[AusNOG] IPSEC time skew renegotiate?

Ben Dale bdale at comlinx.com.au
Mon Jan 13 11:33:36 EST 2014


Hi Geordie,

Did you end up getting to the bottom of this? 

> LIfetime is an hour / 4608000KB.  Group 2, PFS, NAT-T, fairly boring policy and proposals.  It's dropping every half hour more or less on the half hour and comes back up a few seconds later.  The reason I was staring at the NTP shift is it's obviously something happening on a very regular schedule and the drops are very regular too.


I just got back in front of a Netscreen/SSG:

SSG default P1 is 28800, default P2 is 3600.

According to Cisco[1]:

ASA default P1 is 86400, default P2 is 28800.
IOS default P1 is 86400, default P2 is 3600.

Not sure if the lifetime you're providing above is ISAKMP or IPSEC (assuming the latter), but having a timer mismatch in configuration will still bring up the tunnel - but cause issues like you describe when the hub side tears down the SA and can't re-establish it because the peer is behind a NAT or similar.

NTP is not used - expiry of P1/P2 in a PSK IPSEC environment is a simple count down timer and not based on a specific timestamp.  

In an PKI-based IPSEC environment, the system clock is used only to confirm certificate validity, so again, minor (or even major) skew won't break anything.  If you let your certificates expire, you might find one end goes invalid before the other, but that's about it.

Feel free to unicast any config/logs if you're stuck.

[1] Assuming you are using Cisco: https://supportforums.cisco.com/docs/DOC-25467

> 
> 
> On Mon, Jan 6, 2014 at 3:13 PM, Colin Stubbs <colin.stubbs at equatetechnologies.com.au> wrote:
> 
> Very unlikely to be directly a time/NTP issue if it's that small a difference.
> 
> Encryption and authentication with basic IPSec PSK type configurations isn't dependent on time synchronisation with peers. 
> 
> Expiry of negotiated phase 1/2 parameters might happen if there was a larger skew, e.g. minutes/hours.
> 
> I'd lean towards a phase 2 renegotiation failure. Or software bug triggered by time skew and adjustment.
> 
> What are the phase 1 and 2 parameters for each side of the tunnel ? e.g. lifetime in seconds and/or bytes ?
> 
> 
> On 6 January 2014 13:09, Geordie Guy <elomis at gmail.com> wrote:
> G'day NOGgers,
> 
> We have an IPSEC peer that keeps dropping the tunnel and renegotiating. The only events in the logs on their side that look like they could be related are a fairly constant NTP update which is causing their Netscreen to adjust by between 3 and 13 milliseconds every ten minutes.  Would this cause the tunnel to renegotiate when the clock changed?  It seems to happen on the half hour every half hour, or every three NTP updates.
> 
> - Geordie
> 
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
> 
> 
> 
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20140113/9fecc6a9/attachment.html>


More information about the AusNOG mailing list