ISR 4451 NTP Selection Issue

mojocoops
Level 1

Hi all,

I'm trying to figure out why an ISR 4451 connected to the Internet has chosen a Stratum 2 NTP server over a Stratum 1 (212.26.18.41), when a 3750 connected to the Internet at another site has chosen the same Stratum 1 server successfully. The show ntp ass detail commands were both taken at 13:47 AEST; you'll see the differences below.

4451 config:

ntp server vrf INTERNET 212.26.18.41
ntp server vrf INTERNET 180.211.88.211
ntp server vrf INTERNET 119.82.243.189
ntp server vrf INTERNET 211.233.40.78

4451#show ntp ass

  address         ref clock       st  when  poll  reach   delay   offset   disp
-~212.26.18.41    .GPS.            1   630  1024    377  412.90  -21.867  1.038
+~180.211.88.211  131.188.3.220    2   378  1024    377  232.96    3.105  1.039
*~119.82.243.189  118.143.17.82    2   897  1024    357  144.93    5.792  1.133
+~211.233.40.78   133.100.8.2      2   295  1024    377  189.97   -7.368  1.107
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

show ntp ass detail output for Stratum 1 server:

212.26.18.41 configured, ipv4, sane, valid, stratum 1
ref ID .GPS., time DA1DFCEE.564EFD3D (13:33:02.337 AEST Fri Dec 18 2015)
our mode client, peer mode server, our poll intvl 1024, peer poll intvl 1024
root delay 0.00 msec, root disp 0.45, reach 377, sync dist 222.72
delay 413.91 msec, offset -22.5654 msec, dispersion 1.07, jitter 0.97 msec
precision 2**20, version 4
assoc id 49144, assoc name 212.26.18.41
assoc in packets 73262, assoc out packets 76979, assoc error packets 0
org time 00000000.00000000 (10:00:00.000 AEST Mon Jan 1 1900)
rec time DA1DFCFD.82B274FA (13:33:17.510 AEST Fri Dec 18 2015)
xmt time DA1DFCFD.82B274FA (13:33:17.510 AEST Fri Dec 18 2015)
filtdelay = 413.93 413.93 414.84 413.93 414.89 413.91 414.93 414.80
filtoffset = -22.49 -22.77 -21.92 -22.73 -21.99 -22.56 -21.98 -22.23
filterror = 0.98 1.01 1.04 1.07 1.10 1.13 1.16 1.19
minpoll = 6, maxpoll = 10

3750 config:

ntp server vrf Internet 180.211.88.211
ntp server vrf Internet 119.82.243.189
ntp server vrf Internet 212.26.18.41

3750#show ntp ass

  address         ref clock       st  when  poll  reach  delay  offset  disp
+~180.211.88.211  131.188.3.220    2   235   512    377  209.7   44.95   7.6
+~119.82.243.189  95.222.122.210   2   222   512    377  149.2   38.66   6.2
*~212.26.18.41    .GPS.            1   135   512    377  419.3    5.03   8.3
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

212.26.18.41 configured, our_master, sane, valid, stratum 1
ref ID .GPS., time DA1E003D.1CF42E80 (13:47:09.113 AEST Fri Dec 18 2015)
our mode client, peer mode server, our poll intvl 256, peer poll intvl 256
root delay 0.00 msec, root disp 0.35, reach 377, sync dist 210.526
delay 412.14 msec, offset 4.0084 msec, dispersion 4.10
precision 2**20, version 3
org time DA1E003D.BFDD82F1 (13:47:09.749 AEST Fri Dec 18 2015)
rcv time DA1E003D.F398304E (13:47:09.951 AEST Fri Dec 18 2015)
xmt time DA1E003D.8A0CB780 (13:47:09.539 AEST Fri Dec 18 2015)
filtdelay = 412.14 415.51 409.30 431.08 430.65 436.39 445.82 418.61
filtoffset = 4.01 1.17 3.82 -8.38 -8.90 -12.76 -18.02 -4.82
filterror = 0.02 1.16 3.11 5.07 7.02 8.00 8.65 9.63

I'm wondering if there's a bug with NTPv4 on 4451s, seeing as the org time is reporting an odd value. FYI there is a redundant 4451 Internet router in another DC, showing the same issue. Same OS version.

2 Replies

Vinit Jain
Cisco Employee

Hello

Could you please share the below output in a file:

- show version

- show run

The output above shows that the 4451 was not able to sync the NTP. Can you try running the debug ntp packet [detail] command and see what is happening?

Thanks

Vinit

Thanks
--Vinit

Hi Vinit,

Please see output below:

4451#show ver
Cisco IOS XE Software, Version 03.13.02.S - Extended Support Release
Cisco IOS Software, ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.4(3)S2, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Fri 30-Jan-15 15:19 by mcpre


Cisco IOS-XE software, Copyright (c) 2005-2015 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.


ROM: IOS-XE ROMMON

UCQ-DC1-RT2-INT uptime is 17 weeks, 10 hours, 52 minutes
Uptime for this control processor is 17 weeks, 10 hours, 53 minutes
System returned to ROM by reload at 21:44:48 AEST Sun Aug 23 2015
System restarted at 21:47:14 AEST Sun Aug 23 2015
System image file is "bootflash:isr4400-universalk9.03.13.02.S.154-3.S2-ext.SPA.bin"
Last reload reason: Reload Command

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.


Technology Package License Information:

-----------------------------------------------------------------
Technology Technology-package Technology-package
Current Type Next reboot
------------------------------------------------------------------
appx None None None
uc None None None
security securityk9 Permanent securityk9
ipbase ipbasek9 Permanent ipbasek9

cisco ISR4451-X/K9 (2RU) processor with 3735596K/6147K bytes of memory.
Processor board ID ***
4 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
8388608K bytes of physical memory.
15036375K bytes of flash memory at bootflash:.

Configuration register is 0x2102


4
version 15.4
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service compress-config
no platform punt-keepalive disable-kernel-core
!
hostname 4451
!
boot-start-marker
boot system flash bootflash:isr4400-universalk9.03.13.02.S.154-3.S2-ext.SPA.bin
boot-end-marker
!
!
vrf definition INTERNET
rd 65028:1
!
address-family ipv4
exit-address-family
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
vrf definition ***-P-MGMT-DC1
!
address-family ipv4
exit-address-family
!
logging buffered 128000
logging console notifications
enable secret 5 $1$AsIz$20n5WSeN7zkmGpgEuEN8h.
!
aaa new-model
!
!
aaa group server tacacs+ ***
server name ***
server name ***
ip vrf forwarding Mgmt-intf
ip tacacs source-interface GigabitEthernet0
!
aaa authentication login default group *** local
!
!
!
!
!
aaa session-id common
clock timezone AEST 10 0
clock calendar-valid
!
!
!
!
!
no ip domain lookup
ip domain name ***

!
!
!
!
!
!
!
!
!
!
subscriber templating
!
multilink bundle-name authenticated
!
!
key chain HSRP
key 1
key-string 7 ***
cryptographic-algorithm md5
!
!
!
license udi pid ISR4451-X/K9 sn ***
!
username ***

!
redundancy
mode none
!
!
!
!
!
!
track 100 ip sla 100 reachability
!
track 200 ip sla 200 reachability
!
ip tftp source-interface Port-channel1.500
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Port-channel1
description ***-DC1-FW-INT-P001
no ip address
negotiation auto
!
interface Port-channel1.500
encapsulation dot1Q 500
vrf forwarding ***-P-MGMT-DC1
ip address 10.14.0.21 255.255.255.0
!
interface Port-channel1.2599
encapsulation dot1Q 2599
vrf forwarding INTERNET
ip address 10.100.103.241 255.255.255.240
standby version 2
standby 10 ip 10.100.103.243
standby 10 priority 200
standby 10 preempt
standby 10 authentication md5 key-chain HSRP
standby 20 ip 10.100.103.244
standby 20 priority 190
standby 20 preempt
standby 20 authentication md5 key-chain HSRP
!
interface GigabitEthernet0/0/0
description ***-DC1-SW3-DMZ Po1
no ip address
negotiation auto
channel-group 1 mode active
!
interface GigabitEthernet0/0/1
description ***-DC1-SW3-DMZ Po1
no ip address
negotiation auto
channel-group 1 mode active
!
interface GigabitEthernet0/0/2
description Internet
bandwidth 100000
vrf forwarding INTERNET
ip address 139.130.40.74 255.255.255.252
ip access-group ACL-***-INTERNET in
negotiation auto
no cdp enable
!
interface GigabitEthernet0/0/3
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 10.100.104.21 255.255.255.0
negotiation auto
!
router bgp 65028
bgp router-id 10.100.104.21
bgp log-neighbor-changes
bgp graceful-restart restart-time 120
bgp graceful-restart stalepath-time 360
bgp graceful-restart
!
address-family ipv4 vrf INTERNET
redistribute connected
redistribute static
neighbor 10.100.103.242 remote-as 65028
neighbor 10.100.103.242 description ***-DC2-RT2-INT
neighbor 10.100.103.242 activate
neighbor 10.100.103.242 next-hop-self
neighbor 139.130.40.73 remote-as 1221
neighbor 139.130.40.73 description Internet
neighbor 139.130.40.73 activate
neighbor 139.130.40.73 next-hop-self
neighbor 139.130.40.73 route-map RM-INTERNET-IN in
neighbor 139.130.40.73 route-map RM-INTERNET-OUT out
exit-address-family
!
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route vrf INTERNET 203.42.111.24 255.255.255.248 10.100.103.253 name DC1_FW track 100
ip route vrf INTERNET 203.23.20.32 255.255.255.224 10.100.103.253 name DC1_FW track 100
ip route vrf INTERNET 203.23.20.64 255.255.255.192 10.100.103.253 name DC1_FW track 100
ip route vrf INTERNET 203.23.20.160 255.255.255.224 10.100.103.253 name DC1_FW track 100
ip route vrf INTERNET 203.23.21.128 255.255.255.128 10.100.103.254 2 name DC2_FW track 200
ip route vrf INTERNET 203.23.21.64 255.255.255.224 10.100.103.254 name DC2_FW track 200
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 10.100.104.1
ip route vrf ***-P-MGMT-DC1 0.0.0.0 0.0.0.0 10.14.0.1
!
!
ip access-list extended ACL-REMOTE-ACCESS
remark allow DiData internet router SSH access
permit tcp host 175.184.217.225 any eq 22 log
remark Allow internal access
permit tcp 10.0.0.0 0.255.255.255 any eq 22
permit tcp 148.182.29.0 0.0.0.255 any eq 22
deny ip any any log
ip access-list extended ACL-***-INTERNET
remark --- RFC 1918 and Multicast ---
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 224.0.0.0 31.255.255.255 any
deny ip host 0.0.0.0 any
remark --- ICMP ---
permit icmp any any
remark --- NTP ---
permit udp host 212.26.18.41 eq ntp host 139.130.40.74 eq ntp
permit udp host 180.211.88.211 eq ntp host 139.130.40.74 eq ntp
permit udp host 119.82.243.189 eq ntp host 139.130.40.74 eq ntp
permit udp host 211.233.40.78 eq ntp host 139.130.40.74 eq ntp
remark --- BGP ---
permit tcp host 139.130.40.73 host 139.130.40.74 eq bgp
permit tcp host 139.130.40.73 eq bgp host 139.130.40.74
deny tcp any any eq bgp
deny tcp any eq bgp any
remark --- Carrier Address ---
deny ip any host 139.130.40.74
remark --- Public ranges ---
permit ip any 203.23.20.0 0.0.1.255
permit ip any 203.42.111.24 0.0.0.7
permit esp any 203.23.20.0 0.0.1.255
permit esp any 203.42.111.24 0.0.0.7
permit ahp any 203.23.20.0 0.0.1.255
permit ahp any 203.42.111.24 0.0.0.7
remark --- Deny ---
deny ip any any
!
!
ip prefix-list DC1-PRIMARY seq 10 permit 203.23.20.0/24 le 27
ip prefix-list DC1-PRIMARY seq 20 permit 203.42.111.24/29
!
ip prefix-list DC2-PRIMARY seq 10 permit 203.23.21.0/24 le 27
!
ip prefix-list DEFAULT-ROUTE seq 10 permit 0.0.0.0/0
ip sla 100
icmp-echo 10.100.103.253 source-interface Port-channel1.2599
vrf INTERNET
threshold 2500
timeout 3000
ip sla schedule 100 life forever start-time now
ip sla 200
icmp-echo 10.100.103.254 source-interface Port-channel1.2599
vrf INTERNET
threshold 2500
timeout 3000
ip sla schedule 200 life forever start-time now
logging host 10.14.2.199 vrf Mgmt-intf
logging host 10.14.2.199
!
route-map RM-INTERNET-IN permit 10
description Default Route Only
match ip address prefix-list DEFAULT-ROUTE
!
route-map RM-INTERNET-IN deny 999
!
route-map RM-INTERNET-OUT permit 10
description Primary DC1 - no Prepend
match ip address prefix-list DC1-PRIMARY
!
route-map RM-INTERNET-OUT permit 20
description Primary DC2 - 1 Prepend
match ip address prefix-list DC2-PRIMARY
set as-path prepend 65028
!
route-map RM-INTERNET-OUT deny 999
!
snmp-server community ***RO
snmp-server host 10.255.254.1 ***
!
tacacs server ***
address ipv4 ***
timeout 3
tacacs server ***
address ipv4 ***
timeout 3
!
!
!
control-plane
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
exec-timeout 30 0
privilege level 15
transport input ssh
line vty 5 15
exec-timeout 30 0
privilege level 15
!
ntp server vrf INTERNET 212.26.18.41
ntp server vrf INTERNET 180.211.88.211
ntp server vrf INTERNET 119.82.243.189
ntp server vrf INTERNET 211.233.40.78
!
end

Debug all NTP, output for relevant NTP server:

Dec 18 14:43:00.326: NTP message sent to 212.26.18.41, from interface 'GigabitEthernet0/0/2' (139.130.40.74).
Dec 18 14:43:00.740: NTP message received from 212.26.18.41 on interface 'GigabitEthernet0/0/2' (139.130.40.74).
Dec 18 14:43:00.740: NTP Core(DEBUG): ntp_receive: message received
Dec 18 14:43:00.740: NTP Core(DEBUG): ntp_receive: peer is 0x7F99F841E140, next action is 1.
Dec 18 14:43:02.325: NTP message sent to 212.26.18.41, from interface 'GigabitEthernet0/0/2' (139.130.40.74).
Dec 18 14:43:02.739: NTP message received from 212.26.18.41 on interface 'GigabitEthernet0/0/2' (139.130.40.74).
Dec 18 14:43:02.739: NTP Core(DEBUG): ntp_receive: message received
Dec 18 14:43:02.739: NTP Core(DEBUG): ntp_receive: peer is 0x7F99F841E140, next action is 1.
Dec 18 14:43:04.326: NTP message sent to 212.26.18.41, from interface 'GigabitEthernet0/0/2' (139.130.40.74).
Dec 18 14:43:04.740: NTP message received from 212.26.18.41 on interface 'GigabitEthernet0/0/2' (139.130.40.74).
Dec 18 14:43:04.740: NTP Core(DEBUG): ntp_receive: message received
Dec 18 14:43:04.740: NTP Core(DEBUG): ntp_receive: peer is 0x7F99F841E140, next action is 1.
Dec 18 14:43:06.325: NTP message sent to 212.26.18.41, from interface 'GigabitEthernet0/0/2' (139.130.40.74).
Dec 18 14:43:06.739: NTP message received from 212.26.18.41 on interface 'GigabitEthernet0/0/2' (139.130.40.74).
Dec 18 14:43:06.739: NTP Core(DEBUG): ntp_receive: message received
Dec 18 14:43:06.739: NTP Core(DEBUG): ntp_receive: peer is 0x7F99F841E140, next action is 1.
Dec 18 14:43:08.325: NTP message sent to 212.26.18.41, from interface 'GigabitEthernet0/0/2' (139.130.40.74).
Dec 18 14:43:08.739: NTP message received from 212.26.18.41 on interface 'GigabitEthernet0/0/2' (139.130.40.74).
Dec 18 14:43:08.739: NTP Core(DEBUG): ntp_receive: message received
Dec 18 14:43:08.739: NTP Core(DEBUG): ntp_receive: peer is 0x7F99F841E140, next action is 1.
Dec 18 14:43:10.325: NTP message sent to 212.26.18.41, from interface 'GigabitEthernet0/0/2' (139.130.40.74).
Dec 18 14:43:10.739: NTP message received from 212.26.18.41 on interface 'GigabitEthernet0/0/2' (139.130.40.74).
Dec 18 14:43:10.739: NTP Core(DEBUG): ntp_receive: message received
Dec 18 14:43:10.739: NTP Core(DEBUG): ntp_receive: peer is 0x7F99F841E140, next action is 1.
Dec 18 14:43:12.326: NTP message sent to 212.26.18.41, from interface 'GigabitEthernet0/0/2' (139.130.40.74).
Dec 18 14:43:12.740: NTP message received from 212.26.18.41 on interface 'GigabitEthernet0/0/2' (139.130.40.74).
Dec 18 14:43:12.740: NTP Core(DEBUG): ntp_receive: message received
Dec 18 14:43:12.740: NTP Core(DEBUG): ntp_receive: peer is 0x7F99F841E140, next action is 1.
Dec 18 14:43:14.325: NTP message sent to 212.26.18.41, from interface 'GigabitEthernet0/0/2' (139.130.40.74).
Dec 18 14:43:14.739: NTP message received from 212.26.18.41 on interface 'GigabitEthernet0/0/2' (139.130.40.74).
Dec 18 14:43:14.739: NTP Core(DEBUG): ntp_receive: message received
Dec 18 14:43:14.739: NTP Core(DEBUG): ntp_receive: peer is 0x7F99F841E140, next action is 1.
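
An added example, not part of any post in this thread and not Cisco's implementation: it parses the 4451 association table quoted above, computes for each peer the RMS distance of its offset from the other peers' offsets (a simplified form of the selection jitter used by the RFC 5905 cluster algorithm), and decodes the hex NTP timestamps shown in the detail output. The function names are made up for this example.

```python
import math
import re
from datetime import datetime, timedelta, timezone

# Rows copied from the 4451 "show ntp ass" output quoted in the thread.
TABLE_4451 = """\
-~212.26.18.41 .GPS. 1 630 1024 377 412.90 -21.867 1.038
+~180.211.88.211 131.188.3.220 2 378 1024 377 232.96 3.105 1.039
*~119.82.243.189 118.143.17.82 2 897 1024 357 144.93 5.792 1.133
+~211.233.40.78 133.100.8.2 2 295 1024 377 189.97 -7.368 1.107
"""
# Tally legend as printed under the 4451 table.
TALLY = {"*": "sys.peer", "#": "selected", "+": "candidate",
         "-": "outlyer", "x": "falseticker", "": "none"}
NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)


def parse_associations(text):
    """Parse association rows into dicts; reach is an octal 8-poll bitmap."""
    peers = []
    for line in text.splitlines():
        fields = line.split()
        m = re.match(r"([*#+x-]?)~?(\d+(?:\.\d+){3})$", fields[0]) if fields else None
        if not m or len(fields) != 9:
            continue
        peers.append({"addr": m.group(2), "tally": TALLY[m.group(1)],
                      "stratum": int(fields[2]), "reach": int(fields[5], 8),
                      "delay": float(fields[6]), "offset": float(fields[7])})
    return peers


def selection_jitter(peers):
    """RMS distance (ms) of each peer's offset from every other peer's offset."""
    n = len(peers)
    return {p["addr"]: math.sqrt(sum((p["offset"] - q["offset"]) ** 2
                                     for q in peers if q is not p) / (n - 1))
            for p in peers}


def ntp_hex_to_utc(stamp):
    """Decode a 'SSSSSSSS.FFFFFFFF' hex NTP timestamp (seconds since 1900 UTC)."""
    sec, frac = (int(part, 16) for part in stamp.split("."))
    return NTP_EPOCH + timedelta(seconds=sec, microseconds=frac * 1e6 / 2**32)


if __name__ == "__main__":
    peers = parse_associations(TABLE_4451)
    for addr, psi in sorted(selection_jitter(peers).items(), key=lambda kv: -kv[1]):
        print(f"{addr:16} selection jitter {psi:6.2f} ms")
    print(ntp_hex_to_utc("00000000.00000000"))  # all-zero field decodes to the NTP epoch
```

On the quoted table the Stratum 1 peer has the largest value of this measure, and an all-zero org time decodes to the NTP epoch, which is what the router prints as 10:00:00.000 AEST Mon Jan 1 1900.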
