08-21-2020 10:37 PM
Hello All:
I am confused about the ntp functionality on IOS.
I have my ISR4431 set up like this:
ntp master 15
ntp server in.pool.ntp.org
Now, from my laptop with an IPSec tunnel opened up to the router:
jserinki7 /home/jserink # ntpdate 192.168.48.1
22 Aug 13:30:04 ntpdate[5390]: adjust time server 192.168.48.1 offset +0.011645 sec
jserinki7 /home/jserink # ntpdate in.pool.ntp.org
22 Aug 13:29:45 ntpdate[5828]: step time server 162.159.200.1 offset -34.956340 sec
So, if I go to in.pool.ntp.org directly I'm 34.9 seconds out from the router.
And then this:
CCrouter# sh ntp associations
address ref clock st when poll reach delay offset disp
*~127.127.1.1 .LOCL. 14 14 16 377 0.000 0.000 1.204
~45.86.70.11 .INIT. 16 - 64 0 0.000 0.000 15937.
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
The offset is zero, which is impossible, so the router is syncing with itself and NOT with in.pool.ntp.org.
If I remove the ntp master command, then there is no ntp server on the router.
How do I tell the router to sync to in.pool.ntp.org and then to act as an ntp server for clients inside the network?
Cheers,
John
08-21-2020 11:41 PM - edited 08-22-2020 12:05 AM
Hello
First of all, can your rtr resolve in.pool.ntp.org as the ntp server?
Possible example:
ip host in.pool.ntp.org1 x.x.x.x
ip host in.pool.ntp.org2 x.x.x.x
ip access-list standard Internet_ntp
permit host < in.pool.ntp.org1>
permit host < in.pool.ntp.org2>
ip access-list standard client_ntp
permit x.x.x.x 0.0.0.255
ntp server in.pool.ntp.org1
ntp server in.pool.ntp.org2
ntp access-group peer Internet_ntp
ntp access-group serve-only client_ntp
ntp source x.x.x.x
ntp authenticate
ntp authentication-key 10 md5 NTPKEY
ntp trusted-key 10
08-22-2020 02:33 AM
Hi Paul:
Thanx for the response.
I can resolve the ntp server:
CCrouter#ping in.pool.ntp.org
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 162.159.200.123, timeout is 2 seconds:
!.!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 32/32/33 ms
CCrouter#
CCrouter#sh ntp status
Clock is synchronized, stratum 15, reference is 127.127.1.1
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**10
ntp uptime is 79307100 (1/100 of seconds), resolution is 4000
reference time is E2EB64AA.CF5C2B30 (15:02:26.810 INT Sat Aug 22 2020)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 2.37 msec, peer dispersion is 1.20 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000000000 s/s
system poll interval is 16, last update was 14 sec ago.
It's synchronizing with itself, which I find confusing.
I think you nailed it, my incoming access list does not allow udp 123.....oops.
Good catch.
Cheers,
John
08-22-2020 12:14 AM
Hello,
when you issue the exec command 'sh ntp status', is the clock synchronized? Assuming that you can ping the public pool addresses, sometimes what helps is to manually set the clock to a time that approximates the real time as much as possible, with the 'clock set' command...
08-22-2020 03:33 AM
Hi Guys:
I've updated my input access list:
permit udp any host x.x.x.x eq ntp
I took out the ntp server master command but have these:
ntp server 3.in.pool.ntp.org
ntp server 1.in.pool.ntp.org
ntp server 2.in.pool.ntp.org
CCrouter# sh ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**10
ntp uptime is 79664800 (1/100 of seconds), resolution is 4000
reference time is E2EB70BA.CF5C2B30 (15:53:54.810 INT Sat Aug 22 2020)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 7.37 msec, peer dispersion is 0.00 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000000000 s/s
system poll interval is 64, last update was 503 sec ago.
CCrouter# sh ntp associations
address ref clock st when poll reach delay offset disp
~162.159.200.1 .INIT. 16 - 512 0 0.000 0.000 15937.
~45.86.70.11 .INIT. 16 - 512 0 0.000 0.000 15937.
~162.159.200.123 .INIT. 16 - 512 0 0.000 0.000 15937.
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
So, when I don't have the ntp server master command there is NO ntp server on the router to query.
When I do issue the command, there is an ntp server but the router synchronizes with itself only. Notice above, the router appears to get the responses from the ntp servers but never syncs to them.
Weird.
Cheers,
john
08-22-2020 09:47 AM
John
This is an interesting situation and I believe that we do not have enough information to fully understand the issue or to suggest solutions. In your original post you shared this
CCrouter# sh ntp associations
address ref clock st when poll reach delay offset disp
*~127.127.1.1 .LOCL. 14 14 16 377 0.000 0.000 1.204
~45.86.70.11 .INIT. 16 - 64 0 0.000 0.000 15937.
Notice that for the Internet time server the reference clock is INIT. Your router is not establishing sync with that time server. And that is why it syncs to itself (when you have configured ntp master).
In your most recent post we see this
CCrouter# sh ntp associations
address ref clock st when poll reach delay offset disp
~162.159.200.1 .INIT. 16 - 512 0 0.000 0.000 15937.
~45.86.70.11 .INIT. 16 - 512 0 0.000 0.000 15937.
~162.159.200.123 .INIT. 16 - 512 0 0.000 0.000 15937.
Now you have configured 3 ntp sources but each has the ref clock as INIT, so your router is not establishing sync with any of them.
To understand the issue and to give suggestions we need more information. Can you tell us about the topology of the network? Is this router connected directly to the Internet? Or does it go through other device(s) to get to the Internet? Perhaps the output of traceroute from this router to one of the ntp servers might be helpful.
Also can you post the configuration of this router?
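Added example (not code from any poster in this thread): the check applied in the reply above to 'sh ntp associations', an upstream row stuck at reach 0 and a sys.peer that is the router's own 127.127.x.x clock, written as a small parser. The finding labels and function names are made up for this illustration; the sample rows are copied from the outputs posted in the thread.

```python
import re

# One 'show ntp associations' row: flags+address, ref clock, st, when, poll, reach.
ROW = re.compile(
    r"^\s*(?P<flags>[*#+\-x~]*)(?P<addr>\d+\.\d+\.\d+\.\d+)\s+(?P<ref>\S+)\s+"
    r"(?P<st>\d+)\s+\S+\s+\d+\s+(?P<reach>[0-7]+)\s")

# Rows copied from the outputs posted in this thread.
BEFORE = """*~127.127.1.1 .LOCL. 14 14 16 377 0.000 0.000 1.204
~45.86.70.11 .INIT. 16 - 64 0 0.000 0.000 15937."""
AFTER = """*~162.159.200.1 10.202.8.4 3 11 64 1 35.944 -1.312 1938.4
~127.127.1.1 .LOCL. 13 11 16 1 0.000 0.000 7937.9
~45.86.70.11 .STEP. 16 - 128 0 0.000 0.000 15937.
+~162.159.200.123 10.202.8.4 3 14 64 1 35.962 -1.876 188.52"""

def parse(output):
    """Return one dict per association row; header and legend lines are skipped."""
    peers = []
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            peers.append({
                "addr": m["addr"], "ref": m["ref"], "stratum": int(m["st"]),
                "sys_peer": "*" in m["flags"],
                "reach": int(m["reach"], 8),   # octal register of the last 8 polls
                "local": m["addr"].startswith("127.127."),  # local reference clock
            })
    return peers

def diagnose(output):
    """Return (findings, silent): problem labels and upstreams that never answered."""
    peers = parse(output)
    upstream = [p for p in peers if not p["local"]]
    silent = [p["addr"] for p in upstream if p["reach"] == 0]
    findings = []
    if upstream and len(silent) == len(upstream):
        findings.append("no-upstream-replies")    # e.g. inbound filter drops UDP 123
    sys_peer = next((p for p in peers if p["sys_peer"]), None)
    if sys_peer is None:
        findings.append("unsynchronized")
    elif sys_peer["local"]:
        findings.append("synced-to-local-clock")  # ntp master fallback is in use
    return findings, silent

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, diagnose(text))
```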
08-24-2020 06:43 AM
Hi Rick:
Thanx for getting back to me.
I was just editing my list to post it for you Rick when I spotted a mistake in the input access list for ntp.....doh!
That'll do it.
Fixed now:
CCrouter#sh ntp status
Clock is synchronized, stratum 4, reference is 162.159.200.1
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**10
ntp uptime is 98084000 (1/100 of seconds), resolution is 4000
reference time is E2EE41FA.6DD2F2D8 (19:11:14.429 INT Mon Aug 24 2020)
clock offset is -0.8827 msec, root delay is 203.11 msec
root dispersion is 3941.92 msec, peer dispersion is 3938.24 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000000000 s/s
system poll interval is 64, last update was 11 sec ago.
CCrouter#sh ntp associations
address ref clock st when poll reach delay offset disp
*~162.159.200.1 10.202.8.4 3 11 64 1 35.944 -1.312 1938.4
~127.127.1.1 .LOCL. 13 11 16 1 0.000 0.000 7937.9
~45.86.70.11 .STEP. 16 - 128 0 0.000 0.000 15937.
+~162.159.200.123 10.202.8.4 3 14 64 1 35.962 -1.876 188.52
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
All good. Doing this stuff after about 10 hours and you start making mistakes.
But, asking me for the config made me read over it in detail and boom, fixed.
Thank you all for your time.
Cheers,
john
08-24-2020 11:21 AM
John
Thanks for the update. You are welcome. Glad to know that you found an error in the acl and fixed it. I am happy that my request for the config got you to take a fresh look at it and to find the problem. A well deserved +5 for reporting how you found and fixed your own issue.