
Problem with securing NTP on 3945

Hello all,

I have a problem securing NTP. I am allowing communication with only 1 peer and denying everyone else. Still, the router is answering NTP queries that are not in the allowed ACL. What am I doing wrong? The router should only communicate with one server and answer no queries...

 

This is the config:

ntp access-group peer 90
ntp access-group serve-only 80
ntp access-group query-only 80
ntp server 1.2.3.4

access-list 80 deny   any
access-list 90 permit 1.2.3.4

 

This is the debug output when I make a query from the online NTP query tool https://w3dt.net/tools/ntpq:

Aug  5 08:14:20: NTP message received from 54.229.168.42 on interface 'Loopback10' (1.2.3.4).
Aug  5 08:14:20: NTP Core(DEBUG): ntp_receive: message received
Aug  5 08:14:20: NTP message sent to 54.229.168.42, from interface 'Loopback10' (1.2.3.4).
Aug  5 08:14:20: NTP message received from 54.229.168.42 on interface 'Loopback10' (1.2.3.4).
Aug  5 08:14:20: NTP Core(DEBUG): ntp_receive: message received
Aug  5 08:14:20: NTP message sent to 54.229.168.42, from interface 'Loopback10' (1.2.3.4).
Aug  5 08:14:21: NTP message received from 54.229.168.42 on interface 'Loopback10' (1.2.3.4).
Aug  5 08:14:21: NTP Core(DEBUG): ntp_receive: message received
Aug  5 08:14:21: NTP message sent to 54.229.168.42, from interface 'Loopback10' (1.2.3.4).
Aug  5 08:14:21: NTP message received from 54.229.168.42 on interface 'Loopback10' (1.2.3.4).
Aug  5 08:14:21: NTP Core(DEBUG): ntp_receive: message received
Aug  5 08:14:21: NTP message sent to 54.229.168.42, from interface 'Loopback10' (1.2.3.4).

 

Thanks for help!

1 Reply

Problem solved! https://tools.cisco.com/bugsearch/bug/CSCuj66318
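Added example, not part of the original thread: a Python check that reads the posted ACLs and debug output and lists every address the router sent NTP to although no ACL referenced by `ntp access-group` permits it. The evaluation model (first match wins, implicit deny, any referenced ACL may permit) is a simplification, and the helper names and the second debug line are constructed for illustration.

```python
import ipaddress
import re

# Configuration as posted above (addresses as anonymized by the poster).
CONFIG = """\
ntp access-group peer 90
ntp access-group serve-only 80
ntp access-group query-only 80
ntp server 1.2.3.4
access-list 80 deny   any
access-list 90 permit 1.2.3.4
"""
# One reply line from the post's debug output, plus one constructed line for the peer.
DEBUG = """\
Aug  5 08:14:20: NTP message sent to 54.229.168.42, from interface 'Loopback10' (1.2.3.4).
Aug  5 08:14:22: NTP message sent to 1.2.3.4, from interface 'Loopback10' (1.2.3.4).
"""
ACE = re.compile(r"^access-list (\d+) (permit|deny)[ \t]+(\S+)(?:[ \t]+(\S+))?", re.M)
GROUP = re.compile(r"^ntp access-group \S+ (\d+)", re.M)
SENT = re.compile(r"NTP message sent to (\d+\.\d+\.\d+\.\d+)")

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_acls(config):
    """Return {acl_number: [(action, address, wildcard), ...]} for standard numbered ACLs."""
    acls = {}
    for num, action, addr, wildcard in ACE.findall(config):
        # "any" matches every source; a bare address is one host (wildcard 0.0.0.0).
        a, w = ("0.0.0.0", "255.255.255.255") if addr == "any" else (addr, wildcard or "0.0.0.0")
        acls.setdefault(num, []).append((action, to_int(a), to_int(w)))
    return acls

def acl_permits(aces, src):
    """First matching entry wins; falling off the end is the implicit deny."""
    for action, addr, wildcard in aces:
        if ((to_int(src) ^ addr) & ~wildcard & 0xFFFFFFFF) == 0:
            return action == "permit"
    return False

def unexpected_replies(config, debug):
    """Addresses the router sent NTP to although no referenced ACL permits them."""
    acls, groups = parse_acls(config), GROUP.findall(config)
    flagged = []
    for dst in SENT.findall(debug):
        if dst not in flagged and not any(acl_permits(acls.get(g, []), dst) for g in groups):
            flagged.append(dst)
    return flagged
```

Calling `unexpected_replies(CONFIG, DEBUG)` flags 54.229.168.42, the query tool's address from the post, and leaves the permitted peer alone.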

 
