Problem Description
Topology

Symptom
When R3 with ISIS configuration has been connected to the existing network, PC1 and PC2 cannot communicate with each other.
Handling Process
1. ISIS configuration (R3; R1 and R2 are similar):
#
isis 1
 is-level level-2
 network-entity 10.0030.0300.3003.00
#
interface GigabitEthernet0/0/0
 ip address 10.0.0.3 255.255.255.0
 isis enable 1
 isis circuit-level level-2
 isis authentication-mode md5 cipher XXXXXX
#
2. Run display ISIS peer and display ISIS route. The output shows that ISIS peering is established but no ISIS routes are received.
3. Run display ISIS interface. The output shows that R3 is selected as the DIS.
4. Run display ISIS peer. Some ISIS error messages regarding authentication can be observed.
[R1]dis isis error
Statistics of error packets for ISIS(1)
---------------------------------------
LSP packet errors:
Longer LSP           : 0    Smaller LSP        : 0
Mismatched Level     : 0    Invalid Sysid      : 0
Zero Sequence Number : 0    Illegal IS Type    : 0
Zero Checksum        : 0    Incorrect Checksum : 0
Bad Authentication   : 6    Bad Auth Count     : 0
More Protocol TLV    : 0    Bad Nbr TLV        : 0
5. After changing the ISIS domain authentication password of R3, the fault is rectified.
Root Cause
When a new IS-IS router is connected to the live network and the circuit type is broadcast, a DIS election is triggered. In this case, all ISIS routers on the network have the default dis-priority of 64. Because G0/0/0 of R3 has the highest MAC address, R3 becomes the DIS on the network segment. Because R3 has an incorrect domain authentication password, it establishes ISIS peering but does not accept any routing information. As a result, the other IS-IS routers on the network also clear their IS-IS routing tables, because they cannot accept routing updates from R3.
Solution
Increase the DIS priority of existing ISIS routers so that the newly added router will not become DIS and cause network failure.
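The election described under Root Cause and the effect of the fix can be modelled as follows. This is an added example, not part of the original case: the MAC addresses, the raised priority of 100 and the function names are constructed for illustration.

```python
# Added example: models IS-IS DIS election on one broadcast segment.
# MAC addresses and the raised priority (100) are constructed for illustration.
from dataclasses import dataclass

DEFAULT_DIS_PRIORITY = 64  # default dis-priority named in the case


@dataclass(frozen=True)
class Router:
    name: str
    mac: str                      # MAC address of the LAN interface
    priority: int = DEFAULT_DIS_PRIORITY
    lsdb_auth_ok: bool = True     # domain (LSDB) password matches the network


def mac_value(mac: str) -> int:
    """Convert '00e0-fc00-0001' or '00:e0:fc:00:00:01' to an integer."""
    digits = "".join(c for c in mac if c not in ":-.")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


def elect_dis(routers):
    """Highest priority wins; a tie goes to the highest MAC address.
    The election is preemptive, so it is simply rerun when a router joins."""
    if not routers:
        raise ValueError("no routers on the segment")
    return max(routers, key=lambda r: (r.priority, mac_value(r.mac)))


def join_risk(existing, newcomer):
    """Return (dis_before, dis_after, at_risk) for a router joining the segment."""
    before = elect_dis(existing)
    after = elect_dis(existing + [newcomer])
    at_risk = after is newcomer and not newcomer.lsdb_auth_ok
    return before.name, after.name, at_risk


# Constructed segment: R3 has the highest MAC and a wrong domain password.
R1 = Router("R1", "00e0-fc00-0001")
R2 = Router("R2", "00e0-fc00-0002")
R3 = Router("R3", "00e0-fcff-0003", lsdb_auth_ok=False)

if __name__ == "__main__":
    print(join_risk([R1, R2], R3))                       # all priorities default
    hardened = [Router(r.name, r.mac, 100) for r in (R1, R2)]
    print(join_risk(hardened, R3))                       # existing routers raised
```

With default priorities the newcomer takes over as DIS and the segment is at risk; once the existing routers carry a higher priority, the DIS does not change when R3 joins.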
Suggestions and Summary
There are two levels of ISIS password configuration:
- Hello packet level (configured under the interface)
  Command: isis authentication-mode
- LSDB level (configured under the ISIS process)
  Commands: area-authentication-mode (Level-1 area authentication)
            domain-authentication-mode (Level-2 area authentication)
Take extreme caution when connecting a new ISIS router with a password to a broadcast network, because the whole ISIS routing can be impacted when the wrong LSDB password is set.







