NTP not synchronizing within remote lan

Unanswered Question

NTP is configured in the central site core switch to get time from a master clock on the internet. Switches at the central site sync off the core switch fine. My first remote site router syncs off the core switch fine. However, my three remote LAN switches, which I have pointed to the remote router, will not sync off of that. (They can PING the router). Is there some type of variance that I need to configure for NTP to allow me to cascade NTP references?


THANKS!

aravindhs Fri, 10/19/2007 - 07:08

Hi,


Could you post the NTP-related configs on the upstream routers (the routers that serve the NTP requests from the non-synching remote LAN devices)? Firstly, any access-lists on the routers?

MASTER in core site:

!

ntp clock-period 36029347

ntp source Vlan1

ntp server 129.6.15.28

end


Huntington-SW3#sho ntp status

Clock is synchronized, stratum 2, reference is 129.6.15.28

nominal freq is 119.2092 Hz, actual freq is 119.2074 Hz, precision is 2**18

reference time is CAC34E61.EECFF3CC (11:40:17.932 EDT Fri Oct 19 2007)

clock offset is -11.7683 msec, root delay is 253.54 msec

root dispersion is 37.40 msec, peer dispersion is 25.62 msec

Huntington-SW3#



----------------------------


Remote site router:


!

interface FastEthernet0/0

description ***

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip route-cache flow

duplex full

speed 100

no mop enabled

!

interface FastEthernet0/0.1

encapsulation dot1Q 1 native

ip address 10.2.1.1 255.255.255.0

!



!

scheduler allocate 20000 1000

ntp clock-period 17180237

ntp server 10.1.1.3

!

end


Chicago-RT1#sho ntp status

Clock is synchronized, stratum 3, reference is 10.1.1.3

nominal freq is 250.0000 Hz, actual freq is 249.9946 Hz, precision is 2**18

reference time is CAC34F54.899F2E7D (10:44:20.537 CDT Fri Oct 19 2007)

clock offset is -1.1574 msec, root delay is 294.22 msec

root dispersion is 40.22 msec, peer dispersion is 1.65 msec

Chicago-RT1#



----------------------------------------

Remote site switch that will not sync:



!

ntp server 10.2.1.1

end


Chicago-SW1#sho ntp status

Clock is unsynchronized, stratum 16, no reference clock

nominal freq is 119.2092 Hz, actual freq is 119.2092 Hz, precision is 2**18

reference time is 00000000.00000000 (18:00:00.000 CST Thu Dec 31 1899)

clock offset is 0.0000 msec, root delay is 0.00 msec

root dispersion is 0.00 msec, peer dispersion is 0.00 msec

Chicago-SW1#ping 10.2.1.1


Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.2.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Chicago-SW1#



Danilo Dy Fri, 10/19/2007 - 07:52

Hi,


First, don't put "ntp disable" in the interface of the remote switch that is used to sync to the central site.


The service port is UDP 123 one way from switch to central site, make sure there is no ACL blocking it.


Regards,

Dandy

Richard Burts Fri, 10/19/2007 - 08:08

Michael


There is not any variance to configure with NTP to accommodate remote sites. The NTP protocol provides the variance without special configuration which should facilitate cascading NTP server references.


There are several things which might cause the symptoms. As mentioned there is the possibility that some access list might be denying traffic and you should check for that. It is also possible to configure ntp access-group which can impact learning NTP. It might be on the server or on the client. Or there might be ntp authentication configured which could impact operations. Perhaps you can post the ntp configuration of the client which is having problems and of the router from which it is attempting to learn time? It would also be helpful to have the output of show ntp association detail. Perhaps you could post this also?


HTH


Rick

Rick,

Below are my configurations: (Thanks for looking.)

MASTER in core site:

!

ntp clock-period 36029347

ntp source Vlan1

ntp server 129.6.15.28

end


Huntington-SW3#sho ntp status

Clock is synchronized, stratum 2, reference is 129.6.15.28

nominal freq is 119.2092 Hz, actual freq is 119.2074 Hz, precision is 2**18

reference time is CAC34E61.EECFF3CC (11:40:17.932 EDT Fri Oct 19 2007)

clock offset is -11.7683 msec, root delay is 253.54 msec

root dispersion is 37.40 msec, peer dispersion is 25.62 msec

Huntington-SW3#



----------------------------


Remote site router:


!

interface FastEthernet0/0

description ***

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip route-cache flow

duplex full

speed 100

no mop enabled

!

interface FastEthernet0/0.1

encapsulation dot1Q 1 native

ip address 10.2.1.1 255.255.255.0

!



