Ticket 1 – OSPF Authentication

May 6th, 2018 in TSHOOT v2

1. The client is unable to ping R1’s serial interface.

The problem is that authentication is disabled on R1; check whether authentication is missing under router ospf on R1. (Use the IPv4 Layer 3 topology.)

Configuration of R1:

interface Serial0/0/0
 description Link to R2
 ip address 10.1.1.1 255.255.255.252
 ip nat inside
 encapsulation frame-relay
 ip ospf message-digest-key 1 md5 TSHOOT
 ip ospf network point-to-point
!
router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes
 network 10.1.2.0 0.0.0.255 area 12
 network 10.1.10.0 0.0.0.255 area 12
 default-information originate always
!

Configuration of R2:

interface Serial0/0/0.12 point-to-point
 ip address 10.1.1.2 255.255.255.252
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 TSHOOT
!

Answer: R1 needs the command “ip ospf authentication message-digest”.

Ans1) R1
Ans2) IPv4 OSPF Routing
Ans3) Enable OSPF authentication on the s0/0/0 interface using the “ip ospf authentication message-digest” command.

Note:

There are two ways of configuring OSPF authentication:

interface Serial0/0/0
  ip ospf message-digest-key 1 md5 TSH00T
!
router ospf 1
  area 12 authentication message-digest

OR

interface Serial0/0/0
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5 TSH00T

So you have to check carefully in both interface mode and under “router ospf 1”. If neither of them enables authentication, then it is a fault.
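
The check described in the note can be automated; the following Python sketch is an added example (not part of the original page or the exam material) that reads a running-config and reports, per OSPF interface, whether MD5 authentication is enabled under the interface, under the area, or not at all. The function names `audit_ospf_auth` and `wildcard_match` are hypothetical, and the sample config is constructed from the R1 listing above with an assumed `network 10.1.1.0 0.0.0.3 area 12` statement so that Serial0/0/0 falls into area 12.

```python
import ipaddress
import re

def wildcard_match(ip, base, wildcard):
    """True if ip matches an OSPF network statement (base + wildcard mask)."""
    i, b, w = (int(ipaddress.IPv4Address(x)) for x in (ip, base, wildcard))
    return ((i ^ b) & ~w & 0xFFFFFFFF) == 0

def audit_ospf_auth(config):
    """Return {interface: 'interface' | 'area' | 'key-only' | 'none'} for OSPF interfaces."""
    ifaces, networks, auth_areas, section = {}, [], set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):          # unindented line opens a new section
            m = re.match(r"interface (\S+)", line)
            if m:
                section = ifaces.setdefault(
                    m.group(1), {"ip": None, "key": False, "auth": False})
            else:
                section = "ospf" if line.startswith("router ospf ") else None
        elif isinstance(section, dict):      # inside an interface block
            if m := re.match(r"ip address (\S+) \S+", line):
                section["ip"] = m.group(1)
            elif line.startswith("ip ospf message-digest-key "):
                section["key"] = True        # sets the key only, does not enable auth
            elif line == "ip ospf authentication message-digest":
                section["auth"] = True
        elif section == "ospf":              # inside the router ospf block
            if m := re.match(r"network (\S+) (\S+) area (\S+)", line):
                networks.append(m.groups())
            elif m := re.match(r"area (\S+) authentication message-digest", line):
                auth_areas.add(m.group(1))
    result = {}
    for name, i in ifaces.items():
        # Simplification: the first matching network statement decides the area.
        area = next((a for b, w, a in networks
                     if i["ip"] and wildcard_match(i["ip"], b, w)), None)
        if area is None:
            continue                         # interface is not running OSPF
        if i["auth"]:
            result[name] = "interface"
        elif area in auth_areas:
            result[name] = "area"
        else:
            result[name] = "key-only" if i["key"] else "none"
    return result

# Constructed sample: the page's R1 fault, plus an assumed network statement.
R1_FAULTY = """\
interface Serial0/0/0
 ip address 10.1.1.1 255.255.255.252
 ip ospf message-digest-key 1 md5 TSHOOT
 ip ospf network point-to-point
!
router ospf 1
 router-id 1.1.1.1
 network 10.1.1.0 0.0.0.3 area 12
"""
# The two fixes from the note: per-interface and per-area.
R1_FIX_IFACE = R1_FAULTY.replace(
    " ip ospf message-digest-key",
    " ip ospf authentication message-digest\n ip ospf message-digest-key")
R1_FIX_AREA = R1_FAULTY + " area 12 authentication message-digest\n"

if __name__ == "__main__":
    for label, cfg in [("faulty", R1_FAULTY), ("interface fix", R1_FIX_IFACE),
                       ("area fix", R1_FIX_AREA)]:
        print(label, audit_ospf_auth(cfg))
```

A result of `key-only` is the fault in this ticket: a message-digest key is present, but nothing turns authentication on for that interface or its area.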

  1. Naveed
    September 4th, 2010

    Replace the ‘Answer’ with following statement
    On R1 need the command in interface configuration mode of S0/0/0 (not in router mode)

    Symptoms of above ticket are as below:-
    1- No one is able to ping 10.1.1.1 (R1’s S0/0/0 int) except R2.
    2- Client 1 is able to ping upto 10.1.1.2 (R2’s S0/0.12 int).
    3- ‘Sh ip ospf neighbor’ command on R1 will not show any neighbor
    4- ‘sh ip route ospf’ command on R1 will not show any OSPF route

  2. mema
    September 4th, 2010

    Until now this problem appeared only on R2? what i mean is : R1 has correct config but not R2.
    the config missing was about the “ip ospf authentication message-digest” in all cases?

  3. Cisco TAC
    September 5th, 2010

    Great Job uTut. Well revise the exam again. Will make it easier so everyone will have chance to take CCIE.

  4. mema
    September 5th, 2010

    @CiscoTAC

    sorry mate but i didn’t understand it. can you please explain.

    Mema

  5. DingDong
    September 7th, 2010

    @mema

    Cisco TAC is very much interested in seeing all of us as CCIE. That’s his aim. Special thanks Cisco TAC

  6. Noel
    September 7th, 2010

    I dont see the problem in this ticket, i think that the command “area 12 authentication message-digest” is required just when you are using different authentication type in a specific area… The authentication type is already defined in the command “ip ospf message-digest-key 1 md5 TSHOOT”, BTW when you execute that command this is applied for all the areas where that interface belong, by default.

    Please tell me if i am wrong.

  7. Naveed
    September 8th, 2010

    @Noel
    On R1’s S0/0/0 interface in the TSHOOT topology technically we can enable MD5 authentication by using one of the two ways
    1- by giving command ‘ip ospf authentication message-digest’ under interface configuration mode of S0/0/0 or
    2- by giving ‘area 0 authentication message-digest’ command in the router ospf mode. (as u said, but for TSHOOT exam they didn’t used this and i think option 1 is more appropriate for TSHOOT topology, since R1 is having only one interface in Area 12 and there is no point to enable authentication on all the R1’s interfaces lying inside Area 12(which is the purpose of this command). Just think if you will add any other interface of R1 in area 12 then authentication will automatically be applied on that which you may not intend to configure resulting in extra troubleshooting steps)

    In addition to that we need ‘ip ospf message-digest-key 1 md5 TSHOOT’ to define that we will use which key for MD authentication, in above example its ‘TSHOOT’. This command is not serving the purpose of enabling MD5 authentication and only used to set the key.

    Please let me know if you require any further clarification.

  8. Naveed
    September 8th, 2010

    Correction in above post
    2- by giving ‘area 12 authentication message-digest’ (Since this is for R1)

  9. Dirk
    September 8th, 2010

    I think the correct answer is ip ospf authentication message-digest command must be given on s0/0.12 of R1. This command enables the authentication using message-digest, this related command is also needed when using clear text authentication.

  10. Naveed
    September 9th, 2010

    @Dirk
    Yes Dirk you are 100% right. But we were discussing the other alternatives which are also used to do the same job for per area basis while this is per interface basis, personally I’ll prefer per interface basis option but there can be scenarios where per area basis authentication configuration is more appropriate.
    But as far as TSHOOT exam topology and above TT is concerned, they used configuration for per interface basis and the correct answer for above TT is:-
    ‘ip ospf authentication message-digest command must be given on s0/0/0’

  11. cisco_connect
    September 9th, 2010

    Hi All,
    As per my understanding for each TT there will be 3 ques. 1. to locate where the problem exist. 2. Problem exists in which technology 3. How to resolve the problem. Now my question is for point no 3 ( How to resolve the problem ) do i need to put the appropriate command from console ? or I need to choose from option list like cisco demo.

  12. Naveed
    September 11th, 2010

    @cisco_connect
    U need to choose from options like cisco demo. You even can’t access the config mode on exam routers.

  13. networktut
    September 13th, 2010

    Yes, the interface should be s0/0.12 of R1. I updated this page!

  14. Max
    September 14th, 2010

    @Naveed
    I downloaded the Packet Tracer config file from https://www.networktut.com/download/TSHOOT_LAB.pkt

    I try to figure out the following symptoms, but failed.
    1. PC1 can ping 10.1.1.1
    2. PC1 can ping 10.1.1.2
    3. R1#show ip ospf neighbor

    Neighbor ID Pri State Dead Time Address Interface
    10.1.1.5 0 FULL/ – 00:00:34 10.1.1.2 Serial0/3/0.12
    4. R1#sh ip route ospf
    10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
    O IA 10.1.1.4 [110/128] via 10.1.1.2, 00:18:46, Serial0/3/0.12
    O IA 10.1.1.8 [110/192] via 10.1.1.2, 00:18:46, Serial0/3/0.12

    How to practice or how to figure out symptoms with TSHOOT_LAB.pkt on Packet Tracer, thanks.

    ##########################
    Symptoms of above ticket are as below:-
    1- No one is able to ping 10.1.1.1 (R1’s S0/0/0 int) except R2.
    2- Client 1 is able to ping upto 10.1.1.2 (R2’s S0/0.12 int).
    3- ‘Sh ip ospf neighbor’ command on R1 will not show any neighbor
    4- ‘sh ip route ospf’ command on R1 will not show any OSPF route

  15. ahmed-fouad
    September 15th, 2010

    dear all
    the question format is wrong i think
    the right question format is : the client can’t ping the external serial interface on R1 (209.65.200.226)
    cause many people understand it as the internal serial interface (10.1.1.1 )
    if i am wrong please correct my answer
    thanks

  16. Naveed
    September 17th, 2010

    @Max
    1- Don’t expect the packet tracer lab working and behaving perfectly. Many configurations are not done there as per exam topology.
    2- Packet tracer is a simulator, for beginners it is good enough but for CCNP candidates I’ll recommend to use GNS3.
    3- I can tell you the logical reasons of above mentioned symptoms but can’t tell you why you are not getting the required results on a config which i didn’t make.
    Logic of symptoms:-
    1- No one is able to ping 10.1.1.1 (R1’s S0/0/0 int) except R2.
    In order to ping 10.1.1.1 (R1’s S0/0/0 int) our routing should work properly on R1 but R2 can ping R1 without routing since it is directly connected and routers don’t refer to routing tables for directly connected routes. But the rest of the network devices should know exactly about 10.1.1.0 network.

    2- Client 1 is able to ping upto 10.1.1.2 (R2’s S0/0.12 int).
    Since up to here routing information is available to all network devices in the above TT.

    3- ‘Sh ip ospf neighbor’ command on R1 will not show any neighbor
    Since authentication is not succeed so neighbor relation will not achieve a Full mode with R2, and keep on attempting.

    4- ‘sh ip route ospf’ command on R1 will not show any OSPF route.
    Since there is no OSPF neighbor so routes are not coming from anywhere (R2 in our topology).
    Hope it is clear.

  17. Pedram
    September 18th, 2010

    why do we have three answers
    Ans1) R1
    Ans2) ipv4 OSPF
    Ans3) ip ospf authentication message-digest command must be given on s0/0.12

    each ticket consist of three questions or the story is sth else.

  18. networktut
    September 21st, 2010

    Page updated: Ans3) ip ospf authentication message-digest command must be given on s0/0/0 (not s0/0.12)

  19. Lemon
    September 21st, 2010

    @networktut
    Pls reply me, thx a lot.
    I will take it next Monday.

  20. Pedram
    September 21st, 2010

    @ Navid

    Each trouble ticket is consist of three questions right ?
    means 12 TT * 3 = 36 plus 3 or 4 multiple choice ?
    Is this how exam gonna be ? no concept questions at all ?

  21. Anonymous
    September 22nd, 2010

    I took exam today.

    And no the answer is incorrect.
    I choose
    Ans1) R1
    Ans2) ipv4 OSPF
    Ans3) ip ospf authentication message-digest command must be given on s0/0/0
    It was no option s0/0/0.12 or s0/0.12 on R1 I tell you more there no interface s0/0/0.12 or s0/0.12 it doesn’t exist on r1.

    On R2 you have an option
    area 12 authentication message-digest(this maybe correct answer)

  22. gazza
    September 26th, 2010

    Naveed and Network tut…thanks to u guys..i have been doing self study reading the materials and the video mentor….i just want to know if configurations will be required or we are just to detect the network problem and perform the necessary IOS commands to get the right answer..Your quick response is really appreciated…

  23. Jake
    September 28th, 2010

    experiences?

  24. deva
    September 28th, 2010

    hi guys i am going to take tshoot exam on 6 oct and i am trying all TTs in GNS3

    so for regarding this TT my observations are

    ip ospf authentication message-digest command should be given under sub interface s0/0.12
    or

    under router ospf 1 ( area 12 authentication message-digest)

    but Not under Physical interface s0/0 pls take note

  25. deva
    September 28th, 2010

    so what i will do in exam if i get this TT

    1.client 1 can ping up to R2 but not R1

    2.sh ip ospf nei on R2 (may be ill see only 3.3.3.3 but not 1.1.1.1)

    3. sh ip ospf ( check authentication is configured for (area 12) if not check sh ip ospf interface (s0/0.12) on both R1 and R2

    4. May be ill see in R1 or R2 ip ospf authentication message-digest

    5. then ill choose ip ospf authentication message-digest whether under router config mode or under subinterface

  26. Naveed
    September 28th, 2010

    @Deva
    You are right if R1 is configured with a sub-interface S0/0/0.12, but what if we don’t create sub-interface on R1? Yes, its a nice practice in real world to always use a sub-interface to make the room available for smooth future expansion but our frame-relay configuration can also work without creating sub-interface if we need only one link, same is the case with R1.
    Since here we are discussing the exam, so let me give you a update, as per exam official topology (the diagram) they used S0/0/0/0.12 but in the exam configuration they even didn’t used the sub-interfaces and all configuration is done on S0/0/0 (this case is only with R1).

    @Pedram
    Yes, exactly.

    @gazza
    You even can not access the global configuration mode. All you have to do is to find out the problem through show/ping/traceroute commands and select the right options in the answers. I’ll advice you to have a look to the demo exam of TSHOOT.

  27. ipmasters
    September 28th, 2010

    hi everyone, I’d like to appreciate everyone for their contributions on this website. I am about to write my tshoot exam in a couple of days. I’d like to know how we can easily know which topology applies to which trouble ticket on the real exam since the trouble tickets will be provided in a random order and all have the same general baseline question like ‘client 1 is unable to ping the server’ and I dont know if it will be specified that ‘use IPv4 Layer 3 or Layer 2/3 topology for this ticket’ as is done in here.

  28. deva
    September 28th, 2010

    hi Naveed ……yes u r correct , i understand, so for i thought in exam topology we have sub-interface but now i understand ,thanks for your info

  29. deva
    September 28th, 2010

    @ipmaster

    As you already passed 2 exams of CCNP it might not be a problem for u…….. what u will do if topology changes in exam so use this forum as a guide and practice every TT by your own in GNS3

  30. ipmasters
    September 29th, 2010

    @ deva
    thank you for the advice, I am tryin my best to do that

    @ Naveed
    I’d like to hear from you on this subject matter

    more suggestions from anyone else are very welcome.

  31. ipmasters
    September 29th, 2010

    I found an answer from a post similar to my question.
    thanks to all contributors on this helpful site.

  32. Hi, I have taken all the screen captures of the exam
    September 29th, 2010

    Hi,

    I have taken all the screen capture of full exam and i need the answer for the same.

    who can help me so that i can post all question here.

    Thke

  33. nf9
    September 29th, 2010

    to naveed and everybody
    first of all thanks for all the input you are great !
    about ospf authentication,the command that turns it on may be applied at the interface or on
    the router ospf mode ,works either way .
    Although , watch out , Cisco says it uses IOS ver 12.4 in the exam , I am not 100% sure that
    in that version it is possible to apply command under the ospf process , I know for sure that it is possible in 12.3 IOS . I would look in the exam in which router the problem is and then choose to fix the problem in interface-config mode , if I don’t have such choice in the exam then I would choose to apply it under ospf.
    good luck everybody

  34. nf9
    September 30th, 2010

    correction from last post!
    I use IOS 12.4
    its possible to configure ospf authentication either way
    1. under interface config mode
    2. under ospf process

    watch out

  35. Tim
    October 2nd, 2010

    Post your capture questions here, i will help you to get those answers.

  36. abebe
    October 3rd, 2010

    why is possible such a scenario if R2 able to ping 10.1.1.1 and if the others able to ping R2 why the others cant able to ping R2. if the problem is on the other side of R1 yes authentication need to match so that R1 informs R2 but in the case you bring R2 doesnt R1 to tell the route and R2 able to ping 10.1.1.1 so why not not the others.
    as to me if the problem is on R2 not R 1.

  37. abebe
    October 3rd, 2010

    as to me if the R3 and soon are authenticated using md5 the soloution will be
    answer R2
    answer ospf authentication
    answer 3 remove the Authentication from sub interface in r2 and add it to interface mode or with out removing add area 12 ospf authentication md5

  38. Anonymous
    October 3rd, 2010

    with what ip addresses should i configure the clients 1 and 2 using packet tracer so that i can do the troubleshooting

    Regards

  39. networktut
    October 6th, 2010

    Yes, could you please send me the screen captures to support@9tut.com

  40. JJ
    October 9th, 2010

    @Naveed and Everyone else

    Guys, I’d like to provide you with the config details from my home lab (please see below) as i have built the full lab from the TSHOOT Topology and can confirm that the following config is fully working.

    Basically you can have the *area 12 authentication message-digest* command in router config mode as you can see from my Router 2 Config and Router 1 has the *ip ospf authentication message-digest* command under its Serial0/0/0/0.12 Interface as opposed to its Router ospf 1 process Config, so the command is valid either under the Interface without the area 12 specified or under the router ospf 1 process with the area 12 command, hope this helps.

    JJ

    ***Router 1 Config***

    R1#sh run int Serial0/0/0/0.12
    Building configuration…
    !
    interface Serial0/0/0/0.12 point-to-point
    ip address 10.1.1.1 255.255.255.252
    ***ip ospf authentication message-digest***
    ip ospf message-digest-key 1 md5 cisco
    end
    !
    R1#
    R1#sh run | sec router ospf 1
    router ospf 1
    router-id 1.1.1.1
    network 1.1.1.1 0.0.0.0 area 12 ***R1 Loopback 0 Interface***
    network 10.1.1.0 0.0.0.3 area 12 ***Net between Routers 1 and 2***
    !
    R1#
    !
    !
    R1#sh ip ospf neighbor

    Neighbor ID Pri State Dead Time Address Interface
    2.2.2.2 0 FULL/ – 00:00:32 10.1.1.2 Serial0/0/0/0.12 ***Router 2***
    R1#
    R1#sh ip route ospf | ex E2

    2.0.0.0/32 is subnetted, 1 subnets
    O 2.2.2.2 [110/65] via 10.1.1.2, 00:10:32, Serial0/0/0/0.12
    ***Router 2 Loopback 0 Interface***

    10.0.0.0/8 is variably subnetted, 10 subnets, 2 masks
    O IA 10.1.1.8/30 [110/192] via 10.1.1.2, 00:10:32, Serial0/0/0/0.12
    ***Inter Area Net between Routers 3 and 4***

    O IA 10.1.1.4/30 [110/128] via 10.1.1.2, 00:10:32, Serial0/0/0/0.12
    ***Inter Area Net between Routers 2 and 3***

    C 10.1.1.0/30 is directly connected, Serial0/0/0/0.12
    ***Connected Net between Routers 1 and 2***

    ***Router 2 Config***

    R2#sh run int Serial0/0/0/0.12
    !
    interface Serial0/0/0/0.12 point-to-point
    ip address 10.1.1.2 255.255.255.252
    ip ospf message-digest-key 1 md5 cisco
    end
    !
    R2#
    !
    R2#sh run | sec router ospf 1
    router ospf 1
    router-id 2.2.2.2
    ***area 12 authentication message-digest***
    network 2.2.2.2 0.0.0.0 area 12 ***R2 Loopback 0 Interface***
    network 10.1.1.0 0.0.0.3 area 12 ***Net between Routers 1 and 2***
    network 10.1.1.4 0.0.0.3 area 0 ***Net between Routers 2 and 3***
    end
    !
    !
    R2#sh ip route ospf | exclude E2|IA

    1.0.0.0/32 is subnetted, 1 subnets
    O 1.1.1.1 [110/65] via 10.1.1.1, 00:10:12, Serial0/0/0/0.21
    ***Intra Area Route to R1 Loopback 0 Interface***

    O IA 10.1.1.8/30 [110/128] via 10.1.1.6, 00:17:30, Serial0/0/0/0.23
    ***Inter Area Route to Routers 3 and 4***

    C 10.1.1.0/30 is directly connected, Serial0/0/0/0.21
    ***Connected Net between Routers 1 and 2***
    !
    R2#sh ip ospf neighbor

    Neighbor ID Pri State Dead Time Address Interface
    3.3.3.3 0 FULL/ – 00:00:39 10.1.1.6 Serial0/0/0/0.23 ***Router 3***
    1.1.1.1 0 FULL/ – 00:00:38 10.1.1.1 Serial0/0/0/0.21 ***Router 1***
    R2#
    !
    ***Pings are working***
    R1#ping 10.1.1.5 ***R2 Serial0/0/0/0.23 Interface***

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.1.1.5, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 64/69/92 ms
    R1#
    R1#ping 2.2.2.2 ***Router 2 Loopback 0 Interface***

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 64/70/96 ms
    R1#

    R2#ping 209.65.200.241 ***Web Server from Net 209.65.200.240/29 in BGP AS 65002***

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 209.65.200.241, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 120/124/140 ms
    R2#

    Hope this helps

    JJ

  41. Naveed
    October 9th, 2010

    @JJ @nf9 @New TShoot Candidates
    Yes, its important to know all the possible configuration options and the best practices to work confidentially in real world and specially for the people whom are looking towards CCIE. There are situations when one option is better or another. e.g Authentication configuration in router mode is better option if we want to enable authentication on all of our current and future OSPF interfaces while interface configuration is good when we want selective interface(s) to use OSPF authentication and also don’t want our future interfaces to automatically enable for authentication, which can lead to additional troubleshooting steps otherwise. A long debate can be made on the pros and cons of both options but as per my opinion, I ll prefer the one under interface, why…well if you asks me for a single line answer, I’ll prefer more control over the option to configure whole router for OSPF authentication with a single command, of course by keeping the authentication at interfaces basis, I have more control and I’ll not mind giving commands at each interface.
    @New TSHOOT CANDIDATES
    I want to clear one thing that in exam there is only one option to select, the one under interface (i.e. ip ospf authentication message-digest command must be given on s0/0/0).

  42. Naveed
    October 9th, 2010

    Kindly mean the following terms as following in my above post.
    All interfaces = All interfaces of a specific area
    Selective Interfaces = Selective interfaces in a specific area
    Whole router = Whole router with respect to a specific area

  43. Nexttest
    October 11th, 2010

    What is the best way to study this exam? I see the TT but there are three topologies. Do they have set question for each topology?

  44. groucho
    October 13th, 2010

    Networktut
    on the summary page you have put R2 – OSPF Authentication yet the answer here shows R1
    Which one is correct ? Can you please change the summary page to reflect the correct answer
    thanks

  45. Faiz
    October 13th, 2010

    First thanks for our god

    Secondly thank you thank you thank you one million, billion and trillion times networktut and Naveed.

    i passed the exam today and all the questions from this great website

    thank you for all of you about all your comments really it’s help me

    My best Regards

  46. klauss
    October 15th, 2010

    as groucho said ,which router is correct choice? at home page it is R2 but here it is R1 ,which one is correct ?

  47. Marivan
    October 18th, 2010

    Please send the screen capture to my email as well sparkleclean@rogers.com

  48. kiler
    October 18th, 2010

    oh,thx,guys.thx for your help,i got it.i will take the 832 exam in this Friday.i believe i can pass,come on!!!

  49. Andrew
    October 20th, 2010

    Hi all,

    I passed the TSHOOT some days ago with 1000/1000. The answer which I chose is
    *ip ospf authentication message-digest* under interface Serial0/0/0/0.12.

  50. legba
    October 20th, 2010

    hi guys…i going to have my exam this friday and start revising, but i heard that 6 questions from the tickets were changed, can anyone confirm that please…cheers
