NTP issues

adepojutayo
Level 1

Considering this configuration for a master-to-client NTP implementation, I am starting to feel NTP configuration has a bug, especially because most of the ASAs hardly respond to NTP servers.

MASTER

=======

ntp authentication-key 1 md5 cisco
ntp authenticate
ntp trusted-key 1
ntp source Loopback0
ntp access-group peer 1
ntp master 5

IOS CLIENT

======

ntp authentication-key 1 md5 cisco
ntp authenticate
ntp trusted-key 1
ntp server 10.1.1.1

ASA CLIENT

=========

ntp authentication-key 1 md5 cisco
ntp authenticate
ntp trusted-key 1
ntp server 10.1.1.1

5 Replies

golly_wog
Level 1

Mate

Can you do a show ip access-list 1 to verify that the IOS and ASA are in the ACL?

I'd personally remove the "ntp access-group peer 1", then debug ntp packets and events.

I'd also change the stratum on the NTP master to 2.


Let me know how you get on.

cheers

this is the ntp server

R1(config)#do sh access-l
Standard IP access list 1
    20 permit 10.5.5.5
    10 permit 192.168.9.10

this is the ASA's output (ntp client) (192.168.9.10)

ASA2(config)# sh ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is 00000000.00000000 (06:28:16.000 UTC Thu Feb 7 2036)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.00 msec, peer dispersion is 0.00 msec

ASA2(config)# sh ntp associations
      address         ref clock     st  when  poll reach  delay  offset    disp
~10.1.1.1         0.0.0.0          16    36    64    0     0.0    0.00  16000.
* master (synced), # master (unsynced), + selected, - candidate, ~ configured

this is the second ISR's output (ntp client 2) (10.5.5.5)

R5(config)#do sh ntp sta
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 249.5901 Hz, actual freq is 249.5901 Hz, precision is 2**18
reference time is D17E1454.1F95BFC4 (09:48:04.123 UTC Wed May 18 2011)
clock offset is 275.6918 msec, root delay is 48.63 msec
root dispersion is 16150.73 msec, peer dispersion is 16000.00 msec

Vamsi Pinnaka
Level 1

"I have ASA in between client and the master. It took nearly 4hrs for NTP synchronization. Don't know why, but it takes time. One of my friends reported that sync happened after 8hrs. Maybe it is a bug. Sometimes it will sync within seconds and sometimes it will take hrs."

Regards

Vamsi Pinnaka

golly_wog
Level 1

Mate

On the master can you do a "show ntp status" and also turn on the debugging and show us this.

Drop the Stratum down to 2. I've seen switches (3750s etc), that couldn't act as masters - their internal clocks would always show insane, maybe yours is too...?

cheers

ntp server


Log Buffer (4096 bytes):
D17F6936.D1E5740C (10:02:30.819 UTC Thu May 19 2011)
.May 19 10:02:25.110:  rec D17F6931.1A0EB0D3 (10:02:25.101 UTC Thu May 19 2011)
.May 19 10:02:25.110:  xmt D17F6931.1B9258F8 (10:02:25.107 UTC Thu May 19 2011)
.May 19 10:02:25.110:  Authentication key 1
.May 19 10:03:22.139: NTP: rcv packet from 192.168.65.5 to 10.1.1.1 on Loopback0:
.May 19 10:03:22.139:  leap 3, mode 3, version 3, stratum 0, ppoll 64
.May 19 10:03:22.139:  rtdel 0000 (0.000), rtdsp 10001 (1000.015), refid 00000000 (0.0.0.0)
.May 19 10:03:22.139:  ref 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
.May 19 10:03:22.139:  org 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
.May 19 10:03:22.139:  rec 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
.May 19 10:03:22.139:  xmt D17F6969.B75CEB34 (10:03:21.716 UTC Thu May 19 2011)
.May 19 10:03:22.143:  inp D17F696A.23C829CC (10:03:22.139 UTC Thu May 19 2011)
.May 19 10:03:29.099: NTP: rcv packet from 192.168.9.10 to 10.1.1.1 on Loopback0:
.May 19 10:03:29.099:  leap 3, mode 3, version 3, stratum 0, ppoll 64
.May 19 10:03:29.099:  rtdel 0000 (0.000), rtdsp 10400 (1015.625), refid 00000000 (0.0.0.0)
.May 19 10:03:29.099:  ref 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
.May 19 10:03:29.099:  org D17F6931.1B9258F8 (10:02:25.107 UTC Thu May 19 2011)
.May 19 10:03:29.103:  rec D17F6936.E260818A (10:02:30.884 UTC Thu May 19 2011)
.May 19 10:03:29.103:  xmt D17F6976.D1E568A2 (10:03:34.819 UTC Thu May 19 2011)
.May 19 10:03:29.103:  inp D17F6971.19C45F83 (10:03:29.100 UTC Thu May 19 2011)
.May 19 10:03:29.103:  Authentication key 1
.May 19 10:03:29.103: NTP: stateless xmit packet to 192.168.9.10:
.May 19 10:03:29.107:  leap 3, mode 4, version 3, stratum 0, ppoll 64
.May 19 10:03:29.107:  rtdel 0000 (0.000), rtdsp 0002 (0.031), refid 7F7F0701 (127.127.7.1)
.May 19 10:03:29.107:  ref D17F658B.A2E55960 (09:46:51.636 UTC Thu May 19 2011)
.May 19 10:03:29.107:  org D17F6976.D1E568A2 (10:03:34.819 UTC Thu May 19 2011)
.May 19 10:03:29.107:  rec D17F6971.19C45F83 (10:03:29.100 UTC Thu May 19 2011)
.May 19 10:03:29.107:  xmt D17F6971.1B45727B (10:03:29.106 UTC Thu May 19 2011)
.May 19 10:03:29.111:  Authentication key 1
.May 19 10:04:26.140: NTP: rcv packet from 192.168.65.5 to 10.1.1.1 on Loopback0:
.May 19 10:04:26.140:  leap 3, mode 3, version 3, stratum 0, ppoll 64
.May 19 10:04:26.140:  rtdel 0000 (0.000), rtdsp 10001 (1000.015), refid 00000000 (0.0.0.0)
.May 19 10:04:26.140:  ref 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
.May 19 10:04:26.140:  org 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
.May 19 10:04:26.144:  rec 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
.May 19 10:04:26.144:  xmt D17F69A9.B798E6C8 (10:04:25.717 UTC Thu May 19 2011)
.May 19 10:04:26.144:  inp D17F69AA.24474BD4 (10:04:26.141 UTC Thu May 19 2011)
.May 19 10:04:33.096: NTP: rcv packet from 192.168.9.10 to 10.1.1.1 on Loopback0:
.May 19 10:04:33.100:  leap 3, mode 3, version 3, stratum 0, ppoll 64
.May 19 10:04:33.100:  rtdel 0000 (0.000), rtdsp 10400 (1015.625), refid 00000000 (0.0.0.0)
.May 19 10:04:33.100:  ref 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
.May 19 10:04:33.100:  org D17F6971.1B45727B (10:03:29.106 UTC Thu May 19 2011)
.May 19 10:04:33.100:  rec D17F6976.E2363F98 (10:03:34.883 UTC Thu May 19 2011)
.May 19 10:04:33.100:  xmt D17F69B6.D1E55C34 (10:04:38.819 UTC Thu May 19 2011)
.May 19 10:04:33.104:  inp D17F69B1.19907058 (10:04:33.099 UTC Thu May 19 2011)
.May 19 10:04:33.104:  Authentication key 1
.May 19 10:04:33.104: NTP: stateless xmit packet to 192.168.9.10:
.May 19 10:04:33.104:  leap 3, mode 4, version 3, stratum 0, ppoll 64
.May 19 10:04:33.104:  rtdel 0000 (0.000), rtdsp 0002 (0.031), refid 7F7F0701 (127.127.7.1)
.May 19 10:04:33.104:  ref D17F658B.A2E55960 (09:46:51.636 UTC Thu May 19 2011)
.May 19 10:04:33.108:  org D17F69B6.D1E55C34 (10:04:38.819 UTC Thu May 19 2011)
.May 19 10:04:33.108:  rec D17F69B1.19907058 (10:04:33.099 UTC Thu May 19 2011)
.May 19 10:04:33.108:  xmt D17F69B1.1B14F4E1 (10:04:33.105 UTC Thu May 19 2011)
.May 19 10:04:33.108:  Authentication key 1


ntp client 1 CISCO ISR

Log Buffer (4096 bytes):

May 19 09:56:53.603: %SYS-5-CONFIG_I: Configured from console by console
May 19 09:56:57.714: NTP: xmit packet to 10.1.1.1:
May 19 09:56:57.714:  leap 3, mode 3, version 3, stratum 0, ppoll 64
May 19 09:56:57.714:  rtdel 0000 (0.000), rtdsp 10001 (1000.015), refid 00000000 (0.0.0.0)
May 19 09:56:57.714:  ref 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
May 19 09:56:57.714:  org 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
May 19 09:56:57.718:  rec 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
May 19 09:56:57.718:  xmt D17F67E9.B6FB98CA (09:56:57.714 UTC Thu May 19 2011)
May 19 09:56:57.718:  Authentication key 1
May 19 09:58:01.715: NTP: xmit packet to 10.1.1.1:
May 19 09:58:01.715:  leap 3, mode 3, version 3, stratum 0, ppoll 64
May 19 09:58:01.715:  rtdel 0000 (0.000), rtdsp 10001 (1000.015), refid 00000000 (0.0.0.0)
May 19 09:58:01.715:  ref 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
May 19 09:58:01.715:  org 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
May 19 09:58:01.719:  rec 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
May 19 09:58:01.719:  xmt D17F6829.B7394D26 (09:58:01.715 UTC Thu May 19 2011)
May 19 09:58:01.719:  Authentication key 1


ntp client ASA

leap 3, mode 3, version 3, stratum 0, ppoll 64
rtdel 0000 (0.000), rtdsp 10400 (1015.625), refid 00000000 (0.0.0.0)
ref 00000000.00000000 (06:28:16.000 UTC Thu Feb 7 2036)
org d17f68b1.1c2a6d29 (10:00:17.110 UTC Thu May 19 2011)
rec d17f68b6.e238662a (10:00:22.883 UTC Thu May 19 2011)
xmt d17f68f6.d1e5a50c (10:01:26.819 UTC Thu May 19 2011)
NTP: rcv packet from 10.1.1.1 to 192.168.9.10 on outside:
leap 3, mode 4, version 3, stratum 0, ppoll 64
rtdel 0000 (0.000), rtdsp 0002 (0.031), refid 7f7f0701 (127.127.7.1)
ref d17f658b.a2e55960 (09:46:51.636 UTC Thu May 19 2011)
org d17f68f6.d1e5a50c (10:01:26.819 UTC Thu May 19 2011)
rec d17f68f1.1a5f08e0 (10:01:21.103 UTC Thu May 19 2011)
xmt d17f68f1.1be01bd8 (10:01:21.108 UTC Thu May 19 2011)
inp d17f68f6.e23dc626 (10:01:26.883 UTC Thu May 19 2011)


ASA2(config)# sh nt ass de

10.1.1.1 configured, authenticated, insane, invalid, unsynced, stratum 16
ref ID 0.0.0.0, time 00000000.00000000 (06:28:16.000 UTC Thu Feb 7 2036)
our mode client, peer mode unspec, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.00, reach 0, sync dist 0.000
delay 0.00 msec, offset 0.0000 msec, dispersion 16000.00
precision 2**5, version 3
org time d17f6931.1b9258f8 (10:02:25.107 UTC Thu May 19 2011)
rcv time d17f6936.e260818a (10:02:30.884 UTC Thu May 19 2011)
xmt time d17f6936.d1e5740c (10:02:30.819 UTC Thu May 19 2011)
filtdelay =     0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00
filtoffset =    0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00
filterror =  16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0


ASA2(config)# NTP: xmit packet to 10.1.1.1:
leap 3, mode 3, version 3, stratum 0, ppoll 64
rtdel 0000 (0.000), rtdsp 10400 (1015.625), refid 00000000 (0.0.0.0)
ref 00000000.00000000 (06:28:16.000 UTC Thu Feb 7 2036)
org d17f6931.1b9258f8 (10:02:25.107 UTC Thu May 19 2011)
rec d17f6936.e260818a (10:02:30.884 UTC Thu May 19 2011)
xmt d17f6976.d1e568a2 (10:03:34.819 UTC Thu May 19 2011)
NTP: rcv packet from 10.1.1.1 to 192.168.9.10 on outside:
leap 3, mode 4, version 3, stratum 0, ppoll 64
rtdel 0000 (0.000), rtdsp 0002 (0.031), refid 7f7f0701 (127.127.7.1)
ref d17f658b.a2e55960 (09:46:51.636 UTC Thu May 19 2011)
org d17f6976.d1e568a2 (10:03:34.819 UTC Thu May 19 2011)
rec d17f6971.19c45f83 (10:03:29.100 UTC Thu May 19 2011)
xmt d17f6971.1b45727b (10:03:29.106 UTC Thu May 19 2011)
inp d17f6976.e2363f98 (10:03:34.883 UTC Thu May 19 2011)
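
Added example, not part of any post in this thread: a Python sketch that reads one server reply from the NTP debug output above, computes the standard NTP offset and round-trip delay from the org/rec/xmt/inp timestamps, and lists the header values that fail NTP's sanity checks. The function names are assumptions of this example; the sample is the last reply logged by the ASA above.

```python
import re

# One server reply, copied from the ASA debug output in the thread.
SAMPLE = """\
NTP: rcv packet from 10.1.1.1 to 192.168.9.10 on outside:
leap 3, mode 4, version 3, stratum 0, ppoll 64
rtdel 0000 (0.000), rtdsp 0002 (0.031), refid 7f7f0701 (127.127.7.1)
ref d17f658b.a2e55960 (09:46:51.636 UTC Thu May 19 2011)
org d17f6976.d1e568a2 (10:03:34.819 UTC Thu May 19 2011)
rec d17f6971.19c45f83 (10:03:29.100 UTC Thu May 19 2011)
xmt d17f6971.1b45727b (10:03:29.106 UTC Thu May 19 2011)
inp d17f6976.e2363f98 (10:03:34.883 UTC Thu May 19 2011)
"""

HDR = re.compile(r"leap (\d), mode (\d), version (\d), stratum (\d+)")
TS = re.compile(r"\b(org|rec|xmt|inp) ([0-9a-fA-F]{8})\.([0-9a-fA-F]{8})")

def parse_reply(text):
    """Return header fields and the four timestamps as 32.32 fixed-point ints."""
    m = HDR.search(text)
    if not m:
        raise ValueError("no NTP header line found")
    pkt = dict(zip(("leap", "mode", "version", "stratum"), map(int, m.groups())))
    for name, sec, frac in TS.findall(text):
        pkt[name] = (int(sec, 16) << 32) | int(frac, 16)
    return pkt

def analyse(pkt):
    """Client-side view of a mode 4 reply: offset, delay and rejection reasons."""
    missing = [k for k in ("org", "rec", "xmt", "inp") if k not in pkt]
    if pkt["mode"] != 4 or missing:
        raise ValueError("need a mode 4 reply with org/rec/xmt/inp")
    t1, t2, t3, t4 = (pkt[k] for k in ("org", "rec", "xmt", "inp"))
    offset = ((t2 - t1) + (t3 - t4)) / 2 / 2**32   # seconds, server minus client
    delay = ((t4 - t1) - (t3 - t2)) / 2**32        # round-trip seconds
    reasons = []
    if pkt["leap"] == 3:
        reasons.append("leap 3: server reports its own clock as unsynchronized")
    if pkt["stratum"] == 0 or pkt["stratum"] >= 16:
        reasons.append("stratum %d is not a usable stratum" % pkt["stratum"])
    return {"offset": offset, "delay": delay, "reasons": reasons}

if __name__ == "__main__":
    print(analyse(parse_reply(SAMPLE)))
```
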
