<div dir="ltr">LIfetime is an hour / 4608000KB. Group 2, PFS, NAT-T, fairly boring policy and proposals. It's dropping every half hour more or less on the half hour and comes back up a few seconds later. The reason I was staring at the NTP shift is it's obviously something happening on a very regular schedule and the drops are very regular too.<div>
<br></div><div>G<br><div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Jan 6, 2014 at 3:13 PM, Colin Stubbs <span dir="ltr"><<a href="mailto:colin.stubbs@equatetechnologies.com.au" target="_blank">colin.stubbs@equatetechnologies.com.au</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><br><div>Very unlikely to be directly a time/NTP issue if it's that small a difference.</div><div><br>
</div><div>Encryption and authentication with basic IPSec PSK type configurations isn't dependent on time synchronisation with peers. </div>
<div><br></div><div>Expiry of negotiated phase 1/2 parameters might happen if there was a larger skew, e.g. minutes/hours.</div><div class="gmail_extra"><div><div dir="ltr"><br></div></div>
I'd lean towards a phase 2 renegotiation failure. Or software bug triggered by time skew and adjustment.</div><div class="gmail_extra"><br></div><div class="gmail_extra"><div>What are the phase 1 and 2 parameters for each side of the tunnel ? e.g. lifetime in seconds and/or bytes ?</div>
<div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote"><div><div class="h5">On 6 January 2014 13:09, Geordie Guy <span dir="ltr"><<a href="mailto:elomis@gmail.com" target="_blank">elomis@gmail.com</a>></span> wrote:<br>
</div></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div><div class="h5"><div dir="ltr">G'day NOGgers,<div>
<br></div><div>We have an IPSEC peer that keeps dropping the tunnel and renegotiating. The only events in the logs on their side that look like they could be related are a fairly constant NTP update which is causing their Netscreen to adjust by between 3 and 13 milliseconds every ten minutes. Would this cause the tunnel to renegotiate when the clock changed? It seems to happen on the half hour every half hour, or every three NTP updates.</div>
<span><font color="#888888">
<div><br></div><div>- Geordie</div></font></span></div>
<br></div></div>_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
<br></blockquote></div><br></div></div>
</blockquote></div><br></div></div></div></div>