Hi,
I am running NTPv4.2.4p on 2 servers and any clients configured for
autokey. I have system stats running on the server and as you can see
I get a little more than 20% 'bad authentication' pegs compared to
'packets received' pegs. ('packets received' is 4th field while
bad_auth is 2nd to last field). This happens on both servers.

54739 588.978 290 848 15 848 0 0 0 0 224 0
54739 4188.977 291 1082 13 1082 0 0 0 0 228 0
54739 7788.978 292 826 12 826 0 0 0 0 191 0
54739 11388.978 293 1054 13 1054 0 0 0 0 240 0
54739 14988.977 294 893 15 893 0 0 0 0 221 0
54739 18588.977 295 1038 12 1038 0 0 0 0 261 0
54739 22188.977 296 821 14 821 0 0 0 0 205 0
54739 25788.977 297 924 13 924 0 0 0 0 241 0
54739 29388.976 298 771 15 771 0 0 0 0 229 0
54739 32988.977 299 950 13 950 0 0 0 0 270 0
54739 36588.977 300 755 14 755 0 0 0 0 215 0
54739 40188.977 301 954 13 954 0 0 0 0 269 0
54739 43788.978 302 902 15 902 0 0 0 0 234 0
54739 47388.977 303 1128 13 1128 0 0 0 0 282 0
54739 50988.978 304 1092 15 1092 0 0 0 0 230 0
54739 54588.977 305 1131 13 1131 0 0 0 0 264 0

I isolated a single Autokey client against a single server and through
wireshark traces found that the bad auth peg seems to happen when the
pre-generated session key list runs out. When this happens the client
and server go through the autokey startup states again (looks like the
autokey protocol is restarted). Is this normal behavior? This gives me
two issues in my environment where I must support customers with boxes
using NTP and back office servers serving NTP.

1) On the client side this behavior means the client NTP has to resync
every (slightly less than) 2 hours starting with 64 sec polls again.
This means I see an up/down pattern for NTP, where a sys.peer means up. I
want to and should see a near 100% up (sys.peer) status. I see this
even with 2 servers.

2) My server monitoring cannot use the bad auth stat for anything
useful. With roughly 20% bad_auth pegs, I cannot tell when there is a
real issue with rogue (or mis-provisioned) clients.

Any idea what is causing the bad auth pegs? Is it normal for the
client to re-start the autokey protocol when the session keys run out?
Any other explanation for what I am seeing?

Obviously I am hoping for some kind of NTP configuration tweak to
solve my issues. There is no issue per se with the time...it is
really monitoring and support I am concerned with.

Thanks very much for your help as this is the only place to find NTP
experts out there.

Steve
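
Added example, not part of the original post: one way to keep the bad_auth counter usable for monitoring despite the steady background described above is to alert on the per-interval ratio relative to its own baseline rather than on the raw count. Field positions are taken as the post states them (packets received is the 4th field, bad_auth the 2nd to last); the last sample line and the `k` and `floor` thresholds are assumptions made for this sketch.

```python
import statistics

# First eight lines are copied from the post; the last line is constructed
# (not from the post) to stand in for an hour with a real authentication problem.
SAMPLE = """\
54739 588.978 290 848 15 848 0 0 0 0 224 0
54739 4188.977 291 1082 13 1082 0 0 0 0 228 0
54739 7788.978 292 826 12 826 0 0 0 0 191 0
54739 11388.978 293 1054 13 1054 0 0 0 0 240 0
54739 14988.977 294 893 15 893 0 0 0 0 221 0
54739 18588.977 295 1038 12 1038 0 0 0 0 261 0
54739 22188.977 296 821 14 821 0 0 0 0 205 0
54739 25788.977 297 924 13 924 0 0 0 0 241 0
54740 588.977 314 900 14 900 0 0 0 0 540 0
"""

def parse_sysstats(line):
    """Return (mjd, seconds, received, bad_auth); positions as given in the post."""
    f = line.split()
    if len(f) < 5:
        raise ValueError("short sysstats line: %r" % line)
    return int(f[0]), float(f[1]), int(f[3]), int(f[-2])

def bad_auth_ratios(text):
    """Per-interval bad_auth / received, skipping blank and zero-traffic lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        mjd, sec, received, bad = parse_sysstats(line)
        if received:
            rows.append((mjd, sec, bad / received))
    return rows

def flag_outliers(rows, k=5.0, floor=0.02):
    """Flag intervals whose ratio exceeds median + max(k * MAD, floor)."""
    ratios = [r for _, _, r in rows]
    median = statistics.median(ratios)
    mad = statistics.median(abs(r - median) for r in ratios)
    limit = median + max(k * mad, floor)
    return median, limit, [row for row in rows if row[2] > limit]

if __name__ == "__main__":
    median, limit, flagged = flag_outliers(bad_auth_ratios(SAMPLE))
    print("baseline %.3f, alert above %.3f" % (median, limit))
    for mjd, sec, ratio in flagged:
        print("MJD %d +%.0fs: bad_auth ratio %.3f" % (mjd, sec, ratio))
```

Median and MAD are used so that the anomalous interval itself does not drag the baseline upward.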