cannot manage to sync with ntp authentication

nlariguet
Level 1

ntp server whatever source outside prefer ... is working flawlessly but when I try:

...

name 192.5.41.209 server-ntp-USNO description US Naval Obervatory

name 128.115.14.97 server-ntp-LLL description Lawrence Livermore Laboratory

...

ntp authentication-key 1 md5 * (where * is an arbitrary 32-character string, i.e. a user-defined random string, am I right?)

ntp authentication-key 2 md5 * (another different one)

ntp authenticate

ntp trusted-key 1

ntp trusted-key 2

ntp server server-ntp-LLL key 2 source outside

ntp server server-ntp-USNO key 1 source outside prefer

...

The above example is more or less out of the PIX documentation, but as you can see:

firewall# show ntp status

Clock is unsynchronized, stratum 16, no reference clock

nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6

reference time is 00000000.00000000 (06:28:16.000 UTC Thu Feb 7 2036)

clock offset is 0.0000 msec, root delay is 0.00 msec

root dispersion is 0.00 msec, peer dispersion is 0.00 msec

firewall# show ntp associations detail

128.115.14.97 configured, insane, invalid, unsynced, stratum 16

ref ID 0.0.0.0, time 00000000.00000000 (06:28:16.000 UTC Thu Feb 7 2036)

our mode client, peer mode unspec, our poll intvl 64, peer poll intvl 64

root delay 0.00 msec, root disp 0.00, reach 0, sync dist 0.000

delay 0.00 msec, offset 0.0000 msec, dispersion 16000.00

precision 2**5, version 3

org time 00000000.00000000 (06:28:16.000 UTC Thu Feb 7 2036)

rcv time 00000000.00000000 (06:28:16.000 UTC Thu Feb 7 2036)

xmt time cd508e71.b903bb88 (03:43:45.722 UTC Thu Feb 26 2009)

filtdelay = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00

filtoffset = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00

filterror = 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0

192.5.41.209 configured, insane, invalid, unsynced, stratum 16

ref ID 0.0.0.0, time 00000000.00000000 (06:28:16.000 UTC Thu Feb 7 2036)

our mode client, peer mode unspec, our poll intvl 64, peer poll intvl 64

root delay 0.00 msec, root disp 0.00, reach 0, sync dist 0.000

delay 0.00 msec, offset 0.0000 msec, dispersion 16000.00

precision 2**5, version 3

org time cd508e75.72d7dc0f (03:43:49.448 UTC Thu Feb 26 2009)

rcv time cd508e73.e8c22140 (03:43:47.909 UTC Thu Feb 26 2009)

xmt time cd508e73.b9046392 (03:43:47.722 UTC Thu Feb 26 2009)

filtdelay = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00

filtoffset = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00

filterror = 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0

What am I doing wrong?

pix804

2 Replies

sadbulali
Level 4

To enable the PIX Firewall NTP client, enter the following command:

[no] ntp server ip_address [key number] source if_name [prefer]

To enable authentication for NTP messages, enter the following command:

[no] ntp authenticate

[no] ntp authentication-key number md5 value

[no] ntp trusted-key number

The ntp authenticate command enables NTP authentication. If you enter this command, the PIX Firewall will not synchronize to an NTP server unless the server is configured with one of the authentication keys specified using the ntp trusted-key command.

And WHAT is the difference from what I posted:

ntp authenticate

ntp authentication-key 1 md5 *

ntp trusted-key 1

ntp server server-ntp-USNO key 1 source outside prefer

to what you're saying:

[no] ntp authenticate

[no] ntp authentication-key number md5 value

[no] ntp trusted-key number

?
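
The first reply states that with ntp authenticate enabled the PIX will not synchronize unless the server is configured with one of the trusted keys. As an added illustration (not part of the thread and not Cisco's code), this Python example shows the client-side check that rule implies, assuming the standard NTP symmetric-key MD5 MAC: a 32-bit key ID followed by MD5 over the key and the 48-byte header. The header bytes, key values and function names are constructed for the example.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48   # fixed NTP header length; the MAC is appended after it
MAC_LEN = 4 + 16  # 32-bit key ID + 128-bit MD5 digest


def ntp_mac(key_id, key, header):
    """Key ID followed by MD5(key || header): the NTP symmetric-key MAC."""
    return struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def check_reply(packet, trusted_keys):
    """Decide, as an authenticating client would, whether to use a reply."""
    header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
    if len(header) < HEADER_LEN:
        return "rejected: short packet"
    if len(mac) != MAC_LEN:
        return "rejected: no MAC"
    key_id = struct.unpack("!I", mac[:4])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return "rejected: untrusted key ID"
    if not hmac.compare_digest(ntp_mac(key_id, key, header), mac):
        return "rejected: bad digest"
    return "accepted"


# Constructed sample data: a bare server-mode NTPv3 header and made-up keys.
HEADER = bytes([0x1C, 1]) + bytes(HEADER_LEN - 2)  # LI=0, VN=3, mode=4, stratum 1
CLIENT_KEYS = {1: b"client-chosen-secret-for-key-1"}


def demo():
    """Replies from three hypothetical servers, judged by the same client."""
    return {
        "server holds the same key 1": check_reply(
            HEADER + ntp_mac(1, CLIENT_KEYS[1], HEADER), CLIENT_KEYS),
        "server has no keys, plain reply": check_reply(HEADER, CLIENT_KEYS),
        "server holds a different key 1": check_reply(
            HEADER + ntp_mac(1, b"server-side-secret", HEADER), CLIENT_KEYS),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

Only the first case is accepted: a key that exists on the client alone gives the server nothing to compute a matching digest with.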
