NTP Server Authentication

avilt
Level 3

I am setting up an NTP master server on a Catalyst 4000 series switch. I would like to implement authentication between the server and the client. I have the following commands, which do not work.

What's wrong with the commands below?

Server:

ntp authentication-key 1 md5 xxx

ntp authenticate

ntp master 6

ntp max-associations 10

Client:

ntp authentication-key 1 md5 xxx

ntp authenticate

ntp server 10.0.0.1 key 1


13 Replies

Richard Burts
Hall of Fame

avil

You need to add:

ntp trusted-key 1

on both the server and the client.

Try it and let us know if it works now.

HTH

Rick

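An added example (not code from the thread or from Cisco) of why the trusted-key line matters: NTP MD5 authentication appends a key id plus MD5(key || header) to each packet, and a receiver running "ntp authenticate" accepts a packet only if that key id is both configured and trusted. Key id 1 and key "xxx" are taken from the question; packet contents are constructed.

```python
import hashlib
import hmac
import struct

# Added example, not code from the thread. It models the IOS commands
# "ntp authentication-key 1 md5 xxx" (the key table) and "ntp trusted-key 1"
# (the set of key ids a peer may be authenticated with). The key id and key
# are the ones quoted in the question; the packet contents are constructed.
AUTH_KEYS = {1: b"xxx"}      # ntp authentication-key 1 md5 xxx

NTP_HEADER_LEN = 48          # LI/VN/mode through transmit timestamp
MAC_LEN = 4 + 16             # key id + MD5 digest (RFC 5905 App. A / RFC 1305)

def build_ntp_packet(mode, stratum, transmit_ts, version=4):
    """Build a 48-byte NTP header with LI=0 and all timestamps zero except transmit."""
    first = (0 << 6) | (version << 3) | mode          # LI | VN | mode
    return struct.pack("!BBbbIIIQQQQ", first, stratum, 0, 0, 0, 0, 0,
                       0, 0, 0, transmit_ts)

def sign_packet(packet, key_id, keys=AUTH_KEYS):
    """Append the NTP MD5 authenticator: key id, then MD5(key || header)."""
    digest = hashlib.md5(keys[key_id] + packet).digest()
    return packet + struct.pack("!I", key_id) + digest

def verify_packet(signed, trusted, keys=AUTH_KEYS):
    """Return (ok, reason) as a receiver configured with "ntp authenticate" would.
    Assumes no NTPv4 extension fields, so the MAC is the last 20 bytes."""
    if len(signed) < NTP_HEADER_LEN + MAC_LEN:
        return False, "no authenticator"
    header, mac = signed[:-MAC_LEN], signed[-MAC_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in keys:
        return False, "unknown key id"
    if key_id not in trusted:                 # "ntp trusted-key <id>" missing
        return False, "key id not trusted"
    expected = hashlib.md5(keys[key_id] + header).digest()
    if not hmac.compare_digest(expected, mac[4:]):
        return False, "digest mismatch"
    return True, "ok"
```

With an empty trusted set (the original configuration) a correctly signed server packet is still rejected; adding key id 1 to the trusted set is what makes it verify.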

Thanks, it worked.

One more query, I have configured the NTP server to get the time from the US Navy Server. But it does not sync its time.

The NTP command on the Server is given below.

ntp master 6

ntp server 192.5.41.41

I am also attaching the show ntp commands.

In my firewall logs I can see the NTP access from the switch to the US Navy server, but the switch does not update its clock.

Try using:

ntp server 192.5.41.41 prefer

avil

Thanks for posting the additional information. There are several parts of the output that show quite clearly that your device has not established NTP communication with the US Navy server.

Your post mentions messages in the firewall logs. Could you provide some details of what the firewall is saying?

At this point it is a bit hard to tell whether the problem is that you are not getting to the server or whether the server response is not getting back to you. I wonder if the firewall is denying NTP packets.

Also I am not clear why you have configured your device with ntp master 6. Perhaps you can explain why this is configured? In the meantime while we try to resolve the issue with the Navy server I suggest that you remove the ntp master 6 from the config. It may simplify the troubleshooting.

HTH

Rick


Hi Rick,

I changed my config on the switch as below:

ntp master

ntp server 192.5.41.41 prefer

Still it does not update its time. In the firewall logs, it shows the NTP request getting accepted. It's not a firewall issue, as we have other UNIX servers inside the LAN getting time from the same US Navy NTP server, which come under the same firewall rule.

Thanks

Av

Av

ntp master 6 or ntp master - there is not much significant difference. Can you explain to us why you are configuring this as an ntp master?

Are you sure that the firewall rule that permits your Unix servers also permits this device?

HTH

Rick


I am configuring this as NTP master because I want this switch to act as an NTP server to other NTP clients (inside the LAN).

Yes, the firewall permits ntp access to this device.

Av

You do not need to configure ntp master to have the switch act as an NTP server for other devices. If the switch has learned authoritative time from an NTP source it is automatically enabled to act as an NTP server to other devices.

Configuring ntp master means that the switch would act as a server even if it did not have authoritative time. Is that what you want?

HTH

Rick


Rick,

I removed the command "ntp master", still the same issue. Also noted that when I remove that command, the clients do not sync their time with the NTP server (switch).

My requirement is that the L3 switch should get its time from the US Navy NTP server. Our other internal L2 switches should get the time from the L3 switch.

Thanks

Av

Av

I believe that there are two separate issues here and they are really not related to each other. One issue is whether your switch should be configured as ntp master. If the switch is configured as ntp master then it will offer its version of time whether it is authoritative or not (is correct or not). I think that this is a bad idea and hope that this is not something that you did intentionally.

The other issue is why the switch is not learning time from the Navy server. It seems that there are a couple of reasons why this may happen. It is possible that your NTP requests are not getting to the server or that the responses from the server are not getting to you. My guess is that this is likely the case since the show ntp association does not show a reference clock for the Navy server. Or it is possible that the NTP response is getting to you but that there is enough variability in traffic through the network that the switch is not able to sync with the server. I have seen a customer network where this was an issue for a while.

I would suggest that the next step might be to run debug ntp packet and see if you are sending to the right address and to see if you are getting responses.

HTH

Rick


Thank You Rick.

It seems like a connection issue between the L3 switch and the US Navy NTP server. The firewall logs show that for the NTP access, the L3 switch uses both source/destination port 123, whereas the other UNIX servers use source port >1024 and destination port 123.

We have ACLs at the internet edge router, which might be blocking the NTP reply from the US Navy NTP server.

I wonder why, for NTP access, the L3 switch uses both source/destination port 123.

Thank You for the feedback

How can I disable the router from becoming an NTP server but still have it get time from the external NTP server?

Thanks

Av

Av

It is common behavior in IOS to use 123 as both the source port and the destination port. I am not aware of any configuration option to change this.

I am somewhat puzzled at the most recent question. It seems like in previous posts you want it to be an NTP server for other devices on your network and now you are asking how to block it from being an NTP server. In IOS if a device has learned authoritative time then it is willing to serve as an NTP server for other devices. If you want to prevent this I believe that you can use the ntp access-group server command to prevent this.

Thank you for using the rating system to indicate that your issue was resolved (and thanks for the rating). It makes the forum more useful when people can read about an issue and can know that they will read a solution that resolved the issue.

I encourage you to continue your participation in the forum.

HTH

Rick

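An added example (not from the thread) of the edge-ACL failure mode discussed above: a simplified matcher for IOS-style extended ACL entries, run against a UNIX-style NTP reply (destination port ephemeral) and an IOS-style reply (destination port 123). The addresses 192.5.41.41 and 10.0.0.1 are from the thread; 10.0.0.50 and the ACL lines themselves are constructed.

```python
# Added example, not from the thread: a simplified matcher for IOS-style
# extended ACL entries (udp only, "host <ip>" or "any", "eq/gt/lt <port>").
# It shows why an IOS NTP reply with source AND destination port 123 is
# dropped by an edge ACL written for UNIX-style clients (ephemeral destination
# port). 192.5.41.41 and 10.0.0.1 come from the thread; 10.0.0.50 and the ACL
# lines are constructed.

def parse_ace(line):
    """Parse 'permit|deny udp <src> [op port] <dst> [op port]' into a tuple."""
    toks = line.split()
    if len(toks) < 4 or toks[1] != "udp":
        raise ValueError("unsupported ACE: " + line)
    i = 2
    def addr():
        nonlocal i
        if toks[i] == "any":
            i += 1
            return None                    # matches every address
        if toks[i] == "host":
            i += 2
            return toks[i - 1]
        raise ValueError("unsupported address spec: " + toks[i])
    def port():
        nonlocal i
        if i < len(toks) and toks[i] in ("eq", "gt", "lt"):
            op, val = toks[i], int(toks[i + 1])
            i += 2
            return op, val
        return None                        # no port test
    src, sport, dst, dport = addr(), port(), addr(), port()
    return toks[0], src, sport, dst, dport

def _port_ok(cond, port):
    if cond is None:
        return True
    op, val = cond
    return {"eq": port == val, "gt": port > val, "lt": port < val}[op]

def acl_decision(acl, src_ip, sport, dst_ip, dport):
    """First matching entry wins; IOS ACLs end with an implicit deny."""
    for line in acl:
        action, src, sp, dst, dp = parse_ace(line)
        if (src in (None, src_ip) and dst in (None, dst_ip)
                and _port_ok(sp, sport) and _port_ok(dp, dport)):
            return action
    return "deny"

# Inbound ACL on the edge router, as it might have been written for the UNIX hosts.
EDGE_ACL = ["permit udp host 192.5.41.41 eq 123 any gt 1023"]
# Same ACL with an entry for the IOS behaviour (reply to port 123 on the switch).
EDGE_ACL_FIXED = EDGE_ACL + ["permit udp host 192.5.41.41 eq 123 host 10.0.0.1 eq 123"]
```

The UNIX reply passes the original ACL while the switch's reply hits the implicit deny; the added entry permits only port-123 replies from the configured server to the switch, rather than opening port 123 broadly.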