Solved: Re: Configure NTP on switch

Sharkey13 · ‎09-21-2010

Hello. This should be easy, but for some reason it is not....

Background: trying to configure NTP on a core switch. Edge ASA has NTP configured on it and it is working.

Issue: I cannot get core switch to synch NTP with either the ASA or the same NTP source ASA uses.

Configuration on ASA:

ntp server 192.5.41.41 source OUTSIDE prefer

ASA# sh ntp stat
Clock is synchronized, stratum 2, reference is 192.5.41.41
nominal freq is 99.9984 Hz, actual freq is 100.0041 Hz, precision is 2**6
reference time is d04366ba.734ec938 (11:15:38.450 mdt Tue Sep 21 2010)
clock offset is -17.3707 msec, root delay is 56.08 msec
root dispersion is 36.09 msec, peer dispersion is 18.28 msec

ASA# sh ntp ass
address ref clock st when poll reach delay offset disp
*~192.5.41.41 .USNO. 1 6 64 377 56.4 -16.30 17.2
* master (synced), # master (unsynced), + selected, - candidate, ~ configured

Configuration on switch (directly connected to ASA):

ntp server 192.5.41.41 source GigabitEthernet6/1 prefer

4510#sh ntp stat
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
reference time is D04363C5.AAFFBC27 (11:03:01.667 MDT Tue Sep 21 2010)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.02 msec, peer dispersion is 0.02 msec

4510#sh ntp ass

address ref clock st when poll reach delay offset disp
~192.5.41.41 0.0.0.0 16 - 64 0 0.0 0.00 16000.
* master (synced), # master (unsynced), + selected, - candidate, ~ configured

I have tried using ASA as the NTP source as well with no results. Suggestions?

Thanks, Patrick

Jon Marshall · ‎09-21-2010

Collin

Thanks for confirming that you can't use ASA as time source, i couldn't find any confirmation on whether it could or couldn't.

Patrick

As an aside if you control the upstream router from the firewall then it would be best to use this to get the time and then sync your internal devices to that router.

Jon

View solution in original post

Jon Marshall · ‎09-21-2010

Patrick

On the switch if you want to sync with the ASA (assuming you can do this as i have never done it) then don't use the NTP server the ASA uses, you need to use an IP the switch can get to ie. the inside interface address of the ASA.

Have you tried that ?

Jon

Sharkey13 · ‎09-21-2010

Jon - thank you for your reply.

Yes, I have used this as well on switch:

ntp server 10.x.y.z source gig6/1 prefer

Same results, no association.

Patrick

Collin Clark · ‎09-21-2010

You can not use an ASA as a time source. The best practice is to have one of your routers to use a trusted time source then have all of your other network devices get time from it. The switch should be able to pull time from the public source. Do you see the NTP traffic traversing the firewall?

Jon Marshall · ‎09-21-2010

Collin

Thanks for confirming that you can't use ASA as time source, i couldn't find any confirmation on whether it could or couldn't.

Patrick

As an aside if you control the upstream router from the firewall then it would be best to use this to get the time and then sync your internal devices to that router.

Jon

Sharkey13 · ‎09-21-2010

Collin - thanks for the reply.

What I have since found out is that routers behind the switch can synch just fine with the NTP server, and the switch can synch just fine with any of those. But the switch still cannot synch directly with the NTP server.

Patrick

Collin Clark · ‎09-21-2010

Can you post your switch config?

KMinev7171 · ‎03-07-2015

On C2960S switch try this:

ntp passive
ntp logging
ntp server 69.167.160.10 source Vlan1
ntp server 169.229.70.183 source Vlan1
ntp server 199.102.46.72 prefer source Vlan1
ntp server 23.227.162.123 source Vlan1