Courseiva
RIPCCNA 200-301

RIPv2 Authentication Mismatch — No Route Updates

Presenting Symptom

Routers configured for RIPv2 authentication do not exchange routing updates, resulting in missing routes in the routing table.

Network Context

Two Cisco routers (R1 and R2) are connected via a serial link in a small branch office. Both run IOS 15.x and are configured for RIPv2 with MD5 authentication. The network uses a single area, and all interfaces are up/up. The problem is that R1's routing table lacks routes from R2's LAN, and vice versa.

Diagnostic Steps

1

Check RIPv2 configuration on both routers

show ip protocols
Routing Protocol is "rip"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Sending updates every 30 seconds, next due in 16 seconds
  Invalid after 180 seconds, hold down 180, flushed after 240
  Redistributing: rip
  Default version control: send version 2, receive version 2
  Interface             Send  Recv   Key-chain
  Serial0/0/0           2     2      RIPKEY
  Routing for Networks:
    192.168.1.0
    10.0.0.0
  Routing Information Sources:
    Gateway         Distance      Last Update
  Distance: (default is 120)

Verify that RIPv2 is enabled, version 2 is used, and a key-chain is applied. If no key-chain is shown, authentication is not configured. If key-chain is missing, that's the problem.

2

Verify key-chain configuration

show key chain
Key-chain RIPKEY:
    key 1 -- text "cisco123"
        accept lifetime (00:00:00 UTC Jan 1 2000) - (infinite)
        send lifetime (00:00:00 UTC Jan 1 2000) - (infinite)

Ensure the key-chain name matches the one applied to the interface. Check that the key string is present and that send/accept lifetimes are valid. If the key string is missing or lifetimes are expired, authentication will fail.

3

Check interface authentication configuration

show running-config interface serial0/0/0
interface Serial0/0/0
 ip address 10.0.0.1 255.255.255.252
 ip rip authentication mode md5
 ip rip authentication key-chain RIPKEY

Confirm that both 'ip rip authentication mode md5' and 'ip rip authentication key-chain <name>' are present. If either is missing, authentication is not properly configured. Also verify that the key-chain name matches exactly on both ends.

4

Debug RIPv2 packets to see authentication errors

debug ip rip
RIP: received packet with mismatched authentication key
RIP: ignored v2 packet from 10.0.0.2 (invalid authentication)

If you see 'mismatched authentication key' or 'invalid authentication', the key strings differ between routers. If you see no RIP updates at all, authentication may be missing on one side or the key-chain is not applied.

Root Cause

The RIPv2 MD5 authentication key string is mismatched between R1 and R2. R1 has key 'cisco123' while R2 has key 'cisco456'. Since the keys do not match, R2 rejects R1's updates and vice versa, causing no routes to be exchanged.

Resolution

On R2, change the key string to match R1: R2(config)# key chain RIPKEY R2(config-keychain)# key 1 R2(config-keychain-key)# key-string cisco123 Alternatively, update both to a common key. Ensure the key-chain name and key ID are identical on both routers.

Verification

After applying the fix, run 'show ip route' on R1: R1# show ip route Codes: C - connected, S - static, R - RIP, ... 10.0.0.0/30 is subnetted, 1 subnets C 10.0.0.0 is directly connected, Serial0/0/0 R 192.168.2.0/24 [120/1] via 10.0.0.2, 00:00:16, Serial0/0/0 Also run 'show ip rip database' to confirm routes are learned.

Prevention

1. Use a consistent key string across all routers in the RIP domain, ideally managed via a secure key management system. 2. Document key-chain configurations and include them in change management. 3. Use 'show key chain' during audits to verify key consistency.

CCNA Exam Relevance

On the CCNA 200-301 exam, this scenario may appear as a troubleshooting question where you must identify why RIPv2 routes are not being exchanged. The exam tests your ability to verify authentication configuration using 'show ip protocols', 'show key chain', and 'debug ip rip'. Key fact: RIPv2 authentication requires matching key strings and key-chain names on both ends.

Exam Tips

1.

Remember that 'ip rip authentication mode md5' and 'ip rip authentication key-chain <name>' must be configured on the interface.

2.

The key string is case-sensitive; a common mistake is a typo in the key string.

3.

Use 'debug ip rip' to see authentication errors; look for 'invalid authentication' or 'mismatched authentication key'.

Commands Used in This Scenario

debug ip rip

Enables real-time debugging of RIP routing updates to troubleshoot routing issues by displaying sent and received RIP updates.

show ip protocols

Displays the current state of all IP routing protocols running on the router, including timers, filters, and network advertisements.

Test Your CCNA Knowledge

Practice with scenario-based questions to prepare for the CCNA 200-301 exam.

Practice CCNA Questions