
NTP across IPsec VPN

xayavongp
Level 1

Trying to get NTP working across a VPN. I have a switch that sits behind an ASA doing an IPsec VPN (the ASA).

The NTP server is on the other side, which the switch is trying to get to.

ntp authentication-key 1 md5 ****

ntp authenticate

ntp server x.x.x.x key 1

I know the VPN is operating fine as I'm able to pass certain types of traffic.

Why does the "show ntp ass detail" command run on the switch tell me it is "configured, authenticated, insane ....." when "show crypto ips sa" run on the ASA shows zero #pkts encaps?

Basically if it is getting "authenticated" to the ntp server, then why would I not see any encapsulation increments?

Or am I just reading this wrong...

Thanks,

Pete


Rudy Sanjoko
Level 4

NTP uses UDP port 123; depending on your ASA, you will probably need to configure an access list to allow that.

Is the ASA able to sync with the NTP server with no issue? Authenticated doesn't mean that the switch has sync'ed; it should say sane instead of insane.

https://supportforums.cisco.com/docs/DOC-1263

IP to IP is allowed, which should include UDP port 123 on the crypto map.

I understand that authenticated does not mean synced. I'm trying to understand how the authentication mechanism works, which should at least indicate reachability to the NTP server. But why no encrypt/decrypt # increments for authenticating?

I'll try it with the ASA as described here:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a5641e.shtml
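
NTP symmetric-key authentication of the kind configured in the question (key 1, MD5) is a per-packet MAC rather than a separate handshake: each packet carries a 4-byte key ID and a 16-byte MD5 digest computed over the shared key followed by the NTP header. The Python sketch below is an added example, not part of the original thread; the key value, function names and zeroed header fields are constructed for illustration.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48   # fixed NTP header, before the key ID and digest
MD5_LEN = 16

def build_client_packet(key_id: int, key: bytes) -> bytes:
    """Build an NTPv3 client request with a symmetric-key MD5 MAC appended."""
    # First byte: LI=0, VN=3, Mode=3 (client). Other fields zeroed (constructed).
    header = bytes([(0 << 6) | (3 << 3) | 3]) + bytes(NTP_HEADER_LEN - 1)
    digest = hashlib.md5(key + header).digest()   # MAC = MD5(key || header)
    return header + struct.pack("!I", key_id) + digest

def verify_packet(packet: bytes, keys: dict) -> bool:
    """Check the trailing key ID and MD5 digest against the local key table."""
    if len(packet) != NTP_HEADER_LEN + 4 + MD5_LEN:
        return False                      # no MAC present, or malformed
    header = packet[:NTP_HEADER_LEN]
    (key_id,) = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])
    key = keys.get(key_id)
    if key is None:
        return False                      # key ID not configured on this side
    expected = hashlib.md5(key + header).digest()
    return hmac.compare_digest(expected, packet[NTP_HEADER_LEN + 4:])

if __name__ == "__main__":
    shared = b"example-secret"            # constructed key, stands in for ****
    pkt = build_client_packet(1, shared)
    print("matching key:  ", verify_packet(pkt, {1: shared}))
    print("mismatched key:", verify_packet(pkt, {1: b"other-secret"}))
    print("unknown key ID:", verify_packet(pkt, {2: shared}))
```
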
