11-21-2024 11:53 AM
Recently it was brought to my attention that the NTP for our user layer switches wasn't functioning. These use md5 hash configuration.
To troubleshoot, I checked the traffic through our firewall. I was able to see the traffic being passed. Then, I did a capture both at the firewall and was able to confirm in detail that NTP information was flowing between switches and the NTP server as expected to port 123 on UDP. I then selected two switches and performed a capture on those particular switches' uplink interfaces. I was able to confirm that the switches were indeed receiving UDP with an NTP payload.
With that information in mind I double checked the switch NTP config and ran some debug. The IP packet debug confirmed that the switches were sending the packets. NTP debug led me to this:
*Nov 21 11:41:34.685 est: NTP Core (INFO): x.x.xx C01C 8C bad_auth Invalid_NAK
*Nov 21 11:41:34.685 est: NTP Core (ERROR): Invalid-NAK error at 1473700 x.x.x.x<-x.x.x.x
So I reached out to the server admin that runs the NTP server, and we realized the key index was off. We changed it so we were both on the same number key and reset the password to something new and confirmed we were both using the same. We ran a capture again to confirm the switch and server were seeing and sending the new key #.
However, we still receive the NAK error. I attempted to remove and re-add the key trust command on the XE switch as someone else suggested in a thread, and verified the clock settings on the switch. The switch is configured as such:
ntp authentication-key 3 md5 115808040D401C1F1C6B1A05121302112B 7
ntp authenticate
ntp trusted-key 3
ntp source <mgmt vlan>
ntp server x.x.x.x key 3
ntp server x.x.x.x key 3 maxpoll 10 minpoll 6 version 4 burst iburst
clock timezone est -5 0
clock summer-time edt recurring
Any advice on what we may be missing here would be welcomed. Is there something I am overlooking?
11-21-2024 12:06 PM
ntp authentication-key x hmac-sha1 <string> <<- it may be that the server uses sha1, not md5
MHM
11-25-2024 07:01 AM
MHM,
Thanks, reminding me of sha was helpful. I realized the image on this switch was also outdated so it's been updated. And sha is a much better choice over md5.
However, the same issue continues with sha1 and sha2, matching key table and confirmed password. I am starting to think an issue exists somewhere on the config of the NTP device. It is an Orolia. Looking into that now.
11-25-2024 07:10 AM
ntp authentication-key 1 hmac-sha2-256 <string>
ntp authentication-key 2 hmac-sha1 <string>
ntp authentication-key 3 md5 <string>
ntp trusted-key 1 - 3
Try all three and check,
and sure, it can be an NTP server issue.
MHM
11-25-2024 09:06 AM
Yea,
I get the NAK error no matter the chosen hash method.
*Nov 25 12:11:58.701 est: NTP Core (ERROR): Invalid-NAK error at 5050 x.x.x.x<-x.x.x.x
11-25-2024 09:13 AM
do ntp auth-key x ?
and try all the encryption options you get
11-25-2024 09:33 AM
AES, SHA, SHA2, and MD5 all give the same NAK issues.
I've been removing the auth key x and trusted-key x each time and adding them back to kick off the debug.
11-25-2024 09:34 AM
Without authentication, does it work?
MHM
11-25-2024 11:26 AM
Yes, I have tested the same devices to the secondary NTP without auth with success. I will also test the primary shortly.
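One way to take the captures described in this thread further is to check the NTP authentication trailer offline. The Python below is an added example, not code from any poster or from Cisco or the NTP server vendor. It assumes an NTPv4 payload with no extension fields and the RFC 5905 MD5 keyed digest (MD5 over the key followed by the header); the key value and packets are constructed samples.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48   # NTPv4 header; assumes no extension fields in the capture
MD5_LEN = 16      # digest size for an "md5" key type

def md5_mac(key: bytes, header: bytes) -> bytes:
    """RFC 5905 keyed digest: MD5 over the shared key followed by the header."""
    return hashlib.md5(key + header).digest()

def classify(payload: bytes, key_table: dict) -> str:
    """Describe the authentication trailer of one NTP UDP payload."""
    if len(payload) < HEADER_LEN:
        return "truncated"
    header, trailer = payload[:HEADER_LEN], payload[HEADER_LEN:]
    if not trailer:
        return "no MAC"
    if len(trailer) < 4:
        return "malformed MAC"
    key_id = struct.unpack("!I", trailer[:4])[0]
    digest = trailer[4:]
    if not digest:
        # Key ID alone: a crypto-NAK when the ID is zero (RFC 5905).
        return "crypto-NAK" if key_id == 0 else f"key {key_id}: digest missing"
    if len(digest) != MD5_LEN:
        return f"key {key_id}: {len(digest)}-byte digest, not MD5"
    if key_id not in key_table:
        return f"key {key_id}: not in key table"
    ok = hmac.compare_digest(digest, md5_mac(key_table[key_id], header))
    return f"key {key_id}: MAC ok" if ok else f"key {key_id}: MAC mismatch"

def build(mode: int, key_id=None, key=b"") -> bytes:
    """Constructed sample payload: VN=4, given mode, all other fields zero."""
    header = bytes([(4 << 3) | mode]) + bytes(HEADER_LEN - 1)
    if key_id is None:
        return header
    if key_id == 0:
        return header + bytes(4)
    return header + struct.pack("!I", key_id) + md5_mac(key, header)

if __name__ == "__main__":
    shared = b"constructed-secret"             # constructed, not the thread's key
    request = build(3, key_id=3, key=shared)   # client request signed with key 3
    print(classify(request, {3: shared}))
    print(classify(request, {3: b"other-value"}))
    print(classify(request, {1: shared}))
    print(classify(build(4, key_id=0), {3: shared}))
```

Run `classify` on the UDP payload bytes exported from the switch-side and server-side captures, with the key table each side believes it has. A `MAC mismatch` on a request whose key number is present in the table points at the key string rather than the key number.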