NTP alert messages on N5K - looking for origin source

marce1000 · ‎08-09-2017

Got this in the logs : is there any way to find the source (culprit) (ip) ?

Aug  9 14:27:46 switch-name : 2017 Aug  9 14:27:46 ET: %DAEMON-3-SYSTEM_MSG: NTP Receive dropping message: Received NTP control mode packet. Drop count:1  - ntpd[3825]

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Rob Cluett · ‎08-09-2017

A packet capture in front of or on the syslog server will expose who is sending the NTP message by IP Address.

There may be a way to have the syslog message read the IP rather than the hostname but I'll leave that up to someone who has more experience.

Rob Cluett · ‎08-09-2017

As an aside... Routers and switches can be configured to send syslog messages with an IP instead of a hostname. Doesn't help your situation but worth noting.

Geir Sand-Strand · ‎10-31-2017

Have you looked into this anymore? What did you end up doing regarding this message?

We have the same in our Nexus enviroment.

Br

Geir

canjohnson · ‎02-08-2018

I found the origin for ours by using this command on our 7018:

ethanalyzer local interface inband capture-filter "port 123" limit-captured-frames 100 write bootflash:<filename>.pcap display

Good luck.