Joe_Kanaszka
Advisor

Could gateway time change break site to site VPN?

Morning guys and gals. 

I upgraded my standalone open server in our disaster recovery site (DR) in New Jersey (NJ) from R80.30 to R81.20 JHF 26 two weeks ago. All was good. It is one end of a site to site VPN to our site in New York (NY). The gateway in NY is still on R80.40 take 176? (I’m on the bus so I can’t check).
Last week we had the standalone server at our DR site go down due to a power issue in our rack. We needed to reconfigure the BIOS but forgot to set the correct time. It was off by like 5/6 hours - so GAIA OS was obviously also skewed. Still everything seemed ok until a few days ago.
I was making some mobile VPN authentication changes on the standalone in DR while sitting in our site in NY and during my changes the server seemed to become unresponsive. I thought the server went down again but it did not. There seemed to have been a flap in the site to site tunnel. Yesterday I noticed the time difference on the gateway in DR and changed it in the GAIA portal. Afterwards, I was creating a backup in GAIA portal of the gateway in DR while in my office in NY and shortly after the backup completed successfully the gateway in NJ seemed to go down again. I ran a ping to an IP at our DR site and it was unresponsive. I then ran a continuous ping to the same IP at our DR site from NY preparing to take the 20 minute Lyft ride to our DR site and the ping became responsive again. I was like “What?!” According to the GAIA portal in NJ (DR site) the server did not go down as the uptime was showing the correct last scheduled boot. Now here’s where it gets even weirder. I can ping a server in NJ from our site in NY. However I cannot ping a server in NY from NJ. According to the logs in NJ, I’m not getting any ICMP replies. When I look at the logs in NY, it does not appear that I am decrypting any VPN traffic from NJ to NY.
I have a case opened up with TAC but I wanted to get your guys' opinions.
Could my time change on the gateway in NJ have “confused” the site to site since it had been running fine until I changed the time yesterday?

I have pushed policy in DR - no change. I have not rebooted the gateway in DR yet. Perhaps a “reset” of the tunnel?
Thanks for any help guys. 

0 Kudos
1 Reply
Chris_Atkinson
Employee

NTP is recommended to keep time synced for a host of reasons. You'd need to dig further into it to determine the relevance, but as far as possible factors go and implications for VPN reliability, yes.

CCSM R77/R80/ELITE
0 Kudos
