[AusNOG] IPSEC time skew renegotiate?

Ben Dale bdale at comlinx.com.au
Mon Jan 6 15:08:02 EST 2014


Hi Geordie,

On 06/01/2014, at 1:09 PM, Geordie Guy <elomis at gmail.com> wrote:

> G'day NOGgers,
> 
> We have an IPSEC peer that keeps dropping the tunnel and renegotiating. The only events in the logs on their side that look like they could be related are a fairly constant NTP update which is causing their Netscreen to adjust by between 3 and 13 milliseconds every ten minutes.  Would this cause the tunnel to renegotiate when the clock changed?  It seems to happen on the half hour every half hour, or every three NTP updates.
> 
It's unlikely to be NTP related unless you're using PKI for authentication (and even then the skew would need to be a lot bigger than a few ms), but more likely P1/P2 timer mismatch.  

Double check the settings as Cisco and Netscreen defaults are reversed eg: 3600 seconds for Phase 1 on Netscreen, but 86400 for Cisco and vice-versa for Phase 2 (or it could be the other way around).

Ben




More information about the AusNOG mailing list