02-20-2025 02:49 AM
Hello,
I've been checking logs on some switches and I realised the clock is not right. It made me look at the NTP settings which look like this:
'show ntp associations'
  address         ref clock       st   when   poll  reach   delay   offset    disp
~192.168.138.10  10.11.10.10      2     63     64    377    8.991  -67456.   1.917
~10.11.10.10     .LOCL.           1     26     64    377    9.995  -67456.   1.923
~192.168.138.11  10.11.10.10      2     32     64    377   14.996  -67454.   1.910
~10.11.10.11     .INIT.          16      -   1024      0    0.000    0.000  15937.
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
I've found out these are Windows servers.
If I run 'show ntp status' I see this which I think means it's not working?
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**10
ntp uptime is 1366239900 (1/100 of seconds), resolution is 4000
reference time is 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.16 msec, peer dispersion is 0.00 msec
loopfilter state is 'FSET' (Drift set from file), drift is 0.000000000 s/s
system poll interval is 64, never updated.
02-20-2025 03:52 AM
Because the clock is not synchronized and there is no reference clock. Could you check that the IPs of the NTP servers/peers and reference clocks are reachable from your device?
02-20-2025 04:03 AM
Hello @ajwhite0
Regarding your #show ntp associations output, your equipment is not synchronized.
You should have '*~' in front of the NTP servers.
The #show ntp status command confirms that: "unsync." and stratum 16!
Check if you have configured the ntp source command...
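To show what the replies above are reading off the table, here is an added example (not from the thread or from Cisco) that parses the 'show ntp associations' output quoted in the first post and explains why the switch stays at stratum 16: no row carries the '*' sys.peer flag, one configured server has never answered (.INIT., reach 0), and the others report offsets of roughly 67 seconds and a stratum 1 server that is serving its own local clock. The sample text is constructed from the posted output and the 1000 ms offset threshold is an assumption.

```python
import re

# Constructed sample input: the 'show ntp associations' output quoted in the
# thread, re-aligned as IOS prints it, followed by the legend line.
SAMPLE_OUTPUT = """\
  address         ref clock       st   when   poll reach  delay  offset    disp
~192.168.138.10  10.11.10.10       2     63     64   377  8.991 -67456.   1.917
~10.11.10.10     .LOCL.            1     26     64   377  9.995 -67456.   1.923
~192.168.138.11  10.11.10.10       2     32     64   377 14.996 -67454.   1.910
~10.11.10.11     .INIT.           16      -   1024     0  0.000   0.000  15937.
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
"""

# One association row: optional status flags glued to the address, then the
# remaining columns. Numbers stay text here and are converted in the parser.
_ROW = re.compile(
    r"^\s*(?P<flags>[*#+\-x~]*)(?P<address>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<refclock>\S+)\s+(?P<stratum>\d+)\s+(?P<when>\S+)\s+(?P<poll>\d+)\s+"
    r"(?P<reach>[0-7]+)\s+(?P<delay>[-\d.]+)\s+(?P<offset>[-\d.]+)\s+(?P<disp>[-\d.]+)\s*$"
)


def parse_associations(text):
    """Return one dict per association row; the header and legend lines are skipped."""
    peers = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        d = m.groupdict()
        peers.append({
            "flags": d["flags"],
            "address": d["address"],
            "refclock": d["refclock"],
            "stratum": int(d["stratum"]),
            "poll": int(d["poll"]),
            # 'reach' is an octal shift register of the last eight polls: 377 = all answered.
            "reach": int(d["reach"], 8),
            "delay_ms": float(d["delay"]),
            "offset_ms": float(d["offset"]),
            "disp_ms": float(d["disp"]),
        })
    return peers


def assess(peers, max_offset_ms=1000.0):
    """Explain from the table alone why the device would (not) synchronise.

    Returns (synced, findings): synced is True only when some row carries the
    '*' sys.peer flag; each finding is a short text keyed by peer address.
    The offset threshold is an assumed operational limit, not an IOS constant.
    """
    synced = any("*" in p["flags"] for p in peers)
    findings = []
    for p in peers:
        a = p["address"]
        if p["stratum"] == 16 or p["refclock"] == ".INIT.":
            findings.append(f"{a}: never answered (stratum 16 / .INIT.); check reachability, ACLs and ntp source")
            continue
        answered = bin(p["reach"]).count("1")
        if p["reach"] != 0o377:
            findings.append(f"{a}: only {answered}/8 recent polls answered (reach {p['reach']:o})")
        if abs(p["offset_ms"]) > max_offset_ms:
            findings.append(f"{a}: offset {p['offset_ms']:.0f} ms exceeds {max_offset_ms:.0f} ms; the server's own clock is suspect")
        if p["refclock"] == ".LOCL.":
            findings.append(f"{a}: serves its own undisciplined local clock (.LOCL.), not a real time source")
    if not synced:
        findings.insert(0, "no '*' sys.peer flag on any row: device is unsynchronised (matches 'stratum 16' in show ntp status)")
    return synced, findings


if __name__ == "__main__":
    peers = parse_associations(SAMPLE_OUTPUT)
    synced, findings = assess(peers)
    print("synced:", synced)
    for f in findings:
        print(" -", f)
```

Run it against the output of any IOS switch to get the same checklist; a row whose flags contain '*' (shown as '*~' for a configured server) is the one the device actually follows, and a 'reach' of 377 with a large offset points at the server's clock rather than at connectivity.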
02-20-2025 04:06 AM
Usually the command ntp source <interface name & number> helps in this situation, by routing the NTP packets to the desired servers from the intended interface.
Also check for any access list restricting NTP traffic.
HTH
02-20-2025 05:05 AM
It seems the remote NTP servers (Windows servers) are not healthy. I've set up NTP on 2 Linux VMs now and a test shows they work.
What free tool can I use to update all these switches rather than manually logging on to each one please?
02-20-2025 05:21 AM
You can use Ansible to configure your Cisco equipment - https://medium.com/@mattouchi6/automating-cisco-switch-configuration-using-ansible-a-comprehensive-guide-e9ef4e6c5025
HTH
02-20-2025 07:43 AM
I'm giving that a go from my Linux machine, but for most switches, if I try to ssh to them, I get:
no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
or
no matching host key type found. Their offer: ssh-rsa
02-20-2025 08:05 AM - edited 02-20-2025 08:20 AM
Edit the .ssh/config file of the user you are using to ssh into the equipment.
Add the key exchange methods that were not found:
KexAlgorithms diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
Save the file and try again.
Edit: If it complains about missing ciphers, add them the same way, for example:
Ciphers aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
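A narrower way to apply the advice above, added here as an example and not part of the thread: instead of enabling every algorithm the switch lists, for the whole client, parse the OpenSSH "no matching ... found. Their offer:" lines, pick the single strongest algorithm the device offers at each failed stage, and emit a Host-scoped stanza that appends it with the '+' prefix. The sample error strings are the two quoted in the post above; the Host pattern and the list of algorithms considered acceptable are assumptions you would adjust to your own management subnet and policy.

```python
import re

# Constructed sample input: the two OpenSSH errors quoted in the thread.
SAMPLE_ERRORS = [
    "no matching key exchange method found. Their offer: "
    "diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1",
    "no matching host key type found. Their offer: ssh-rsa",
]

# Hypothetical Host pattern for the switch management addresses (constructed placeholder).
SWITCH_HOST_PATTERN = "10.0.0.*"

# OpenSSH names the failed negotiation stage in plain words; map each to the
# ssh_config option that controls that stage.
_OPTION_FOR = {
    "key exchange method": "KexAlgorithms",
    "host key type": "HostKeyAlgorithms",
    "cipher": "Ciphers",
    "MAC": "MACs",
}
_ERROR = re.compile(
    r"no matching (?P<what>key exchange method|host key type|cipher|MAC) found\. "
    r"Their offer: (?P<offer>\S+)"
)

# Algorithms this policy is prepared to enable for an old device, best first
# (assumed policy, adjust to your own). Anything not listed, such as
# diffie-hellman-group1-sha1 or 3des-cbc, is refused even if offered.
# group14-sha1 is a fixed 2048-bit group, so it ranks above
# group-exchange-sha1, whose group size depends on the device.
_ACCEPTABLE = {
    "KexAlgorithms": [
        "diffie-hellman-group-exchange-sha256",
        "diffie-hellman-group14-sha256",
        "diffie-hellman-group14-sha1",
        "diffie-hellman-group-exchange-sha1",
    ],
    "HostKeyAlgorithms": ["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"],
    "Ciphers": ["aes256-ctr", "aes192-ctr", "aes128-ctr", "aes256-cbc", "aes192-cbc", "aes128-cbc"],
    "MACs": ["hmac-sha2-512", "hmac-sha2-256", "hmac-sha1"],
}


def parse_error(message):
    """Return (option_name, offered_algorithms) from an OpenSSH 'no matching ... found' line."""
    m = _ERROR.search(message)
    if not m:
        raise ValueError(f"not a negotiation failure: {message!r}")
    return _OPTION_FOR[m.group("what")], m.group("offer").split(",")


def pick_algorithm(option, offered):
    """Strongest acceptable algorithm the device offers, or None if it offers nothing acceptable."""
    for candidate in _ACCEPTABLE[option]:
        if candidate in offered:
            return candidate
    return None


def build_stanza(host_pattern, messages):
    """Build a Host-scoped ssh_config stanza adding exactly one legacy algorithm per failed stage.

    The '+' prefix appends to the client's default list, so modern algorithms
    stay preferred and the relaxation applies only to hosts matching the pattern.
    """
    lines = [f"Host {host_pattern}"]
    for msg in messages:
        option, offered = parse_error(msg)
        chosen = pick_algorithm(option, offered)
        if chosen is None:
            raise ValueError(f"{option}: device offers only refused algorithms: {offered}")
        lines.append(f"    {option} +{chosen}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_stanza(SWITCH_HOST_PATTERN, SAMPLE_ERRORS))
```

Paste the printed stanza into ~/.ssh/config on the Linux machine; because it sits under a Host block, connections to anything else keep the client's default algorithm lists, and a device that offers only refused algorithms raises an error instead of silently getting a weak setting.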
02-25-2025 05:32 AM
Sorry for the delay, I'll be looking at this today/tomorrow and if it works use with Ansible. I'll check back with an update. Thanks!