Cisco ISE 3.0 NTP Setting

shrijan · ‎09-22-2021

Hello Everyone,

I have a bit of difficulty in understanding NTP setting in cisco ISE 3.0.

Below 1) Show NTP output shows NTP is not synchronized but BYOD is working perfectly. Since the time is not synced with x.x.x.1 which is the gateway of this ISE server or cisco core switch 4500s, when i checked gateway i.e. core switch NTP setting then i found out there is NTP authentication key set in core switch. So i created the same authentication key in ISE via GUI then NTP is synced (Leap status: Normal) but then after few minutes like 5-10 minutes suddenly BYOD stopped working. For the synced NTP output i have shown in second output as 2).

1) ISE/admin# show ntp
Configured NTP Servers:
x.x.x.1
x.x.x.12

Reference ID : 00000000 ()
Stratum : 0
Ref time (UTC) : Thu Jan 01 00:00:00 1970
System time : 0.000000000 seconds fast of NTP time
Last offset : +0.000000000 seconds
RMS offset : 0.000000000 seconds
Frequency : 0.000 ppm slow
Residual freq : +0.000 ppm
Skew : 0.000 ppm
Root delay : 1.000000000 seconds
Root dispersion : 1.000000000 seconds
Update interval : 0.0 seconds
Leap status : Not synchronised

210 Number of sources = 2
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^? gateway 0 7 0 - +0ns[ +0ns] +/- 0ns
^? x.x.x.12 0 7 0 - +0ns[ +0ns] +/- 0ns

M indicates the mode of the source.
^ server, = peer, # local reference clock.

S indicates the state of the sources.
* Current time source, + Candidate, x False ticker, ? Connectivity lost, ~ Too much variability

2) ISE/admin# show ntp
Configured NTP Servers:
x.x.x.1
x.x.x.12

Reference ID : 0A9B1801 (gateway)
Stratum : 5
Ref time (UTC) : Wed Sep 22 10:31:33 2021
System time : 0.000319306 seconds fast of NTP time
Last offset : +0.001238093 seconds
RMS offset : 0.000961549 seconds
Frequency : 3.408 ppm slow
Residual freq : +0.810 ppm
Skew : 6.179 ppm
Root delay : 0.564605772 seconds
Root dispersion : 0.109431803 seconds
Update interval : 256.5 seconds
Leap status : Normal

210 Number of sources = 2
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^* gateway 4 8 377 105 +747us[+1985us] +/- 393ms
^? x.x.x.12 0 10 0 - +0ns[ +0ns] +/- 0ns

M indicates the mode of the source.
^ server, = peer, # local reference clock.

S indicates the state of the sources.
* Current time source, + Candidate, x False ticker, ? Connectivity lost, ~ Too much variability

Warning: Output results may conflict during periods of changing synchronization.

So the question is

1) when NTP is not synced my BYOD is working and when NTP is synced then BYOD does not work. I have to restart the server then it works without NTP synced.

Thanks.

shrijan

Greg Gibbs · ‎09-22-2021

It sounds like there may be more clock skew between ISE and the BYOD endpoints when NTP is synced vs. when NTP is not synced. Are ISE and the BYOD endpoints configure with the correct timezones?

Have you compared the clocks on both devices with NTP synced vs. not synced to check the difference?

shrijan · ‎09-23-2021

@Greg Gibbs

Today i have found new issue. Though NTP server IP address for ISE server is core switch which is also the gateway for ISE.

1) ISE/admin# show ntp
Configured NTP Servers:
x.x.x.1

but when i checked on Audit report (file is attached for the ref), it is showing 127.0.0.1. So is it because of 127.0.0.1?

Timezone is set correctly but does reflect the real time yet.

hslai · ‎09-24-2021

127.0.0.1 is the localhost. When NTP not working, the system is using its local clock.

No good reason for BYOD stops working when the ISE system clock sync properly to NTP source.
Do check "show clock" and see how close the outputs compared to the real current time. Also, check the date/time on the client devices.