
NTP request to server by Loopback interface in non admin VDC

lodovici2012
Level 1

Hi,

I have an N7k with NX-OS 6.2(16), divided into one admin VDC and a Prod VDC.
I have 3 external NTP servers (10.92.5.58, 10.92.5.59 and 10.7.11.6).

The admin VDC is configured like this (3 NTP servers; source interface: management):


interface mgmt0
description Mgmt0-N7K-1
vrf member management
ip address 10.197.99.100/24


N7K-Admin# show ntp peers
--------------------------------------------------
Peer IP Address                              Serv/Peer
--------------------------------------------------
10.92.5.58                                    Server (configured)
10.92.5.59                                    Server (configured)
10.7.11.6                                      Server (configured)

 


N7K-Admin# show ntp peer-status
Total peers : 3
* - selected for sync, + - peer mode(active),
- - peer mode(passive), = - polled in client mode
remote                         local               st   poll   reach   delay             vrf
-------------------------------------------------------------------------------
*10.92.5.58             10.197.99.100     3   64   377   0.01596      management
=10.92.5.59             10.197.99.100     3   64   377   0.01591     management
=10.7.11.6               10.197.99.100     3   64   377   0.00061     management

 

In this configuration, the 3 NTP servers replace an old NTP server (10.92.1.4). So I want only the IP of the management interface of the Admin VDC (10.197.99.100) to send NTP requests to the NTP servers (10.92.5.58, 10.92.5.59 and 10.7.11.6).

The problem is that the old NTP server (10.92.1.4) is again receiving NTP requests from the Loopback0 interface (10.103.17.253) of the Prod VDC.


Loopback0 interface configuration of the vdc Prod :

interface loopback0
ip address 10.103.17.253/32
ip router ospf LAN area 0.0.0.0


Show command on the vdc Prod:


N7k-Prod# show ntp peers
INFO: System clock is not controlled by NTP in this VDC
You can use "clock protocol <protocol> vdc <vdc_id>"
to change the current setting.


N7k-Prod# show ntp peer-status
INFO: System clock is not controlled by NTP in this VDC
You can use "clock protocol <protocol> vdc <vdc_id>"
to change the current setting.

N7k-Prod# show ntp source
No Source IP address configured.


N7k-Prod# show ntp status
Distribution : Disabled
Last operational state: No session

 


Thank you.

Accepted Solution

Hi Mark,

 

The Nexus stopped sending NTP requests from the Loopback0 interface (10.103.17.253) to the NTP server (10.92.1.4).

The IP address of the NTP server (10.92.1.4) was configured on another switch (a C6509), a neighbor of the Admin VDC of the Nexus. When I entered the command

 

no ntp peer 10.92.1.4

 

on the C6509, the Nexus stopped sending NTP requests.

 

 

Regards


Mark Malone
VIP Alumni
Hi,
did you try ntp source-interface mgmt 0 in the admin VDC?

NTP Source Interface / IP Address

Introduced: Cisco NX-OS Release 4.1(3)

Specifying an NTP source interface or IP address is recommended when using a VRF instance other than the management VRF instance. This allows security devices such as firewalls to identify the source of the NTP packet. If the source interface or IP address is not specified, the primary IP address on the originating (outbound) interface is used. If the NTP traffic is associated to the management VRF instance, the mgmt0 interface IP address is selected. You cannot configure an NTP interface and IP source address simultaneously.

n7000(config)# ntp source-interface ethernet 2/1

n7000(config)# ntp source x.x.x.x

Already done :

 

N7K-Admin# show ntp source-interface
Source interface mgmt0

 

 

Thanks

Some output from "debug ntp info" debug on vdc Admin :

 

2018 Jan 16 18:23:43.200378 ntp: ntp_process_mts_msg: Opcode received: MTS_OPC_NTP_SHOW_REQ
2018 Jan 16 18:23:43.210598 ntp: ntp_doquery: sendrequest, num attempts = 30
2018 Jan 16 18:23:43.211061 ntp: fsrv_is_shared_intf_vdc(2225): srv_type: 2 vdc_id: 1
2018 Jan 16 18:23:43.211143 ntp: Sending cmi response with return_code = 0x0
2018 Jan 16 18:23:43.211181 ntp: setting global CMI msg req to NULL


2018 Jan 16 18:26:30.512358 ntp: Sending Time of day upd to standby
2018 Jan 16 18:26:30.512496 ntp: setting global CMI msg req to NULL
2018 Jan 16 18:26:30.512570 ntp: setting global CMI msg req to NULL
2018 Jan 16 18:26:30.512648 ntp: setting global CMI msg req to NULL
2018 Jan 16 18:26:30.512702 ntp: setting global CMI msg req to NULL
2018 Jan 16 18:26:30.520498 ntp: setting global CMI msg req to NULL
2018 Jan 16 18:26:30.565192 ntp: setting global CMI msg req to NULL

 

2018 Jan 16 18:29:30.778764 ntp: ntp_sigchld_wait_and_fetch_status: waitpid() returns with status of 28627
2018 Jan 16 18:29:30.778832 ntp: ntp_sigchld_wait_and_fetch_status: Non-ntp child exited ! Dont care !

 

 

 

 

Some output from "debug ntp info" debug on vdc Prod :

 

2018 Jan 16 18:37:33.263229 ntp: Processed a sdwrap msg (MTS_OPC_SYSLOG_FACILITY_OPR)
2018 Jan 16 18:37:37.070364 ntp: Sending Time of day upd to standby

2018 Jan 16 18:38:47.981899 ntp: Processed a sdwrap msg (MTS_OPC_SYSLOG_FACILITY_OPR)

2018 Jan 16 18:39:07.080467 ntp: Sending Time of day upd to standby

2018 Jan 16 18:40:37.080392 ntp: Sending Time of day upd to standby

2018 Jan 16 18:42:07.083508 ntp: Sending Time of day upd to standby

2018 Jan 16 18:42:07.083508 ntp: Sending Time of day upd to standby

2018 Jan 16 18:43:37.093499 ntp: Sending Time of day upd to standby

2018 Jan 16 18:44:22.378147 ntp: ntp_sigchld_wait_and_fetch_status: waitpid() returns with status of 30773
2018 Jan 16 18:44:22.378218 ntp: ntp_sigchld_wait_and_fetch_status: Non-ntp child exited ! Dont care !

What about applying a deny NTP ACL on lo0? We did that on our remote offices to make sure only certain interfaces process MGMT traffic.

Have you tried applying the ntp source IP as well with interface ... ntp source ip-address?
Reading online, I don't see any other specific way to choose the VDC NTP source, as it just syncs off the default VDC automatically.

Hi Mark,

 

I changed from

  ntp source-interface mgmt0

to

  ntp source ip-address

on the Admin VDC, and I entered the command

 

  no feature ntp

on the Prod VDC, but the NTP server again received the requests from 10.103.17.253.

Perhaps it is a bug.

I am passing the incident to the network architects team; maybe they will find the problem. In that case, I will post the solution.

 

 

Thank you

Did you also try configuring the source on the VDC too?

Config on N7k:
=============
Default VDC
===========
ntp server 10.1.1.2 use-vrf management
ntp source-interface mgmt0
ntp logging
ntp commit

vlan 1

vrf context management
ip route 0.0.0.0/0 10.1.1.2

interface mgmt0
vrf member management
ip address 10.1.1.1/24


N7k# switchto vdc vdc1

VDC1
=====
ntp server 10.1.1.2 use-vrf management
ntp source-interface mgmt0
ntp master 8

interface mgmt0
vrf member management
ip address 10.1.1.3/24

NTP is configured only on the default VDC (the Admin VDC):

 

ntp server 10.7.11.6 use-vrf management
ntp server 10.92.5.58 prefer use-vrf management
ntp server 10.92.5.59 use-vrf management
ntp source 10.197.99.100

 

vlan1

 

vrf context management
ip route 0.0.0.0/0 10.197.99.254

 

interface mgmt0
description Mgmt0-N7K-1
vrf member management
ip address 10.197.99.100/24
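
Added example (not part of the original thread and not Cisco code): the accepted solution traced the unwanted requests to a leftover "ntp peer 10.92.1.4" on a neighboring C6509, so this Python code audits saved configs for NTP server/peer statements outside the approved set and checks "show ntp peer-status" rows for the expected source address and VRF. The device label C6509, its config text, and the last peer-status row are constructed sample input; function and variable names are hypothetical.

```python
import re

APPROVED = {"10.92.5.58", "10.92.5.59", "10.7.11.6"}          # current servers named in the thread
EXPECTED_LOCAL, EXPECTED_VRF = "10.197.99.100", "management"  # mgmt0 of the Admin VDC

# Matches "ntp server X" / "ntp peer X"; a leading "no" keeps the line from matching.
NTP_REF = re.compile(r"^[ \t]*ntp[ \t]+(server|peer)[ \t]+(\S+)", re.MULTILINE)
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Data row of "show ntp peer-status": [marker]remote local st poll reach delay vrf
STATUS_ROW = re.compile(
    rf"^[ \t]*[*+=-]?{IP}[ \t]+{IP}[ \t]+\d+[ \t]+\d+[ \t]+\d+[ \t]+[\d.]+[ \t]+(\S+)[ \t]*$",
    re.MULTILINE)

def stale_ntp_refs(configs, approved=APPROVED):
    """Return (device, keyword, address) for each ntp server/peer not in the approved set."""
    findings = []
    for device in sorted(configs):
        for keyword, addr in NTP_REF.findall(configs[device]):
            if addr not in approved:
                findings.append((device, keyword, addr))
    return findings

def wrong_source_rows(peer_status, local=EXPECTED_LOCAL, vrf=EXPECTED_VRF):
    """Return (remote, local, vrf) rows that are not sourced from the expected address and VRF."""
    return [r for r in STATUS_ROW.findall(peer_status) if r[1] != local or r[2] != vrf]

# Constructed sample input: N7K-Admin lines follow the thread; the C6509 text is illustrative.
SAMPLE_CONFIGS = {
    "N7K-Admin": """\
ntp server 10.7.11.6 use-vrf management
ntp server 10.92.5.58 prefer use-vrf management
ntp server 10.92.5.59 use-vrf management
ntp source 10.197.99.100
""",
    "C6509": """\
ntp server 10.92.5.58
ntp peer 10.92.1.4
""",
}
# First two rows follow the thread's output; the last row is constructed to show a mismatch.
SAMPLE_STATUS = """\
remote         local            st  poll  reach  delay     vrf
*10.92.5.58    10.197.99.100    3   64    377    0.01596   management
=10.92.5.59    10.197.99.100    3   64    377    0.01591   management
=10.7.11.6     10.103.17.253    3   64    377    0.00061   default
"""

if __name__ == "__main__":
    for finding in stale_ntp_refs(SAMPLE_CONFIGS):
        print("stale NTP reference:", finding)
    for row in wrong_source_rows(SAMPLE_STATUS):
        print("unexpected source/VRF:", row)
```

Running the audit against every device adjacent to the time source, not only the one that appears as the packet source, is what would have surfaced the leftover peer statement here.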

 
