Cannot synchronize time with Cisco IOS router set as NTP master

zheka_pefti
Level 2

Hi folks!

Don't know if this is the right section of the NetPro forum to bring up my problem.

I have an 871 router configured as NTP master. It works as a gateway for a small Windows network with a domain controller. I want the DC to pull the time from the router and configured the router as follows:

Router:

ntp source Vlan1
ntp access-group peer 11
ntp access-group serve 1
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 11 permit 128.249.1.1
access-list 11 permit 192.5.41.41
ntp master
ntp server 128.249.1.1
ntp server 192.5.41.41 prefer

interface Vlan1
 description Internal User's segment
 ip address 192.168.1.1 255.255.255.0
 ip access-group vl1-in in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip inspect FW in
 ip virtual-reassembly
 ip tcp adjust-mss 1452

ip access-list extended vl1-in
 permit tcp host 192.168.1.10 any eq smtp
 deny tcp 192.168.1.0 0.0.0.255 any eq smtp
 permit ip any any

The Domain Controller is configured according to Microsoft recommendations and I believe they are correct. This is what happens when the DC starts syncing with the router (I debugged NTP on the router):

174073: Aug 22 18:53:29.348: NTP message received from 192.168.1.10 on interface 'Vlan1' (192.168.1.1).
174074: Aug 22 18:53:29.348: NTP Core(DEBUG): ntp_receive: message received
174075: Aug 22 18:53:29.348: NTP Core(DEBUG): ntp_receive: peer is 0x00000000, next action is 5.
174076: Aug 22 18:53:29.348: NTP Core (NOTICE): ntp_receive: dropping message: AM_NEWPASS, auth error..

My question is what kind of authentication should I configure on the router?

Kindly and hopefully

Eugene

25 Replies

Lucien Avramov
Level 10

If you are running a T train of IOS on your 871 with 12.4.20 or higher, you are impacted by bug CSCsw30737.

That bug is fixed from 12.4(24)T.

Thanks a lot for the reference to a bug, but the router does run the required release:

GIBSGW#sh ver
Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(24)T, RELEASE SOFTWARE (fc1)

Are there any later releases?

Eugene

Okay. You are running a fine version of it.

You have an inbound acl and ntp source from that same vlan.

Have you tried to remove the ACL from the interface to see if this helps?

The other thing would be to disable the FW from the interface and see what that does.

Mohamed Sobair
Level 7

Hi Eugene,

What does the inspect rule (FW) inspect? Do you have an inspection rule for UDP port 123?

On the other hand, you should have an NTP association before configuring any authentication.

The debug message indicates that it is missing authentication. Could you also double-check whether your domain controller has NTP authentication configured?

Apart from that, on the router you can configure MD5 NTP authentication method.

HTH

Mohamed

Hey Mohamed, I appreciate you looking into my problem.

I've got the following inspect FW line:

"ip inspect name FW udp". I believe NTP falls into this rule as well.

Can you please elaborate on what you meant by NTP associations?

My problem is that I couldn't find anything on Microsoft sites about how to configure NTP authentication. They mention some Kerberos authentication. If this is the case, how could it be configured on the router? And how would I configure MD5 authentication on the router?

Eugene

Eugene,

There is no such thing as support for Kerberos on IOS.

It's the very first time I hear of Kerberos being related to NTP, and honestly I don't see the point of doing such a thing.

In any case, regarding how to configure NTP auth, here is the example:

http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008010e97e.shtml#using_ntp

Just tried to remove FW from vlan 1 interface. No luck. Still same "ntp_receive: dropping message: AM_NEWPASS, auth error" during NTP debug.

I've never experienced problems with syncing time between Cisco gear. The irony is about having a Windows DC sync its time with a Cisco router. I don't believe no one has done it. There must be a way, as otherwise it wouldn't make any sense at all. DCs can authenticate with external sources. I just proved it by configuring the DC with a public NTP server:

Event Type: Information
Event Source: W32Time
Event Category: None
Event ID: 35
Date: 8/23/2009
Time: 11:36:39 PM
User: N/A
Computer: MERLIN
Description:
The time service is now synchronizing the system time with the time source 24.215.0.24 (ntp.m|0x1|192.168.1.10:123->24.215.0.24:123).

Eugene

Anyone, please! It drives me mad. The DC can sync the time with a public NTP source but not with an IOS router set as NTP master. Help !!!!

remove the ntp master command.

post the output of "show ntp assoc" before and after you remove it.

Before "no ntp master"

GIBSGW#sh ntp associations
  address         ref clock     st  when  poll reach  delay  offset    disp
 ~127.127.1.1     .LOCL.         7     6    16   377  0.000   0.000   0.245
+~128.249.1.1     129.7.1.66     2    52    64   377  0.000 -103.97   3.780
*~192.5.41.41     .USNO.         1    12    64   377  0.000 -98.679   3.655
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
GIBSGW#

008988: Aug 28 22:14:58.336: NTP message received from 192.168.1.10 on interface 'Vlan1' (192.168.1.1).
008989: Aug 28 22:14:58.336: NTP Core(DEBUG): ntp_receive: message received
008990: Aug 28 22:14:58.336: NTP Core(DEBUG): ntp_receive: peer is 0x00000000, next action is 5.
008991: Aug 28 22:14:58.336: NTP Core (NOTICE): ntp_receive: dropping message: AM_NEWPASS, auth error..

After "no ntp master"

GIBSGW(config)#do sh ntp asso
  address         ref clock     st  when  poll reach  delay  offset    disp
+~128.249.1.1     129.7.1.66     2    63    64   377  0.000 -103.97   4.078
*~192.5.41.41     .USNO.         1    21    64   377  0.000 -97.718   3.079
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

Same error during NTP debugging, and of course the Windows DC can't sync time with the router.

On your Windows server, go to a DOS prompt and type in "net time /querysntp" and post the response.

Keep the ntp master command out of there. It's not needed. Can the server ping the NTP server by the configured IP?

How did you set the NTP server on Windows? Through the registry, or the command line (net time /setsntp:x.x.x.x)?

Here you go:

On Windows box:

C:\Program Files\Far>net time /querysntp
The current SNTP value is: 192.168.1.1
The command completed successfully.

The Windows server can reach the NTP server because it is its default gateway. I followed the Microsoft guide to configure NTP, both using the registry and the CLI.

Pasting the output from Windows CLI:

C:\Program Files\Far>net time /setsntp:192.168.1.1
The command completed successfully.

C:\Program Files\Far>net time /querysntp
The current SNTP value is: 192.168.1.1
The command completed successfully.

C:\Program Files\Far>w32tm /resync /rediscover
Sending resync command to local computer...
The computer did not resync because no time data was available.

192.168.1.1 is the router that you're trying to use as your NTP server?

Can you ping it from this Windows server?

Remove the NTP ACLs while testing also.
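The debug lines in this thread ("peer is 0x00000000, next action is 5 ... AM_NEWPASS, auth error") are the server side of NTP refusing to create a new passive association for an unknown sender that cannot authenticate, and the replies above suggest configuring MD5 authentication without showing what the packet actually looks like. The example below is added here as an illustration; it is not code from Cisco IOS, from Windows, or from any poster. It builds NTP packets in client mode (3) and symmetric-active mode (1), attaches the classic NTPv3/v4 MD5 authenticator (4-byte key ID followed by MD5 over key || 48-byte header, which is the scheme behind IOS "ntp authentication-key N md5 ..."), and runs each packet through a simplified model of the receive decision. The model follows RFC 5905-style association handling and is my simplification, not Cisco's code path; the key "s3cr3t", the empty peer list and the sender address are constructed for the demonstration.

```python
"""Build NTP packets with the MD5 authenticator and model the server's
accept/drop decision for an unknown sender (constructed example, not IOS code)."""
import hashlib
import hmac
import struct
import time

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 to 1970-01-01
HEADER_LEN = 48                  # fixed NTP header
MAC_LEN = 4 + 16                 # key ID + MD5 digest

MODE_SYMMETRIC_ACTIVE = 1
MODE_CLIENT = 3
MODE_NAMES = {1: "symmetric active", 2: "symmetric passive", 3: "client",
              4: "server", 5: "broadcast"}


def md5_mac(key, header):
    """Authenticator digest: MD5 over the ASCII key followed by the header."""
    return hashlib.md5(key.encode() + header).digest()


def _ntp_timestamp(unix_time):
    secs = (int(unix_time) + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    frac = int((unix_time - int(unix_time)) * (1 << 32)) & 0xFFFFFFFF
    return secs, frac


def build_packet(mode, version=4, transmit=None, key_id=None, key=None):
    """Return a 48-byte NTP request, or 68 bytes when key_id and key are given."""
    if transmit is None:
        transmit = time.time()
    li_vn_mode = (0 << 6) | (version << 3) | mode      # leap indicator 0
    secs, frac = _ntp_timestamp(transmit)
    header = struct.pack(
        "!BBbbII4sIIIIIIII",
        li_vn_mode,
        0,              # stratum: unspecified in a request
        6,              # poll exponent (64 s)
        -20,            # precision exponent
        0, 0,           # root delay, root dispersion
        b"\x00" * 4,    # reference ID
        0, 0,           # reference timestamp
        0, 0,           # origin timestamp
        0, 0,           # receive timestamp
        secs, frac,     # transmit timestamp
    )
    if key_id is None:
        return header
    return header + struct.pack("!I", key_id) + md5_mac(key, header)


def parse_packet(data):
    """Decode the fields the receive decision depends on."""
    if len(data) not in (HEADER_LEN, HEADER_LEN + MAC_LEN):
        raise ValueError("unexpected NTP packet length %d" % len(data))
    first = data[0]
    info = {"version": (first >> 3) & 0x7, "mode": first & 0x7,
            "stratum": data[1], "key_id": None}
    if len(data) == HEADER_LEN + MAC_LEN:
        info["key_id"] = struct.unpack("!I", data[48:52])[0]
    return info


def mac_is_valid(data, trusted_keys):
    """True only for a packet whose MAC verifies under a trusted key ID."""
    if len(data) != HEADER_LEN + MAC_LEN:
        return False
    key = trusted_keys.get(struct.unpack("!I", data[48:52])[0])
    if key is None:
        return False
    return hmac.compare_digest(md5_mac(key, data[:HEADER_LEN]), data[52:])


def receive_decision(data, src, configured_peers, trusted_keys):
    """Simplified server-side decision for a packet from 'src'.

    'process'          existing (configured) association
    'reply'            client-mode request: answered statelessly, no association
    'new_passive'      symmetric-active from an unknown but authenticated peer
    'drop: auth error' symmetric-active from an unknown peer that cannot
                       authenticate (the AM_NEWPASS case in the debug above)
    'drop'             anything else
    """
    mode = parse_packet(data)["mode"]
    if src in configured_peers:
        return "process"
    if mode == MODE_CLIENT:
        return "reply"
    if mode == MODE_SYMMETRIC_ACTIVE:
        return "new_passive" if mac_is_valid(data, trusted_keys) else "drop: auth error"
    return "drop"


if __name__ == "__main__":
    # Constructed scenario: key 1 as in 'ntp authentication-key 1 md5 s3cr3t'
    # plus 'ntp trusted-key 1'; the sender is the DC from the thread, which is
    # not in the router's configured peer list. The key value is made up.
    trusted = {1: "s3cr3t"}
    cases = [
        ("symmetric active, no MAC", build_packet(MODE_SYMMETRIC_ACTIVE)),
        ("client mode, no MAC", build_packet(MODE_CLIENT)),
        ("symmetric active, MD5 key 1",
         build_packet(MODE_SYMMETRIC_ACTIVE, key_id=1, key="s3cr3t")),
    ]
    for label, pkt in cases:
        print("%-30s -> %s" % (label, receive_decision(pkt, "192.168.1.10", set(), trusted)))
```

Two practical points follow from the model. First, a plain client-mode request needs no association and no key, so a client that sends mode 3 gets an answer from a server that only has "ntp access-group serve" for it; on W32Time the manualpeerlist flag 0x8 forces client mode (0x4 is symmetric active), which is worth checking whenever a Windows box gets an auth error from a router that serves everyone else fine. Second, if the symmetric exchange is genuinely wanted, both sides must share the key: on IOS that is "ntp authenticate", "ntp authentication-key 1 md5 <key>" and "ntp trusted-key 1", and the peer must also pass the "ntp access-group peer" ACL, which in this thread's config admits only the two upstream servers. MD5 here is an integrity tag keyed with a shared secret, not a strong design by today's standards, but it is what this IOS release offers for NTP.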