Solved: NTP synchronization problem

jgtheodor · ‎07-30-2007

Hi,

I have been trying for three days now to configure ntp in a Cisco router 3662 [(12.2(13)T16]. First i tried to obtain clock from a windows DC Server 2000 unsuccessful. The configuration is simple. I have added only the command ntp server <IP address>. I read somewhere that windows servers distribute clocking only to windows machines. Is that true? Then i tried to obtain clocking from a public ntp server. From debbuging i had activated i realized that no ntp reply was caming back. Can anyone help me...

Urgent....Thanks in advance!

RF_IESFAFE · ‎07-30-2007

Hi jgtheodor,

I believe 172.16.1.53 is your windows server.

Again you must have in consideration that you cannot mix ntp client with sntp server, as you can see in the debug that the ntp client in your Cisco router does not accept your windows server as a valid time source.

If you dont need your router to have a time precision of less than 100ms, and if you dont need your router to act as a ntp time server itself, then you can use your windows server as the time source using sntp and maybe it is the best solution for you.

Try to check if your router accepts the "sntp server" command in cli configuration mode. I know of at least 3 different models from the 8xx series that has *both* features together, ntp and sntp.

In the event it does not have the sntp feature, you can look and find a public ntp server that best feats your situation (i.e. closest to your location) at http://www.pool.ntp.org

Regards,

Rui

View solution in original post

graemeporter · ‎07-30-2007

Hi there,

Is there an access list applied that is perhaps blocking NTP (UDP port 123)? Either the router in question, or perhaps a firewall or some other router between you and the NTP server may be blocking that port.

Windows will act as a timeserver for anything; we use our domain controllers as time servers for our Cisco devices here without issue.

Hope this helps!

Kind regards,

Graeme

royalblues · ‎07-30-2007

All you need on the Cisco router is the command ntp server

You can definitely use the windows machine as your NTP server.

Check whether NTP is disabled on the specific inerface which leads to the NTP source?

Check for access-lists that mighr block NTP

Make sure the NTP service is running in the wondows machine.

have a look at this link

http://www.windowsnetworking.com/articles_tutorials/Configuring-Windows-Time-Service.html

http://support.microsoft.com/kb/216734

HTH

Narayan

Richard Burts · ‎07-30-2007

John

I am not so sure about learning NTP from Windows, but I will defer to my colleagues on this point and speak to your difficulty in learning NTP from an outside time server. My first suggestion is to verify IP connectivity. Can you ping the address that you have configured as the NTP server? (if you have specified NTP source address, then ping using extended ping and in the extended ping specify the source address as your NTP source address). Assuming that this works my next thought would be about the NTP server and if it is external does your traffic go through a firewall? If so is it possible that the firewall is blocking the NTP traffic? (it could be blocking your request outbound, or it could be blocking the response inbound).

If none of these get past the problem then I would ask that you post the configuration of the router and also to post the output of show ntp association detail.

HTH

Rick

HTH

Rick

RF_IESFAFE · ‎07-30-2007

Hi,

Windows 2000 does not come shipped with any ntp service.

Its integrated time service is designed to serve other windows clients, it may respond to ntp queries but its not suitable or even fully compatible to serve ntp clients, in fact ntp clients may even consider it an invalid time source.

You can however install a 3rd-party ntp service software (but you must disable the windows time service first), and you can find a windows port of the *nix ntp package at http://www.ntp.org

If you cant get the time even from public ntp servers, then:

- the public ntp server is not working or is not public anymore, or

- ntp traffic is blocked at the firewall, or

- ntp queries are sent through the wrong route/interface.

Regards,

Rui

RF_IESFAFE · ‎07-30-2007

Hi again,

Just to make an update to my previous post.

The windows time service uses a variation and simplified version of the NTP protocol, the SNTP protocol.

You can indeed use the windows time service to serve time for your Cisco using this protocol, but you must use the cli command "sntp server" instead of "ntp server".

Regards,

Rui

jgtheodor · ‎07-30-2007

Hi,

As far i know, SNTP generally is supported on those platforms that do not provide support for NTP, such as the Cisco 1000 series, 1600 series, and 1700 series platforms, so i cannot use it in 3662. This router has Version 12.2(13)T16 and the only command i have added is ntp server 172.16.1.53 (PDC Root Domain Emulator). I am also sending you the relevant .txt debugging. There is no access-list at all in the path from ntp client to ntp server. Is there any public ntp server active you know to try again obtaining clocking from internet?

Thanks guys

RF_IESFAFE · ‎07-30-2007

Hi jgtheodor,

I believe 172.16.1.53 is your windows server.

Again you must have in consideration that you cannot mix ntp client with sntp server, as you can see in the debug that the ntp client in your Cisco router does not accept your windows server as a valid time source.

If you dont need your router to have a time precision of less than 100ms, and if you dont need your router to act as a ntp time server itself, then you can use your windows server as the time source using sntp and maybe it is the best solution for you.

Try to check if your router accepts the "sntp server" command in cli configuration mode. I know of at least 3 different models from the 8xx series that has *both* features together, ntp and sntp.

In the event it does not have the sntp feature, you can look and find a public ntp server that best feats your situation (i.e. closest to your location) at http://www.pool.ntp.org

Regards,

Rui

RF_IESFAFE · ‎07-30-2007

Just for reference, acording to your debug output, the lines referencing where the validity check fails are:

...

NTP: rcv packet from 172.16.1.53 to 172.16.11.2 on FastEthernet0/0:

...

rtdel 0000 (0.000), rtdsp 91DC488 (2333767.700), refid AC100133 (172.16.1.51)

...

Root delay/dispersion failed boundary check

rtdel == Root delay;

rtdsp == Root dispersion;

refid == the time source of the ntp server (Root).

dispersion = 2333767.700 seconds (very huge, unacceptable??)

Perhaps your windows server does not have a correct time sync itself with a valid time source, thus making this huge dispersion, and maybe its what is really causing the 3662 to not accept it.

Regards,

Rui

jgtheodor · ‎07-31-2007

Hi,

Unfortunately SNTP is not supported in platform 3600. I configured 3 public NTP Servers but again tha same results, not NTP replies. I contucted with my ISP and the NOC guys inform me that NTP packets are filtered at ISP side without further notification...I asked to open the UDP port 123, and i resolve this issue...my goodeness!!!!

thanks again for your assistance!

purohit_810 · ‎07-30-2007

Hi,

You are configuring good.

But please ansure following points:

1) Check locally on server 123 Port is working or not by following DOS command.

telnet {Local IP} 123

Blank Screen Mean : OK otherwise your NTP is not working on that server localy.\

2) Open Inboud Access for Port 123 by access-list.

3) If you have Firewall in beetween ROUTER and SERVER please open PORT 123 on firewall.

4) If still it is not been able to to sychronize use " NTP BROADCACAST " comand.

Regards,

Dharmesh Purohit

RF_IESFAFE · ‎07-30-2007

Hi Dharmesh Purohit,

Sorry I have to disagree with you, but you are missing the fact that ntp uses UDP and not TCP, telnet uses TCP and not UDP, so your method for testing the ntp server by using telnet is not valid.

Regards,

Rui