01-24-2013 01:45 PM - edited 02-21-2020 06:39 PM
Trying to get NTP working across a VPN. I have a switch that sits behind an ASA doing an IPsec VPN (the ASA).
The NTP server is on the other side, which the switch is trying to get to.
ntp authentication-key 1 md5 ****
ntp authenticate
ntp server x.x.x.x key 1
I know the VPN is operating fine as I'm able to pass certain types of traffic.
Why does the "show ntp ass detail" command run on the switch tell me it is "configured, authenticated, insane ....."
when on the ASA I run "show crypto ips sa" it shows zero #pkts encaps:
Basically if it is getting "authenticated" to the ntp server, then why would I not see any encapsulation increments?
Or am I just reading this wrong...
Thanks,
Pete
01-25-2013 12:39 AM
NTP uses UDP port 123; depending on your ASA, you will probably need to configure an access list to allow that.
Is the ASA able to sync with the NTP server with no issue? Authenticated doesn't mean that the switch has synced; it should say sane instead of insane.
01-28-2013 07:31 AM
IP to IP is allowed, which should include UDP port 123 on the crypto map.
I understand that authenticated does not mean synced. I'm trying to understand how the authentication mechanism works, which should at least indicate reachability to the NTP server. But why no encrypt/decrypt # increments for authenticating?
I'll try it with the ASA as described here :
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a5641e.shtml
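The question above is how the "authenticated" flag relates to reachability. The following is an added example, not code from the thread or from Cisco: it builds an NTPv4 client request with the RFC 5905 symmetric-key MAC (a 32-bit key ID followed by MD5 over the shared key concatenated with the 48-byte header), has a simulated server verify it and answer, and has the client verify the reply. The key table, the secret `example-shared-secret` standing in for the redacted `****`, and the function names are all assumptions made for the example.

```python
import hashlib
import hmac
import struct
import time

# Offset between the NTP era (1900-01-01) and the Unix epoch (1970-01-01), in seconds.
NTP_UNIX_OFFSET = 2208988800

HEADER_LEN = 48      # fixed NTP header, RFC 5905 section 7.3
MAC_LEN = 4 + 16     # 32-bit key ID followed by a 16-byte MD5 digest

# Constructed key table standing in for "ntp authentication-key 1 md5 ****";
# the secret in the post is redacted, so this value is an assumption.
KEYS = {1: b"example-shared-secret"}


def ntp_timestamp(unix_time):
    """Encode a Unix time as a 64-bit NTP timestamp (32.32 fixed point)."""
    secs = int(unix_time) + NTP_UNIX_OFFSET
    frac = int((unix_time - int(unix_time)) * (1 << 32))
    return struct.pack("!II", secs & 0xFFFFFFFF, frac & 0xFFFFFFFF)


def build_header(mode, stratum=0, transmit=None):
    """Build a 48-byte NTPv4 header: mode 3 = client request, mode 4 = server reply."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode   # LI=0, VN=4, mode
    poll, precision = 6, -20
    transmit = transmit or ntp_timestamp(time.time())
    header = struct.pack("!BBbb", li_vn_mode, stratum, poll, precision)
    header += b"\x00" * 12    # root delay, root dispersion, reference ID
    header += b"\x00" * 24    # reference, origin and receive timestamps
    header += transmit
    return header


def authenticate(header, key_id, keys=KEYS):
    """Append the symmetric-key MAC: key ID, then MD5(key || header)."""
    digest = hashlib.md5(keys[key_id] + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet, keys=KEYS):
    """Check a received packet's MAC the way the receiver would. Returns (ok, reason)."""
    if len(packet) == HEADER_LEN:
        return False, "no MAC present"
    if len(packet) != HEADER_LEN + MAC_LEN:
        return False, "unexpected length"
    header = packet[:HEADER_LEN]
    key_id = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + 4])[0]
    key = keys.get(key_id)
    if key is None:
        return False, "unknown key ID %d" % key_id
    expected = hashlib.md5(key + header).digest()
    if not hmac.compare_digest(expected, packet[HEADER_LEN + 4:]):
        return False, "digest mismatch"
    return True, "authenticated with key %d" % key_id


def exchange(key_id=1, server_stratum=2):
    """Simulate the round trip: client request, server verify, server reply, client verify."""
    request = authenticate(build_header(mode=3), key_id)
    server_ok, _ = verify(request)
    if not server_ok:
        return {"server_accepted": False}
    reply = authenticate(build_header(mode=4, stratum=server_stratum), key_id)
    client_ok, reason = verify(reply)
    return {"server_accepted": True, "client_accepted": client_ok,
            "reason": reason, "reply_stratum": reply[1]}


def tamper(packet):
    """Flip one bit of the stratum byte; an authenticated packet must then fail verification."""
    return packet[:1] + bytes([packet[1] ^ 0x01]) + packet[2:]


if __name__ == "__main__":
    print(exchange())
    pkt = authenticate(build_header(mode=3), 1)
    print(len(pkt), verify(pkt), verify(tamper(pkt)), verify(build_header(mode=3)))
```

A MAC that verifies only proves that a reply carrying the shared key arrived unaltered; it says nothing about whether that server's time is usable, which is a separate sanity check. An authenticated request is 68 bytes rather than 48, so if a capture on either side of the tunnel shows 68-byte UDP/123 packets leaving the switch, the authentication path is exercising the network even while the association is still not synced.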