cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Community Helping Community

2310
Views
0
Helpful
22
Replies
Highlighted
Beginner

NTP Synchronization problem 2600 router

Cisco COmmunity:

In the below setup the CISCO 2600 router is not synchronizing with external NTP server

PLease help

John

Setup:

INTERNET ISP router ======CISCO ASA5505(10.1.1.2)======fa0/1CISCO 2600fa0/0=====Users

The goal is to synchronize the 2600 with an External NTP server. The ASA is already synchronized after using just these commands:

clock timezone UTC -6

ntp server 38.106.177.10

ON THE 2600 router I get these outputs after 3 hours:

RTR#sh ntp status

Clock is unsynchronized, stratum 16, no reference clock

nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18

reference time is 00000000.00000000 (18:00:00.000 CST Thu Dec 31 1899)

clock offset is 0.0000 msec, root delay is 0.00 msec

root dispersion is 0.00 msec, peer dispersion is 0.00 msec

RTR#sh ntp association

      address         ref clock     st  when  poll reach  delay  offset    disp

~38.106.177.10    0.0.0.0          16     -    64    0     0.0    0.00  16000.

* master (synced), # master (unsynced), + selected, - candidate, ~ configured

RTR# debug ntp packet

*Apr  3 18:28:01.065: NTP: xmit packet to 38.106.177.10:

*Apr  3 18:28:01.065:  leap 3, mode 3, version 3, stratum 0, ppoll 64

*Apr  3 18:28:01.065:  rtdel 0000 (0.000), rtdsp 10001 (1000.015), refid 00000000 (0.0.0.0)

*Apr  3 18:28:01.065:  ref 00000000.00000000 (18:00:00.000 CST Thu Dec 31 1899)

*Apr  3 18:28:01.065:  org 00000000.00000000 (18:00:00.000 CST Thu Dec 31 1899)

*Apr  3 18:28:01.065:  rec 00000000.00000000 (18:00:00.000 CST Thu Dec 31 1899)

*Apr  3 18:28:01.065:  xmt AF68AA11.10C7B7FB (18:28:01.065 CST Sat Apr 3 1993)

Configuration

RTR#sh run

Building configuration...

Current configuration : 1853 bytes

!

version 12.2

service timestamps debug datetime msec localtime

service timestamps log datetime msec

service password-encryption

!

hostname RTR

!

!

clock timezone CST -6

clock summer-time CDT recurring

ip subnet-zero

!

!

ip domain-name domain.com

ip name-server 10.250.100.1

!

!

!

!

interface FastEthernet0/0

ip address 10.250.1.113 255.255.0.0

no ip proxy-arp

ip route-cache flow

speed auto

full-duplex

!

interface FastEthernet0/1

ip address 10.1.1.1 255.255.0.0

duplex auto

speed auto

!

!

ip flow-export destination 10.250.100.60 2055

ip classless

ip route 0.0.0.0 0.0.0.0 10.1.1.2

ip route 10.210.0.0 255.255.0.0 10.250.1.111

ip route 10.220.2.0 255.255.255.0 10.250.1.111

ip route 10.230.0.0 255.255.0.0 10.250.1.111

ip route 10.231.0.0 255.255.0.0 10.250.1.111

ip route 10.240.0.0 255.255.0.0 10.250.1.111

ip route 10.241.0.0 255.255.0.0 10.250.1.111

ip route 10.242.0.0 255.255.0.0 10.250.1.111

ip route 172.16.0.0 255.255.0.0 10.250.1.112

ip route 172.30.1.0 255.255.255.0 10.1.1.2

ip route 192.168.3.0 255.255.255.0 10.250.1.111

ip route 192.168.4.0 255.255.255.0 10.250.1.111

ip route 192.168.100.0 255.255.255.0 10.250.1.111

ip http server

!

!

line con 0

line aux 0

line vty 0 4

password xxxxxxx

login

!

ntp source FastEthernet0/1

ntp server 38.106.177.10

end

22 REPLIES 22
Advisor

NTP Synchronization problem 2600 router

Is this router in front of your ASA or behind your ASA? You may have to set the clock manually on the 2600 a little closer to the real time. If NTP is way off, the synchronization may not happen at all.

HTH,

John

HTH, John *** Please rate all useful posts ***
Beginner

NTP Synchronization problem 2600 router

The router is behind the ASA. I tried to show that in the text diagram in my question.

Advisor

Re: NTP Synchronization problem 2600 router

Ah...

Do you have an acl on your inside interface on the ASA? If so, you'll need to allow udp 123 through for ntp traffic.

I completely missed the diagram

HTH,

John

HTH, John *** Please rate all useful posts ***
Beginner

NTP Synchronization problem 2600 router

No ACLs on inside interface. Why would the ASA itself communicates with external NTP without being explicitely allowed.? I assume because traffic coming from behind Inside to Outside is allowed.

