[AusNOG] IPSEC time skew renegotiate?

Geordie Guy elomis at gmail.com
Mon Jan 6 16:32:05 EST 2014


Lifetime is an hour / 4608000KB.  Group 2, PFS, NAT-T, fairly boring policy
and proposals.  It's dropping every half hour more or less on the half hour
and comes back up a few seconds later.  The reason I was staring at the NTP
shift is it's obviously something happening on a very regular schedule and
the drops are very regular too.

G


On Mon, Jan 6, 2014 at 3:13 PM, Colin Stubbs <
colin.stubbs at equatetechnologies.com.au> wrote:

>
> Very unlikely to be directly a time/NTP issue if it's that small a
> difference.
>
> Encryption and authentication with basic IPSec PSK type configurations
> isn't dependent on time synchronisation with peers.
>
> Expiry of negotiated phase 1/2 parameters might happen if there was a
> larger skew, e.g. minutes/hours.
>
> I'd lean towards a phase 2 renegotiation failure. Or software bug
> triggered by time skew and adjustment.
>
> What are the phase 1 and 2 parameters for each side of the tunnel ? e.g.
> lifetime in seconds and/or bytes ?
>
>
> On 6 January 2014 13:09, Geordie Guy <elomis at gmail.com> wrote:
>
>> G'day NOGgers,
>>
>> We have an IPSEC peer that keeps dropping the tunnel and renegotiating.
>> The only events in the logs on their side that look like they could be
>> related are a fairly constant NTP update which is causing their Netscreen
>> to adjust by between 3 and 13 milliseconds every ten minutes.  Would this
>> cause the tunnel to renegotiate when the clock changed?  It seems to happen
>> on the half hour every half hour, or every three NTP updates.
>>
>> - Geordie
>>
>>
>
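An added example (my code, not Geordie's or Colin's) of the two checks the thread is circling: whether the drops line up with the NTP steps, and whether the 4608000KB byte lifetime rather than the one-hour lifetime is what could fire every half hour. The log lines and their wording are constructed, not Netscreen output.

```python
# Added example, not from the thread: correlate tunnel drops with NTP steps and
# check which phase 2 lifetime a sustained throughput would exhaust first.
import re
from datetime import datetime, timedelta

LIFETIME_SECONDS = 3600      # phase 2 lifetime stated in the thread (one hour)
LIFETIME_KB = 4608000        # phase 2 byte lifetime stated in the thread

# Constructed, syslog-style lines mirroring the thread (NTP every 10 min,
# drops on the half hour); the message wording is hypothetical.
LOG = """\
2014-01-06 13:00:02 ntp: clock adjusted by 7 ms
2014-01-06 13:00:05 ipsec: SA down, phase 2 lifetime expired
2014-01-06 13:10:01 ntp: clock adjusted by 4 ms
2014-01-06 13:20:03 ntp: clock adjusted by 11 ms
2014-01-06 13:30:01 ntp: clock adjusted by 3 ms
2014-01-06 13:30:05 ipsec: SA down, phase 2 lifetime expired
2014-01-06 14:00:03 ntp: clock adjusted by 6 ms
2014-01-06 14:00:05 ipsec: SA down, phase 2 lifetime expired
""".splitlines()

LINE = re.compile(r"^(\S+ \S+) (ntp|ipsec): (.*)$")

def parse_events(lines):
    """Split log lines into (drop timestamps, NTP adjustment timestamps)."""
    drops, ntp = [], []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        (ntp if m.group(2) == "ntp" else drops).append(ts)
    return drops, ntp

def drop_period_seconds(drops):
    """Median interval between consecutive drops (None if fewer than two)."""
    gaps = sorted((b - a).total_seconds() for a, b in zip(drops, drops[1:]))
    return gaps[len(gaps) // 2] if gaps else None

def ntp_coincidence(drops, ntp, window=timedelta(seconds=30)):
    """Fraction of drops preceded by an NTP step within `window`. With NTP
    firing every 10 min this is high by chance, so it is weak evidence alone."""
    hits = sum(any(timedelta(0) <= d - n <= window for n in ntp) for d in drops)
    return hits / len(drops) if drops else 0.0

def first_lifetime_to_expire(kb_per_second):
    """Return (which lifetime, seconds until it expires) at a steady rate."""
    by_bytes = LIFETIME_KB / kb_per_second if kb_per_second > 0 else float("inf")
    if by_bytes < LIFETIME_SECONDS:
        return "bytes", by_bytes
    return "seconds", float(LIFETIME_SECONDS)
```

At a sustained 2560 KB/s (about 20 Mbit/s) the byte lifetime alone expires in 1800 s, which is the half-hour period reported; comparing the tunnel's actual throughput against that figure separates a byte-count rekey from a time-based one.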