
NTP setup error

Boris3
Level 1

Hi,

 

We get some errors when configuring NTP:

 

re(config)#clock timezone CEST +2

but also with this:

re#show ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**10
ntp uptime is 933000 (1/100 of seconds), resolution is 4000
reference time is 00000000.00000000 (02:00:00.000 CEST Mon Jan 1 1900)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 139.96 msec, peer dispersion is 0.00 msec
loopfilter state is 'NSET' (Never set), drift is 0.000000000 s/s
system poll interval is 8, never updated.
re#show ntp associations detail
10.10.10.23 configured, ipv4, insane, invalid, unsynced, stratum 16
ref ID .TIME., time 00000000.00000000 (02:00:00.000 CEST Mon Jan 1 1900)
our mode client, peer mode unspec, our poll intvl 64, peer poll intvl 1024
root delay 0.00 msec, root disp 0.00, reach 0, sync dist 15937.81
delay 0.00 msec, offset 0.0000 msec, dispersion 15937.50, jitter 0.00 msec
precision 2**10, version 4
assoc id 58613, assoc name 10.10.10.23
assoc in packets 0, assoc out packets 144, assoc error packets 0
org time E436A66D.0147AE18 (18:53:17.005 MET-DST Fri Apr 30 2021)
rec time 00000000.00000000 (02:00:00.000 CEST Mon Jan 1 1900)
xmt time 00000000.00000000 (02:00:00.000 CEST Mon Jan 1 1900)
filtdelay = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filtoffset = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filterror = 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0
minpoll = 6, maxpoll = 10

 

What could be the issue here?


Regards

Boris

6 Replies

balaji.bandi
Hall of Fame

Check whether you have any NTP configuration.

 

Post the output below:

 

show run | in NTP

show ntp status

show ntp peers

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

I think something is missing in outgoing NTP config communication, no PM, CM for the zone-pair?

...
zone-pair security WAN-self source WAN destination self
service-policy type inspect PM_WAN-Self
zone-pair security self-DMZ source self destination DMZ
zone-pair security self-LAN source self destination LAN
service-policy type inspect PM_Self-LAN
zone-pair security self-WAN source self destination WAN

Here is also the output attached:

 

#show run | in NTP
class-map type inspect match-all CM_DMZ-WAN_NTP
match access-group name ACL-NTP
class-map type inspect match-all CM_LAN-WAN_NTP
class type inspect CM_DMZ-WAN_NTP
class type inspect CM_LAN-WAN_NTP
ip access-list extended ACL-NTP


#show ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**10
ntp uptime is 82131100 (1/100 of seconds), resolution is 4000
reference time is 00000000.00000000 (02:00:00.000 CEST Mon Jan 1 1900)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 12319.66 msec, peer dispersion is 0.00 msec
loopfilter state is 'FSET' (Drift set from file), drift is 0.000000000 s/s
system poll interval is 8, never updated.


#show ntp peers
^
% Invalid input detected at '^' marker.

Deepak Kumar
VIP Alumni

Hi,

NTP configuration is missing in the above-shared output. Also, you are using a policy-map configured that is responsible for NTP class-map inspection. Also, we can't imagine based on the ACL name.

 

So I recommend sharing the complete show run output.

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Hi,

 

Please find the edited show run.

Thanks and regards

Boris

You need to enable debug ntp messages to see. Also, please confirm you have reachability to this IP 50.50.2.23.

BB


NTP server can't be pinged from the Router, but ping works from client-PC.

I think we need to add this to our config, but it is not clear to me which IPs we need to use: the router's public IP or the management interface? Or do we not need to limit anything in this access list?

 

class-map type inspect match-all CM_Self-WAN_NTP
match access-group name ACL_Self-WAN_NTP
match protocol ntp

policy-map type inspect PM_Self-WAN
class type inspect CM_Self-WAN_NTP
inspect

zone-pair security self-WAN source self destination WAN
service-policy type inspect PM_Self-WAN


ip access-list extended ACL_Self-WAN_NTP
20 remark --- from public IP of Routers?
30 permit udp host 50.50.108.150 host 50.50.2.23 eq ntp
40 remark --- or from Management-IP of Router?
50 permit udp host 10.10.10.1 host 50.50.2.23 eq ntp
60 remark --- or not limit the source address, as we did already in Self Zone ?
70 permit udp any host 50.50.2.23 eq ntp
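
A small triage script for the `show ntp associations detail` output in the opening post, as an added example that is not part of the original thread: it reads the flags and packet counters to separate "requests leave but no reply returns" (144 packets out, 0 in, reach 0 in that output) from other failure states. The function names and result labels are assumptions of this example, and the sample lines are constructed from the post's output.

```python
import re

# Constructed sample: the key lines of the association output from the opening post.
SAMPLE = """\
10.10.10.23 configured, ipv4, insane, invalid, unsynced, stratum 16
root delay 0.00 msec, root disp 0.00, reach 0, sync dist 15937.81
assoc in packets 0, assoc out packets 144, assoc error packets 0
"""

def parse_associations(text):
    """Parse 'show ntp associations detail' text into one dict per peer."""
    peers, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        # Header line: "<ip> flag, flag, ..., stratum N"
        head = re.match(r"(\d{1,3}(?:\.\d{1,3}){3}) (.+, stratum (\d+))$", line)
        if head:
            flags = {f.strip() for f in head.group(2).split(",")}
            cur = {"peer": head.group(1), "flags": flags,
                   "stratum": int(head.group(3)), "reach": 0, "in": 0, "out": 0}
            peers.append(cur)
            continue
        if cur is None:
            continue
        m = re.search(r"\breach ([0-7]+)", line)
        if m:
            cur["reach"] = int(m.group(1), 8)  # reach is shown in octal (377 = last 8 polls answered)
        m = re.search(r"assoc in packets (\d+), assoc out packets (\d+)", line)
        if m:
            cur["in"], cur["out"] = int(m.group(1)), int(m.group(2))
    return peers

def diagnose(p):
    """Classify one peer by where the NTP exchange stops (labels are this example's own)."""
    if p["out"] == 0:
        return "not-sending"        # the client never transmitted a request
    if p["in"] == 0:
        return "no-replies"         # requests leave, nothing comes back: path or filter
    if "sane" not in p["flags"] or "valid" not in p["flags"]:
        return "replies-rejected"   # packets arrive but the peer fails NTP sanity checks
    return "ok" if p["reach"] else "no-recent-replies"

if __name__ == "__main__":
    for peer in parse_associations(SAMPLE):
        print(peer["peer"], diagnose(peer))
```

A `no-replies` result points at the path between the router and the server, including filtering of UDP port 123 in either direction, rather than at the NTP statements themselves.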
