<div dir="ltr"><div><div><div><div><div><div><div><div>Hi There,<br><br></div>Sorry could not get back on this earlier,<br><br>> Great, glad it's fixed! Are these VMs? If not, you may wish to<br>> (re?)configure automatic syncing.<br></div> yes these are AWS instances. How do I reconfigure auto syncing . Is there a documentation I can follow.<br></div><div>Sorry, haven't done this before and not much info on that part<br></div><div><br></div><br></div>Apart from this , I also have a correlation between the "Clock skew" issue and an earlier issue that I posted in another thread.<br></div>Basically , noticed that whenver I see clock skew errors, I see a lot of connections in SYNC_RECV state.<br><br></div>this is the list of SYNC_RECV connections<br><br>tcp 0 0 <a href="http://10.0.8.45:88">10.0.8.45:88</a> <a href="http://10.0.30.49:42695">10.0.30.49:42695</a> SYN_RECV<br>tcp 0 0 <a href="http://10.0.8.45:88">10.0.8.45:88</a> <a href="http://10.0.15.72:44991">10.0.15.72:44991</a> SYN_RECV<br>tcp 0 0 <a href="http://10.0.8.45:88">10.0.8.45:88</a> <a href="http://10.0.2.82:53265">10.0.2.82:53265</a> SYN_RECV<br>tcp 0 0 <a href="http://10.0.8.45:88">10.0.8.45:88</a> <a href="http://10.0.31.253:57682">10.0.31.253:57682</a> SYN_RECV<br>tcp 0 0 <a href="http://10.0.8.45:88">10.0.8.45:88</a> <a href="http://10.0.34.208:53488">10.0.34.208:53488</a> SYN_RECV<br>tcp 0 0 <a href="http://10.0.8.45:88">10.0.8.45:88</a> <a href="http://10.0.27.17:47245">10.0.27.17:47245</a> SYN_RECV<br>tcp 0 0 <a href="http://10.0.8.45:88">10.0.8.45:88</a> <a href="http://10.0.17.53:54504">10.0.17.53:54504</a> SYN_RECV<br>tcp 0 0 <a href="http://10.0.8.45:88">10.0.8.45:88</a> <a href="http://10.0.24.78:47796">10.0.24.78:47796</a> SYN_RECV<br>tcp 0 0 <a href="http://10.0.8.45:88">10.0.8.45:88</a> <a href="http://10.0.4.246:33607">10.0.4.246:33607</a> SYN_RECV<br>tcp 0 0 <a href="http://10.0.8.45:88">10.0.8.45:88</a> <a href="http://10.0.27.91:34190">10.0.27.91:34190</a> SYN_RECV<br>tcp 0 0 <a href="http://10.0.8.45:88">10.0.8.45:88</a> <a href="http://10.0.27.248:38012">10.0.27.248:38012</a> SYN_RECV<br>tcp 0 0 <a href="http://10.0.8.45:88">10.0.8.45:88</a> <a href="http://10.0.15.139:51319">10.0.15.139:51319</a> SYN_RECV<br>tcp 0 0 <a href="http://10.0.8.45:88">10.0.8.45:88</a> <a href="http://10.0.15.175:41188">10.0.15.175:41188</a> SYN_RECV<br><br><br></div>Thanks,<br></div>Rakesh <br><div><div><div><div><div><div><div><div><br><br></div></div></div></div></div></div></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jan 10, 2017 at 12:48 AM, Robbie Harwood <span dir="ltr"><<a href="mailto:rharwood@redhat.com" target="_blank">rharwood@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">Rakesh Rajasekharan <<a href="mailto:rakesh.rajasekharan@gmail.com">rakesh.rajasekharan@gmail.com</a><wbr>> writes:<br> <br> > There were about 1500 hosts that were alerting for "clock skew" and the<br> > issue went away only after I did a resync using ntpdate on all those hosts<br> <br> </span>Great, glad it's fixed! Are these VMs? If not, you may wish to<br> (re?)configure automatic syncing.<br> <span class=""><br> > Is it possible that so many higher number of minor offsets adds up and<br> > causes it. Coz from the individual offset it looks much below the 5min limit<br> <br> </span>Not as such, if I understand you correctly? This should only be a<br> problem between any two machines that need to communicate (including the<br> freeipa KDC).<br> <span class=""><br> > Or, is there a way to tell whats the offset limit its actually looking for.<br> <br> </span>5 minutes almost certainly. The parameter to configure it is<br> "clockskew" in the config files, but I don't think IPA touches that.<br> <br> Hope that helps,<br> --Robbie<br> </blockquote></div><br></div>