04-01-2019 11:05 AM
Hi Everyone,
I am working in a switching environment with a wide variety of Cisco switch models and IOS versions, including 2960s, 3560s, a c4900M, and a single nexus 3000. I have configured a Linux server to serve as the NTP server for these devices, and have configured the server to sync to global clocks with no issues. Almost all of my devices are accepting the time from my NTP server and setting their clocks by it, but I cannot find a way to make my nexus 3000 use this time. I have tried following the documentation: Cisco Nexus 3000 Series NX-OS System Management Configuration Guide, Release 6.x to configure NTP on the nexus 3000, but have had no luck getting it to function correctly. I realize that the syntax for the IOS is different between the 2960 and the 3000, but I'm not sure how to configure the nexus 3000 correctly.
Can anyone tell me how to get my nexus 3000 to sync with my NTP server like the rest of my devices? Does it matter that it is the only device in my network that uses NX-OS? Do I need to configure authentication between the nexus 3000 and my higher NTP server, or configure CFS on the nexus 3000? Please let me know if it would help to see the running configuration on either device, or the output of commands like show ntp status, and I will be happy to share such data; I attempted to include such output in this post, but was unable to post due to an unspecified error.
Thank you for your time and consideration.
04-01-2019 11:21 AM
Hi,
It doesn't matter if the 3k is the only Nexus device and no, you don't need authentication for NTP to work correctly. I have never configured a 3k but if it is like the rest of the Nexus device, you just need
ntp server <IP> and
ntp source-interface
You can verify if the switch can see the NTP server, correct date and time by using:
sh ntp peer-status
HTH
04-01-2019 11:37 AM
Hi Reza,
Thank you for your quick response. I have tried using the commands that you suggested and I am still unable to get my Nexus 3000 to sync with my NTP server. Here is the output from a show run ntp on my nexus 3000:
4-118-R2-1-servercore# show run ntp
!Command: show running-config ntp
!Time: Mon Apr 1 14:29:42 2019
version 6.0(2)U2(5)
logging level ntp 6
ntp distribute
ntp server 192.168.44.250
ntp source-interface mgmt0
ntp logging
ntp commit
interface mgmt0
ntp multicast client
ntp broadcast
and here is the output from show ntp peer-status
4-118-R2-1-servercore# show ntp peer-status
Total peers : 2
* - selected for sync, + - peer mode(active),
- - peer mode(passive), = - polled in client mode
remote local st poll reach delay vrf
-------------------------------------------------------------------------------
=192.168.44.250 192.168.44.6 16 64 0 0.00000 default
^255.255.255.255 192.168.44.6 16 64 0 0.00000
Note that the device shows that it is not syncing with 44.250. Compare this to the output from show run | include ntp on a 2960 switch which is syncing correctly:
4-125A-cabinet-netlab#show run | include ntp
ntp broadcast client
ntp clock-period 22519226
ntp server 192.168.17.250
and the output on this other device when I show ntp associations
4-125A-cabinet-netlab#show ntp associations
address ref clock st when poll reach delay offset disp
*~192.168.17.250 208.67.72.50 3 152 256 377 2.2 0.02 0.4
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
The above showing that the 2960 is syncing. Note that the addresses 192.168.44.250 and 192.168.17.250 are simply different interfaces on the same device, my NTP server.
Does any of the information I have shared above suggest to you a solution to my issues syncing the nexus 3000 with my NTP server?
04-01-2019 01:15 PM
Hi,
I think overall the IOS gives you much better and more comprehensive information regarding NTP than Nexus OS. So, not sure if you can get the same data from the Nexus series. Anyway, does "show ntp peers" show the correct peer? Also, looking at the output you posted, it appears that date and time are correct.
Command: show running-config ntp
!Time: Mon Apr 1 14:29:42 2019
So, maybe NTP is working as expected?
HTH
04-02-2019 10:41 AM
Hi again,
The reason that show running config ntp shows the correct time is that I have manually set the clock and date on that device to as close to the correct time and date as possible, so although it looks like the device is syncing correctly via NTP, it isn't. Setting the time manually like this will make it so that any log messages that the device generates will have a time in the correct ballpark, but I'm trying to get accurate time so that I will be able to get information by comparing logs from this device with logs from other devices, and if the time isn't the same across all devices (I expect drift to occur on the Nexus 3000) then the logs from the Nexus 3000 are likely to produce more confusion than useful information.
