Page 1 of 1

OSPF - Invalid sequence number / MD5 authentication failed

Posted: Tue Oct 29, 2013 11:33 am
by SwissWISP
Hi all,

there is something strange happening on our Routers (CCR). Several times per day, the router logs a "Invalid sequence number / MD5 authentication failed" message. (see attached Picture)
It looks like the router receives an OSPF packet that is too "old" and the problem gets worse if I lower the hello times. So I first thought, there must be packet loss or something, but if I disable MD5, everything works like a charm.

The funny thing is that this happens only between Mikrotik routers. Sessions between Cisco and Mikrotik work as expected.
Any Ideas from you guys?

Many Thanks!
- Mat

Re: OSPF - Invalid sequence number / MD5 authentication fail

Posted: Mon Jan 12, 2015 1:16 pm
by leonix
Had the same message (and not working OSPF): Reason was not enough RAM. My older omnitik shows 7Mib free of 32Mib total RAM, this seems not enough for our 500 routes. My solution was adding an RB2011 with more RAM and switching the omnitik to bridge mode.

Another messages (beside the MD5 error) in the log were
"Database Description packet has init bit set in middle of an exchange"
"invalid sequence number"
and always
"11:36:31 route,ospf,info OSPFv2 neighbor 192.168.xx.xx: state change from Loading to 2-Way "
"11:37:17 route,ospf,info OSPFv2 neighbor 192.168.xx.xx: state change from Loading to 2-Way "
"11:38:03 route,ospf,info OSPFv2 neighbor 192.168.xx.xx: state change from Loading to 2-Way "

Hope this is useful for others... :-)
Leo.

Re: OSPF - Invalid sequence number / MD5 authentication fail

Posted: Mon Jan 12, 2015 2:07 pm
by SwissWISP
Thanks for your reply Leo.
In my case it's most likely not a memory issue. My CCR has over 1.5GB of free memory space.

- Mat

Re: OSPF - Invalid sequence number / MD5 authentication fail

Posted: Mon Jan 12, 2015 2:10 pm
by nz_monkey
Hi Mat,

We are seeing the same issue with our CCR's running OSPF + MD5. We see this issue occurring 2-3 times each day.

We use RouterOS 6.5 and 6.19 on CCR1036 and RouterOS 6.19 on CCR1009.

Re: OSPF - Invalid sequence number / MD5 authentication failed

Posted: Mon Nov 16, 2015 2:58 pm
by gilljr
I have now begun seeing this same error between 2 of my CCR (1009 and 1016) routers at random times (a handful of times every 3 days) in Point-to-Point OSPF mode. The errors are showing on both sides of the link but not at the same time. The routers are both running 6.30.4 and are connected via a Metro Ethernet connection about 30miles from each other. The errors are odd because I don't recall seeing these errors on either side of the link when I first set it up a couple months ago.

I will try turning off md5 and see if it resolves the issue for me as well. Is turning off MD5 still working as a solution for you or did the errors come back?

Thanks,
Gilbert

Re: OSPF - Invalid sequence number / MD5 authentication failed

Posted: Thu Dec 03, 2015 5:07 pm
by jrudrow
Any solution ever come from anything? I just found this exact issue in my network, CCR1036-12G-4S connected to a RB912/RB912 Station-bridge wireless connection, on the other side another CCR1036-12G-4S. All CCR's and RB912's running v6.30 on Firmware 3.24.

Re: OSPF - Invalid sequence number / MD5 authentication failed

Posted: Mon Feb 12, 2018 4:15 pm
by sri2007
Hello guys... here is the real answer for the OSPF & MD5 authentication error, this one is a reply to a Mikrotik Support mail:
Hello,

problem may arise if one peer looses connectivity and reestablish adjacency. In this case sequence numbers are not reset and your mentioned error may appear.

Unfortunately there are no fix for this problem in ROS v6, instead I would suggest to use simple authentication untill we finish work on new OSPF code which should fix the problem.