EIGRPCCNA 200-301

EIGRP MD5 Authentication Mismatch

Presenting Symptom

EIGRP neighbors are not forming, and the network engineer sees routes missing from the routing table.

Network Context

A small branch office with two Cisco routers (R1 and R2) connected via a serial link. Both routers run EIGRP with MD5 authentication configured. The routers are running IOS version 15.x. The issue occurs after a recent configuration change on R2.

Diagnostic Steps

Check EIGRP neighbor status

show ip eigrp neighbors

No neighbors displayed (empty output)

If no neighbors are listed, EIGRP is not forming adjacencies. This confirms a neighbor relationship issue.

Check EIGRP interface configuration for authentication

show running-config interface serial0/0/0

interface Serial0/0/0
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEY

Verify that MD5 authentication is enabled on the interface. If missing, authentication is not configured.

Check the key chain configuration

show key chain

Key-chain EIGRP-KEY:
    key 1
        key-string (encrypted) 7 0822455D0A16
        accept-lifetime 00:00:00 Jan 1 2020 23:59:59 Dec 31 2025
        send-lifetime 00:00:00 Jan 1 2020 23:59:59 Dec 31 2025

Ensure the key chain exists and has valid lifetimes. If the key string is missing or lifetimes are expired, authentication will fail.

Debug EIGRP authentication packets

debug eigrp packets

EIGRP: received packet with MD5 authentication, key id = 1, mismatch with key id on interface
EIGRP: authentication failed for neighbor 10.0.0.2

The debug output shows authentication failures. Look for key ID mismatches or 'authentication failed' messages.

Root Cause

The EIGRP MD5 authentication key string or key ID does not match between the two routers. On R2, the key chain 'EIGRP-KEY' has key ID 1 with a different key string than R1, or the key ID is mismatched (e.g., R1 uses key ID 1 while R2 uses key ID 2).

Resolution

On R2, configure the same key chain with matching key string and key ID as on R1: R2(config)# key chain EIGRP-KEY R2(config-keychain)# key 1 R2(config-keychain-key)# key-string cisco123 R2(config-keychain-key)# exit R2(config-keychain)# exit R2(config)# interface serial0/0/0 R2(config-if)# ip authentication mode eigrp 100 md5 R2(config-if)# ip authentication key-chain eigrp 100 EIGRP-KEY

Verification

Run 'show ip eigrp neighbors' on both routers. Expected output shows neighbor state as 'Init' then 'Full'. Also run 'show ip route eigrp' to verify routes are learned.

Prevention

1. Use a consistent key chain name and key ID across all routers. 2. Document the key string and ensure it is the same on all devices. 3. Use a network configuration management tool to push consistent authentication configurations.

CCNA Exam Relevance

On the CCNA 200-301 exam, EIGRP authentication questions may appear as troubleshooting scenarios in multiple-choice or drag-and-drop format. The exam tests the ability to identify and fix authentication mismatches. Key facts: MD5 authentication requires matching key strings and key IDs; use 'show ip eigrp neighbors' and 'debug eigrp packets' to diagnose.

Exam Tips

Remember that 'show ip eigrp neighbors' will show nothing if authentication fails.

The most common mistake is mismatched key strings; always verify with 'show key chain'.

Know that 'debug eigrp packets' can show authentication failure messages, but use it carefully in production.

Commands Used in This Scenario

show ip eigrp neighbors

Displays the neighbor table for EIGRP, showing all directly connected EIGRP routers and their status, used to verify EIGRP adjacencies and troubleshoot neighbor relationships.

Test Your CCNA Knowledge

Practice with scenario-based questions to prepare for the CCNA 200-301 exam.

Practice CCNA Questions