Thanks

John

Advisor

Re: NTP Synchronization problem 2600 router

That's correct. The ASA can communicate with the NTP server because it's locally generated traffic. The router on the other hand has to go through the ASA to get to it. If you don't have any acls on the inside interface, the traffic originating from the inside is automatically allowed out. Can you post your config for the ASA by chance?

HTH, John *** Please rate all useful posts ***
Beginner

NTP Synchronization problem 2600 router

j.blakley thanks for your reply. Here is is the ASA config:

ASA Version 8.2(1)

!

hostname ASAdct5505

domain-name default.domain.invalid

names

interface Vlan1

nameif inside

security-level 100

allow-ssc-mgmt

ip address 10.1.1.2 255.255.0.0

!

interface Vlan2

nameif outside

security-level 0

ip address X.X.X.X 255.255.255.240

!

interface Vlan3

description DMZ

nameif DMZ

security-level 50

ip address 172.30.1.1 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

switchport access vlan 3

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

banner login Only for authorized users . PLease disconnect if you are not one.

boot system disk0:/asa821-k8.bin

ftp mode passive

clock timezone UTC -6

dns server-group DefaultDNS

domain-name default.domain.invalid

same-security-traffic permit intra-interface

object-group network obj_172.22.7.0

network-object 172.22.7.0 255.255.255.0

access-list from_outside extended permit tcp any host 12.156.156.211 eq 3389

access-list from_outside extended permit tcp any host 12.156.156.212 eq 3389

access-list DMZ_in extended permit ip 172.30.1.0 255.255.255.0 10.0.0.0 255.0.0.

access-list DMZ_in extended permit tcp 172.30.1.0 255.255.255.0 any eq www

access-list DMZ_in extended permit tcp 172.30.1.0 255.255.255.0 any eq https

access-list DMZ_in extended permit udp 172.30.1.0 255.255.255.0 any eq domain

pager lines 24

logging enable

logging buffer-size 1000000

logging monitor debugging

logging buffered debugging

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu DMZ 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-647.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

global (DMZ) 1 172.30.1.2-172.30.1.200

nat (inside) 1 10.250.0.0 255.255.0.0

nat (outside) 1 10.250.2.0 255.255.255.0

nat (DMZ) 1 172.30.0.0 255.255.0.0

static (inside,DMZ) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

access-group from_outside in interface outside

access-group DMZ_in in interface DMZ

route outside 0.0.0.0 0.0.0.0 X.X.X.X 1

route inside 10.0.0.0 255.0.0.0 10.1.1.1 1

route inside 172.16.0.0 255.255.0.0 10.1.1.1 1

route inside 192.168.0.0 255.255.0.0 10.1.1.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http 10.250.0.0 255.255.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac

crypto ipsec transform-set 3DES-SHA-HMAC esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

console timeout 0

management-access inside

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 38.106.177.10

tftp-server inside 10.250.1.10 /asacurrentconfig.txt

webvpn

svc image disk0:/anyconnect-win-2.5.3055-k9.pkg 1

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect icmp

!

service-policy global_policy global

prompt hostname context

: end

Rising star

NTP Synchronization problem 2600 router

Hi,

can you successful ping the NTP server from ur router?


Soroush.

Hope it Helps!

Soroush.
Beginner

NTP Synchronization problem 2600 router

I can ping the NTP server from ASA but not from 2600 router. I cannot see how the ASA could be blocking NTP traffic if the ASA itself communicates with the same NTP server just fine

Thanks

john

Rising star

Re: NTP Synchronization problem 2600 router

the traffic which is originated from the device itself, and the traffic passing through the device are two different stories.

if it thats just the NTP traffic that you have the difficulty passing through ASA make an exception and let it pass, the Source and Destination (for both ways RX/TX) is known, specific config.

plz Rate if it helped,

Soroush.

Hope it Helps!

Soroush.
Hall of Fame Community Legend

NTP Synchronization problem 2600 router

Have you tried other NTP servers?

Look for your local NTP server from the link Stratum Two Time Servers.

Beginner

NTP Synchronization problem 2600 router

Yes I have

from this Page

Hall of Fame Community Legend

NTP Synchronization problem 2600 router

Sorry, I didn't make myself clear here ... Can you ADD more NTP server addresses to your config and try so the appliance can do a round-robin?

Rising star

NTP Synchronization problem 2600 router

Have you tried setting up captures on your ASA to see if its getting to the inside interface on the ASA. You can then setup a capture inbound on the outside interface to see if its responding. If the NTP server is not responding then that's not on you. I would try to verify traffic from Traffic Initiator to Traffic Destination and back to Traffic Initiator.

Beginner

Re: NTP Synchronization problem 2600 router

On my router 2901 my command is

ntp server 10.1.1.7 prefer

I don't have anything about ntp source fa 0/1. One other option is get time from the Asa.

Sent from Cisco Technical Support iPhone App

CreatePlease to create content
Content for Community-Ad