Symptom
A CRS-1 or XR12000 router configured for ISIS LSP MD5 authentication may send LSPs to neighbors that fail the MD5 checksum match. The only LSPs that fail are LSPs that the IOS-XR box received from other ISIS peers that have the Maximum Area Address field in the LSP header set to 3. Cisco IOS-XR and IOS routers set this field to 0 for an LSP that they generate.
The IOS-XR router is always setting this max-area addresses (number of areas allowed in an AS) to be 0 irrespective of the incoming LSP's header value received before flooding the LSP to it's neighbors.
The result is the MD5 checksum check fails and the LSP that the IOS-XR box flooded is not accepted by the peer device.
When this happens the following errors may be seen on an IOS ISIS neighbor.
ISIS-AuthInfo: Packet failed the md5 check, 119 bytes, type 20
%CLNS-4-AUTH_FAIL: ISIS: LSP authentication failed
Conditions
This is only happening in ISIS networks with non-Cisco routers that send max-area addresses equal to 3. All other LSP that have max-area addresses set to 0 are unaffected.
Workaround
Disable ISIS LSP MD5 authentication.
