Cisco 827, VPN, Certificates and Time

lukebutcher
Level 1

Current situation where we have a central Pix setup handling multiple VPNs using Digital certificates and that is all working fine.

We now have a branch office wanting to use VPN over DSL, this is setup and working OK, but we have the following problem:

Whenever the 827 is rebooted/loses power its time resets. This of course poses no end of problems with the certificates when it comes back up again.

I looked into SNTP but as it comes up about 9 years off the current date the time taken to drift back is approximately forever. Also I thought about pre-shared keys but this defeats the whole purpose of the security side and also we lose the certificate revoke ability.

I was wondering if anyone had any ideas ideally how to make SNTP work better or any other solution that would allow us to use certificates correctly after a power loss.

Thanks.

3 Replies

gfullage
Cisco Employee

I'm a little confused about NTP not working properly. If you simply configure NTP on the router and point it to a valid stratum peer, then the clock on the router should be changed very soon after it comes up, it shouldn't need to "drift back". When dealing with certificates NTP is a necessity, otherwise, as you've seen, you'll run into problems when the routers without battery backups reboot.

That would've been my thoughts as well, the NTP server is definitely working as it syncs all our other times here on the network.

I confirmed I am able to ping through to the server to test connectivity. All is well on that side.

I left the router on for 2 days to test that in that time it had managed to "recover" about a day.

The interesting thing to note was that a show sntp says last receive never, yet debug sntp packets clearly shows sntp packets being received with the correct time/date.

I feel there is something inherently wrong with the way SNTP is implemented. I have never had a problem using NTP on higher end routers.

Interestingly it also doesn't work on a 1720 I have here as well. Hmmmmmm
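As an added example, not from this thread or from Cisco: a small Python model of the SNTP exchange (RFC 4330) and of the certificate time check that fails when a router clock resets. It builds a constructed server reply, applies the sanity checks a client performs before accepting one, computes the clock offset, and shows the certificate window check before and after the correction; the "server answers but is itself unsynchronized" case (LI=3, stratum 0) is one standard reason a client ignores a reply that visibly arrives, offered as a possibility only, since the thread does not establish the real cause. The 1993 reset clock, the 2002 true time and the certificate dates are constructed values chosen to match the "about 9 years off" reported above.

```python
import struct
from datetime import datetime, timezone

NTP_EPOCH_OFFSET = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)
# Constructed clocks: the true time, and a router clock that reset at boot (about 9 years behind).
TRUE_NOW = datetime(2002, 6, 15, 12, 0, 0, tzinfo=timezone.utc).timestamp()
RESET_CLOCK = datetime(1993, 3, 1, tzinfo=timezone.utc).timestamp()

def to_ntp(unix_seconds):
    """Encode a Unix time as a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    whole = int(unix_seconds) + NTP_EPOCH_OFFSET
    return (whole << 32) | int((unix_seconds - int(unix_seconds)) * (1 << 32))

def from_ntp(ts):
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / (1 << 32)

def build_reply(stratum, li, t1, t2, t3):
    """Constructed 48-byte SNTP v4 server reply in the RFC 4330 layout."""
    first = (li << 6) | (4 << 3) | 4                  # leap indicator, version 4, mode 4 (server)
    head = struct.pack("!BBbbII", first, stratum, 6, -20, 0, 0) + b"GPS\x00"
    return head + struct.pack("!QQQQ", to_ntp(t2), to_ntp(t1), to_ntp(t2), to_ntp(t3))

def parse_reply(pkt, t1, t4):
    """Sanity-check a reply as an SNTP client must; return (usable, reason, offset in seconds)."""
    if len(pkt) < 48:
        return False, "short packet", None
    li, mode, stratum = pkt[0] >> 6, pkt[0] & 7, pkt[1]
    if mode != 4:
        return False, "mode %d is not a server reply" % mode, None
    if li == 3:
        return False, "server reports its clock is not synchronized (LI=3)", None
    if stratum == 0 or stratum > 15:
        return False, "stratum %d is unusable (kiss-o'-death or unsynchronized)" % stratum, None
    orig, recv, xmit = struct.unpack("!QQQ", pkt[24:48])
    if orig != to_ntp(t1):
        return False, "originate timestamp does not match our request", None
    t2, t3 = from_ntp(recv), from_ntp(xmit)
    return True, "ok", ((t2 - t1) + (t3 - t4)) / 2    # RFC 4330 clock offset formula

def cert_time_valid(now, not_before, not_after):
    """The validity-window check a certificate-based IKE peer makes against its own clock."""
    return not_before <= now <= not_after

def demo():
    t1, t4 = RESET_CLOCK, RESET_CLOCK + 0.05          # request sent / reply received, per the wrong clock
    good = build_reply(2, 0, t1, TRUE_NOW, TRUE_NOW)  # healthy stratum-2 server
    bad = build_reply(0, 3, t1, TRUE_NOW, TRUE_NOW)   # server that answers but is itself unsynchronized
    usable, _, offset = parse_reply(good, t1, t4)
    rejected, why, _ = parse_reply(bad, t1, t4)
    nb = datetime(2002, 1, 1, tzinfo=timezone.utc).timestamp()  # constructed certificate validity window
    na = datetime(2003, 1, 1, tzinfo=timezone.utc).timestamp()
    return {"reply_usable": usable, "offset_days": offset / 86400,
            "cert_ok_before_sync": cert_time_valid(t4, nb, na),
            "cert_ok_after_sync": cert_time_valid(t4 + offset, nb, na),
            "unsynced_reply_rejected": not rejected, "reason": why}
```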

lukebutcher
Level 1

Solved!!

It seems it's a problem with our time server here. As said it does sync other devices/routers here.

I pointed the 827 at an internet time source and it happily synced away. Point it back to our server and no joy, even though it is actually getting a response back. I believe it has something to do with stratums, peers, etc.

Anyway as long as it works my problem is solved and I can deal with why it didn't work when I have more time. (i.e. never).

Thanks.
