04-24-2024 06:35 AM
Hi All,
I have a couple of C9300 L3 switches that are connecting to an ASA firewall. The NTP and the syslog server for the switches are located behind a firewall.
When one of the switches requests/sends packets, the gateway IP is the source address on the firewall (which is normal behavior).
Is there an option to add the Management IP of the switch while sending/receiving such packets?
Thanks.
04-24-2024 06:47 AM
ntp source interface
logging source-interface interface
This, I think, is what you need
MHM
04-25-2024 01:13 AM
Hi,
Thanks for the response.
I did the following changes:
ntp source ?
AccessTunnel Access Tunnel interface
AppGigabitEthernet App-hosting Gigabit Ethernet
Auto-Template Auto-Template interface
BDI Bridge-Domain interface
Bluetooth Bluetooth interface
CEM-PG Circuit Emulation interface with Protection group
CEOBC Cluster EOBC Interface
FortyGigabitEthernet Forty Gigabit Ethernet
GMPLS MPLS interface
GigabitEthernet GigabitEthernet IEEE 802.3z
InternalInterface Internal Interface
L2LISP L2 Locator/ID Separation Protocol Virtual Interface
LISP Locator/ID Separation Protocol Virtual Interface
Loopback Loopback interface
Lspvif LSP virtual interface
Null Null interface
PROTECTION_GROUP Protection-group controller
Port-channel Ethernet Channel of interfaces
SDH_ACR Virtual SDH-ACR controller
SERIAL-ACR Serial interface with ACR
Serial-PG Serial interface with Protection Group
TLS-VIF TLS Virtual Interface
TenGigabitEthernet Ten Gigabit Ethernet
Tunnel Tunnel interface
Tunnel-tp MPLS Transport Profile interface
TwentyFiveGigE Twenty Five Gigabit Ethernet
VirtualPortGroup Virtual Port Group
Vlan Catalyst Vlans
nve Network virtualization endpoint interface
X02YAL11UH001-KF001-(config)#ntp source vlan ?
<1-4094> Vlan interface number
X02YAL11UH001-KF001-(config)#ntp source vlan 403
X02YAL11UH001-KF001-(config)#do wr
But the firewall does not receive any packets from vlan 403.
04-25-2024 01:29 AM
Vlan 403 must be L3, have an IP, and be UP
On the ASA interface connected to the SW:
Capture CAP interface <interface name> match ip host <vlan403> any
Then
Show capture CAP
See if there is traffic toward the ASA or not
MHM
04-25-2024 06:25 AM
Hi,
The FW does not respond to the capture.
Result of the command: "capture cap eth 1/13 match ip host vlan 403 any"
capture cap eth 1/13 match ip host vlan 403 any
^
ERROR: % Invalid input detected at '^' marker.
Can you please help me correct it?
04-25-2024 06:39 AM
"capture cap eth 1/13 match ip host vlan 403 any"
You need to use the vlan403 IP, not its name. I wrote its name because I don't know the IP.
MHM
04-25-2024 06:57 AM
Hi,
Thank you for the suggestion.
The interface on the FW had a name and the "?" prompted me to use the name.
Please check the output:
sh cap
capture cap type raw-data interface Utility&Radio [Capturing - 212 bytes]
match ip host 10.169.29.193 any
sh capture cap
3 packets captured
1: 15:53:05.412225 10.169.29.193.123 > 10.169.24.11.123: udp 48
2: 15:53:42.411416 10.169.29.193.123 > 10.169.24.12.123: udp 48
3: 15:54:12.411447 10.169.29.193.123 > 10.169.24.11.123: udp 48
Looks like we do have the packets sent but the logging monitor does not show these packets.
04-25-2024 07:02 AM
Now we finished this part, do the same but in the other direction
match ip any host 10.169.29.193
MHM
04-25-2024 11:07 PM
Hi,
please check output below:
04-25-2024 11:14 PM
No capture <name of capture>
Now we totally know that the NTP is sending NTP to the SW using the interface we specify.
I.e. there is a connection between NTP and SW.
And I think that answers your Q about using a specific IP to connect to NTP.
Did you face an issue with NTP?
MHM
04-26-2024 01:52 AM
Yes, the clock is still not synchronized.
I can see the configured IPs in the show ntp associations, but in the show ntp status I get a message that the clock is not synchronized, no reference clock set.
04-26-2024 01:55 AM
Share
show ntp status <<-
Let's take a look
MHM
04-26-2024 02:36 AM
Below is the output:
04-26-2024 03:36 AM
Last thing before I run a lab for this case
debug ntp packet <<- in SW share this
MHM
04-26-2024 04:10 AM
Thank you for the support.
Output of debug :
X02YAL11UH001-KF001-SW#debug ntp packet
NTP packets debugging is on
X02YAL11UH001-KF001-SW#
*Apr 26 11:07:43.694 UTC: NTP: ntpio_send_ipv4: dst 10.169.24.11, src 0.0.0.0, if_out Vlan403
*Apr 26 11:07:43.694 UTC: NTP message sent to 10.169.24.11, from interface 'Vlan403' (10.169.29.193).
*Apr 26 11:07:58.694 UTC: NTP: ntpio_send_ipv4: dst 10.169.24.12, src 0.0.0.0, if_out Vlan403
*Apr 26 11:07:58.694 UTC: NTP message sent to 10.169.24.12, from interface 'Vlan403' (10.169.29.193).
*Apr 26 11:08:14.045 UTC: NTP message received from 10.169.29.196 on interface 'Vlan403' (10.169.29.193).
*Apr 26 11:08:14.046 UTC: NTP: ntpio_send_ipv4: dst 10.169.29.196, src 10.169.29.193, if_out Vlan403
*Apr 26 11:08:14.046 UTC: NTP message sent to 10.169.29.196, from interface 'Vlan403' (10.169.29.193).
*Apr 26 11:08:15.045 UTC: NTP message received from 10.169.29.196 on interface 'Vlan403' (10.169.29.193).
*Apr 26 11:08:15.045 UTC: NTP: ntpio_send_ipv4: dst 10.169.29.196, src 10.169.29.193, if_out Vlan403
*Apr 26 11:08:15.045 UTC: NTP message sent to 10.169.29.196, from interface 'Vlan403' (10.169.29.193).
*Apr 26 11:08:16.046 UTC: NTP message received from 10.169.29.196 on interface 'Vlan403' (10.169.29.193).
*Apr 26 11:08:16.046 UTC: NTP: ntpio_send_ipv4: dst 10.169.29.196, src 10.169.29.193, if_out Vlan403
*Apr 26 11:08:16.046 UTC: NTP message sent to 10.169.29.196, from interface 'Vlan403' (10.169.29.193).
*Apr 26 11:08:17.046 UTC: NTP message received from 10.169.29.196 on interface 'Vlan403' (10.169.29.193).
*Apr 26 11:08:17.046 UTC: NTP: ntpio_send_ipv4: dst 10.169.29.196, src 10.169.29.193, if_out Vlan403
*Apr 26 11:08:17.046 UTC: NTP message sent to 10.169.29.196, from interface 'Vlan403' (10.169.29.193).
*Apr 26 11:08:18.046 UTC: NTP message received from 10.169.29.196 on interface 'Vlan403' (10.169.29.193).
*Apr 26 11:08:18.046 UTC: NTP: ntpio_send_ipv4: dst 10.169.29.196, src 10.169.29.193, if_out Vlan403
*Apr 26 11:08:18.046 UTC: NTP message sent to 10.169.29.196, from interface 'Vlan403' (10.169.29.193).
*Apr 26 11:08:19.045 UTC: NTP message received from 10.169.29.196 on interface 'Vlan403' (10.169.29.193).
*Apr 26 11:08:19.046 UTC: NTP: ntpio_send_ipv4: dst 10.169.29.196, src 10.169.29.193, if_out Vlan403
*Apr 26 11:08:19.046 UTC: NTP message sent to 10.169.29.196, from interface 'Vlan403' (10.169.29.193).
*Apr 26 11:08:37.669 UTC: NTP message received from 10.169.29.201 on interface 'Vlan403' (10.169.29.193).
*Apr 26 11:08:37.669 UTC: NTP: ntpio_send_ipv4: dst 10.169.29.201, src 10.169.29.193, if_out Vlan403
*Apr 26 11:08:37.669 UTC: NTP message sent to 10.169.29.201, from interface 'Vlan403' (10.169.29.193).
*Apr 26 11:08:38.669 UTC: NTP message received from 10.169.29.201 on interface 'Vlan403' (10.169.29.193).
*Apr 26 11:08:38.669 UTC: NTP: ntpio_send_ipv4: dst 10.169.29.201, src 10.169.29.193, if_out Vlan403
*Apr 26 11:08:38.669 UTC: NTP message sent to 10.169.29.201, from interface 'Vlan403' (10.169.29.193).
*Apr 26 11:08:39.646 UTC: NTP message received from 10.169.29.197 on interface 'Vlan403' (10.169.29.193).
*Apr 26 11:08:39.646 UTC: NTP: ntpio_send_ipv4: dst 10.169.29.197, src 10.169.29.193, if_out Vlan403
*Apr 26 11:08:39.646 UTC: NTP message sent to 10.169.29.197, from interface 'Vlan403' (10.169.29.193).
*Apr 26 11:08:39.670 UTC: NTP message received from 10.169.29.201 on interface 'Vlan403' (10.169.29.193).
*Apr 26 11:08:39.670 UTC: NTP: ntpio_send_ipv4: dst 10.169.29.201, src 10.169.29.193, if_out Vlan403
*Apr 26 11:08:39.670 UTC: NTP message sent to 10.169.29.201, from interface 'Vlan403' (10.169.29.193).
*Apr 26 11:08:40.646 UTC: NTP message received from 10.169.29.197 on interface 'Vlan403' (10.169.29.193).
*Apr 26 11:08:40.646 UTC: NTP: ntpio_send_ipv4: dst 10.169.29.197, src 10.169.29.193, if_out Vlan403
*Apr 26 11:08:40.646 UTC: NTP message sent to 10.169.29.197, from interface 'Vlan403' (10.169.29.193).
*Apr 26 11:08:40.669 UTC: NTP message received from 10.169.29.201 on interface 'Vlan403' (10.169.29.193).
*Apr 26 11:08:40.669 UTC: NTP: ntpio_send_ipv4: dst 10.169.29.201, src 10.169.29.193, if_out Vlan403
*Apr 26 11:08:40.669 UTC: NTP message sent to 10.169.29.201, from interface 'Vlan403' (10.169.29.193).
*Apr 26 11:08:41.647 UTC: NTP message received from 10.169.29.197 on interface 'Vlan403' (10.169.29.193).
*Apr 26 11:08:41.647 UTC: NTP: ntpio_send_ipv4: dst 10.169.29.197, src 10.169.29.193, if_out Vlan403
*Apr 26 11:08:41.647 UTC: NTP message sent to 10.169.29.197, from interface 'Vlan403' (10.169.29.193).
*Apr 26 11:08:41.670 UTC: NTP message received from 10.169.29.201 on interface 'Vlan403' (10.169.29.193).
*Apr 26 11:08:41.670 UTC: NTP: ntpio_send_ipv4: dst 10.169.29.201, src 10.169.29.193, if_out Vlan403
*Apr 26 11:08:41.670 UTC: NTP message sent to 10.169.29.201, from interface 'Vlan403' (10.169.29.193).
*Apr 26 11:08:42.646 UTC: NTP message received from 10.169.29.197 on interface 'Vlan403' (10.169.29.193).
*Apr 26 11:08:42.646 UTC: NTP: ntpio_send_ipv4: dst 10.169.29.197, src 10.169.29.193, if_out Vlan403
*Apr 26 11:08:42.646 UTC: NTP message sent to 10.169.29.197, from interface 'Vlan403' (10.169.29.193).
*Apr 26 11:08:42.669 UTC: NTP message received from 10.169.29.201 on interface 'Vlan403' (10.169.29.193).
*Apr 26 11:08:42.669 UTC: NTP: ntpio_send_ipv4: dst 10.169.29.201, src 10.169.29.193, if_out Vlan403
*Apr 26 11:08:42.669 UTC: NTP message sent to 10.169.29.201, from interface 'Vlan403' (10.169.29.193).
*Apr 26 11:08:43.647 UTC: NTP message received from 10.169.29.197 on interface 'Vlan403' (10.169.29.193).
*Apr 26 11:08:43.647 UTC: NTP: ntpio_send_ipv4: dst 10.169.29.197, src 10.169.29.193, if_out Vlan403
*Apr 26 11:08:43.648 UTC: NTP message sent to 10.169.29.197, from interface 'Vlan403' (10.169.29.193).
*Apr 26 11:08:44.646 UTC: NTP message received from 10.169.29.197 on interface 'Vlan403' (10.169.29.193).
*Apr 26 11:08:44.646 UTC: NTP: ntpio_send_ipv4: dst 10.169.29.197, src 10.169.29.193, if_out Vlan403
*Apr 26 11:08:44.646 UTC: NTP message sent to 10.169.29.197, from interface 'Vlan403' (10.169.29.193).
*Apr 26 11:08:50.694 UTC: NTP: ntpio_send_ipv4: dst 10.169.24.11, src 0.0.0.0, if_out Vlan403
*Apr 26 11:08:50.694 UTC: NTP message sent to 10.169.24.11, from interface 'Vlan403' (10.169.29.193).
*Apr 26 11:08:59.440 UTC: NTP message received from 10.169.29.198 on interface 'Vlan403' (10.169.29.193).
*Apr 26 11:08:59.440 UTC: NTP: ntpio_send_ipv4: dst 10.169.29.198, src 10.169.29.193, if_out Vlan403
*Apr 26 11:08:59.440 UTC: NTP message sent to 10.169.29.198, from interface 'Vlan403' (10.169.29.193).
*Apr 26 11:09:00.440 UTC: NTP message received from 10.169.29.198 on interface 'Vlan403' (10.169.29.193).
*Apr 26 11:09:00.440 UTC: NTP: ntpio_send_ipv4: dst 10.169.29.198, src 10.169.29.193, if_out Vlan403
*Apr 26 11:09:00.440 UTC: NTP message sent to 10.169.29.198, from interface 'Vlan403' (10.169.29.193).
*Apr 26 11:09:01.440 UTC: NTP message received from 10.169.29.198 on interface 'Vlan403' (10.169.29.193).
*Apr 26 11:09:01.440 UTC: NTP: ntpio_send_ipv4: dst 10.169.29.198, src 10.169.29.193, if_out Vlan403
*Apr 26 11:09:01.440 UTC: NTP message sent to 10.169.29.198, from interface 'Vlan403' (10.169.29.193).
*Apr 26 11:09:02.439 UTC: NTP message received from 10.169.29.198 on interface 'Vlan403' (10.169.29.193).
*Apr 26 11:09:02.439 UTC: NTP: ntpio_send_ipv4: dst 10.169.29.198, src 10.169.29.193, if_out Vlan403
*Apr 26 11:09:02.439 UTC: NTP message sent to 10.169.29.198, from interface 'Vlan403' (10.169.29.193).
*Apr 26 11:09:03.439 UTC: NTP message received from 10.169.29.198 on interface 'Vlan403' (10.169.29.193).
*Apr 26 11:09:03.439 UTC: NTP: ntpio_send_ipv4: dst 10.169.29.198, src 10.169.29.193, if_out Vlan403
*Apr 26 11:09:03.440 UTC: NTP message sent to 10.169.29.198, from interface 'Vlan403' (10.169.29.193).
*Apr 26 11:09:04.440 UTC: NTP message received from 10.169.29.198 on interface 'Vlan403' (10.169.29.193).
*Apr 26 11:09:04.441 UTC: NTP: ntpio_send_ipv4: dst 10.169.29.198, src 10.169.29.193, if_out Vlan403
*Apr 26 11:09:04.441 UTC: NTP message sent to 10.169.29.198, from interface 'Vlan403' (10.169.29.193).
*Apr 26 11:09:05.693 UTC: NTP: ntpio_send_ipv4: dst 10.169.24.12, src 0.0.0.0, if_out Vlan403
*Apr 26 11:09:05.693 UTC: NTP message sent to 10.169.24.12, from interface 'Vlan403' (10.169.29.193).
*Apr 26 11:09:10.500 UTC: NTP message received from 10.169.29.200 on interface 'Vlan401' (10.169.29.1).
*Apr 26 11:09:10.500 UTC: NTP: ntpio_send_ipv4: dst 10.169.29.200, src 10.169.29.1, if_out Vlan401
*Apr 26 11:09:10.500 UTC: NTP message sent to 10.169.29.200, from interface 'Vlan401' (10.169.29.1).
I see that we are requesting NTP on 10.169.29.193 (VLAN 403) but the reply is sent to 10.169.29.1 (VLAN 401).
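Added example (not part of the original thread): a short Python script that tallies `debug ntp packet` lines per peer, so it is easy to see which peers the switch sent to without receiving anything back, and on which local interface each exchange happened. The sample lines are a subset copied from the debug output posted above; the function names `tally` and `unanswered` are hypothetical.

```python
import re
from collections import defaultdict

# Subset of the debug lines posted in the thread, embedded so this runs offline.
SAMPLE = """\
*Apr 26 11:07:43.694 UTC: NTP: ntpio_send_ipv4: dst 10.169.24.11, src 0.0.0.0, if_out Vlan403
*Apr 26 11:07:43.694 UTC: NTP message sent to 10.169.24.11, from interface 'Vlan403' (10.169.29.193).
*Apr 26 11:07:58.694 UTC: NTP message sent to 10.169.24.12, from interface 'Vlan403' (10.169.29.193).
*Apr 26 11:08:14.045 UTC: NTP message received from 10.169.29.196 on interface 'Vlan403' (10.169.29.193).
*Apr 26 11:08:14.046 UTC: NTP message sent to 10.169.29.196, from interface 'Vlan403' (10.169.29.193).
*Apr 26 11:08:50.694 UTC: NTP message sent to 10.169.24.11, from interface 'Vlan403' (10.169.29.193).
*Apr 26 11:09:10.500 UTC: NTP message received from 10.169.29.200 on interface 'Vlan401' (10.169.29.1).
*Apr 26 11:09:10.500 UTC: NTP message sent to 10.169.29.200, from interface 'Vlan401' (10.169.29.1).
"""

# Matches the "NTP message sent to / received from" lines only.
MSG = re.compile(
    r"NTP message (?P<dir>sent to|received from) (?P<peer>[\d.]+),? "
    r"(?:from|on) interface '(?P<intf>[^']+)' \((?P<local>[\d.]+)\)"
)

def tally(log_text):
    """Return {peer: {"sent": n, "received": n, "local": {(interface, local_ip)}}}."""
    peers = defaultdict(lambda: {"sent": 0, "received": 0, "local": set()})
    for line in log_text.splitlines():
        m = MSG.search(line)
        if not m:
            continue  # skips the ntpio_send_ipv4 lines, which accompany each send
        entry = peers[m["peer"]]
        entry["sent" if m["dir"] == "sent to" else "received"] += 1
        entry["local"].add((m["intf"], m["local"]))
    return dict(peers)

def unanswered(peers):
    """Peers the switch sent to but never received from in this debug window."""
    return sorted(p for p, e in peers.items() if e["sent"] and not e["received"])

if __name__ == "__main__":
    result = tally(SAMPLE)
    for peer, e in sorted(result.items()):
        print(f"{peer:15} sent={e['sent']} received={e['received']} via={sorted(e['local'])}")
    print("sent but nothing received:", unanswered(result))
```

Run over the full debug output in the post, the same tally shows the Vlan401 lines belong to peer 10.169.29.200, while 10.169.24.11 and 10.169.24.12 appear only in "sent" lines.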