12-15-2015 06:06 AM - edited 03-08-2019 03:06 AM
Hello all,
Recently we changed the domain controllers at our satellite offices from win server 2008 R2 to win server 2012 R2. Each domain controller acts as an NTP server, and since we made this change I noticed that all the switches (core & edge) cannot sync their clocks.
At the beginning I thought this was an IOS issue as a colleague in another office said that he doesn't have this issue with his 15.0(2a)EX5 2960 switches.
I upgraded the firmware but this didn't actually fix the problem. Then that guy mentioned that he was actually able to make it work by adding the "ntp maxdistance" command and specifically gave a max distance of 10 in order to solve this issue. I also did the same and it worked instantly.
My question is: Do I have to use this command? What does it actually do?
Attached are the outputs of the "show ntp associations" and "show ntp associations detail" commands.
My switch is a WS-C2960X-48FPD-L with software version 15.0(2a)EX5.
Thank you all in advance.
12-15-2015 07:14 AM
ntp maxdistance is a threshold value to determine # of packets required for synchronization of peers in NTP v.4 (your 2nd screenshot shows your NTP version#). Now, the question: is it required? I would say yes if the default value is not the same on NTP server/client.
Source: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/bsm/command/bsm-cr-book/bsm-cr-n1.html#wp3482808177
Hope it helps,
Aus
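To illustrate the distance threshold discussed in this thread, here is an added example (not code from any poster or from Cisco) that decodes the root delay and root dispersion fields of an NTP server reply and compares the resulting distance against a threshold. It assumes the RFC 5905 definition of root distance and evaluates only the server-advertised part (half the root delay plus the root dispersion); the packet bytes and the threshold values 8 and 10 are constructed for the comparison, and the function names are hypothetical.

```python
import struct

MODE_SERVER = 4

def parse_root_fields(packet: bytes) -> dict:
    """Decode the first 12 bytes of an NTP header (RFC 5905 packet format)."""
    if len(packet) < 48:
        raise ValueError("an NTP header is 48 bytes long")
    flags, stratum, _poll, _precision, delay, disp = struct.unpack(
        "!BBbbII", packet[:12])
    return {
        "leap": flags >> 6,
        "version": (flags >> 3) & 0x7,
        "mode": flags & 0x7,
        "stratum": stratum,
        # Root delay and root dispersion use NTP short format:
        # 16.16 fixed-point seconds.
        "root_delay": delay / 65536,
        "root_dispersion": disp / 65536,
    }

def advertised_root_distance(fields: dict) -> float:
    """Server-advertised part of the root distance, in seconds."""
    return fields["root_delay"] / 2 + fields["root_dispersion"]

def passes_distance_check(packet: bytes, maxdistance: float) -> bool:
    """True if the reply is usable and its distance is under the threshold."""
    fields = parse_root_fields(packet)
    unsynchronized = fields["leap"] == 3 or not 1 <= fields["stratum"] <= 15
    if fields["mode"] != MODE_SERVER or unsynchronized:
        return False
    return advertised_root_distance(fields) < maxdistance

# Constructed sample reply (not captured from the thread): NTPv4, server mode,
# stratum 3, root delay 0.03125 s, root dispersion 8.5 s, remaining fields zero.
SAMPLE_REPLY = struct.pack("!BBbbII", 0x24, 3, 6, -6, 0x0800, 0x88000) + bytes(36)

if __name__ == "__main__":
    fields = parse_root_fields(SAMPLE_REPLY)
    print("NTP version:", fields["version"])
    print("advertised root distance (s):", advertised_root_distance(fields))
    for threshold in (8, 10):  # assumed values, chosen for the comparison
        print("maxdistance", threshold, "->",
              "accepted" if passes_distance_check(SAMPLE_REPLY, threshold) else "rejected")
```

A server that advertises a large root dispersion can be rejected under one threshold and accepted under a slightly higher one, even though the packet itself is well formed.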
12-16-2015 01:21 AM
Thank you very much for your answer Aus. Does anybody know by chance what this value is for a Windows NTP server?
12-16-2015 02:46 AM
You should definitely avoid using that IOS version; it's experimental and most likely contains a large number of bugs. NTPv4 is widely known to slow down synchronization, and this command was introduced to resolve that issue; on some systems it allows the sync to speed up. Certain parameters they introduced in v4 caused major sync issues. It's only required in v4.
Either way, for that switch you should be on the MD release (main deployment), which has been much more tested than the release you're on now 15.2..2e3
12-16-2015 02:51 AM
12-16-2015 03:44 AM
Hey, yes, the partner does not install them; they come out of the factory like that and go to the distributor. When you order them from your partner, they just hit up the dist office and they get sent out. Usually partners would only keep a certain amount of spare stock on site; most new gear comes from distributors based around the countries by Cisco.
The EX IOS are only on 29560s and they're known to be shit. We run very secure scans here against the IOS to try and find faults; the safe harbor images are what Cisco recommends and what usually passes our internal MVM scanners.
See the screenshot attached: the star indicates the Safe Harbor version, which is put through more testing by Cisco. Safe Harbor focuses on satisfying customer quality requirements in key vertical markets. This program links and expands on several Cisco testing projects, including development, regression testing, and systems testing, that are critical to the success of enterprise-service organizations. Safe Harbor certification marks the successful completion of extensive integrity testing that validates each release.
Yeah, I'm not surprised it's not syncing right on v4. If you set the version to v3 it will probably sync a lot quicker. You can add burst on certain IOS to the end of it as well; that can speed it up too. V4 is new, so you have to expect these things until it's ironed out.
ntp x.x.x.x burst