[AusNOG] IPSEC time skew renegotiate?
Brad McGinn
bmcginn at thiess.com.au
Mon Jan 6 16:36:36 EST 2014
Hi there,
What's the debugs showing on the cisco end? Assuming you can put the debugs on without killing the device..
debug cry isa
debug cry ipsec
When the disconnection occurs there should be a reason sitting in the debug output. Hopefully it isn't too cryptic to work out :)
Brad
From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Geordie Guy
Sent: Monday, 6 January 2014 3:32 PM
To: Colin Stubbs
Cc: <ausnog at lists.ausnog.net>
Subject: Re: [AusNOG] IPSEC time skew renegotiate?
LIfetime is an hour / 4608000KB. Group 2, PFS, NAT-T, fairly boring policy and proposals. It's dropping every half hour more or less on the half hour and comes back up a few seconds later. The reason I was staring at the NTP shift is it's obviously something happening on a very regular schedule and the drops are very regular too.
G
On Mon, Jan 6, 2014 at 3:13 PM, Colin Stubbs <colin.stubbs at equatetechnologies.com.au<mailto:colin.stubbs at equatetechnologies.com.au>> wrote:
Very unlikely to be directly a time/NTP issue if it's that small a difference.
Encryption and authentication with basic IPSec PSK type configurations isn't dependent on time synchronisation with peers.
Expiry of negotiated phase 1/2 parameters might happen if there was a larger skew, e.g. minutes/hours.
I'd lean towards a phase 2 renegotiation failure. Or software bug triggered by time skew and adjustment.
What are the phase 1 and 2 parameters for each side of the tunnel ? e.g. lifetime in seconds and/or bytes ?
On 6 January 2014 13:09, Geordie Guy <elomis at gmail.com<mailto:elomis at gmail.com>> wrote:
G'day NOGgers,
We have an IPSEC peer that keeps dropping the tunnel and renegotiating. The only events in the logs on their side that look like they could be related are a fairly constant NTP update which is causing their Netscreen to adjust by between 3 and 13 milliseconds every ten minutes. Would this cause the tunnel to renegotiate when the clock changed? It seems to happen on the half hour every half hour, or every three NTP updates.
- Geordie
_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net<mailto:AusNOG at lists.ausnog.net>
http://lists.ausnog.net/mailman/listinfo/ausnog
_____________________________________________________________________
IMPORTANT - This email and any attachments may be confidential and privileged.
If received in error, please contact Thiess and delete all copies. You may not
rely on advice and documents received by email unless confirmed by a signed Thiess
letter. This restriction on reliance will not apply to the extent that the above email
communication is between parties to a contract and is authorised under that contract.
Before opening or using attachments, check them for viruses and defects. Thiess'
liability is limited to resupplying any affected attachments.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20140106/9d036918/attachment.html>
More information about the AusNOG
mailing list