05-04-2021 04:45 AM
Hi,
We get some errors when configuring NTP:
re(config)#clock timezone CEST +2
but also with this:
re#show ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**10
ntp uptime is 933000 (1/100 of seconds), resolution is 4000
reference time is 00000000.00000000 (02:00:00.000 CEST Mon Jan 1 1900)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 139.96 msec, peer dispersion is 0.00 msec
loopfilter state is 'NSET' (Never set), drift is 0.000000000 s/s
system poll interval is 8, never updated.
re#show ntp associations detail
10.10.10.23 configured, ipv4, insane, invalid, unsynced, stratum 16
ref ID .TIME., time 00000000.00000000 (02:00:00.000 CEST Mon Jan 1 1900)
our mode client, peer mode unspec, our poll intvl 64, peer poll intvl 1024
root delay 0.00 msec, root disp 0.00, reach 0, sync dist 15937.81
delay 0.00 msec, offset 0.0000 msec, dispersion 15937.50, jitter 0.00 msec
precision 2**10, version 4
assoc id 58613, assoc name 10.10.10.23
assoc in packets 0, assoc out packets 144, assoc error packets 0
org time E436A66D.0147AE18 (18:53:17.005 MET-DST Fri Apr 30 2021)
rec time 00000000.00000000 (02:00:00.000 CEST Mon Jan 1 1900)
xmt time 00000000.00000000 (02:00:00.000 CEST Mon Jan 1 1900)
filtdelay = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filtoffset = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filterror = 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0
minpoll = 6, maxpoll = 10
What could be the issue here?
Regards
Boris
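Added example, not part of the original posts: a small Python parser for the `show ntp associations detail` output above that reads the reach register and the in/out packet counters to tell which direction of the NTP exchange is failing. The sample text is a trimmed, constructed copy of the posted output, and the function names are hypothetical.

```python
import re

# Constructed sample: a trimmed copy of the association shown in the post above.
SAMPLE = """\
10.10.10.23 configured, ipv4, insane, invalid, unsynced, stratum 16
root delay 0.00 msec, root disp 0.00, reach 0, sync dist 15937.81
assoc in packets 0, assoc out packets 144, assoc error packets 0
"""

HEADER = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}) (configured|dynamic), (.*)$")
FIELDS = {
    "reach": re.compile(r"\breach (\d+)"),  # octal shift register, last 8 polls
    "in": re.compile(r"assoc in packets (\d+)"),
    "out": re.compile(r"assoc out packets (\d+)"),
}

def parse_associations(text):
    """Return one dict per peer: address, flags, reach, in/out packet counts."""
    peers = []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            peers.append({"peer": m.group(1), "flags": m.group(3).split(", ")})
            continue
        if not peers:
            continue  # ignore anything before the first peer header
        for key, rx in FIELDS.items():
            f = rx.search(line)
            if f:
                peers[-1][key] = int(f.group(1), 8 if key == "reach" else 10)
    return peers

def diagnose(peer):
    """Classify a peer by which direction of the NTP exchange is failing."""
    sent, received = peer.get("out", 0), peer.get("in", 0)
    if sent == 0:
        return "no requests sent: check the ntp server statement"
    if received == 0:
        return "requests sent, no replies received: check routing and filtering"
    if peer.get("reach", 0) == 0:
        return "replies seen earlier, none in the last 8 polls: intermittent loss"
    return "reachable"

if __name__ == "__main__":
    for p in parse_associations(SAMPLE):
        print(p["peer"], "->", diagnose(p))
```

For the posted association (144 packets out, 0 in, reach 0) this reports that requests leave the router but no replies are received.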
05-04-2021 04:57 AM
Check whether you have any NTP configuration.
Post the output of the commands below:
show run | in NTP
show ntp status
show ntp peers
05-11-2021 07:34 AM
I think something is missing in the outgoing NTP config communication, no PM, CM for the zone-pair?
...
zone-pair security WAN-self source WAN destination self
service-policy type inspect PM_WAN-Self
zone-pair security self-DMZ source self destination DMZ
zone-pair security self-LAN source self destination LAN
service-policy type inspect PM_Self-LAN
zone-pair security self-WAN source self destination WAN
Here is also the output, attached:
#show run | in NTP
class-map type inspect match-all CM_DMZ-WAN_NTP
match access-group name ACL-NTP
class-map type inspect match-all CM_LAN-WAN_NTP
class type inspect CM_DMZ-WAN_NTP
class type inspect CM_LAN-WAN_NTP
ip access-list extended ACL-NTP
#show ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**10
ntp uptime is 82131100 (1/100 of seconds), resolution is 4000
reference time is 00000000.00000000 (02:00:00.000 CEST Mon Jan 1 1900)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 12319.66 msec, peer dispersion is 0.00 msec
loopfilter state is 'FSET' (Drift set from file), drift is 0.000000000 s/s
system poll interval is 8, never updated.
#show ntp peers
^
% Invalid input detected at '^' marker.
05-11-2021 10:10 PM
Hi,
NTP configuration is missing in the above-shared output. Also, you are using a policy-map that is responsible for NTP class-map inspection. Also, we can't imagine based on the ACL name.
So I recommend sharing the complete show run output.
05-13-2021 05:30 AM
05-13-2021 06:38 AM
You need to enable debug ntp messages to see. Also, please confirm you have reachability to this IP: 50.50.2.23
05-19-2021 07:45 AM
The NTP server can't be pinged from the router, but ping works from a client PC.
I think we need to add this to our config, but it is not clear to me which IPs we need to use: router public IP or Management Interface? Or do we not need to limit anything in this access list?
class-map type inspect match-all CM_Self-WAN_NTP
 match access-group name ACL_Self-WAN_NTP
 match protocol ntp
policy-map type inspect PM_Self-WAN
 class type inspect CM_Self-WAN_NTP
  inspect
zone-pair security self-WAN source self destination WAN
 service-policy type inspect PM_Self-WAN
ip access-list extended ACL_Self-WAN_NTP
 20 remark --- from public IP of Routers?
 30 permit udp host 50.50.108.150 host 50.50.2.23 eq ntp
 40 remark --- or from Management-IP of Router?
 50 permit udp host 10.10.10.1 host 50.50.2.23 eq ntp
 60 remark --- or not limit the source address, as we did already in Self Zone ?
 70 permit udp any host 50.50.2.23 eq ntp