
Nexus 5000 as NTP client

robspain2004
Level 1

We run 6509 core routers as NTP servers to other IOS routers/switches & servers of several OS flavours.

All good.

Recently added some Nexus 5000s and cannot get them to lock.

No firewalls or ACLs in the path

6509 (1 of 4) state:


LNPSQ01CORR01>sh ntp ass

      address         ref clock     st  when  poll reach  delay  offset    disp
+ 10.0.1.2         131.188.3.220     2   223  1024  377     0.5   -6.23     0.7
+~130.149.17.21    .PPS.             1   885  1024  377    33.7   -0.26     0.8
*~138.96.64.10     .GPS.             1   680  1024  377    22.7   -2.15     1.0
+~129.6.15.29      .ACTS.            1   720  1024  377    84.9   -3.37     0.6
+~129.6.15.28      .ACTS.            1   855  1024  377    84.8   -3.30     2.3
* master (synced), # master (unsynced), + selected, - candidate, ~ configured

Nexus state:

BL01R01B10SRVS01# sh ntp peer-status
Total peers : 4
* - selected for sync, + -  peer mode(active),
- - peer mode(passive), = - polled in client mode
    remote               local              st  poll  reach   delay
----------------------------------------------------------------------
=10.0.1.1               10.0.201.11            16   64       0   0.00000
=10.0.1.2               10.0.201.11            16   64       0   0.00000
=10.0.1.3               10.0.201.11            16   64       0   0.00000
=10.0.1.4               10.0.201.11            16   64       0   0.00000

Nexus config:

ntp distribute
ntp server 10.0.1.1
ntp server 10.0.1.2
ntp server 10.0.1.3
ntp server 10.0.1.4
ntp source 10.0.201.11
ntp commit

interface mgmt0
  ip address 10.0.201.11/24

vrf context management
  ip route 0.0.0.0/0 10.0.201.254

Reachability to the NTP source...

BL01R01B10SRVS01# ping 10.0.1.1 vrf management source 10.0.201.11
PING 10.0.1.1 (10.0.1.1) from 10.0.201.11: 56 data bytes
64 bytes from 10.0.1.1: icmp_seq=0 ttl=253 time=3.487 ms
64 bytes from 10.0.1.1: icmp_seq=1 ttl=253 time=4.02 ms
64 bytes from 10.0.1.1: icmp_seq=2 ttl=253 time=3.959 ms
64 bytes from 10.0.1.1: icmp_seq=3 ttl=253 time=4.053 ms
64 bytes from 10.0.1.1: icmp_seq=4 ttl=253 time=4.093 ms

--- 10.0.1.1 ping statistics ---
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max = 3.487/3.922/4.093 ms
BL01R01B10SRVS01#

Are we missing some NTP or management vrf setup in the Nexus 5Ks??

Thanks

Rob Spain

UK
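The Nexus output in the question shows every peer at stratum 16 with reach 0, meaning no server has answered a poll. The following added example (not part of the original post) parses `sh ntp peer-status` text and flags such peers; the healthy peer 10.0.1.9 in the sample is constructed, and treating reach as an octal register, as IOS does, is an assumption.

```python
import re

# Constructed sample: two peer lines copied from the question's output plus
# one made-up healthy peer (10.0.1.9) so both outcomes are exercised.
SAMPLE = """\
* - selected for sync, + -  peer mode(active),
- - peer mode(passive), = - polled in client mode
    remote               local              st  poll  reach   delay
----------------------------------------------------------------------
=10.0.1.1               10.0.201.11            16   64       0   0.00000
=10.0.1.2               10.0.201.11            16   64       0   0.00000
*10.0.1.9               10.0.201.11             2   64     377   0.00350
"""

# Peer rows only: legend and rule lines have no IPv4 after the first char.
PEER_RE = re.compile(
    r"^([*+\-=])\s*(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+"
    r"(\d+)\s+(\d+)\s+([0-7]+)\s+([\d.]+)\s*$"
)

def parse_peers(text):
    """Return one dict per peer line of the peer-status output."""
    peers = []
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            flag, remote, local, st, poll, reach, delay = m.groups()
            peers.append({"flag": flag, "remote": remote, "local": local,
                          "stratum": int(st), "poll": int(poll),
                          # Assumption: reach is an octal register, as in IOS.
                          "reach": int(reach, 8), "delay": float(delay)})
    return peers

def find_unsynced(peers):
    """List (remote, reasons) for peers that have never answered a poll."""
    problems = []
    for p in peers:
        reasons = []
        if p["stratum"] >= 16:
            reasons.append("stratum 16 (unsynchronised)")
        if p["reach"] == 0:
            reasons.append("reach 0 (no replies to recent polls)")
        if reasons:
            problems.append((p["remote"], reasons))
    return problems

def has_sync_source(peers):
    """True when some peer carries the '*' (selected for sync) flag."""
    return any(p["flag"] == "*" for p in peers)
```
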

11 Replies 11

Joe Clarke
Cisco Employee

I don't have a Nexus 5K with which to test, but I think you need to add "use-vrf management" to your NTP server lines.  For example:

ntp server 10.0.1.1 use-vrf management

Pull out all your NTP server lines, then add them back with the correct VRF.


HUBERT RESCH
Level 3

Hi, I see the same behaviour in our installation. The only difference is that we are using an additional vrf for management purposes (the vrf management we use for vpc-keepalive), and I am not really sure if an additional vrf is supported on pure L2-N5K5. That was my first assumption, but it seems not to be the case because you run into the same problem with vrf management. We are running 5.0.3.N2.1

Thx

hubert

Bump

I'm experiencing the same behaviour using a VSS as NTP server and N7K as client. The N7K has no problem getting its NTP from external NTP servers, but when pointing it to the VSS, it never gets synced. Obviously routing issues, ACLs and so on are out of the question. Is the 7K platform handling the NTP part differently from IOS devices?

I'm seeing some cases internally that mention a huge NTP overhaul that went into 5.2(1).  Customers that were experiencing issues with NX-to-IOS NTP sync were no longer seeing the issue in 5.2(1).  The bug that tracked the update is CSCsv33349.  Not sure what version you're running, but an upgrade may get things working.

Many thanks for your reply, Joseph.

The 7Ks are running 5.2(1) for the time being, but the customer is planning an upgrade to 5.2(4) in June. I will have a check on the NTP sync after this.

benweber
Level 1

Try adding the line:

"clock protocol ntp"

I was having the same problem but it worked after I found that command.

Benweber, thanks for this post.  This worked for me!  I had two Nexus 5ks that needed to be synced with the ntp server and it wasn't working until I added the command into the config.

I'd like to add I did force the sync using the command after adding 'clock protocol ntp'.

ntp sync-retry

boehmd
Level 1

I had the same problem. This happens when you use the management interface for the NTP traffic. Since this interface is in the vrf management, you have to announce the NTP servers in that vrf, like Joseph Clarke mentioned in his first post.

So in my case,

ntp server 10.0.1.1 use-vrf management

solved it.

rawlinsm
Level 1

I have multiple 5020's, 5548's, and 5596's, and they all experience this same problem. Mind you I run strictly layer 2. I don't even have feature interface-vlan enabled. I tried: "ntp server X.X.X.X use-vrf management" as well as "clock protocol ntpt". These didn't help. 

I was told by TAC that there is a bug (sorry I do not have the ID), but basically NTP will not work over the management VRF. The only way I got NTP to work, was by enabling the feature interface-vlan, and adding a vlan interface with an IP and retrieving NTP through this interface. 

I upgraded to 5.2 (1) in hopes that this would fix the issue, but it did not.

 

Upgrading to NX-OS 6.0(2)N2(1) resolved the problem for me.

Same issue, can't believe they make something as simple as NTP so difficult. I don't want to add a layer 3 vlan on the 5k.... it needs to work using the vrf....
