01-17-2024 08:43 AM
Looking for some assistance...running into some odd behavior with authenticated NTP
NTP synchronization always fails when authenticated
Source: Cisco 4451 and 4331 routers are NTP sources (Running IOS XE 17.6 code)…pulling from public NTP (sync'd stratum 2 & 3)
Clients: Several Cisco 3850 switches (Running IOS XE 16.12/16.9 code)
When no authentication is enabled all devices sync to the two routers (4451 is the preferred)
When I enable ntp authentication nothing syncs. All the switches sit at .INIT
When I check show ntp associations detail they all show the following:
x.x.x.x configured, ipv4, authenticated (‘ ‘ reject), insane, invalid, unsynced, stratum 16
rec time xxxxxxxxxxx Mon Jan 1 1900
xmt time xxxxxxxxxxx Mon Jan 1 1900
As soon as I turn off ntp authentication, the switches instantly sync
Validated the ntp keys, cut-n-paste the keys from the same text file
Config Snippet:
Routers (NTP Source)
ntp authentication-key 1 md5 testkey1
ntp authenticate
ntp trusted-key 1
ntp server X.X.X.X (Public NTP servers)
ntp server Y.Y.Y.Y (Public NTP servers)
Switches (NTP Clients)
ntp authentication-key 1 md5 testkey1
ntp authenticate
ntp trusted-key 1
ntp server 10.x.255.1 key 1 prefer (4451 loopback)
ntp server 10.x.255.3 key 1 (4331 loopback)
When I debug on the switches I get the following message:
NTP Core(INFO): 10.x.255.1 C01C 8C bad_auth no key (16.9 code)
Or
NTP Core(INFO): 10.x.255.1 C01C 8C bad_auth Invalid_NAK (16.12 code)
However I know the keys are there on the routers/switches, again a cut-n-paste from a text file... (I copied from one text editor to a different one in case I had some weird application issue)
Not using any NTP ACL's and the switches can all reach the router loopbacks. No in-path ACL's blocking access to the routers..again NTP works in a non-authenticated mode.
So I'm wondering, do I have a bug on the sender (router side) or the receiver (switch side)?
05-09-2024 10:13 AM
Was able to resolve with the following:
Could never get MD5 auth between 3850s... the following worked for me
3850 to 4451 routers with MD5 auth worked as long as I matched up the key indexes. On my routers I have the following:
ntp authentication-key 1 hmac-sha2-256 <string>
ntp authentication-key 2 hmac-sha1 <string>
ntp authentication-key 3 md5 <string>
ntp trusted-key 1 - 3
------------------------------------
The switches need to be setup to use the same key index
ntp authentication-key 3 md5 <string>
ntp trusted-key 3
Since it was the only key on the system I was entering it as ntp authentication-key 1 md5 <string>... once I changed it to match, auth started working
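To make the "key index" point in the solution above concrete, here is an added example that is not from the original thread or from Cisco. It models NTPv4 symmetric-key authentication as described in RFC 5905 (Section 7.3): the sender appends a 4-byte key identifier and an MD5 digest computed over the key bytes followed by the 48-byte header, and the receiver looks its own key up by the key ID it received. If the ID is absent from the receiver's key table, authentication fails before the digest is ever compared, even when the key string is identical on both sides, and the server answers with a crypto-NAK. The key tables, key strings and header contents are constructed for the example; the outcome names are borrowed from the debug strings in the thread, and the assumption that IOS XE performs its checks in exactly this order is mine. Cisco's hmac-sha1/hmac-sha2-256 key types are not modelled.

```python
"""Toy model of NTPv4 symmetric-key (MD5) authentication, RFC 5905 Section 7.3.

Constructed example: key tables, key strings and the zeroed header are made up.
Only the MD5 key type is modelled; Cisco's hmac-sha* key types are not.
"""
import hashlib
import hmac
import struct

HEADER_LEN = 48          # fixed NTP header
KEY_ID_LEN = 4           # key identifier that precedes the digest
MD5_LEN = 16             # MD5 digest length


def build_header(version: int = 4, mode: int = 3, stratum: int = 0) -> bytes:
    """Minimal NTP header: LI=0, version, mode (3=client, 4=server), stratum,
    poll=6, precision=-20, and the remaining fields left at zero."""
    li_vn_mode = (0 << 6) | (version << 3) | mode
    return struct.pack("!BBBb", li_vn_mode, stratum, 6, -20) + b"\x00" * 44


def md5_mac(key: bytes, header: bytes) -> bytes:
    """RFC 5905 MD5 authenticator: digest over key || header (not HMAC)."""
    return hashlib.md5(key + header).digest()


def sign(header: bytes, key_id: int, keys: dict) -> bytes:
    """Append key ID and MAC, looking the key up by the *sender's* index."""
    if len(header) != HEADER_LEN:
        raise ValueError("header must be exactly 48 bytes")
    return header + struct.pack("!I", key_id) + md5_mac(keys[key_id], header)


def crypto_nak(header: bytes) -> bytes:
    """Crypto-NAK: header followed by a key ID of zero and no digest."""
    return header + b"\x00" * KEY_ID_LEN


def is_crypto_nak(packet: bytes) -> bool:
    return (len(packet) == HEADER_LEN + KEY_ID_LEN
            and packet[HEADER_LEN:] == b"\x00" * KEY_ID_LEN)


def verify(packet: bytes, keys: dict, trusted: set) -> str:
    """Return 'ok', or the reason authentication failed. The receiver uses the
    key ID carried in the packet; it never searches its table by key value."""
    if len(packet) != HEADER_LEN + KEY_ID_LEN + MD5_LEN:
        return "no mac"
    header = packet[:HEADER_LEN]
    (key_id,) = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + KEY_ID_LEN])
    mac = packet[HEADER_LEN + KEY_ID_LEN:]
    if key_id not in keys:
        return "no key"            # index missing: digest is never checked
    if key_id not in trusted:
        return "untrusted key"     # present, but not in 'ntp trusted-key'
    if not hmac.compare_digest(mac, md5_mac(keys[key_id], header)):
        return "bad digest"        # same index, different key string
    return "ok"


def exchange(client_keys: dict, client_key_id: int,
             server_keys: dict, server_trusted: set) -> tuple:
    """One client->server->client round trip. Returns what the server decided
    about the request and what the client decided about the reply."""
    request = sign(build_header(mode=3), client_key_id, client_keys)
    server_result = verify(request, server_keys, server_trusted)
    reply_header = build_header(mode=4, stratum=3)
    if server_result != "ok":
        reply = crypto_nak(reply_header)
    else:
        # a server answers with the key ID the client used
        reply = sign(reply_header, client_key_id, server_keys)
    if is_crypto_nak(reply):
        client_result = "crypto-NAK"
    else:
        client_result = verify(reply, client_keys, set(client_keys))
    return server_result, client_result


if __name__ == "__main__":
    router = {3: b"testkey1"}          # router: md5 key under index 3
    print("switch using index 1:", exchange({1: b"testkey1"}, 1, router, {3}))
    print("switch using index 3:", exchange({3: b"testkey1"}, 3, router, {3}))
```

With the switch keyed under index 1 and the router under index 3, the router reports "no key" and the switch only ever sees a crypto-NAK; moving the switch's key to index 3 makes the same key string authenticate in both directions. A key that exists but is missing from the trusted set, or a matching index with a different string, fails at the later checks instead.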
01-17-2024 08:52 AM
ntp authentication-key 1 md5 clear testkey1 <<- add clear in both side and check
MHM
01-18-2024 05:17 AM
Invalid input detected... can't put clear and the key. I can put clear by itself, but I'm assuming that the devices are accepting that as the new key
01-17-2024 10:30 AM
Hello,
--> cut-n-paste
That might be the problem. What if you type in the key manually?
01-18-2024 05:24 AM
Manually entered the key string on both sides and still no good... on the switch I was testing with I get the same debug message NTP Core(INFO): 10.x.255.1 C01C 8C bad_auth no key
01-18-2024 05:28 AM
On a side note, I'm starting to lean towards an issue on the switch side. I just pointed a third router (4451 running IOS XE 17.3) I use as a VPN gateway at the two routers and it authenticated with no issue.
show ntp associations detail
10.x.255.3 configured, ipv4, authenticated ('*' sys.peer), authtype (md5), our_master, sane, valid, stratum 3
01-24-2024 09:20 AM
Sorry, is this issue solved?
thanks
01-24-2024 12:03 PM
Hello,
What if you toggle the NTP versions?
--> ntp server 10.x.255.1 key 1 prefer version 3/4 (4451 loopback)