kumarh
Staff
Article Id 295168
Description

This article describes why a user may receive the 'Cryptographic Authentication Error' message when MD5 authentication is enabled in OSPF, and offers solutions.

Scope

Any supported version of FortiGate.
Solution

If authentication is enabled in OSPF and the error 'Cryptographic Authentication Error' is received, follow these steps:


First, run the following command to check whether the OSPF neighborship is up:

get router info ospf neighbor

If no neighbors are shown, run the sniffer below. It displays the traffic flow on the interface and shows whether 'Hello' packets (IP protocol 89) are being received from the neighbor:

diagnose sniffer packet [intf] " host x.x.x.x and proto 89 " 6 0 l

If packets are being received, run the following OSPF debug commands to obtain information on why the FortiGate is not forming the neighborship:

diagnose ip router ospf all enable
diagnose ip router ospf level info
diagnose debug console timestamp enable
diagnose debug enable

In some cases, the debugs may show the following error:

Non-Working:


2024-01-17 20:47:14 OSPF: LSA[Refresh]: timer expired
2024-01-17 20:47:14 OSPF: LSA[MaxAge]: Maxage walker finished (0.000000 sec)
2024-01-17 20:47:14 OSPF: RECV[Hello]: From 192.168.80.66 via RL-FW-OUT-PTP:10.47.66.137 (10.47.66.141 -> 224.0.0.5)
2024-01-17 20:47:14 OSPF: -----------------------------------------------------
2024-01-17 20:47:14 OSPF: Header
2024-01-17 20:47:14 OSPF: Version 2
2024-01-17 20:47:14 OSPF: Type 1 (Hello)
2024-01-17 20:47:14 OSPF: Packet Len 44
2024-01-17 20:47:14 OSPF: Router ID 192.168.80.66
2024-01-17 20:47:14 OSPF: Area ID 0.0.0.33
2024-01-17 20:47:14 OSPF: Checksum 0x0
2024-01-17 20:47:14 OSPF: AuType 2
2024-01-17 20:47:14 OSPF: Cryptographic Authentication
2024-01-17 20:47:14 OSPF: Key ID 1
2024-01-17 20:47:14 OSPF: Auth Data Len 16
2024-01-17 20:47:14 OSPF: Sequence number 1704577685
2024-01-17 20:47:14 OSPF: Hello
2024-01-17 20:47:14 OSPF: NetworkMask 255.255.255.248
2024-01-17 20:47:14 OSPF: HelloInterval 10
2024-01-17 20:47:14 OSPF: Options 0x12 (*|-|-|L|-|-|E|-)
2024-01-17 20:47:14 OSPF: RtrPriority 5
2024-01-17 20:47:14 OSPF: RtrDeadInterval 40
2024-01-17 20:47:14 OSPF: DRouter 10.47.66.141
2024-01-17 20:47:14 OSPF: BDRouter 0.0.0.0
2024-01-17 20:47:14 OSPF: # Neighbors 0
2024-01-17 20:47:14 OSPF: -----------------------------------------------------
2024-01-17 20:47:14 OSPF: RECV[Hello]: From 192.168.80.66 via RL-FW-OUT-PTP:10.47.66.137: Cryptographic authentication error
2024-01-17 20:47:15 OSPF: RECV[Hello]: From 192.168.80.98 via RL-FW-OUT-PTP:10.47.66.137 (10.47.66.140 -> 224.0.0.5)
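In the output above, each rejected Hello produces two RECV lines: one when the packet arrives and a second ending in 'Cryptographic authentication error'. On a busy point-to-point or broadcast segment it helps to reduce the debug to a per-neighbor tally, so that a neighbor that is reachable on the wire but rejected every time stands out from one whose Hellos never arrive at all. The following Python is an illustration added here, not part of the Fortinet article or any FortiOS tool; it assumes the RECV line format shown on this page, and the sample debug text embedded in it is constructed from that output (the 'DB-Desc' line is a constructed example of a non-Hello packet type).

```python
import re
from collections import defaultdict

# Matches the RECV[...] lines printed by 'diagnose ip router ospf all enable':
# timestamp, packet type, sending Router ID, local interface name and address,
# followed either by "(src -> dst)" or by ": <reason>" when the packet was rejected.
RECV_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) OSPF: RECV\[(?P<ptype>[^\]]+)\]: "
    r"From (?P<router>\d+\.\d+\.\d+\.\d+) via (?P<intf>[^:]+):(?P<local>\d+\.\d+\.\d+\.\d+)"
    r"(?P<rest>.*)$"
)

AUTH_ERROR = "Cryptographic authentication error"

# Constructed sample, modeled on the non-working debug output in this article.
SAMPLE_DEBUG = """\
2024-01-17 20:47:14 OSPF: RECV[Hello]: From 192.168.80.66 via RL-FW-OUT-PTP:10.47.66.137 (10.47.66.141 -> 224.0.0.5)
2024-01-17 20:47:14 OSPF: Header
2024-01-17 20:47:14 OSPF: AuType 2
2024-01-17 20:47:14 OSPF: RECV[Hello]: From 192.168.80.66 via RL-FW-OUT-PTP:10.47.66.137: Cryptographic authentication error
2024-01-17 20:47:15 OSPF: RECV[Hello]: From 192.168.80.98 via RL-FW-OUT-PTP:10.47.66.137 (10.47.66.140 -> 224.0.0.5)
2024-01-17 20:47:24 OSPF: RECV[Hello]: From 192.168.80.66 via RL-FW-OUT-PTP:10.47.66.137 (10.47.66.141 -> 224.0.0.5)
2024-01-17 20:47:24 OSPF: RECV[Hello]: From 192.168.80.66 via RL-FW-OUT-PTP:10.47.66.137: Cryptographic authentication error
2024-01-17 20:47:25 OSPF: RECV[DB-Desc]: From 192.168.80.98 via RL-FW-OUT-PTP:10.47.66.137 (10.47.66.140 -> 10.47.66.137)
"""


def summarize_recv(debug_text):
    """Tally received OSPF packets per (neighbor Router ID, local interface).

    Returns {(router, intf): {"received": n, "auth_errors": m, "types": set()}}.
    "received" counts packets that arrived; "auth_errors" counts the follow-up
    rejection lines, so a neighbor with auth_errors == received was heard on the
    wire but rejected every time.
    """
    stats = defaultdict(lambda: {"received": 0, "auth_errors": 0, "types": set()})
    for line in debug_text.splitlines():
        m = RECV_RE.match(line.strip())
        if not m:
            continue  # header/body dump lines and LSA lines are not RECV lines
        key = (m["router"], m["intf"])
        if AUTH_ERROR.lower() in m["rest"].lower():
            stats[key]["auth_errors"] += 1
        else:
            stats[key]["received"] += 1
            stats[key]["types"].add(m["ptype"])
    return dict(stats)


def failing_neighbors(debug_text):
    """Neighbors whose every received packet failed cryptographic authentication.

    These are the peers to compare authentication type and key-string against;
    a neighbor absent from the tally entirely is a reachability problem instead.
    """
    return sorted(
        key for key, s in summarize_recv(debug_text).items()
        if s["received"] and s["auth_errors"] >= s["received"]
    )


if __name__ == "__main__":
    for (router, intf), s in sorted(summarize_recv(SAMPLE_DEBUG).items()):
        print(f"{router:16} via {intf:16} received={s['received']} "
              f"auth_errors={s['auth_errors']} types={sorted(s['types'])}")
    print("neighbors failing authentication:", failing_neighbors(SAMPLE_DEBUG))
```

Run against a captured debug session (for example `python3 triage.py < debug.txt` after changing the script to read stdin), the report separates the neighbor whose key-string needs checking from neighbors that are exchanging packets normally.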


This error means that the authentication parameters on the two neighbors do not match.

  1. Verify that both devices use the same authentication method. FortiGate supports plaintext or MD5 only.
  2. Check the key-string value under md5-keys. It must be configured identically on both devices. If the key-string values are not identical, the 'Cryptographic Authentication Error' will appear.

Make the two configurations identical by running the following commands.

In 6.4 or earlier versions:

config router ospf
    config ospf-interface
        edit <>
            set interface <>
            set authentication md5
            config md5-keys
                edit 1
                    set key-string <>
                next
            end
        next
    end
end

In 7.0 or later versions:

config router ospf
    config ospf-interface
        edit <>
            set interface <>
            set authentication message-digest
            config md5-keys
                edit 1
                    set key-string <>
                next
            end
        next
    end
end

Once the authentication type and key-string values are the same in both of the neighbors, the authentication error will no longer appear.
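The debug output shows the receiving FortiGate rejecting a Hello whose header carries AuType 2, Key ID 1 and Auth Data Len 16. The following Python, added here as an illustration and not part of the Fortinet article or of FortiOS, reproduces the RFC 2328 Appendix D check that every OSPFv2 implementation performs on such a packet: the sender appends MD5(packet || 16-octet key) and the receiver recomputes it with the key-string configured under the matching Key ID (the equivalent of `config md5-keys / edit 1 / set key-string`). Router IDs, area, interval values and sequence numbers are taken from the debug output above; the key-strings are constructed sample values, and zero-padding a shorter key-string to 16 octets is an implementation convention assumed here.

```python
import hashlib
import hmac
import ipaddress
import struct

OSPF_VERSION = 2
OSPF_HELLO = 1
AUTYPE_CRYPTO = 2      # "AuType 2 / Cryptographic Authentication" in the debug
MD5_LEN = 16           # "Auth Data Len 16" in the debug
HEADER_LEN = 24        # fixed OSPFv2 header size


def ip4(addr):
    """Dotted-quad string to 4 network-order bytes."""
    return ipaddress.IPv4Address(addr).packed


def pad_key(key_string):
    """Use the key-string as a 16-octet key: zero-pad short keys, truncate long ones (assumed convention)."""
    return key_string[:MD5_LEN].ljust(MD5_LEN, b"\x00")


def build_hello(router_id, area_id, key_id, seq, neighbors=(), *, netmask="255.255.255.248",
                hello_interval=10, options=0x12, priority=5, dead_interval=40,
                dr="0.0.0.0", bdr="0.0.0.0"):
    """Unsigned OSPFv2 Hello with the cryptographic-authentication header.

    Length = 24 header + 20 body + 4 per listed neighbor: 44 octets with no
    neighbors and 52 with two, matching "Packet Len" in the two debug captures.
    """
    body = (ip4(netmask)
            + struct.pack("!HBBI", hello_interval, options, priority, dead_interval)
            + ip4(dr) + ip4(bdr)
            + b"".join(ip4(n) for n in neighbors))
    length = HEADER_LEN + len(body)
    # Authentication field for AuType 2: two zero octets, Key ID, Auth Data Len, sequence number.
    auth = struct.pack("!HBBI", 0, key_id, MD5_LEN, seq)
    # The Checksum field is not used with AuType 2 and stays 0 ("Checksum 0x0" in the debug).
    header = (struct.pack("!BBH", OSPF_VERSION, OSPF_HELLO, length)
              + ip4(router_id) + ip4(area_id)
              + struct.pack("!HH", 0, AUTYPE_CRYPTO) + auth)
    return header + body


def md5_sign(packet, key_string):
    """Sender side: append MD5(packet || padded key). The digest is not counted in Length."""
    return packet + hashlib.md5(packet + pad_key(key_string)).digest()


def md5_verify(wire, configured_keys, last_seq=None):
    """Receiver side. Returns (ok, reason).

    configured_keys maps Key ID -> key-string, like the md5-keys table on the
    FortiGate. last_seq, if given, is a dict of Router ID -> highest sequence
    number accepted, providing the per-neighbor replay protection RFC 2328 requires.
    """
    if len(wire) < HEADER_LEN:
        return False, "packet too short"
    version, _ptype, length = struct.unpack("!BBH", wire[:4])
    if version != OSPF_VERSION:
        return False, f"unsupported OSPF version {version}"
    router_id = str(ipaddress.IPv4Address(wire[4:8]))
    autype, = struct.unpack("!H", wire[14:16])
    if autype != AUTYPE_CRYPTO:
        return False, f"AuType {autype} does not match cryptographic authentication"
    key_id, auth_len, seq = struct.unpack("!BBI", wire[18:24])
    if auth_len != MD5_LEN or len(wire) != length + MD5_LEN:
        return False, "bad authentication data length"
    key_string = configured_keys.get(key_id)
    if key_string is None:
        return False, f"no key-string configured for Key ID {key_id}"
    packet, received_digest = wire[:length], wire[length:]
    expected = hashlib.md5(packet + pad_key(key_string)).digest()
    if not hmac.compare_digest(expected, received_digest):
        return False, "Cryptographic authentication error"
    if last_seq is not None:
        if seq < last_seq.get(router_id, 0):
            return False, "sequence number replay"
        last_seq[router_id] = seq
    return True, "ok"


if __name__ == "__main__":
    # Hello from the non-working capture: Router ID 192.168.80.66, area 0.0.0.33, Key ID 1.
    pkt = build_hello("192.168.80.66", "0.0.0.33", key_id=1, seq=1704577685)
    wire = md5_sign(pkt, b"sharedsecret")                    # constructed key-string
    print(md5_verify(wire, {1: b"sharedsecret"}))            # (True, 'ok')
    print(md5_verify(wire, {1: b"othersecret"}))             # (False, 'Cryptographic authentication error')
    print(md5_verify(wire, {2: b"sharedsecret"}))            # Key ID 1 has no key-string configured
```

Only a key-string mismatch, a tampered packet, or a Key ID with no configured key reaches the 'Cryptographic authentication error' branch; a mismatched authentication type fails earlier at the AuType check, which is why step 1 above compares the method before the key. The hash is an unkeyed MD5 over packet plus secret rather than an HMAC, so the constant-time comparison and the per-neighbor sequence tracking are the two defensive details worth keeping when reading an implementation.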


Verify by checking the OSPF neighbor table and running the OSPF debug again. Both neighbors should now exchange LSA packets.

Debug output when the neighborship functions correctly:

2024-01-17 21:08:01 OSPF: IFSM[RL-FW-OUT-PTP:10.47.66.137]: Hello timer expire
2024-01-17 21:08:01 OSPF: SEND[Hello]: To 224.0.0.5 via RL-FW-OUT-PTP:10.47.66.137, length 68
2024-01-17 21:08:01 OSPF: -----------------------------------------------------
2024-01-17 21:08:01 OSPF: Header
2024-01-17 21:08:01 OSPF: Version 2
2024-01-17 21:08:01 OSPF: Type 1 (Hello)
2024-01-17 21:08:01 OSPF: Packet Len 52
2024-01-17 21:08:01 OSPF: Router ID 10.32.133.132
2024-01-17 21:08:01 OSPF: Area ID 0.0.0.33
2024-01-17 21:08:01 OSPF: Checksum 0x0
2024-01-17 21:08:01 OSPF: AuType 2
2024-01-17 21:08:01 OSPF: Cryptographic Authentication
2024-01-17 21:08:01 OSPF: Key ID 1
2024-01-17 21:08:01 OSPF: Auth Data Len 16
2024-01-17 21:08:01 OSPF: Sequence number 6064058
2024-01-17 21:08:01 OSPF: Hello
2024-01-17 21:08:01 OSPF: NetworkMask 255.255.255.248
2024-01-17 21:08:01 OSPF: HelloInterval 10
2024-01-17 21:08:01 OSPF: Options 0x2 (*|-|-|-|-|-|E|-)
2024-01-17 21:08:01 OSPF: RtrPriority 1
2024-01-17 21:08:01 OSPF: RtrDeadInterval 40
2024-01-17 21:08:01 OSPF: DRouter 10.47.66.141
2024-01-17 21:08:01 OSPF: BDRouter 10.47.66.137
2024-01-17 21:08:01 OSPF: # Neighbors 2
2024-01-17 21:08:01 OSPF: Neighbor 192.168.80.98
2024-01-17 21:08:01 OSPF: Neighbor 192.168.80.66
2024-01-17 21:08:01 OSPF: -----------------------------------------------------
2024-01-17 21:08:04 OSPF: LSA[MaxAge]: Maxage walker finished (0.000000 sec)
2024-01-17 21:08:04 OSPF: LSA[Refresh]: timer expired
2024-01-17 21:08:04 OSPF: LSA[-:Type5:10.174.32.128:(self)]: Install AS-external-LSA, 11, 0x7fa2e9ed3500
2024-01-17 21:08:04 OSPF: LSA[-:Type5:10.174.32.128:(self)]: LSA refresh scheduled at LS age 1793
2024-01-17 21:08:04 OSPF: LSA[-:Type5:10.174.32.128:(self)]: Flooding via interface[RL-FW-OUT-PTP:10.47.66.137]
2024-01-17 21:08:04 OSPF: LSA[-:Type5:10.174.32.128:(self)]: Flooding to neighbor[192.168.80.98]
2024-01-17 21:08:04 OSPF: LSA[-:Type5:10.174.32.128:(self)]: Flooding to neighbor[192.168.80.66]
2024-01-17 21:08:04 OSPF: LSA[-:Type5:10.174.32.128:(self)]: Added to neighbor[192.168.80.66]'s retransmit-list
2024-01-17 21:08:04 OSPF: LSA[-:Type5:10.174.32.128:(self)]: Sending update to interface[RL-FW-OUT-PTP:10.47.66.137]
2024-01-17 21:08:04 OSPF: LSA[-:Type5:10.174.32.128:(self)]: AS-external-LSA refreshed
2024-01-17 21:08:04 OSPF: LSA Header
2024-01-17 21:08:04 OSPF: LS age 0
2024-01-17 21:08:04 OSPF: Options 0x2
2024-01-17 21:08:04 OSPF: LS type 5 (AS-external-LSA)
2024-01-17 21:08:04 OSPF: Link State ID 10.174.32.128
2024-01-17 21:08:04 OSPF: Advertising Router 10.32.133.132
2024-01-17 21:08:04 OSPF: LS sequence number 0x80000004
2024-01-17 21:08:04 OSPF: LS checksum 0xea9
2024-01-17 21:08:04 OSPF: length 36
2024-01-17 21:08:04 OSPF: SEND[LS-Upd]: 1 LSAs to destination 224.0.0.5
2024-01-17 21:08:04 OSPF: SEND[LS-Upd]: To 224.0.0.5 via RL-FW-OUT-PTP:10.47.66.137, length 80