03-10-2024 02:18 PM
Evening all. I have a project that I am doing and I am trying to get ntp set up but it just won't do it, despite multiple configuration attempts. I have a router (2911) connected to a switch (2960) that's connected to the NTP server. I set the NTP server to on, made the authentication-key 1 with password cisco1234, and set the time correctly. Then went to the switch and router and did the "ntp server 172.16.0.3 key 1" command along with the "ntp authentication-key 1 md5 cisco1234" command, and then did the "ntp authenticate" command. After all that, running the show ntp associations and show ntp status commands, the clock is still unsynchronized, and the router is not showing anything in the "when" field. I turned on "debug ntp packets" on the router and it's not showing anything. What would be the reason it's not receiving packets? I did find an access list in there, but I removed it completely just to see and nothing. Here are some outputs:
Router ntp associations:
address ref clock st when poll reach delay offset disp
~172.16.0.3 0.0.0.5 16 - 64 0 0.00 0.00 16000.00
Router ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 250.0000 Hz, actual freq is 249.9990 Hz, precision is 2**24
reference time is 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1990)
clock offset is 0.00 msec, root delay is 0.00 msec
root dispersion is 0.00 msec, peer dispersion is 0.00 msec.
loopfilter state is 'FSET' (Drift set from file), drift is - 0.000001193 s/s system poll interval is 4, never updated.
Router show run:
Building configuration...
Current configuration : 1492 bytes
!
version 15.3
service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
!
hostname LAN_Router
!
login block-for 60 attempts 3 within 120
!
boot system flash c2900-universalk9-mz.SPA.155-3.M4a.bin
!
enable secret 5 $1$mERr$9cTjUIEqNGurQiFU.ZeCi1
!
!
!
!
!
!
no ip cef
no ipv6 cef
!
!
!
username admin privilege 15 secret 5 $1$mERr$Z2.xxrML0Ex6XfMInGpq/0
!
!
license udi pid CISCO2911/K9 sn FTX1524IZ6N
license boot module c2900 technology-package FoundationSuiteK9
!
!
!
!
!
!
!
!
!
ip ssh version 2
no ip domain-lookup
ip domain-name ttc.com
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface GigabitEthernet0/1
ip address 172.16.0.1 255.255.240.0
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
description CONNETION TO ISP GATEWAY
ip address 13.13.13.2 255.255.255.252
!
interface Serial0/0/1
no ip address
clock rate 2000000
shutdown
!
interface Vlan1
no ip address
shutdown
!
router rip
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
ip flow-export version 9
line con 0
exec-timeout 20 0
password 7 0822455D0A16
login
!
line aux 0
!
line vty 0 4
login local
line vty 5 15
login local
ntp authentication-key 1 md5 0822455D0A165445415F 7
ntp authenticate
ntp server 172.16.0.3 key 1
!
end
Switch run
Building configuration...
Current configuration : 2005 bytes
!
version 15.0
service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
!
hostname S1
!
enable secret 5 $1$mERr$9cTjUIEqNGurQiFU.ZeCi1
!
!
!
ip ssh version 2
no ip domain-lookup
ip domain-name ttc.com
!
username admin privilege 1 password 7 0822455D0A16
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
interface FastEthernet0/1
switchport port-security mac-address sticky
!
interface FastEthernet0/2
switchport port-security mac-address sticky
!
interface FastEthernet0/3
shutdown
!
interface FastEthernet0/4
switchport port-security mac-address sticky
!
interface FastEthernet0/5
switchport port-security mac-address sticky
!
interface FastEthernet0/6
switchport port-security mac-address sticky
!
interface FastEthernet0/7
switchport port-security mac-address sticky
!
interface FastEthernet0/8
shutdown
!
interface FastEthernet0/9
shutdown
!
interface FastEthernet0/10
shutdown
!
interface FastEthernet0/11
shutdown
!
interface FastEthernet0/12
shutdown
!
interface FastEthernet0/13
shutdown
!
interface FastEthernet0/14
shutdown
!
interface FastEthernet0/15
shutdown
!
interface FastEthernet0/16
shutdown
!
interface FastEthernet0/17
shutdown
!
interface FastEthernet0/18
shutdown
!
interface FastEthernet0/19
shutdown
!
interface FastEthernet0/20
shutdown
!
interface FastEthernet0/21
shutdown
!
interface FastEthernet0/22
shutdown
!
interface FastEthernet0/23
shutdown
!
interface FastEthernet0/24
shutdown
!
interface GigabitEthernet0/1
switchport trunk allowed vlan 1-1001
switchport mode trunk
!
interface GigabitEthernet0/2
!
interface Vlan1
ip address 172.16.0.2 255.255.240.0
!
ip default-gateway 172.16.0.1
!
banner motd ^CUnauthorized Access is Prohibited^C
!
!
!
line con 0
password 7 0822455D0A16
logging synchronous
login
exec-timeout 15 0
!
line vty 0 4
exec-timeout 15 0
login local
transport input ssh
line vty 5 15
exec-timeout 15 0
login local
transport input ssh
!
!
!
!
end
03-10-2024 02:45 PM
Can you share
Debug ntp packet
MHM
03-11-2024 12:17 AM
Before I was getting nothing. I finally did the ntp trusted-key 1 command mentioned below and that at least got me a line that sent the packet, but no receipt.
*Mar 10, 16:54:25.5454: ar 10 16:54:25.009: NTP: xmit packet to 172.16.0.3
03-11-2024 11:19 PM
debug ntp validity
share this also
MHM
03-12-2024 02:57 PM
I am interested in this output in the original post:
Router ntp associations:
address ref clock st when poll reach delay offset disp
~172.16.0.3 0.0.0.5 16 - 64 0 0.00 0.00 16000.00
So your router believes that the device at 172.16.0.3 is stratum 16, which indicates that it does not have authoritative time. What device is at 172.16.0.3?
Can you confirm connectivity to 172.16.0.3? If you do show arp does that address show up in the output? Can you ping that address?
03-11-2024 12:24 AM - edited 03-11-2024 12:25 AM
This was running debug ip packet and debug ntp packets. 172.16.0.3 is the NTP server and 172.16.0.1 is the router.
*Mar 10, 03:21:36.2121: IP: s=172.16.0.1 (local), d=172.16.0.3 (GigabitEthernet0/1), len 217, sending
*Mar 10, 03:21:36.2121: IP: tableid=0, s=172.16.0.3 (GigabitEthernet0/1), d=172.16.0.1 (GigabitEthernet0/1), routed via RIB
*Mar 10, 03:21:36.2121: IP: s=172.16.0.3 (GigabitEthernet0/1), d=172.16.0.1 (GigabitEthernet0/1), len 217, rcvd 3
03-10-2024 03:40 PM
Hello,
Did you also enter the command ntp trusted-key 1 on the devices?
Can you provide the output of the command sh run | i ntp
-David
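The check behind the question above, as an added example that is not part of the original thread and is not Cisco code: a small Python audit that reads the `ntp` lines of an IOS configuration and reports any association whose key is undefined or not listed under `ntp trusted-key`. The function name `audit_ntp_auth` is hypothetical, the sample input is built from the router lines posted in this thread, and the parser assumes one key number per `ntp trusted-key` line.

```python
import re

# Constructed sample: the NTP lines from the router config in the first post,
# before "ntp trusted-key 1" had been entered.
BEFORE = """\
ntp authentication-key 1 md5 0822455D0A165445415F 7
ntp authenticate
ntp server 172.16.0.3 key 1
"""

# The same lines once the trusted-key command is present.
AFTER = BEFORE + "ntp trusted-key 1\n"

KEY_DEF = re.compile(r"^ntp authentication-key (\d+) ")
TRUSTED = re.compile(r"^ntp trusted-key (\d+)\s*$")  # assumption: single key per line
SERVER = re.compile(r"^ntp (?:server|peer) (\S+)(?:.*? key (\d+))?")

def audit_ntp_auth(config: str) -> list[str]:
    """Return findings for the NTP authentication lines of an IOS config."""
    defined, trusted, servers = set(), set(), []
    authenticate = False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "ntp authenticate":
            authenticate = True
        elif m := KEY_DEF.match(line):
            defined.add(int(m.group(1)))
        elif m := TRUSTED.match(line):
            trusted.add(int(m.group(1)))
        elif m := SERVER.match(line):
            servers.append((m.group(1), int(m.group(2)) if m.group(2) else None))

    findings = []
    if servers and not authenticate:
        findings.append("ntp authenticate is not enabled")
    for addr, key in servers:
        if key is None:
            findings.append(f"{addr}: no key configured for this association")
            continue
        if key not in defined:
            findings.append(f"{addr}: key {key} has no ntp authentication-key line")
        if key not in trusted:
            findings.append(f"{addr}: key {key} is not listed in ntp trusted-key")
    return findings
```

Feeding it the output of `show run | include ntp` from each device gives a quick way to confirm that the key number on the `ntp server` line is both defined and trusted.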
03-11-2024 12:18 AM
So I ran that and it at least started transmitting packets where it didn't before, but no receipts.
LAN_Router#show run | include ntp
ntp authentication-key 1 md5 0822455D0A165445415F 7
ntp authenticate
ntp trusted-key 1
ntp server 172.16.0.3 key 1
03-11-2024 08:24 AM
If you are sending packets but not receiving any make sure you have reachability between the NTP source and destination and make sure port UDP 123 is not being blocked.
NTP will use the exit interface IP in the routing table to get to the NTP destination unless you specify one. Try to ping from your exit interface IP to your time server. If the ping works it may be something blocking NTP or the NTP server not sending packets.