Hello.I believe you hit a bug

jordan.bean · ‎11-01-2014

I'm trying to configure our router to be both an NTP client and server for clients on our network. I believe that I'm running into a bug.

My configuration is:

access-list 1 remark Restrict NTP to local networks
access-list 1 permit 207.x.y.0 0.0.15.255
access-list 1 permit 10.0.0.0 0.255.255.255

access-list 2 remark NTP sync with specified servers
access-list 2 permit 127.127.7.1
access-list 2 permit 18.26.4.105
access-list 2 permit 209.81.9.7
access-list 2 permit 192.5.41.40

ntp access-group peer 2
ntp access-group serve-only 1
ntp master
ntp update-calendar
ntp server 192.5.41.40
ntp server 18.26.4.105
ntp server 209.81.9.7

The router is syncing fine with the 3 NTP servers. However, no clients can query my routers. The only way that I can get clients to successfully query my routers for NTP is to either remove both "ntp access-group" commands (which I obviously can't do) or to add my clients to the peer access list, which is also incorrect:

access-list 2 permit 207.x.y.0 0.0.15.255
access-list 2 permit 10.0.0.0 0.255.255.255

It looks like NTP queries coming into the router are being checked against the "peer" ACL only and that "serve-only" is being ignored.

If I remove "ntp access-group peer 2" and only have "ntp access-group serve-only 1" the queries still fail.

I found 1 previous post regarding someone having a similar issue a year ago and it didn't receive any replies.

Vasilii Mikhailovskii · ‎01-12-2015

Hello.

I believe you hit a bug CSCuj66318, that is fixed in 15.2(4)M7.

I tried 15.2(4)M7 and 15.2(4)M1 - M1 behaves as you described, while M7 works fine.

NTP issue in 15.2(4)