Here are a couple of examples of syslog messages that could be seen depending on the configuration of the MD5 passwords on each side: Troubleshooting Examples If BGP neighbor authentication is incorrectly configured (for example, it is either configured on only one peer or the MD5 shared secret (password) does not match on both peers), the following types of syslog messages will be generated: No Password Set on Remote Peer Dec 3 15:01:52: %TCP-6-BADAUTH: No MD5 digest from 192.0.2.2(179) to 192.0.2.1(51954) Incorrect Password Set on Remote Peer Dec 3 15:01:57: %TCP-6-BADAUTH: Invalid MD5 digest from 192.0.2.2(22285) to 192.0.2.1(179) Thanks, John "We can't help everyone, but everyone can help someone." John Stuppi, CISSP Technical Leader Strategic Security Research jstuppi@cisco.com Phone: +1 732 516 5994 Mobile: 732 319 3886 CCIE, Security - 11154 Cisco Systems Mail Stop INJ01/2/ 111 Wood Avenue South Iselin, New Jersey 08830 United States Cisco.com Think before you print. This email may contain confidential and privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive for the recipient), please contact the sender by reply email and delete all copies of this message. For corporate legal information go to: http://www.cisco.com/web/about/doing_business/legal/cri/index.html -----Original Message----- From: Daniel Rohan [mailto:drohan@gmail.com] Sent: Monday, November 25, 2013 1:56 PM To: Eric A Louie Cc: nanog@nanog.org Subject: Re: BGP neighbor/configuration testing Seems like:
Nov 25 06:28:34.837 pacific: %BGP-3-NOTIFICATION: received from neighbor xxx.118.92.149 2/5 (authentication failure) 0 bytes
should be a good starting place. I'm assuming you've already discussed auth keys with your provider and if everyone is putting that in correctly, I'd suggest turning on debugging to see what exactly that message is all about. Dan