
New Member

Cisco 827, VPN, Certificates and Time

Current situation where we have a central Pix setup handling multiple VPNs using Digital certificates and that is all working fine.

We now have a branch office wanting to use VPN over DSL, this is setup and working OK, but we have the following problem:

Whenever the 827 is rebooted/loses power its time resets. This of course poses no end of problems with the certificates when it comes back up again.

I looked into SNTP but as it comes up about 9 years off the current date the time taken to drift back is approximately forever. Also I thought about pre-shared keys but this defeats the whole purpose of the security side and also we lose the certificate revoke ability.

I was wondering if anyone had any ideas ideally how to make SNTP work better or any other solution that would allow us to use certificates correctly after a power loss.

Thanks.

3 REPLIES
Cisco Employee

Re: Cisco 827, VPN, Certificates and Time

I'm a little confused about NTP not working properly. If you simply configure NTP on the router and point it to a valid stratum peer, then the clock on the router should be changed very soon after it comes up; it shouldn't need to "drift back". When dealing with certificates NTP is a necessity, otherwise, as you've seen, you'll run into problems when the routers without battery backups reboot.

New Member

Re: Cisco 827, VPN, Certificates and Time

That would've been my thoughts as well; the NTP server is definitely working as it syncs all our other times here on the network.

I confirmed I am able to ping through to the server to test connectivity. All is well on that side.

I left the router on for 2 days to test that in that time it had managed to "recover" about a day.

The interesting thing to note was that show sntp says "last receive never", yet debug sntp packets clearly shows sntp packets being received with the correct time/date.

I feel there is something inherently wrong with the way SNTP is implemented. I have never had a problem using NTP on higher end routers.

Interestingly it also doesn't work on a 1720 I have here as well. Hmmmmmm

New Member

Re: Cisco 827, VPN, Certificates and Time

Solved!!

It seems it's a problem with our time server here. As said it does sync other devices/routers here.

I pointed the 827 at an internet time source and it happily synced away. Point it back to our server and no joy, even though it is actually getting a response back. I believe it has something to do with stratums, peers, etc.

Anyway as long as it works my problem is solved and I can deal with why it didn't work when I have more time. (i.e. never).

Thanks.
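The symptom in this thread (packets arrive with a plausible time, but the client still reports "last receive never") is what an SNTP client looks like when it receives a reply and then discards it during the sanity checks RFC 4330 requires: leap indicator 3 (server clock unsynchronized), stratum 0 or above 15, a reply that is not in server/broadcast mode, or a zero transmit timestamp. The following is an added example, not code from the thread or from Cisco IOS; it parses a 48-byte SNTP reply, applies those checks, and converts the transmit timestamp to Unix time. The `build_sample_reply` helper and all packets it produces are constructed test data, and the field layout follows RFC 4330.

```python
import struct
from dataclasses import dataclass

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_UNIX_OFFSET = 2208988800


@dataclass
class SntpReply:
    leap: int            # leap indicator, 2 bits; 3 means "clock not synchronized"
    version: int         # NTP version, 3 bits
    mode: int            # 4 = server reply, 5 = broadcast, 3 = client request
    stratum: int         # 0 = unspecified/invalid, 1 = primary, 2-15 = secondary
    transmit_ntp_sec: int
    transmit_unix: float


def parse_sntp(packet: bytes) -> SntpReply:
    """Decode the fixed 48-byte SNTP header (RFC 4330 section 4)."""
    if len(packet) < 48:
        raise ValueError("SNTP reply must be at least 48 bytes")
    li_vn_mode, stratum = packet[0], packet[1]
    leap = li_vn_mode >> 6
    version = (li_vn_mode >> 3) & 0x07
    mode = li_vn_mode & 0x07
    # Transmit timestamp occupies bytes 40-47: 32-bit seconds, 32-bit fraction.
    tx_sec, tx_frac = struct.unpack("!II", packet[40:48])
    transmit_unix = tx_sec - NTP_UNIX_OFFSET + tx_frac / 2 ** 32
    return SntpReply(leap, version, mode, stratum, tx_sec, transmit_unix)


def sanity_problems(reply: SntpReply) -> list:
    """Return the RFC 4330 section 5 reasons a client must discard this reply.

    An empty list means the reply is usable for setting the clock.
    """
    problems = []
    if reply.leap == 3:
        problems.append("leap indicator 3: server clock is not synchronized")
    if reply.stratum == 0 or reply.stratum > 15:
        problems.append("stratum %d is outside the valid range 1-15" % reply.stratum)
    if reply.mode not in (4, 5):
        problems.append("mode %d is not a server (4) or broadcast (5) reply" % reply.mode)
    if reply.transmit_ntp_sec == 0:
        problems.append("transmit timestamp is zero")
    return problems


def build_sample_reply(leap: int, version: int, mode: int,
                       stratum: int, tx_unix: float) -> bytes:
    """Construct a 48-byte reply for testing (constructed data, not a capture)."""
    header = bytes([(leap << 6) | (version << 3) | mode, stratum, 6, 0xEC])  # poll 6, precision -20
    root_delay_disp_refid = struct.pack("!III", 0, 0, 0)
    ntp_sec = int(tx_unix) + NTP_UNIX_OFFSET
    ntp_frac = int((tx_unix - int(tx_unix)) * 2 ** 32)
    timestamp = struct.pack("!II", ntp_sec, ntp_frac)
    # Reference, originate, receive and transmit timestamps; all set to tx_unix here.
    return header + root_delay_disp_refid + timestamp * 4


def accept_reply(packet: bytes):
    """Decide whether a reply may set the clock; returns (accepted, unix_time, problems)."""
    reply = parse_sntp(reply_bytes := packet)
    problems = sanity_problems(reply)
    return (not problems, reply.transmit_unix, problems)


if __name__ == "__main__":
    # A healthy stratum-2 server reply (constructed): accepted.
    good = build_sample_reply(leap=0, version=4, mode=4, stratum=2, tx_unix=1700000000.25)
    # A reply from a server whose own clock is unsynchronized (constructed):
    # the packet arrives and carries a time, but a compliant client discards it,
    # so "last receive" never updates even though a packet debug shows traffic.
    unsynced = build_sample_reply(leap=3, version=4, mode=4, stratum=0, tx_unix=1700000000.0)
    for name, pkt in (("good", good), ("unsynced", unsynced)):
        ok, when, why = accept_reply(pkt)
        print(name, "accepted" if ok else "discarded", int(when), why)
```

The check to run against a time server that "answers but is never used" is therefore the stratum and leap fields of its replies, not just reachability: a server that is itself unsynchronized announces stratum 0 or LI=3 and will be ignored by any conforming SNTP client.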
