Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FW-1] Time synch

To: [email protected]
Subject: Re: [FW-1] Time synch
From: Alexander Hoogerhuis <[email protected]>
Date: Sun, 27 Jul 2003 02:14:38 +0200
In-reply-to: <B7210DA662AACF4AB819B485A2B37CDD6BB638@tmexbridge.hammersmith.t-motion.co.uk>
References: <B7210DA662AACF4AB819B485A2B37CDD6BB638@tmexbridge.hammersmith.t-motion.co.uk>
Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
Sender: Mailing list for discussion of Firewall-1 <[email protected]>
User-agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.3

"La Coursiere, Jeff" <[email protected]> writes:

> Hi All,
>
> Noticed today that our office firewall was not setup to synch its
> time to our NTP server, and was off by about 7 minutes.  When we
> setup xntpd a number of our VPNs crashed.  Assumed this was due to
> SAs expiring or something, and they came back to life on their own a
> while later.
>
> Since then I did a quick inventory on the remote firewalls and one
> that has not been touched in almost two years is actually off by 1.5
> hours!  I am now very afraid to touch its clock, let alone setup
> time synch on it.  Has anyone any experience resetting clocks on VPN
> boxes?  Some advice, please :)
>

Assuming this is a sensible UNIX setup, it should only run ntpdate on
boot, and not if started at runtime. What probably happened was that
your machine did a "rdate" or "ntpdate" while starting the service,
and this cause time to reverse, which would trigger all kinds of
wonderous fun with regards to anti-replay functions in IPSec.

If it had started without forcing the time right time on the machine,
and let it drift into sync, time would be continuous and increasing;
it would have slowed or sped the machine's time to slowly concur with
actual time.

> Thanks,
>
> Jeff LaCoursiere
> Infrastructure Specialist
> TMIUK
>

mvh,
A
--
Alexander Hoogerhuis                               | [email protected]
CCNP - CCDP - MCNE - CCSE                          | +47 908 21 485
"You have zero privacy anyway. Get over it."  --Scott McNealy

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================

References:
- [FW-1] Time synch
  - From: "La Coursiere, Jeff" <[email protected]>

Prev by Date: Re: [FW-1] "th_flags 2 message_info SYN for established connection" Message
Next by Date: Re: [FW-1] NG newbie
Previous by thread: Re: [FW-1] Time synch
Next by thread: [FW-1] Trouble with external certifate auth for VPN Tunneling!! Any help would be very much appreciated!!! extended message
Index(es):
- Date
- Thread