<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<style>
<!--
@font-face
        {font-family:Wingdings}
@font-face
        {font-family:"Cambria Math"}
@font-face
        {font-family:Calibri}
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif"}
a:link, span.MsoHyperlink
        {color:blue;
        text-decoration:underline}
a:visited, span.MsoHyperlinkFollowed
        {color:purple;
        text-decoration:underline}
span.EmailStyle17
        {font-family:"Calibri","sans-serif";
        color:#1F497D}
.MsoChpDefault
        {font-family:"Calibri","sans-serif"}
@page WordSection1
        {margin:72.0pt 72.0pt 72.0pt 72.0pt}
div.WordSection1
        {}
-->
</style>
</head>
<body lang="EN-AU" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D">Hi there,</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D"> </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D">What are the debugs showing on the Cisco end?  Assuming you can put the debugs on without killing the device.</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D"> </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D">debug cry isa</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D">debug cry ipsec</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D"> </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D">When the disconnection occurs there should be a reason sitting in the debug output.  Hopefully it isn’t too cryptic to work out :)</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D"> </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D">Brad</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D"> </span></p>
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:11.0pt; font-family:"Calibri","sans-serif"">From:</span></b><span lang="EN-US" style="font-size:11.0pt; font-family:"Calibri","sans-serif""> AusNOG [mailto:ausnog-bounces@lists.ausnog.net]
<b>On Behalf Of </b>Geordie Guy<br>
<b>Sent:</b> Monday, 6 January 2014 3:32 PM<br>
<b>To:</b> Colin Stubbs<br>
<b>Cc:</b> &lt;ausnog@lists.ausnog.net&gt;<br>
<b>Subject:</b> Re: [AusNOG] IPSEC time skew renegotiate?</span></p>
<p class="MsoNormal"> </p>
<div>
<p class="MsoNormal">Lifetime is an hour / 4608000KB.  Group 2, PFS, NAT-T, fairly boring policy and proposals.  It's dropping every half hour more or less on the half hour and comes back up a few seconds later.  The reason I was staring at the NTP shift is
 it's obviously something happening on a very regular schedule and the drops are very regular too.</p>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">G</p>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"> </p>
<div>
<p class="MsoNormal">On Mon, Jan 6, 2014 at 3:13 PM, Colin Stubbs &lt;<a href="mailto:colin.stubbs@equatetechnologies.com.au" target="_blank">colin.stubbs@equatetechnologies.com.au</a>&gt; wrote:</p>
<blockquote style="border:none; border-left:solid #CCCCCC 1.0pt; padding:0cm 0cm 0cm 6.0pt; margin-left:4.8pt; margin-right:0cm">
<div>
<p class="MsoNormal"> </p>
<div>
<p class="MsoNormal">Very unlikely to be directly a time/NTP issue if it's that small a difference.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Encryption and authentication with basic IPSec PSK type configurations isn't dependent on time synchronisation with peers. </p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Expiry of negotiated phase 1/2 parameters might happen if there was a larger skew, e.g. minutes/hours.</p>
</div>
<div>
<div>
<div>
<p class="MsoNormal"> </p>
</div>
</div>
<p class="MsoNormal">I'd lean towards a phase 2 renegotiation failure. Or software bug triggered by time skew and adjustment.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<div>
<p class="MsoNormal">What are the phase 1 and 2 parameters for each side of the tunnel? e.g. lifetime in seconds and/or bytes?</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
</div>
<div>
<p class="MsoNormal"> </p>
<div>
<div>
<div>
<p class="MsoNormal">On 6 January 2014 13:09, Geordie Guy &lt;<a href="mailto:elomis@gmail.com" target="_blank">elomis@gmail.com</a>&gt; wrote:</p>
</div>
</div>
<blockquote style="border:none; border-left:solid #CCCCCC 1.0pt; padding:0cm 0cm 0cm 6.0pt; margin-left:4.8pt; margin-right:0cm">
<div>
<div>
<div>
<p class="MsoNormal">G'day NOGgers,</p>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">We have an IPSEC peer that keeps dropping the tunnel and renegotiating. The only events in the logs on their side that look like they could be related are a fairly constant NTP update which is causing their Netscreen to adjust by between
 3 and 13 milliseconds every ten minutes.  Would this cause the tunnel to renegotiate when the clock changed?  It seems to happen on the half hour every half hour, or every three NTP updates.</p>
</div>
<div>
<p class="MsoNormal"><span style="color:#888888"> </span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:#888888">- Geordie</span></p>
</div>
</div>
<p class="MsoNormal"> </p>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt">_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a></p>
</blockquote>
</div>
<p class="MsoNormal"> </p>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"> </p>
</div>
</div>
</div>
</div>
</div>
</body>
</html>