Firewall-1
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [FW-1] Time synch

from Alexander Hoogerhuis [Permanent Link]
Subject: Re: [FW-1] Time synch
From: Alexander Hoogerhuis <alexh AT IHATENT DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Sun, 27 Jul 2003 02:14:38 +0200 
"La Coursiere, Jeff" <Jeff.LaCoursiere AT T-MOBILE DOT NET> writes:

> Hi All,
>
> Noticed today that our office firewall was not setup to synch its
> time to our NTP server, and was off by about 7 minutes.  When we
> setup xntpd a number of our VPNs crashed.  Assumed this was due to
> SAs expiring or something, and they came back to life on their own a
> while later.
>
> Since then I did a quick inventory on the remote firewalls and one
> that has not been touched in almost two years is actually off by 1.5
> hours!  I am now very afraid to touch its clock, let alone setup
> time synch on it.  Has anyone any experience resetting clocks on VPN
> boxes?  Some advice, please :)
>

Assuming this is a sensible UNIX setup, it should only run ntpdate on
boot, and not if started at runtime. What probably happened was that
your machine did a "rdate" or "ntpdate" while starting the service,
and this cause time to reverse, which would trigger all kinds of
wonderous fun with regards to anti-replay functions in IPSec.

If it had started without forcing the time right time on the machine,
and let it drift into sync, time would be continuous and increasing;
it would have slowed or sped the machine's time to slowly concur with
actual time.

> Thanks,
>
> Jeff LaCoursiere
> Infrastructure Specialist
> TMIUK
>

mvh,
A
--
Alexander Hoogerhuis                               | alexh AT ihatent DOT com
CCNP - CCDP - MCNE - CCSE                          | +47 908 21 485
"You have zero privacy anyway. Get over it."  --Scott McNealy

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [FW-1] "th_flags 2 message_info SYN for established connection" Message, Cihan Subasi (Garanti Teknoloji)
Next by Date:  Re: [FW-1] NG newbie, rrutherford
Previous by Thread:  Re: [FW-1] Time synch, Hannu Liljemark
Next by Thread:  [FW-1] Trouble with external certifate auth for VPN Tunneling!! Any help would be very much appreciated!!! extended message, Carlos Santos
Indexes:  [Date] [Thread] [Top] [All Lists]