Here is the result from show ntp peers:
4-118-R2-1-servercore# show ntp peers
--------------------------------------------------
Peer IP Address Serv/Peer
--------------------------------------------------
192.168.44.250 Server (configured)
255.255.255.255 Peer (configured)
This shows that the correct peer is configured (192.168.44.250), but doesn't inform us whether or not the nexus 3000 is syncing with that peer. Also, the broadcast peer (255.255.255.255) wasn't manually configured, so I think it is a built-in default peer association. Mind that the command show ntp associations is not available on the nexus 3000, so I am unable to use that to determine if the device is syncing with the NTP server.
Here is the output from a show ntp ?
4-118-R2-1-servercore# show ntp ?
access-groups Display NTP access groups
authentication-keys Display authentication keys
authentication-status NTP Authentication Status
internal NTP internal info
logging-status Display NTP logging status
peer-status Show the status for all the server/peers
peers Show all the peers.
pending Show the NTP temporary database
pending-diff Show the pending database diff.
rts-update Show if the RTS update is enabled
session Show the session information
source Source IP address configured
source-interface Source interface configured
statistics Show the NTP statistics
status Show the NTP distribution status
trusted-keys Display trusted keys
4-118-R2-1-servercore#
Do any of those options look like they would contain information that would be helpful to you in addressing this problem?
Thanks again for your time as assistance.
04-02-2019 10:44 AM
Also, here is the output from a show ntp peer-status
4-118-R2-1-servercore# show ntp peer-status
Total peers : 2
* - selected for sync, + - peer mode(active),
- - peer mode(passive), = - polled in client mode
remote local st poll reach delay vrf
-------------------------------------------------------------------------------
=192.168.44.250 192.168.44.6 16 64 0 0.00000 default
^255.255.255.255 192.168.44.6 16 64 0 0.00000
You can see from this output that 192.18.44.250 is not selected for sync. Does configuration of a vrf for the peer connection matter here, perhaps?
04-02-2019 11:51 AM
Hi,
One thing I noticed in your config. The NTP source is from mgmt0 which is usually in a VRF.
ntp source-interface mgmt0
Can you try and source the interface from an interface in the global routing table (loopback, svi, etc..) and test again?
HTH
04-02-2019 01:05 PM
I believe that I have modified the source interface as you suggested. Here are the commands I have entered and the corresponding output from show ntp peer-status:
4-118-R2-1-servercore(config)# ntp source-interface loopback 0
4-118-R2-1-servercore(config)# end
4-118-R2-1-servercore# copy run start
[########################################] 100%
Copy complete, now saving to disk (please wait)...
4-118-R2-1-servercore#
4-118-R2-1-servercore# show ntp peer-status
Total peers : 2
* - selected for sync, + - peer mode(active),
- - peer mode(passive), = - polled in client mode
remote local st poll reach delay vrf
-------------------------------------------------------------------------------
=192.168.44.250 0.0.0.0 16 64 0 0.00000 default
^255.255.255.255 0.0.0.0 16 64 0 0.00000
and here is the new output from show run | include ntp
4-118-R2-1-servercore(config)# do show run | include ntp
logging level ntp 6
ip access-list copp-system-acl-ntp
10 permit udp any any eq ntp
20 permit udp any eq ntp any
class-map type control-plane match-any copp-ntp
match access-group name copp-system-acl-ntp
class copp-ntp
ntp distribute
ntp server 192.168.44.250
ntp source-interface loopback0
ntp logging
ntp commit
ntp multicast client
ntp broadcast
It looks like specifying the source interface as loopback 0 did not cause the switch to begin syncing its clock with the specified peer. Would you suggest a difference value to try setting the source interface to, or perhaps another angle from which to approach the problem?
04-02-2019 01:49 PM
I have it set to loopback and it syncs just fine but this is a 6k, not 3k.
Try opening a ticket with TAC. This may be a known bug on 3ks.
HTH
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide