[70022] in North American Network Operators' Group
Re: More MD5 fun: Cisco uses wrong MD5 key for old session after key change
daemon@ATHENA.MIT.EDU (Simon Lockhart)
Sun Apr 25 19:50:41 2004
Date: Sat, 24 Apr 2004 21:25:46 +0100
From: Simon Lockhart <simon.lockhart@bbc.co.uk>
To: sthaug@nethelp.no
Cc: nanog@merit.edu
In-Reply-To: <60845.1082838063@bizet.nethelp.no>
Errors-To: owner-nanog-outgoing@merit.edu
On Sat Apr 24, 2004 at 10:21:03PM +0200, sthaug@nethelp.no wrote:
> Meanwhile, the new session (with the new MD5 key) is up and all is
> well *on that session*. But because the Cisco side keeps logging
> these messages, it *looks* like the new session is somehow not
> working.
>
> As far as I can see, the bug here is clearly on the Cisco side. We
> will definitely be logging a TAC case about this.
Yes - I've noticed this when configuring MD5 on sessions. If I let the
old session timeout due to md5 mismatch, and then let it re-establish,
then the session seems to work, but continues to log the MD5 errors.
Doing a "clear ip bgp <nei>" on my side removes the problem.
Simon
--
Simon Lockhart | Tel: +44 (0)1628 407720 (x(01)37720) | Si fractum
Technology Manager | Fax: +44 (0)1628 407701 (x(01)37701) | non sit, noli
BBC Internet Ops | Email: Simon.Lockhart@bbc.co.uk | id reficere
BBC Technology, Maiden House, Vanwall Road, Maidenhead. SL6 4UB. UK
