Solved: NTP Master and NTP Server

vitumbiko nkhwazi · ‎05-20-2023

Hello.

I have a Cisco 4351 router that i configured as an NTP Master, all other routers and switches synchronize to this router. I have configured a Windows server as an NTP Server that synchronizes with Internet time servers, i need the 4351 router to synchronize its clock to the windows server, and then in turn distribute the time to the rest of the routers.

The problem is that even when i configure the windows server as an NTP server on the router, its still preferring to synchronize to its local NTP server on IP address 127.127.1.1, how can make the router to not use its local reference? below is the NTP configuration and output for some show commands:

NBS-BT-DC-C4351-EDGE#sh run | sec ntp
ntp authentication-key 2 md5 107A514A3705180E30002E1D73086831 7
ntp authenticate
ntp trusted-key 2
ntp source Loopback0
ntp access-group serve ACL_NTP
ntp master 15
ntp server 10.40.129.153 prefer




NBS-BT-DC-C4351-EDGE#sh ntp associations
Load for five secs: 2%/1%; one minute: 3%; five minutes: 3%
Time source is NTP, 11:04:06.671 CAT Sat May 20 2023

address             ref clock      st      when       poll reach delay offset disp
*~127.127.1.1    .LOCL.      14        5           16 377 0.000 0.000 1.204
~10.40.129.153    .INIT.       16         -          1024 0 0.000 0.000 15937.
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

M02@rt37 · ‎05-20-2023

Hello @vitumbiko nkhwazi

In the NTP output you provided, the IP address 10.40.129.153 has a reference clock status of ".INIT." and a stratum value of 16. A stratum value of 16 indicates that the device is unsynchronized and is being used to initialize the NTP association. Then, your routeur prefer to synchronied with its local reference, even if you configure stratum 15 on it! The stratum value represents the level of hierarchy in the NTP network, with lower numbers indicating higher accuracy and reliability. Stratum 1 devices are considered the most accurate and reliable time sources, while stratum 15 is the highest value, indicating that the router is not synchronized to any external time source.

You have to troubleshoot and find the reason why your router is not synchronised with WIndows NTP server:

-- Verify that the IP address of the Windows server is correct and reachable from the Cisco 4351 route

--Check for any ACLs or firewall rules that may be blocking NTP traffic between the router and the Windows server.

-- Check for any NTP authentication settings on both the router and the Windows server, ensuring they are correctly configured and matching.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

View solution in original post

paul driver · ‎05-20-2023

Hello
One reason why a rtr wont sync with a lower stratum would be due to the clock timing being to much out of sync in the first place, Also make sure the rtr is set to be able to query the windows ntp server and its not set by mistake just to serve it.

Suggest you create two acls so you can peer with the windows server and serve your lan clients ntp queries, decrease your stratum, as 15 is quite a high value..

access−list 10 permit host 10.40.129.153
access−list 10 deny any

access−list 11 permit <lan subnets>
access−list 11 deny any

ntp access−group peer 10
ntp access−group serve−only 11
ntp master 8

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

MHM Cisco World · ‎05-20-2023

ntp master 15

remove this from the config
check other cisco device is sync with router or not

ntp server 10.40.129.153 prefer key 2

this also needed

M02@rt37 · ‎05-20-2023

Hello @vitumbiko nkhwazi

In the NTP output you provided, the IP address 10.40.129.153 has a reference clock status of ".INIT." and a stratum value of 16. A stratum value of 16 indicates that the device is unsynchronized and is being used to initialize the NTP association. Then, your routeur prefer to synchronied with its local reference, even if you configure stratum 15 on it! The stratum value represents the level of hierarchy in the NTP network, with lower numbers indicating higher accuracy and reliability. Stratum 1 devices are considered the most accurate and reliable time sources, while stratum 15 is the highest value, indicating that the router is not synchronized to any external time source.

You have to troubleshoot and find the reason why your router is not synchronised with WIndows NTP server:

-- Verify that the IP address of the Windows server is correct and reachable from the Cisco 4351 route

--Check for any ACLs or firewall rules that may be blocking NTP traffic between the router and the Windows server.

-- Check for any NTP authentication settings on both the router and the Windows server, ensuring they are correctly configured and matching.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Rich R · ‎05-20-2023

Yep remove the

ntp master

command.
To get it to sync quicker it can sometimes help to remove the

ntp server

commands, set the time as close to correct as possible manually (clock set), then replace the

ntp server

commands.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

Joseph W. Doherty · ‎05-20-2023

BTW, don't know if this still applies to Windows NTP servers, but I recall (?) it used to be their "NTP" service wasn't fully compatible with other NTP devices. I recall you needed to install "extra" NTP software to get full NTP compatibility.