NTP Synchronization problem 2600 router

johnramz
Level 1

Cisco Community:

In the setup below, the Cisco 2600 router is not synchronizing with an external NTP server.

Please help.

John

Setup:

INTERNET ISP router ======CISCO ASA5505(10.1.1.2)======fa0/1CISCO 2600fa0/0=====Users

The goal is to synchronize the 2600 with an External NTP server. The ASA is already synchronized after using just these commands:

clock timezone UTC -6
ntp server 38.106.177.10

On the 2600 router I get these outputs after 3 hours:

RTR#sh ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
reference time is 00000000.00000000 (18:00:00.000 CST Thu Dec 31 1899)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.00 msec, peer dispersion is 0.00 msec

RTR#sh ntp association
      address         ref clock     st  when  poll reach  delay  offset    disp
~38.106.177.10    0.0.0.0          16     -    64    0     0.0    0.00  16000.
* master (synced), # master (unsynced), + selected, - candidate, ~ configured

RTR# debug ntp packet
*Apr  3 18:28:01.065: NTP: xmit packet to 38.106.177.10:
*Apr  3 18:28:01.065:  leap 3, mode 3, version 3, stratum 0, ppoll 64
*Apr  3 18:28:01.065:  rtdel 0000 (0.000), rtdsp 10001 (1000.015), refid 00000000 (0.0.0.0)
*Apr  3 18:28:01.065:  ref 00000000.00000000 (18:00:00.000 CST Thu Dec 31 1899)
*Apr  3 18:28:01.065:  org 00000000.00000000 (18:00:00.000 CST Thu Dec 31 1899)
*Apr  3 18:28:01.065:  rec 00000000.00000000 (18:00:00.000 CST Thu Dec 31 1899)
*Apr  3 18:28:01.065:  xmt AF68AA11.10C7B7FB (18:28:01.065 CST Sat Apr 3 1993)

Configuration

RTR#sh run
Building configuration...

Current configuration : 1853 bytes
!
version 12.2
service timestamps debug datetime msec localtime
service timestamps log datetime msec
service password-encryption
!
hostname RTR
!
!
clock timezone CST -6
clock summer-time CDT recurring
ip subnet-zero
!
!
ip domain-name domain.com
ip name-server 10.250.100.1
!
!
!
!
interface FastEthernet0/0
 ip address 10.250.1.113 255.255.0.0
 no ip proxy-arp
 ip route-cache flow
 speed auto
 full-duplex
!
interface FastEthernet0/1
 ip address 10.1.1.1 255.255.0.0
 duplex auto
 speed auto
!
!
ip flow-export destination 10.250.100.60 2055
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.2
ip route 10.210.0.0 255.255.0.0 10.250.1.111
ip route 10.220.2.0 255.255.255.0 10.250.1.111
ip route 10.230.0.0 255.255.0.0 10.250.1.111
ip route 10.231.0.0 255.255.0.0 10.250.1.111
ip route 10.240.0.0 255.255.0.0 10.250.1.111
ip route 10.241.0.0 255.255.0.0 10.250.1.111
ip route 10.242.0.0 255.255.0.0 10.250.1.111
ip route 172.16.0.0 255.255.0.0 10.250.1.112
ip route 172.30.1.0 255.255.255.0 10.1.1.2
ip route 192.168.3.0 255.255.255.0 10.250.1.111
ip route 192.168.4.0 255.255.255.0 10.250.1.111
ip route 192.168.100.0 255.255.255.0 10.250.1.111
ip http server
!
!
line con 0
line aux 0
line vty 0 4
 password xxxxxxx
 login
!
ntp source FastEthernet0/1
ntp server 38.106.177.10
end
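As an added example (not part of the original post and not Cisco code), the script below builds the 48-byte NTP version 3, mode 3 client request that the debug ntp packet output above shows the router sending, and decodes its fields. It shows why the all-zero reference time prints as 18:00:00 CST Thu Dec 31 1899 (the NTP epoch, 1900-01-01 00:00:00 UTC, shifted by the configured -6 hours) and that xmt AF68AA11.10C7B7FB really is Apr 3 1993 CST. The field layout follows RFC 5905; the precision value -18 is an assumption based on the "precision is 2**18" line, since the debug output does not print it.

```python
import struct
from datetime import datetime, timedelta, timezone

# NTP era 0 starts at 1900-01-01 00:00:00 UTC (RFC 5905).
NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)
# Header layout: LI/VN/Mode, stratum, poll, precision, root delay,
# root dispersion, reference ID, then four 64-bit timestamps = 48 bytes.
HEADER_FMT = "!BBbbIIIQQQQ"


def ntp_ts_to_datetime(ts_hex: str) -> datetime:
    """Convert an IOS-style 'SSSSSSSS.FFFFFFFF' NTP timestamp to UTC."""
    secs_hex, frac_hex = ts_hex.split(".")
    secs = int(secs_hex, 16)
    frac = int(frac_hex, 16) / 2**32  # 32-bit fraction of a second
    return NTP_EPOCH + timedelta(seconds=secs + frac)


def short_to_ms(value: int) -> float:
    """NTP short format (16.16 fixed point seconds) to milliseconds."""
    return value / 2**16 * 1000.0


def build_client_packet(leap=3, version=3, stratum=0, poll=6, precision=-18,
                        root_delay=0, root_disp=0x10001, refid=0,
                        xmt=0xAF68AA1110C7B7FB) -> bytes:
    """Build the mode 3 (client) request seen in the debug: leap 3 (clock
    unsynchronized), version 3, stratum 0, ppoll 64 (2**6), rtdsp 0x10001,
    all zero ref/org/rec timestamps and the given transmit timestamp."""
    first = (leap << 6) | (version << 3) | 3  # mode 3 = client request
    return struct.pack(HEADER_FMT, first, stratum, poll, precision,
                       root_delay, root_disp, refid, 0, 0, 0, xmt)


def parse_ntp_packet(data: bytes) -> dict:
    """Decode the 48-byte header; a server reply would show mode 4."""
    if len(data) < 48:
        raise ValueError("NTP header is 48 bytes")
    (first, stratum, poll, precision, root_delay, root_disp, refid,
     ref, org, rec, xmt) = struct.unpack(HEADER_FMT, data[:48])
    return {
        "leap": first >> 6, "version": (first >> 3) & 7, "mode": first & 7,
        "stratum": stratum, "poll": poll, "precision": precision,
        "root_delay_ms": short_to_ms(root_delay),
        "root_disp_ms": short_to_ms(root_disp), "refid": refid,
        "ref": ntp_ts_to_datetime(f"{ref >> 32:08X}.{ref & 0xFFFFFFFF:08X}"),
        "xmt": ntp_ts_to_datetime(f"{xmt >> 32:08X}.{xmt & 0xFFFFFFFF:08X}"),
    }
```

Feeding D39844BB.E271D517 from the final sh ntp status into ntp_ts_to_datetime gives 2012-06-29 15:14:03 UTC, which is 10:14:03 CDT as the router prints it.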

22 Replies

Paul, the ASA can only be an NTP client, not a server.

Hope it Helps!

Soroush.

Everyone,

Thanks for trying to help me. I have been trying to determine:

A- Is it the ASA blocking NTP traffic?

B- Is it the NTP server itself not replying to the client (2600 router)?

A- Is it the ASA blocking NTP traffic?

I posted both configurations: Router and ASA

I set up two captures on the ASA:

INSIDE interface

ASA(config)# access-list NTPtr permit ip any host 184.82.112.110
ASA(config)# access-list NTPtr permit ip host 184.82.112.110 any
ASA(config)# capture cap1 access-list NTPtr interface inside
ASA(config)# show capture cap1 detail

2 packets captured
   1: 10:25:15.385462 0011.9346.90c1 0024.97bb.89de 0x8100 94: 802.1Q vlan#1 P0 10.1.1.1.123 > 184.82.112.110.123:  [udp sum ok] udp 48 (ttl 255, id 0)
   2: 10:26:19.383723 0011.9346.90c1 0024.97bb.89de 0x8100 94: 802.1Q vlan#1 P0 10.1.1.1.123 > 184.82.112.110.123:  [udp sum ok] udp 48 (ttl 255, id 0)
2 packets shown

OUTSIDE interface

ASA(config)# capture cap1 access-list NTPtr interface outside

---- ASA <==> NTP server ----
113: 11:23:57.691538 0024.97bb.89de 0011.9346.7ca1 0x8100 94: 802.1Q vlan#2 P0 X.X.X.210.65535 > 184.82.112.110.123:  [udp sum ok] udp 48 (ttl 255, id 20013)
114: 11:23:57.723488 0011.9346.7ca1 0024.97bb.89de 0x8100 94: 802.1Q vlan#2 P0 184.82.112.110.123 > X.X.X.210.65535:  [udp sum ok] udp 48 (DF) (ttl 53, id 0)

---- 2600 RTR <==> NTP server ----
115: 11:24:59.336972 0024.97bb.89de 0011.9346.7ca1 0x8100 94: 802.1Q vlan#2 P0 10.1.1.1.123 > 184.82.112.110.123:  [udp sum ok] udp 48 (ttl 255, id 0)
116: 11:26:03.335279 0024.97bb.89de 0011.9346.7ca1 0x8100 94: 802.1Q vlan#2 P0 10.1.1.1.123 > 184.82.112.110.123:  [udp sum ok] udp 48 (ttl 255, id 0)

B- Is it the NTP server itself not replying to the client (2600 router)?

I have used different NTP servers and none have worked for the router.

Does anyone still think I need to explicitly allow the NTP traffic coming back? It is going out according to the captures, but there are no replies from the NTP server.

Or could it be that the IOS version is too old in that router?

Thanks again

Johnny

Hi Johnny,

If your NTP request goes out, it's not as if the NTP server doesn't reply because of the router's IOS version. Try to find out if you receive it on your outside interface, and if yes and it drops, explicitly let it in.

Hope it Helps,

Soroush.

Johnny,

Here's what I'm wondering. The ASA doesn't have a specific NAT rule for 10.1.1.0 (or at least I'm not seeing it), but it does have the rule for 10.250.x.x, which is on your LAN side. Can you change the source interface for NTP?

If the IOS supports it, it should be "ntp source fa0/0"

HTH,

John

j.blakley

I changed the NAT rule to include any IP in the 10.0.0.0 range and it still does not work, and I did away with the source.

soroushm

How would you explicitly allow the NTP traffic coming back for that host, 10.1.1.1? Please specify the configuration if you do not mind.

Thanks

Johnny

I guess you have to add this line to your ACL (allowing NTP from 38.106.177.10 to come in to any destination):

access-list from_outside extended permit udp host 38.106.177.10 eq 123 any

HTH,


Soroush.

soroushm

Thanks again. Still not working. I even added the line like this with the NTP server we are using:

access-list from_outside extended permit ip host 184.82.112.110 any

The access-list counter remains at "0" hits for traffic coming back:

access-list from_outside line 3 extended permit ip host 184.82.112.110 any (hitcnt=0) 0x644eb7c3

The capture shows this:

   1: 06:22:02.298797 802.1Q vlan#2 P0 10.1.1.1.123 > 184.82.112.110.123:  udp 48
   2: 06:23:06.297775 802.1Q vlan#2 P0 10.1.1.1.123 > 184.82.112.110.123:  udp 48

Nothing is coming back.

The only interesting thing I noticed is that the connection from the router is initiated from port 123 as well, instead of a random port, but that should not matter.

Well, I guess there is nothing else to do. I think the NTP servers are not responding to those packets coming from the 2600 router, perhaps due to an incompatibility.

The ASA is not blocking it: an open ACL is there and the counter shows no hits.

Any other idea?

Thanks

Johnny

Everyone,

The problem is fixed. I upgraded IOS from 12.2 to 12.4 and it is working now.

sh capture cap1
4 packets captured
   1: 10:05:31.855119 802.1Q vlan#1 P0 10.1.1.1.123 > 184.82.112.110.123:  udp 48
   2: 10:05:31.886947 802.1Q vlan#1 P0 184.82.112.110.123 > 10.1.1.1.123:  udp 48
   3: 10:06:35.854173 802.1Q vlan#1 P0 10.1.1.1.123 > 184.82.112.110.123:  udp 48
   4: 10:06:36.220066 802.1Q vlan#1 P0 184.82.112.110.123 > 10.1.1.1.123:  udp 48
4 packets shown

sh ntp status
Clock is synchronized, stratum 3, reference is 184.82.112.110
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
reference time is D39844BB.E271D517 (10:14:03.884 CDT Fri Jun 29 2012)
clock offset is -1.4301 msec, root delay is 35.37 msec
root dispersion is 7907.09 msec, peer dispersion is 7875.24 msec

No changes were required in the configuration. I removed the ACL that was suggested and changed the NAT statement back to the way it was.

The ASA allows NTP traffic originating behind the "INSIDE" interface and does not need an ACL to allow the traffic coming back from the NTP server.

Thanks to all that tried to help.

Johnny