Save the approximated date-and-time in NVRAM

In certificate-based IPSec deployments, the router has to establish an approximately valid date and time before it can use a certificate to establish IPSec session (as most certificates were issued after March 1st 2002, which is the default initial value, they are not valid until the router has acquired an approximately correct date-and-time).

This requirement is not a problem for most router models, as they have battery-backed hardware clock that continues running even when a router is reloaded or powered down. The low-end models, though, have a problem, as they always start with the default date/time after the reload. These devices have to get their time from an NTP/SNTP server before being able to establish the IPSec session. If the (S)NTP server is only accessible across the VPN, you have a nice chicken-and-egg problem. Cisco solved this problem in IOS release 12.3(2)T with the clock save interval hours configuration command. This command saves the NTP-acquired date and time in NVRAM every x hours (from 8 to 24 hours), making sure the router will have an approximated time that is good enough to get a valid certificate after the reload.
Add comment
Sidebar