
Nexus 9k: NTP works only as v2 and not v3/v4

Nadav
Level 7

Hi all,

 

I have a Nexus 9k switch running the latest 9.3.3 NX-OS software. It's querying a modern Cisco router which is acting as an NTP server. This NTP server communicates with dozens of various other devices at either NTP v3 or v4 depending on their capability.

 

The Nexus 9k works as NTPv2 with the NTP server for some reason. I tried it with an ACL and without, with authentication and without... very odd stuff. I've determined that it's NTPv2 via packet capture which shows that the server and client are communicating in v2 even though the server is also communicating with other devices in v3 and v4.

 

Any ideas what might be causing it? Is the N9k platform really limited to NTPv2?

4 Replies 4

David Castro F.
Spotlight

Hello Nadav, 

 

I hope you are doing great, 

 

So far, NTPv3 and NTPv4, which is an extension of NTPv3 itself, are not supported by any NX-OS version. This is usually supported by IOS-XE, IOS, IOS-XR. You can verify if the feature is supported at the link below:

 

https://cfn.cloudapps.cisco.com/ITDIT/CFN/jsp/index.jsp

 

I tried to find the NTPv4 and the below images support it:

img.PNG

 

If you try to find basic NTP, it will show all the images including NX-OS:

 

img1.PNG

 

Usually it takes a while for them (Cisco) to update this site, but it usually has what you need.

 

If I answered your question, please proceed to rate and mark the question as answered,

 

Regards,

 

David Castro,

 

Thanks David,

 

Is NTPv2 not supported because the software on the switch is antiquated? I remember v3 being supported on Catalyst switches 15 years ago, and it was likely supported even before that.

Hey Nadav,

 

I hope you are doing great,

 

So NTPv4 retains backwards compatibility with the older versions of NTP, including NTPv3 and NTPv2 but excluding NTPv1, which has been discontinued due to security vulnerabilities. So NTPv2/v3 are what is officially supported as the feature itself, but it can work with NTPv4 servers.

 

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/6-x/fundamentals/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Fundamentals_Configuration_Guide/b_Cisco_Nexus_9000_Series_NX-OS_Fundamentals_Configuration_Guide_chapter_01.h...

If you check the above link, it shows the supported NTP standard for NX-OS as per IEEE; now, the way it is behaving is to have backwards compatibility.

 

NTP has undergone a number of changes since its debut more than 30 years ago. NTP version 0 was defined in RFC 958 in September of 1985. NTPv0 was able to achieve time accuracy in the tens of milliseconds. In 1988, RFC 1059 defined NTPv1, which defined tuning of NTP for client server and peer to peer mode. In 1989, RFC 1119 defined NTPv2, which added things like a management protocol and an authentication scheme, which are still used in today’s version. RFC 1305, which came out in 1992, defined NTPv3. NTPv3 added additional error detection and analysis, which helps the client to choose between different time sources. A broadcast mode was also introduced to help ease the distribution of time on a multi-access network. In 2010, RFC 5905 was published with the specifications for NTPv4 but was enhanced by RFC 7822 in March of 2016. NTPv4 is the current version of NTP. It maintains a lot of the same features of NTPv3 but adds support for IPv6 as the underlying network protocol. Authentication is also enhanced and gives the protocol greater security.

 

Really, NTPv2 and v3 are pretty much the same, only v3 has other features; below is some explanation of it:

 

In 1989, RFC 1119 was published defining NTPv2 by means of a state machine, with pseudocode to describe its operation. It introduced a management protocol and cryptographic authentication scheme which have both survived into NTPv4, along with the bulk of the algorithm. However the design of NTPv2 was criticized for lacking formal correctness by the DTSS community, and the clock selection procedure was modified to incorporate Marzullo's algorithm for NTPv3 onwards.

In 1992, RFC 1305 defined NTPv3. The RFC included an analysis of all sources of error, from the reference clock down to the final client, which enabled the calculation of a metric that helps choose the best server where several candidates appear to disagree. Broadcast mode was introduced.

 

Keep us posted if you have any questions; please rate all helpful answers and select this as the validated answer if I answered your question,

 

David Castro,

gabriel.oliva
Level 1

Hello all,

I have the same problem:

 

ntp server XX.XX.XX.XX use-vrf management
ntp source-interface mgmt0

 

NEXUS9K# ping XX.XX.XX.XX vrf management

64 bytes from XX.XX.XX.XX: icmp_seq=0 ttl=121 time=1.093 ms
64 bytes from XX.XX.XX.XX: icmp_seq=1 ttl=121 time=0.601 ms
64 bytes from XX.XX.XX.XX: icmp_seq=2 ttl=121 time=0.482 ms
64 bytes from XX.XX.XX.XX: icmp_seq=3 ttl=121 time=0.489 ms
64 bytes from XX.XX.XX.XX: icmp_seq=4 ttl=121 time=0.557 ms
^C
--- XX.XX.XX.XX ping statistics ---
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max = 0.482/0.644/1.093 ms

 

 

The ping is OK, but the server is NTPv3, and we could see that the Nexus sends NTPv2 packets.

 

NEXUS9K# show ntp session status
Last Action Time Stamp : None
Last Action : None
Last Action Result : None
Last Action Failure Reason : none

 

 

NEXUS9K# show ntp status
Distribution : Disabled
Last operational state: No session

 

So does anyone know how to fix this?

 

thank you
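
Added example, not part of any post in this thread: both the original question and the last post identify the NTP version from a packet capture, so this sketch decodes the version (VN) and mode bits from the first byte of a UDP/123 payload and flags whether a symmetric-key MAC trailer is present. The helper names (`parse_ntp`, `versions_by_mode`, `build`) and the sample packets are constructed for illustration.

```python
import struct

NTP_TO_UNIX = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01
MODES = {1: "symmetric active", 2: "symmetric passive", 3: "client",
         4: "server", 5: "broadcast", 6: "control", 7: "private"}

def parse_ntp(payload: bytes) -> dict:
    """Decode the fields of interest from a UDP/123 payload."""
    if len(payload) < 48:
        raise ValueError("NTP header is 48 bytes; payload too short")
    flags, stratum = payload[0], payload[1]
    tx_sec, tx_frac = struct.unpack("!II", payload[40:48])
    trailer = len(payload) - 48
    return {
        "leap": flags >> 6,               # top 2 bits
        "version": (flags >> 3) & 0x7,    # middle 3 bits: the VN field
        "mode": MODES.get(flags & 0x7, "reserved"),
        "stratum": stratum,
        "transmit_unix": tx_sec - NTP_TO_UNIX + tx_frac / 2**32,
        # Symmetric-key authentication appends a 4-byte key ID plus a digest
        # (16 bytes for MD5, 20 for SHA-1). Presence only; nothing is verified.
        "has_mac": trailer in (20, 24),
    }

def versions_by_mode(payloads) -> dict:
    """Map each mode seen in a capture to the set of versions it used."""
    seen = {}
    for p in payloads:
        pkt = parse_ntp(p)
        seen.setdefault(pkt["mode"], set()).add(pkt["version"])
    return seen

def build(flags: int, stratum: int, mac: bytes = b"") -> bytes:
    """Constructed sample packet: real layout, made-up field values."""
    return bytes([flags, stratum, 6, 0xEC]) + bytes(36) + \
        struct.pack("!II", 3800000000, 0) + mac

# Constructed samples, not taken from the thread's capture.
SAMPLES = [
    build(0x13, 0),                        # VN=2, mode 3 (client), no MAC
    build(0x14, 2),                        # VN=2, mode 4 (server), no MAC
    build(0x23, 0, bytes(4) + bytes(16)),  # VN=4 client with key ID + MD5
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(parse_ntp(s))
    print(versions_by_mode(SAMPLES))
```

Feed it the UDP payloads exported from a capture on the management interface to see which version each side actually puts on the wire and whether the authenticated packets carry a MAC.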