08-22-2009 10:56 AM - edited 03-06-2019 07:22 AM
Hi folks!
Don't know if this is the right section of the NetPro forum to bring up my problem.
I have an 871 router configured as NTP master. It works as a gateway for a small Windows network with a domain controller. I want the DC to pull the time from the router and configured the router as follows:
Router:
ntp source Vlan1
ntp access-group peer 11
ntp access-group serve 1
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 11 permit 128.249.1.1
access-list 11 permit 192.5.41.41
ntp master
ntp server 128.249.1.1
ntp server 192.5.41.41 prefer
interface Vlan1
description Internal User's segment
ip address 192.168.1.1 255.255.255.0
ip access-group vl1-in in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip inspect FW in
ip virtual-reassembly
ip tcp adjust-mss 1452
ip access-list extended vl1-in
permit tcp host 192.168.1.10 any eq smtp
deny tcp 192.168.1.0 0.0.0.255 any eq smtp
permit ip any any
Domain Controller is configured according to Microsoft recommendations and I believe they are correct. This is what happens when DC starts synching with the router (I debugged NTP on the router)
174073: Aug 22 18:53:29.348: NTP message received from 192.168.1.10 on interface 'Vlan1' (192.168.1.1).
174074: Aug 22 18:53:29.348: NTP Core(DEBUG): ntp_receive: message received
174075: Aug 22 18:53:29.348: NTP Core(DEBUG): ntp_receive: peer is 0x00000000, next action is 5.
174076: Aug 22 18:53:29.348: NTP Core (NOTICE): ntp_receive: dropping message: AM_NEWPASS, auth error..
My question is what kind of authentication should I configure on the router?
Kindly and hopefully
Eugene
08-29-2009 05:39 PM
Hi!
I really appreciate your attempt to help. Thanks a lot!
I've removed the access-lists for NTP configuration; this is how it looks now:
ntp logging
ntp source FastEthernet4
ntp access-group peer 11
ntp server 128.249.1.1
ntp server 192.5.41.41 prefer
access-list 11 permit 128.249.1.1
access-list 11 permit 192.5.41.41
And this is an access-list applied to vlan1 interface:
ip access-list extended vl1-in
permit tcp host 192.168.1.10 any eq smtp
deny tcp 192.168.1.0 0.0.0.255 any eq smtp
permit ip any any
After manually having the Windows box resync its time with the router I see the following messages while debugging NTP:
GIBSGW#
011378: Aug 30 01:32:48.599: NTP message received from 192.168.1.10 on interface 'Vlan1' (192.168.1.1).
011379: Aug 30 01:32:48.599: NTP Core(DEBUG): ntp_receive: message received
011380: Aug 30 01:32:48.599: NTP Core (NOTICE): ntp_receive: dropping message: restricted..
GIBSGW#
And 192.168.1.1 is the router's IP address and it is reachable from DC (192.168.1.10), see the above access-list.
Eugene
08-31-2009 05:18 AM
can you install wireshark on the server and just capture the ntp packets then post here?
08-31-2009 07:13 AM
Eugene
I suggest that you also remove this line from your config:
ntp access-group peer 11
I had a similar experience where I had one of the ntp access lists (peer and serve-only) but not the other. It seems that IOS implementation of NTP works best if both access lists are used or if no access list is used.
HTH
Rick
08-31-2009 05:51 PM
Well, I removed the line "ntp access-group peer 11" with the corresponding access-list. To my great surprise the Windows box was able to sync time with the router but it happened only once. All subsequent attempts to synchronize time failed again.
I'm attaching the capture done on this Windows box.
Strangely enough, "show ntp association" gives the following output:
GIBSGW#sh ntp assoc
address ref clock st when poll reach delay offset disp
+~128.249.1.1 129.7.1.66 2 58 128 377 0.000 -10.388 11.325
192.168.1.10 .INIT. 16 - 32768 0 0.000 0.000 15937.
*~192.5.41.41 .USNO. 1 10 128 377 0.000 -4.852 6.113
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
Looks like NTP client got stuck in INIT process.
And ntp debug now shows different:
039820: Sep 1 01:50:19.081: NTP message received from 192.168.1.10 on interface 'Vlan1' (192.168.1.1).
039821: Sep 1 01:50:19.081: NTP Core(DEBUG): ntp_receive: message received
039822: Sep 1 01:50:19.081: NTP Core(DEBUG): ntp_receive: peer is 0x833A8050, next action is 1.
039823: Sep 1 01:50:19.081: NTP Core (NOTICE): ntp_receive: dropping message: unsynch.
Now it is a pure access issue. Starting to pull my hair....
09-01-2009 02:49 AM
Eugene
It might be helpful if you would post the output of show ntp association detail
HTH
Rick
09-01-2009 09:37 PM
Hi Rick,
Here it is. To me the messages about the NTP client being insane look very weird. What I noticed is that when I remove the "ntp master" entry and then add it again, the Windows box syncs its time with the router and then all subsequent attempts fail.
GIBSGW#sh ntp assoc detail
127.127.1.1 configured, insane, invalid, stratum 7
ref ID .LOCL., time CE4881B2.33E9474D (22:31:30.202 PDT Tue Sep 1 2009)
our mode active, peer mode passive, our poll intvl 16, peer poll intvl 16
root delay 0.00 msec, root disp 0.00, reach 377, sync dist 0.00
delay 0.00 msec, offset 0.0000 msec, dispersion 0.25
precision 2**16, version 4
org time CE4881B2.33E9474D (22:31:30.202 PDT Tue Sep 1 2009)
rec time CE4881B2.33E9DE4C (22:31:30.202 PDT Tue Sep 1 2009)
xmt time CE4881B2.33E8E2A4 (22:31:30.202 PDT Tue Sep 1 2009)
filtdelay = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filtoffset = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filterror = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
minpoll = 4, maxpoll = 4
192.168.1.10 configured, insane, invalid, stratum 3
ref ID 192.168.1.1 , time CE48800C.561092F5 (22:24:28.336 PDT Tue Sep 1 2009)
our mode active, peer mode active, our poll intvl 512, peer poll intvl 1024
root delay 0.12 msec, root disp 66.52, reach 377, sync dist 0.27
delay 0.00 msec, offset 3.1615 msec, dispersion 20.54
precision 2**6, version 4
org time CE4881A5.EDCAC083 (22:31:17.928 PDT Tue Sep 1 2009)
rec time CE4881A5.EB8F689A (22:31:17.920 PDT Tue Sep 1 2009)
xmt time CE48800C.52A3231C (22:24:28.322 PDT Tue Sep 1 2009)
filtdelay = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filtoffset = 0.00 0.00 -0.00 0.00 0.00 0.00 -0.00 0.00
filterror = 0.01 0.02 0.02 0.02 0.03 0.03 0.03 0.04
minpoll = 6, maxpoll = 10
192.168.1.10 dynamic, insane, invalid, unsynced, stratum 16
ref ID .INIT., time 00000000.00000000 (16:00:00.000 PST Wed Dec 31 1899)
our mode passive, peer mode unspec, our poll intvl 32768, peer poll intvl 131072
root delay 0.00 msec, root disp 0.00, reach 0, sync dist 15.98
delay 0.00 msec, offset 0.0000 msec, dispersion 15937.50
precision 2**16, version 3
org time CE472519.27020C49 (21:44:09.152 PDT Mon Aug 31 2009)
rec time CE472518.772BFF01 (21:44:08.465 PDT Mon Aug 31 2009)
xmt time CE48764A.08C9296C (21:42:50.034 PDT Tue Sep 1 2009)
filtdelay = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filtoffset = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filterror = 16.00 16.00 16.00 16.00 16.00 16.00 16.00 16.00
minpoll = 15, maxpoll = 17
192.5.41.41 configured, our_master, sane, valid, stratum 1
ref ID .USNO., time CE488024.4F4D77DD (22:24:52.309 PDT Tue Sep 1 2009)
our mode client, peer mode server, our poll intvl 512, peer poll intvl 512
root delay 0.00 msec, root disp 0.32, reach 377, sync dist 0.06
delay 0.00 msec, offset -1.5672 msec, dispersion 9.10
precision 2**20, version 4
org time CE48802A.5C18C02F (22:24:58.359 PDT Tue Sep 1 2009)
rec time CE48802A.67D1E232 (22:24:58.405 PDT Tue Sep 1 2009)
xmt time CE48802A.5077B0A7 (22:24:58.314 PDT Tue Sep 1 2009)
filtdelay = 0.09 0.08 0.09 0.09 0.09 0.17 0.12 0.09
filtoffset = -0.00 -0.00 0.00 0.00 0.00 0.00 0.01 -0.00
filterror = 0.00 0.00 0.01 0.01 0.01 0.02 0.02 0.03
minpoll = 6, maxpoll = 10
This is what I'm getting in Windows system event log:
Time Provider NtpClient: No valid response has been received from manually configured peer 192.168.1.1,0x4 after 8 attempts to contact it. This peer will be discarded as a time source and NtpClient will attempt to discover a new peer with this DNS name.
Eugene
09-02-2009 04:31 AM
Eugene
I believe that the good news in what you have posted is this line:
192.5.41.41 configured, our_master, sane, valid, stratum 1
This indicates that you are successfully learning NTP time from an authoritative external source. If you are learning NTP from the external source then you do not need to configure ntp master. I believe that configuring ntp master is confusing the situation and I suggest that you remove ntp master from the configuration.
I also notice that there are 2 entries for 192.168.1.10. One of the entries indicates that this device is learning NTP from this device and the second entry indicates that it is dynamic and is not learning NTP from this device. Can you clarify whether 192.168.1.10 is in the configuration and what is going on with that device?
HTH
Rick
09-02-2009 10:28 PM
Hi Rick,
This is the whole point about the 192.168.1.10 device. It is the Windows domain controller that I want to sync its time with the router (192.168.1.1).
The DC behaves very weirdly. Right before I deleted "ntp master" from the router I found three events in the DC's system log related to NTP activity. They happened within a 5-minute interval:
Event Type: Information
Event Source: W32Time
Event Category: None
Event ID: 38
Date: 9/1/2009
Time: 10:48:57 PM
User: N/A
Computer: MERLIN
Description:
The time provider NtpClient cannot reach or is currently receiving invalid time data from 192.168.1.1 (ntp.m|0x4|192.168.1.10:123->192.168.1.1:123).
Event Type: Information
Event Source: W32Time
Event Category: None
Event ID: 37
Date: 9/1/2009
Time: 10:50:05 PM
User: N/A
Computer: MERLIN
Description:
The time provider NtpClient is currently receiving valid time data from 192.168.1.1 (ntp.m|0x4|192.168.1.10:123->192.168.1.1:123).
Event Type: Information
Event Source: W32Time
Event Category: None
Event ID: 38
Date: 9/1/2009
Time: 10:50:50 PM
User: N/A
Computer: MERLIN
Description:
The time provider NtpClient cannot reach or is currently receiving invalid time data from 192.168.1.1 (ntp.m|0x4|192.168.1.10:123->192.168.1.1:123).
How should I understand it? First the NTP client on the DC can't reach the NTP server and then in a couple of minutes it successfully syncs its time. Weird.
I removed "ntp master" from the router and then the Windows box was able to sync the time with the router again. I debugged NTP and saw this:
GIBSGW#
073449: Sep 3 06:25:41.833: NTP message received from 192.168.1.10 on interface 'Vlan1' (192.168.1.1).
073450: Sep 3 06:25:41.833: NTP Core(DEBUG): ntp_receive: message received
073451: Sep 3 06:25:41.833: NTP Core(DEBUG): ntp_receive: peer is 0x833A7B70, next action is 1.
073452: Sep 3 06:25:41.833: NTP Core (NOTICE): ntp_receive: dropping message: unsynch.
GIBSGW#
073453: Sep 3 06:25:49.619: NTP message sent to 192.168.1.10, from interface 'Vlan1' (192.168.1.1).
Let's see if the problem reproduces again.
Eugene
05-09-2012 07:38 AM
Hi,
I was having this same problem and found a section on the Microsoft site which talked about the W32Time service sending symmetric packets instead of client mode packets. The suggestion was to force the server to use normal requests instead of symmetric using the following command -
w32tm /config /manualpeerlist:172.19.60.253,0x8 /syncfromflags:MANUAL
I stopped and started the W32time service and this resolved the issue.
Hope this helps anyone else who gets this error and can see past the endless useless expert-exchange websites!
Gordon
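The symmetric-versus-client difference described in the post above is visible in the first byte of each NTP request in a packet capture. The Python below is an added example, not part of the original thread: the function names and sample packets are constructed for illustration, the mode numbers come from RFC 5905, and the flag names follow Microsoft's W32Time documentation.

```python
import struct

# NTP association modes from RFC 5905 (3-bit field in the first header byte).
NTP_MODES = {0: "reserved", 1: "symmetric active", 2: "symmetric passive",
             3: "client", 4: "server", 5: "broadcast", 6: "control", 7: "private"}

# Flags appended to a W32Time manual peer entry ("host,0xN").
W32TIME_FLAGS = {0x1: "SpecialInterval", 0x2: "UseAsFallbackOnly",
                 0x4: "SymmetricActive", 0x8: "Client"}


def parse_ntp_header(packet: bytes) -> dict:
    """Decode the fixed fields at the start of an NTP packet (UDP payload)."""
    if len(packet) < 48:
        raise ValueError("NTP header is 48 bytes; got %d" % len(packet))
    first, stratum, poll, precision = struct.unpack("!BBbb", packet[:4])
    mode = first & 0x07
    return {"leap": first >> 6, "version": (first >> 3) & 0x07, "mode": mode,
            "mode_name": NTP_MODES[mode], "stratum": stratum,
            "poll": poll, "precision": precision}


def parse_peer_entry(entry: str) -> tuple:
    """Split a manualpeerlist entry such as 'host,0x8' into host and flag names."""
    host, _, flags = entry.partition(",")
    value = int(flags, 16) if flags else 0
    names = [name for bit, name in sorted(W32TIME_FLAGS.items()) if value & bit]
    return host.strip(), names


def diagnose(packet: bytes) -> str:
    """Say whether a request is a plain client query or a peering attempt."""
    hdr = parse_ntp_header(packet)
    if hdr["mode"] == 3:
        return "client request: a server answers it with a mode 4 reply"
    if hdr["mode"] == 1:
        return "symmetric active: sender is asking to peer, not to be served"
    return "unexpected mode from a time client: " + hdr["mode_name"]


def build_request(version: int, mode: int) -> bytes:
    """Constructed sample: a 48-byte request with only the first byte set."""
    return bytes([(0 << 6) | (version << 3) | mode]) + bytes(47)
```

Feed `diagnose()` the UDP payload of a request captured on the Windows box; the peer entries quoted in this thread (`192.168.1.1,0x4` and `172.19.60.253,0x8`) decode with `parse_peer_entry()`.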
10-21-2014 03:43 PM
It sure did, thank you Gordon
04-08-2019 09:30 AM