ping
    3. R1#show ip ospf neighbor

    Neighbor ID Pri State Dead Time Address Interface 0 FULL/ – 00:00:34 Serial0/3/0.12
    4. R1#sh ip route ospf is variably subnetted, 5 subnets, 2 masks
    O IA [110/128] via, 00:18:46, Serial0/3/0.12
    O IA [110/192] via, 00:18:46, Serial0/3/0.12

    How to practice or how to figure out symptoms with TSHOOT_LAB.pkt on Packet Tracer, thanks.

    Symptoms of above ticket are as below:-
    1- No one is able to ping (R1’s S0/0/0 int) except R2.
    2- Client 1 is able to ping upto (R2’s S0/0.12 int).
    3- ‘Sh ip ospf neighbor’ command on R1 will not show any neighbor
    4- ‘sh ip route ospf’ command on R1 will not show any OSPF route

  15. ahmed-fouad
    September 15th, 2010

    dear all
    the question format is wrong i think
    the right question format is : the client can’t ping the extrnal serial interface on R1 (
    cause many peoble understand it as the internal serial interface ( )
    if i worng please correct my answer

  16. Naveed
    September 17th, 2010

    1- Don’t expect the packet tracer lab working and behaving perfectly. Many configurations are not done there as per exam topology.
    2- Packet tracer is a simulator, for beginners it is good enough but for CCNP candidates I’ll recommend to use GNS3.
    3- I can tell you the logical reasons of above mentioned symptoms but can’t tell you why you are not getting the required results on a config which i didn’t make.
    Logic of symptoms:-
    1- No one is able to ping (R1’s S0/0/0 int) except R2.
    In order to ping (R1’s S0/0/0 int) our routing should work properly on R1 but R2 can ping R1 without routing since it is directly connected and rosters doesn’t refer to routing tables for directly connected routes. But the rest of the network devices should know exactly about network.

    2- Client 1 is able to ping upto (R2’s S0/0.12 int).
    Since up to here routing information is available to all network devices in the above TT.

    3- ‘Sh ip ospf neighbor’ command on R1 will not show any neighbor
    Since authentication is not succeed so neighbor relation will not achieve a Full mode with R2, and keep on attempting.

    4- ‘sh ip route ospf’ command on R1 will not show any OSPF route.
    Since there is no OSPF neighbor so routes are not coming from anywhere (R2 in our topology).
    Hope it is clear.

  17. Pedram
    September 18th, 2010

    why do we have three answers
    Ans1) R1
    Ans2) ipv4 OSPF
    Ans3) ip ospf authentication message-digest command must be given on s0/0.12

    each ticket consist of three questions or the story is sth else.

  18. networktut
    September 21st, 2010

    Page updated: Ans3) ip ospf authentication message-digest command must be given on s0/0/0 (not s0/0.12)

  19. Lemon
    September 21st, 2010

    Pls reply me, thx a lot.
    I will take it next Monday.

  20. Pedram
    September 21st, 2010

    @ Navid

    Each trouble ticket is consist of three questions right ?
    means 12 TT * 3 = 36 plus 3 or 4 multiple choise ?
    Is this how exam gonna be ? no concept questions at all ?

  21. Anonymous
    September 22nd, 2010

    I took exam today.

    And no the answer is incorrect.
    I choose
    Ans1) R1
    Ans2) ipv4 OSPF
    Ans3) ip ospf authentication message-digest command must be given on s0/0/0
    It was no option s0/0/0.12 or s0/0.12 on R1 I tell you more there no interface s0/0/0.12 or s0/0.12 it doesn’t exist on r1.

    On R2 you have an option
    area 12 authentication message-digest(this maybe correct answer)

  22. gazza
    September 26th, 2010

    Naveed and Network tut…thanks to u guys..i have been doing self study reading the materials and the video mentor….i just want to know if configurations will be required or we are just to detect the network problem and perform the necessary IOS commands to get the right answer..Your quick response is really appreciated…

  23. Jake
    September 28th, 2010


  24. deva
    September 28th, 2010

    hi guys i am going to take tshoot exam on 6 oct and i am trying all TTs in GNS3

    so for regading this TT my observations are

    ip ospf authentication message-digest command should be given under sub interface s0/0.12

    under router ospf 1 ( area 12 authentication message-digest)

    but Not under Physical interface s0/0 pls take note

  25. deva
    September 28th, 2010

    so wha i will do in exam if i get this TT

    1.client 1 can ping up to R2 but not R1

    2.sh ip ospf nei on R2 (may be ill see only but not

    3. sh ip ospf ( check authentication is configured for (area 12) if not check sh ip ospf interface (s0/0.12) on both R1 and R2

    4. May be ill see in R1 or R2 ip ospf authentication message-digest

    5. then ill choose ip ospf authentication message-digest whether under router config mode or under subinterface

  26. Naveed
    September 28th, 2010

    You are right if R1 is configured with a sub-interface S0/0/0.12, but what if we don’t create sub-interface on R1? Yes, its a nice practice in real world to always use a sub-interface to make the room available for smooth future expansion but our frame-relay configuration can also work without creating sub-interface if we need only one link, same is the case with R1.
    Since here we are discussing the exam, so let me give you a update, as per exam official topology (the diagram) they used S0/0/0/0.12 but in the exam configuration they even didn’t used the sub-interfaces and all configuration is done on S0/0/0 (this case is only with R1).

    Yes, exactly.

    You even can not access the global configuration mode. All you have to do is to find out the problem through show/ping/traceroute commands and select the right options in the answers. I’ll advice you to have a look to the demo exam of TSHOOT.

  27. ipmasters
    September 28th, 2010

    hi everyone, I’d like to appreciate everyone for their contributions on this website. I am about to write my tshoot exam in a couple of days. I’d like to know how we can easily know which topology applies to which trouble ticket on the real exam since the trouble tickets will be provided in a random order and all have the same general baseline question like ‘client 1 is unable to ping the server’ and I dont know if it will be specified that ‘use IPv4 Layer 3 or Layer 2/3 topology for this ticket’ as is done in here.

  28. deva
    September 28th, 2010

    hi Naveed ……yes u r correct , i understand, so for i thought in exam topology we have sub-interface but now i understand ,thanks for your info

  29. deva
    September 28th, 2010


    A you already passed 2 exams of CCNP it might not be a problem for u…….. what u will do if topology changes in exam so use this forum as a guide and practice every TT by your own in GNS3

  30. ipmasters
    September 29th, 2010

    @ deva
    thank you for the advice, I am tryin my best to do that

    @ Naveed
    I’d like to hear from you on this subject matter

    more suggestions from anyone else are very welcome.

Comment pages
1 2 3 50 38