07-16-2008 01:00 PM - edited 03-03-2019 10:45 PM
I am having issues with 3600 and 7200 routers not syncing with NTP server. My NTP server is working fine as I have other devices syncing to it. The 3600 and 7200 routers can sync to public NTP servers on the internet but cannot sync to my internal NTP server. The routers do have access to the NTP server because they can ping and traceroute to it.
07-16-2008 01:03 PM
Hi, IOS is very picky about NTP and as soon as something doesn't seem right, it won't synch.
Eg, server claims to be stratum 0, or other apparently minor inconsistencies.
07-16-2008 01:05 PM
What is your NTP server?
07-16-2008 01:10 PM
NTP server is running on a Linux machine.
NTP Status from router not working:
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**24
reference time is CC28B5C4.FD1E3E38 (11:00:36.988 PST Wed Jul 16 2008)
clock offset is -7.0256 msec, root delay is 168.08 msec
root dispersion is 71.73 msec, peer dispersion is 0.47 msec
NTP Status from different router.
Clock is synchronized, stratum 4, reference is 172.17.2.166
nominal freq is 249.5901 Hz, actual freq is 249.5873 Hz, precision is 2**18
reference time is CC28E17F.B5C3C30C (14:07:11.710 PST Wed Jul 16 2008)
clock offset is -0.1556 msec, root delay is 8.09 msec
root dispersion is 32.78 msec, peer dispersion is 0.03 msec
07-16-2008 01:13 PM
Do you have NAT or FW between routers and NTP?
07-16-2008 01:16 PM
Yes firewall is in front of NTP server. I have allowed anything over NTP to it as I have some switches and other firewall accessing it.
07-16-2008 02:04 PM
Are you doing NTP authentication? If you are then make sure the key configured is correct. Another thing to check is if you are using a different source address for NTP peering then make sure you can ping the NTP server from the sourced IP. NTP is somewhat flaky and I have had some situations where I had to reload the box to make NTP sync as there's no clear command to try and force it to sync up.
HTH
Sundar
07-16-2008 06:58 PM
Mike
We might be in a better position to answer your issue if we had more details about your environment. Perhaps you could post the output of show run | include ntp
Also it might be helpful if you would post the output of show ntp association detail
HTH
Rick
07-17-2008 07:57 AM
Some information on the environment.
3640 ISP router
(cannot connect to NTP)
|
2912 Switch connected to router
(cannot connect to NTP server)
|
Two Juniper Firewall Connected to Switch
(can connect to NTP server)
|
4500 Switch Connected to firewalls
(can connect to NTP server)
Show NTP config of 3640:
ntp source FastEthernet2/0
ntp server 69.25.233.209
Sh ntp association:
address          ref clock   st  when  poll  reach  delay  offset  disp
~69.25.233.209   0.0.0.0     16  -     64    0      0.0    0.00    16000.
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
07-17-2008 07:50 AM
I am not using any Authentication. I am sourcing the ip address of interface and I am able to ping the NTP server from that address.
07-17-2008 08:09 AM
Mike
If you can ping the NTP server address sourcing the ping from FastEther2/0 then that does demonstrate IP connectivity, which is one of the first things I would look at. So that is good.
Based on the information so far I am suspicious about the firewall(s) and whether they are blocking some NTP traffic. I had a situation at a customer site once where their firewall was permitting only if both source port and destination port were NTP. There was a device sending NTP requests but the source port was some high port - and was being blocked even though it was a very legitimate NTP request. Could something like that be going on that does permit NTP from some devices but not from others?
HTH
Rick
07-17-2008 08:18 AM
I was originally allowing the access list in the firewall as:
permit udp any gt 1023 host 69.25.233.209 eq ntp
I changed it to:
permit udp any host 69.25.233.209 eq ntp
That solved the problem, thanks.
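An added example, not part of the original posts: a small Python check that evaluates the two access-list lines quoted above against NTP requests from two kinds of client. It assumes the routers source their NTP requests from UDP port 123, while other clients use a high ephemeral port; the client address 192.0.2.10 and source port 40123 are constructed sample values, and the parser handles only the rule shape shown in this thread.

```python
import re

PORT_NAMES = {"ntp": 123}
OPS = {
    None: lambda port, ref: True,          # no port qualifier: any port matches
    "eq": lambda port, ref: port == ref,
    "gt": lambda port, ref: port > ref,
    "lt": lambda port, ref: port < ref,
    "neq": lambda port, ref: port != ref,
}
# Only the rule shape quoted in the thread is parsed:
#   permit|deny udp <any|host IP> [op port] <any|host IP> [op port]
RULE_RE = re.compile(
    r"^(permit|deny)\s+udp\s+(any|host\s+\S+)(?:\s+(eq|gt|lt|neq)\s+(\S+))?"
    r"\s+(any|host\s+\S+)(?:\s+(eq|gt|lt|neq)\s+(\S+))?\s*$"
)

def _port(token):
    """Turn a port token ('ntp', '1023') into a number; None means unused."""
    if token is None:
        return 0
    return PORT_NAMES.get(token) or int(token)

def _addr_ok(spec, ip):
    return spec == "any" or spec.split()[1] == ip

def evaluate(acl, src_ip, sport, dst_ip, dport):
    """First matching rule wins; no match falls through to the implicit deny."""
    for line in acl:
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported rule: {line!r}")
        action, src, sop, sref, dst, dop, dref = m.groups()
        if (_addr_ok(src, src_ip) and OPS[sop](sport, _port(sref))
                and _addr_ok(dst, dst_ip) and OPS[dop](dport, _port(dref))):
            return action
    return "deny"

def ntp_client_verdicts(acl, server, client="192.0.2.10"):
    """Verdict per client source port: 123 (assumed router) and 40123 (constructed)."""
    return {sport: evaluate(acl, client, sport, server, 123) for sport in (123, 40123)}

ORIGINAL_ACL = ["permit udp any gt 1023 host 69.25.233.209 eq ntp"]
FIXED_ACL = ["permit udp any host 69.25.233.209 eq ntp"]

if __name__ == "__main__":
    print("original:", ntp_client_verdicts(ORIGINAL_ACL, "69.25.233.209"))
    print("fixed:   ", ntp_client_verdicts(FIXED_ACL, "69.25.233.209"))
```

Under that assumption the original rule drops the port-123 requests while still admitting high-port clients, which matches the symptom of some devices syncing and others not.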
07-17-2008 08:56 AM
Mike
I am glad that my suggestion helped you solve your problem. Thank you for using the rating system to indicate that your problem was solved (and thanks for the rating). It makes the forum more useful when people can read about a problem and can know that a suggestion did lead to a solution.
HTH
Rick
03-19-2019 06:40 AM
03-19-2019 08:18 AM
Hello,
What is the source interface for your NTP config? Paste the configuration of your router if possible...
One thing you could try is to set the clock manually to something close to real time, that sometimes helps with synchronization:
Router#clock set