
wlc 2504 NTP or Manual Timing Problem

lkajcsu01
Level 1

Manual and/or NTP timing issue:

2504 WLC=poe Switch - couple of APs

When, for example after an accidental power cut, your WLC has no power:

: for 5 minutes, and it doesn't have an NTP server -> its time might come back the same as the configured APs'

: for longer than 5 minutes -> it will lose its time and go back to the default, which is Sat Jan  1 00:00:00 2000, so you will never forget that the first day of the 21st century was a Saturday. How good is that, Cisco reminds you where the 2K starts.

If you use an NTP server (I have only tested with a Cisco IOS internal NTP server; it was not tested with external NTP, but I will do that later), you will see it might not work: the WLC and the router are "not in sync", they are not synchronizing the time with each other.

But let's dig deeper here:

 - connection:

CiscoRouter 192.168.0.1  --- SW ---- 192.168.0.5 WLC

 - config used in router:

ntp logging
ntp authentication-key 1 md5 CiscoTimeKey                                                                  
ntp authenticate
ntp trusted-key 1
ntp source Vlan1
ntp access-group ipv4 peer 1
ntp master 5
ntp max-associations 5
ntp update-calendar
ntp server 192.168.0.1 prefer version 4 burst key 1 source Vlan 1
ntp peer 192.168.0.5

 - config on wlc

config time ntp key-auth add 1 md5 ascii CiscoTimeKey
config time ntp auth enable 1 1
config time ntp server 1 192.168.0.1

Go to the GUI on the WLC and check the "NTP" section / don't forget to save.

( on the WLC leave the "ntp time interval : 600 " at its default )

..and your APs are still not coming up.. between the router and the WLC the NTP authentication - the key exchange and authentication to be exact - is perfect, but the time is not in sync....

CiscoRouter#sh ntp associations

  address         ref clock       st   when   poll reach  delay  offset   disp
*~127.127.1.1     .LOCL.           4     12     16   377  0.000   0.000  0.232
 ~192.168.0.1     .INIT.          16      -     64     0  0.000   0.000 15937.
 ~192.168.0.5     .INIT.          16      -    512     0  0.000   0.000 15937.
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
CiscoRouter#

(Cisco Controller) show>time

Time............................................. Sat Jan 1 00:05:24 2000

Timezone delta................................... 0:0
Timezone location................................

NTP Servers
NTP Polling Interval......................... 600

Index   NTP Key Index   NTP Server    Status        NTP Msg Auth Status
------- ----------------------------------------------------------------------------------------------
1       1               192.168.0.1   Not Synched   AUTH SUCCESS

CiscoRouter#sh ntp packets
Ntp In packets : 348
Ntp Out packets : 367
Ntp bad version packets : 348
Ntp protocol error packets : 0

... still nothing... so the router is sending NTP packets out and the packets coming back are flagged as "bad" packets..

CiscoRouter#sh ntp packets
Ntp In packets : 446
Ntp Out packets : 469
Ntp bad version packets : 446
Ntp protocol error packets : 0

..still nothing ...

CiscoRouter#sh ntp packet
Ntp In packets : 638
Ntp Out packets : 692
Ntp bad version packets : 638
Ntp protocol error packets : 0

... and suddenly something happens .. (after 18 minutes of misery)

Time............................................. Fri Apr 28 08:32:00 2017

Timezone delta................................... 0:0
Timezone location................................

NTP Servers
NTP Polling Interval......................... 600

Index   NTP Key Index   NTP Server    Status        NTP Msg Auth Status
------- ----------------------------------------------------------------------------------------------
1       1               192.168.0.1   In Sync       AUTH SUCCESS

..and all your APs are back again.

.. if you know the right, detailed answer why, please let me know !!!

SHARE IT !


lkajcsu01
Level 1

Confirmation about the APs' uptime:

UP Time
0 d, 01 h 50 m 37 s
Controller Associated Time
0 d, 01 h 32 m 22 s
Controller Association Latency
0 d, 00 h 18 m 14 s

So you should wait around 18 minutes. Tested on three different router-sw-wlc setups, all work with the configuration above.

SHARE IT !

Makes sense.

The router(s), 192.168.0.1 & 192.168.0.15, are classed as "Stratum 16".  This means it's the "least" trustworthy.  So the WLC, I guess, is cycling through "shopping" for trustworthy NTP packets being offered.

We use InfoBlox as our NTP server and I've got 12 controllers and I have never seen a problem with our type of setup.  Our InfoBlox is classed as "Stratum 2".  We also have a Linux server with a second job of being an NTP server and >1k routers and switches are pointed to it.  Like our InfoBlox it's classed as a "Stratum 2" and we've got no issues with NTP synchronizing after a reboot or power outages.  

NOTE:  The only time I saw NTP synchronization take >4 minutes, more like 10 minutes, after a reboot or power outage was due to a bug with the IOS code.

So what happens if your router goes out to the internet and gets synchronized to an authoritative time-source?

Another thing, NTP can get slowed down by a lot of things, like ACL and authentication.  Want to speed things up?  Keep it simple.  The command "ntp server <IP ADDRESS>" is as simple as it gets.   

Hello Leo, 

 

Thanks for your advice, I will test later what can speed this process up.

I will also try what happens when the IOS router has external NTP and internal NTP at the same time, but what concerns me more is this:

CiscoRouter#sh ntp packet
Ntp In packets : 638
Ntp Out packets : 692
Ntp bad version packets : 638
Ntp protocol error packets : 0

No errors on the NTP packets, but it is not forming NTP synchronization because of the version of the NTP packet..

This example is with the default NTP version 4, but when I tried with version 3 or version 2, I got exactly the same result .. ( more or less, with ver3 it was 18:35 , with ver2 it was 18:10 )

The "ntp master 5" sets this example to Stratum 5; I will also try what happens if I change it to Stratum 2.

Thanks for the comments !

The command "ntp master" will only make matters a lot worse.  The command, literally, translates to the router telling everyone "Hey, look.  I am an authoritative time source." when it's not.  It's not because Cisco routers cannot keep an accurate time without synchronizing to an authoritative time source.

May we, if it's possible, ask the logic or the reasoning behind this exercise of having the router NOT get authoritative NTP time synchronization?
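
An added example, not part of any post in this thread and not Cisco code: a Python decoder for the NTP header fields that the counters and status columns above refer to (leap indicator, version, mode, stratum) plus the symmetric-key MD5 check selected by "key 1". It assumes the classic MAC layout of a 4-byte key id followed by MD5(key || 48-byte header); `build_packet`, `inspect` and `accepted_versions` are hypothetical names, and the sample packets are constructed.

```python
import hashlib
import hmac
import struct

# Key id -> secret; id 1 / "CiscoTimeKey" are the values configured in the thread.
KEYS = {1: b"CiscoTimeKey"}


def build_packet(li, vn, mode, stratum, key_id=None):
    """Constructed sample: 48-byte header, optionally followed by key id + MD5 MAC."""
    first = (li << 6) | (vn << 3) | mode          # LI (2 bits), VN (3), Mode (3)
    header = struct.pack("!BBbb", first, stratum, 6, -20) + bytes(44)
    if key_id is None:
        return header
    mac = hashlib.md5(KEYS[key_id] + header).digest()
    return header + struct.pack("!I", key_id) + mac


def inspect(packet, accepted_versions=(3, 4)):
    """Decode the fields a receiver checks before it will use a time sample."""
    if len(packet) not in (48, 68):
        raise ValueError("expected a 48-byte header, or 68 bytes with an MD5 MAC")
    first, stratum = packet[0], packet[1]
    info = {"leap": first >> 6, "version": (first >> 3) & 0x7,
            "mode": first & 0x7, "stratum": stratum, "auth": "none"}
    if len(packet) == 68:
        key_id = struct.unpack("!I", packet[48:52])[0]
        secret = KEYS.get(key_id)
        expected = hashlib.md5(secret + packet[:48]).digest() if secret else b""
        good = secret is not None and hmac.compare_digest(expected, packet[52:])
        info["auth"] = "ok" if good else "fail"
    # accepted_versions is an assumption for this sketch, not a Cisco default.
    info["version_ok"] = info["version"] in accepted_versions
    # LI=3 or a stratum outside 1..15 means the sender has no usable time yet.
    info["synchronized"] = info["leap"] != 3 and 1 <= stratum <= 15
    return info


if __name__ == "__main__":
    samples = {
        "server reply, stratum 5, key 1": build_packet(0, 4, 4, 5, key_id=1),
        "unsynchronized peer (LI=3, stratum 16)": build_packet(3, 4, 1, 16, key_id=1),
        "version 2 request, no MAC": build_packet(0, 2, 3, 0),
    }
    for label, pkt in samples.items():
        print(label, inspect(pkt))
```

A packet can pass the MAC check and still be unusable as a time source, which is the combination the WLC output shows as "AUTH SUCCESS" next to "Not Synched".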
