NTP (VRF) problem

dan_wiebell · ‎11-01-2011

Having a problem with NTP on an 1841 with VRFs. I have configured the following:

interface VlanX

description NTP interface

ip vrf forwarding NTP

ip address <ip address>

ntp authentication-key 1 md5 blahblah

ntp authenticate

ntp source VlanX

ntp master 2

ntp max-associations 2

ntp server vrf NTP <public address 1>

ntp server vrf NTP <public address 2>

ip route vrf NTP <public address 1>

ip route vrf NTP <public address 2>

ip route vrf NTP <internal address 1>

ip route vrf NTP <internal address 2>

There is only one gateway via VlanX (the firewall).

NTP requests to the two ntp servers go out (confirmed in debug), but I get no hits on the firewall, permit or deny or otherwise. If I execute a ping from my router in the NTP vrf I get the appropriate hit.

However, if I configure another ntp server command pointing to an internal host:

ntp server vrf NTP <internal address 1>

I get the appropriate hit on the firewall. Ideas on how I can troubleshoot this? I've checked the bug tracker and there is no software bug listed for this model/image/ntp -

c1841-advipservicesk9-mz.123-11.YZ2

Reza Sharifi · ‎11-01-2011

Do you have s static route for the vrf

ip route vrf NTP x.x.x.x 255.255.255.255 x.x.x.x (vlan x)

dan_wiebell · ‎11-01-2011

As I posted above:

"ip route vrf NTP

ip route vrf NTP

ip route vrf NTP "

Routes are fine - as I said I can ping the addresses and generate the correct entries on the firewall.

NWT · ‎02-19-2018

Hi,

It's been a while, but did you manage to solve the issue?

It seems we have the same thing happening where our router doesn't send the ntp traffic with the vrf, it uses the general interface instead which is why the asa doesn't know any routes for it.

Kr

Predrag Jovic · ‎02-20-2018

Which device is in question?

Some devices do not support vrf aware ntp

IOS XE Release 3SE (3850/3650)

The switch does not support VRF-aware services

for Unicast Reverse Path Forwarding (uRPF) or Network Time protocol(NTP).