Ntp Clock is unsynchronized in 3850

m.abdulsami
Level 1

Hi, I was facing an issue with NTP sync in a 3850 switch.

Show ntp status

Clock is unsynchronized, stratum 16, no reference clock 

sh ntp associations

address ref clock st when poll reach delay offset disp
~172.16.143.252 .TIME. 16 - 64 0 0.000 0.000 15937.
~172.16.143.253 .TIME. 16 - 64 0 0.000 0.000 15937.
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

 

As I see in the debug command:

NTP Core(INFO): 172.16.143.252 8015 85 restart timeout
May 16 09:53:22.809 AST: NTP: ntpio_send_ipv4: dst 172.16.143.252, src 0.0.0.0, if_out Vlan2
May 16 09:53:22.809 AST: NTP message sent to 172.16.143.252, from interface 'Vlan2' (172.16.143.21).

NTP: ntpio_send_ipv4: dst 172.16.143.253, src 0.0.0.0, if_out Vlan2
May 16 09:54:11.809 AST: NTP message sent to 172.16.143.253, from interface 'Vlan2' (172.16.143.21).

Accepted Solution

Rich R
VIP

So you either have a security/packet ACL blocking the NTP between those 2 devices or 1 of the devices has an NTP ACL configured which does not allow the other device.
So on both devices:
- check packet ACLs - allow UDP 123 as you mentioned
- "sh run | inc ntp" and look for "ntp access-group" and check the ACL applied there.
When you've done that then it's a good idea to "no ntp server x.x.x.x" then re-apply "ntp server x.x.x.x" to re-initialise the NTP polling process otherwise it can take some time to do that by itself.


M02@rt37
VIP

Hello @m.abdulsami,

The debug logs reveal that NTP messages are being sent from the interface Vlan2 (with IP address 172.16.143.21) to the NTP server addresses, but there is no response or synchronization happening.

To resolve the issue, you should check the following:

--Verify the connectivity between the NTP servers (172.16.143.252 and 172.16.143.253) and your switch. It seems to be on VLAN 2, as are your NTP servers, but try to ping them from SVI 2 on your switch.

--Confirm that the NTP servers themselves are functioning properly and providing accurate time synchronization.

--Check for any network access control lists that may be blocking NTP traffic.

 

Best regards

Thanks for the reply, M02@rt37.

I have troubleshot from the below link:

https://www.cisco.com/c/en/us/support/docs/ip/network-time-protocol-ntp/116161-trouble-ntp-00.html

I allowed UDP port 123 any.

Still not working.

 

Ok @m.abdulsami,

Do you see the udp_123 segment from the switch on your NTP server (thanks to tcpdump, Wireshark, ...)?

Best regards

Yes,

Other switches are working from the NTP server.

Would you post the output of the commands show ntp status and show ntp association from both 172.16.143.252 and 172.16.143.253?

HTH

Rick

Thanks @Richard Burts 

Find below the output of the switches:

172.16.143.252

sh ntp status

Clock is synchronized, stratum 3, reference is 172.20.254.244
nominal freq is 250.0000 Hz, actual freq is 249.9985 Hz, precision is 2**10
ntp uptime is 95109500 (1/100 of seconds), resolution is 4016
reference time is E80EE3A2.65E35510 (08:24:50.398 UTC Wed May 17 2023)
clock offset is -0.5000 msec, root delay is 1.57 msec
root dispersion is 18.82 msec, peer dispersion is 1.98 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000006010 s/s
system poll interval is 1024, last update was 10 sec ago.

RH-FGC1#sh ntp associations

address ref clock st when poll reach delay offset disp
~172.20.254.243 172.20.254.244 3 550 1024 377 1.000 0.500 17.418
*~172.20.254.244 10.247.38.50 2 62 1024 377 1.000 -0.500 1.981
~172.16.143.253 .TIME. 16 - 64 0 0.000 0.000 15937.
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

172.16.143.253

Clock is synchronized, stratum 3, reference is 172.20.254.244
nominal freq is 250.0000 Hz, actual freq is 249.9997 Hz, precision is 2**10
ntp uptime is 95123800 (1/100 of seconds), resolution is 4016
reference time is E80EE300.D020C6D8 (08:22:08.813 UTC Wed May 17 2023)
clock offset is 2.5000 msec, root delay is 1.57 msec
root dispersion is 22.99 msec, peer dispersion is 1.97 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000001134 s/s
system poll interval is 1024, last update was 317 sec ago.

RH-FGC2#sh ntp associations

address ref clock st when poll reach delay offset disp
~172.20.254.243 172.20.254.244 3 250 1024 377 1.000 2.500 17.105
*~172.20.254.244 10.247.38.50 2 345 1024 377 1.000 2.500 1.974
~172.16.143.253 .TIME. 16 - 64 0 0.000 0.000 16000.
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

 

Other switches are running with these NTP servers:

172.16.143.1

Clock is synchronized, stratum 4, reference is 172.16.143.253
nominal freq is 250.0000 Hz, actual freq is 250.0042 Hz, precision is 2**10
ntp uptime is 95132000 (1/100 of seconds), resolution is 4000
reference time is E80ED7E4.2872B090 (07:34:44.158 UTC Wed May 17 2023)
clock offset is 0.5000 msec, root delay is 1.79 msec
root dispersion is 77.95 msec, peer dispersion is 2.02 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is -0.000017041 s/s
system poll interval is 1024, last update was 3305 sec ago.

 

RH-FGC1-AS01#sh ntp associations

address ref clock st when poll reach delay offset disp
+~172.16.143.252 172.20.254.244 3 1009 1024 377 1.000 2.500 2.013
*~172.16.143.253 172.20.254.244 3 157 1024 377 1.000 0.500 2.029
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
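
Added example (not part of any post in this thread): the associations tables above differ mainly in the reach column, an 8-bit shift register printed in octal that records which of the last eight polls got an accepted reply. The Python sketch below parses such a table and classifies each peer; the sample rows are copied from the outputs posted above, and the function names and verdict labels are assumptions of this example.

```python
import re

# Sample input for this example: rows copied from the outputs posted in this
# thread (first two from the problem 3850, last two from a working switch).
SAMPLE = """\
address ref clock st when poll reach delay offset disp
~172.16.143.252 .TIME. 16 - 64 0 0.000 0.000 15937.
~172.16.143.253 .TIME. 16 - 64 0 0.000 0.000 15937.
+~172.16.143.252 172.20.254.244 3 1009 1024 377 1.000 2.500 2.013
*~172.16.143.253 172.20.254.244 3 157 1024 377 1.000 0.500 2.029
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
"""

# flags, peer address, ref clock, stratum, when, poll, reach (octal)
ROW = re.compile(
    r"^\s*(?P<flags>[*#+\-x~]*)(?P<addr>\d+\.\d+\.\d+\.\d+)\s+(?P<ref>\S+)\s+"
    r"(?P<st>\d+)\s+(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)\s+"
)

def parse_associations(text):
    """Return one dict per peer row; header, legend and prompt lines are skipped."""
    peers = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        reach = int(m["reach"], 8)  # the column is printed in octal
        peers.append({
            "addr": m["addr"],
            "sys_peer": "*" in m["flags"],
            "stratum": int(m["st"]),
            "reach": reach,
            "answered": bin(reach).count("1"),   # polls answered out of 8
            "history": format(reach, "08b"),     # newest poll is the last bit
        })
    return peers

def triage(peer):
    """Hypothetical verdict labels, chosen for this example."""
    if peer["reach"] == 0:
        return "no-replies"             # nothing accepted in the last 8 polls
    if peer["stratum"] >= 16:
        return "server-unsynchronized"  # replies arrive, server has no time
    if peer["answered"] < 8:
        return "intermittent"           # some polls unanswered
    return "ok"

if __name__ == "__main__":
    for p in parse_associations(SAMPLE):
        print(p["addr"], p["history"], triage(p))
```

A `no-replies` verdict while the debug output shows requests leaving the switch is consistent with replies being dropped on the path or rejected by NTP access control, which is what the accepted solution checks.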

debug ntp packets  <<- share this first; it can be a reachability issue. If we don't see packets then there is no need for the other debugs.

debug ntp events <<- share these after we are sure that we receive NTP packets

debug ntp validity

debug ntp sync

Hi @MHM Cisco World 

Find the output below.

debug ntp packet

May 18 22:48:21.809 AST: NTP: ntpio_send_ipv4: dst 172.16.143.252, src 0.0.0.0, if_out Vlan2
May 18 22:48:21.810 AST: NTP message sent to 172.16.143.252, from interface 'Vlan2' (172.16.143.21).
May 18 22:48:49.808 AST: NTP: ntpio_send_ipv4: dst 172.16.143.253, src 0.0.0.0, if_out Vlan2
May 18 22:48:49.809 AST: NTP message sent to 172.16.143.253, from interface 'Vlan2' (172.16.143.21).

 

Leo Laohoo
Hall of Fame

Is the NTP server a Windows-based client? 

If it is, try using a Linux-based NTP server.

Is the NTP server a Windows-based client? 

NO

The NTP server is a distribution switch.

NTP is working fine on the other switches, which are connected to the same distribution.

Switch Ports Model SW Version SW Image Mode
------ ----- ----- ---------- ---------- ----
* 1 56 WS-C3850-48P 16.12.05b CAT3K_CAA-UNIVERSALK9 INSTALL
2 56 WS-C3850-48P 16.12.05b CAT3K_CAA-UNIVERSALK9 INSTALL
3 56 WS-C3850-48P 16.12.05b CAT3K_CAA-UNIVERSALK9 INSTALL

 


I see the SW sends NTP but does not receive anything?
Can you ping the NTP server using the VLAN interface IP to check the reachability?

Given that the problem switch appears to be in the same subnet as the ntp servers I would assume that there would be ip connectivity. But pinging the servers might be helpful in assuring that this is the case. It seems that the suggestion of some ntp filtering might be the case. Can you post the output of the command show run | include ntp from the problem switch and both of the switches acting as ntp server?

HTH

Rick

RH-F2C1-AS01#show run | include ntp
10 permit udp any any eq ntp
20 permit udp any eq ntp any
ntp authentication-key 1 md5 13544246595D5D78087179 7
ntp authenticate
ntp trusted-key 1
ntp source Vlan2
ntp server 172.16.143.252
ntp server 172.16.143.253