ISIS_1.3.6.1.3.37.2.0.10 isisAuthenticationFailure

Description

ISIS/3/AUTH_FAIL:OID [oid] The authentication password of received PDU is different from local configuration. (sysInstance=[integer], sysInstanceofLevel=[integer], sysLevel=[integer], sysInstanceofCircIfIndex=[integer], circIndex=[integer], ifIndex=[integer], circIfIndex=[integer], pduFrag=[opaque], ifName=[string])

The received packet, including the LSP, CSNP, PSNP, and Hello packet, contained the authentication information and the same authentication type carried in the packet was the same as that configured on the local switch, however, the authentication password in the packet was different from that configured on the local switch. For example, both ends were configured with either MD5 authentication or simple authentication, whereas the configured authentication passwords were different.

Attribute

Alarm ID	Alarm Severity	Alarm Type
1.3.6.1.3.37.2.0.10	Minor	environmentalAlarm(6)

Parameters

Name	Meaning
oid	Indicates the MIB object ID of the alarm.
sysInstance	Indicates the ID of the IS-IS process.
sysInstanceofLevel	Indicates the ID of the IS-IS process.
sysLevel	Indicates the IS-IS level: 1: Level-1 2: Level-2
sysInstanceofCircIfIndex	Indicates the ID of the IS-IS process.
circIndex	Indicates the index of the interface.
ifIndex	Indicates the index of the interface.
circIfIndex	Indicates the IF index of the interface.
pduFrag	Indicates the fragment of 64-byte PDU header.
ifName	Indicates the name of the interface.

Impact on the System

1. If Hello packet authentication fails, IS-IS neighbors cannot be established.

2. If LSP or SNP packet authentication fails, LSDBs cannot be synchronized; however, IS-IS neighbors can be established.

Possible Causes

Authentication was configured for the interface or process on the local end. The authentication types configured on both ends were the same, whereas the authentication passwords were different.

Procedure

Through the parameter in the trap, check the ID of the IS-IS process that receives the packet and check the level that the packet belongs to. The value 1 indicates Level-1 packets; the value 2 indicates Level-2 packets; the value 3 indicates P2P Hello packets. Based on the IS-IS packet format defined in ISO10589, search for the if-index field (in decimal) in the trap and convert the decimal value into a hexadecimal value. Run the display rm interface command on the interface and search the command output for the information about the interface that receives the packet. The value of IfnetIndex in the interface information is the same as the hexadecimal if-index. Then, find the pdu-fragment field in the trap and fetch the system ID of the source switch that sends the packet and packet type.

If the type of the packet is Hello, go to Step 2.
If the type of the packet is LSP or SNP, go to Step 4.

**Table 1** Methods of searching for system IDs and types of IS-IS packets
Searching for the Packet Type	Searching for the System ID
Hello: the 5th byte in the pdu-fragment field being 0f, 10, or 11	The system ID is continuous 6 bytes after the 10th byte in the pdu-fragment field
LSP: the 5th byte in the pdu-fragment field being 12 or 14	The system ID is continuous 6 bytes after the 13th byte in the pdu-fragment field
SNP: the 5th byte in the pdu-fragment field being 18, 19, 1A, or 1B	The system ID is continuous 6 bytes after the 11th byte in the pdu-fragment field

Run the display isis peer command in the source switch to check the interface that sends the packet. Enter the interface view and run the display this command to check the password used for authentication is the same as that configured on the local switch.
- If so, go to Step 6.
- If not, go to Step 3.
Run the isis authentication-mode command in the interface view of the source switch to configure the same authentication password as the local switch. Then check whether the trap is cleared.
- If so, go to Step 7.
- If not, go to Step 6.
Run the display current-configuration configuration isis command on the source switch to check whether the IS-IS process is configured with the same area authentication password or domain authentication password as the local switch.
- If so, go to Step 6.
- If not, go to Step 5.
Run the area-authentication-mode (for Level-1 packets) command or the domain-authentication-mode (for Level-2 packets) command in the IS-IS view of the source switch to configure the same authentication password as the local switch. Then check whether the trap is cleared.
- If so, go to Step 7.
- If not, go to Step 6.
Collect alarm information and configuration information, and then contact technical support personnel.
End.

Related Information

None