!

scheduler allocate 20000 1000

ntp clock-period 17180237

ntp server 10.1.1.3

!

end


Chicago-RT1#sho ntp status

Clock is synchronized, stratum 3, reference is 10.1.1.3

nominal freq is 250.0000 Hz, actual freq is 249.9946 Hz, precision is 2**18

reference time is CAC34F54.899F2E7D (10:44:20.537 CDT Fri Oct 19 2007)

clock offset is -1.1574 msec, root delay is 294.22 msec

root dispersion is 40.22 msec, peer dispersion is 1.65 msec

Chicago-RT1#



----------------------------------------

Remote site switch that will not sync:



!

ntp server 10.2.1.1

end


Chicago-SW1#sho ntp status

Clock is unsynchronized, stratum 16, no reference clock

nominal freq is 119.2092 Hz, actual freq is 119.2092 Hz, precision is 2**18

reference time is 00000000.00000000 (18:00:00.000 CST Thu Dec 31 1899)

clock offset is 0.0000 msec, root delay is 0.00 msec

root dispersion is 0.00 msec, peer dispersion is 0.00 msec

Chicago-SW1#ping 10.2.1.1


Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.2.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Chicago-SW1#






Richard Burts Fri, 10/19/2007 - 09:26

Michael


Thank you for posting additional information. It does show ntp achieving sync out to the router before the switch. And the configs posted do show no authentication and no access-groups. So it is strange that the switch is not getting to sync. Could you post the output of show ntp association detail from the switch that is not getting sync?


HTH


Rick

Rick, I also did a debug ntp packet and I see it leaving the unsynched client switch but do not see it received at the synced router. I've tried sourcing the router NTP packets from a loopback interface and tried defining a specific NTP access group peer. Again, I can PING the router; the only anomaly about the config is that it is a dot1q trunk between the switch and router. NTP is riding on the default/native vlan1.


Chicago-SW1#sho ntp associat

Chicago-SW1#sho ntp associations detail

10.2.1.1 configured, insane, invalid, unsynced, stratum 16

ref ID 0.0.0.0, time 00000000.00000000 (18:00:00.000 CST Thu Dec 31 1899)

our mode client, peer mode unspec, our poll intvl 64, peer poll intvl 64

root delay 0.00 msec, root disp 0.00, reach 0, sync dist 0.000

delay 0.00 msec, offset 0.0000 msec, dispersion 16000.00

precision 2**5, version 3

org time 00000000.00000000 (18:00:00.000 CST Thu Dec 31 1899)

rcv time 00000000.00000000 (18:00:00.000 CST Thu Dec 31 1899)

xmt time AF3BF7D8.5A3BED80 (20:47:52.352 CST Sun Feb 28 1993)

filtdelay = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00

filtoffset = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00

filterror = 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0


Chicago-SW1#sho ntp status

Clock is unsynchronized, stratum 16, no reference clock

nominal freq is 119.2092 Hz, actual freq is 119.2092 Hz, precision is 2**18

reference time is 00000000.00000000 (18:00:00.000 CST Thu Dec 31 1899)

clock offset is 0.0000 msec, root delay is 0.00 msec

root dispersion is 0.00 msec, peer dispersion is 0.00 msec

Chicago-SW1#debug ntp packet

NTP packets debugging is on

Chicago-SW1#term mon

Chicago-SW1#

Chicago-SW1#

Chicago-SW1#

Chicago-SW1#

Chicago-SW1#

Chicago-SW1#

Chicago-SW1#

Chicago-SW1#

Chicago-SW1#

Chicago-SW1#

Chicago-SW1#

Chicago-SW1#

*Mar 1 02:53:12: NTP: xmit packet to 10.2.1.1:

*Mar 1 02:53:12: leap 3, mode 3, version 3, stratum 0, ppoll 64

*Mar 1 02:53:12: rtdel 0000 (0.000), rtdsp 10001 (1000.015), refid 00000000 (0.0.0.0)

*Mar 1 02:53:12: ref 00000000.00000000 (18:00:00.000 CST Thu Dec 31 1899)

*Mar 1 02:53:12: org 00000000.00000000 (18:00:00.000 CST Thu Dec 31 1899)

*Mar 1 02:53:12: rec 00000000.00000000 (18:00:00.000 CST Thu Dec 31 1899)

*Mar 1 02:53:12: xmt AF3BF918.5A48D69F (20:53:12.352 CST Sun Feb 28 1993)



Remote site router NTP debug:

022862: Oct 19 13:43:59.703 CDT: NTP: xmit packet to 10.1.1.3:

022863: Oct 19 13:43:59.703 CDT: leap 0, mode 3, version 3, stratum 3, ppoll 64

022864: Oct 19 13:43:59.703 CDT: rtdel 59B6 (350.433), rtdsp 1490 (80.322), refid 0A010103 (10.1.1.3)

022865: Oct 19 13:43:59.703 CDT: ref CAC377AF.BC35268D (13:36:31.735 CDT Fri Oct 19 2007)

022866: Oct 19 13:43:59.703 CDT: org CAC377AF.B6DE21B9 (13:36:31.714 CDT Fri Oct 19 2007)

022867: Oct 19 13:43:59.703 CDT: rec CAC377AF.BC35268D (13:36:31.735 CDT Fri Oct 19 2007)

022868: Oct 19 13:43:59.703 CDT: xmt CAC3796F.B43406DC (13:43:59.703 CDT Fri Oct 19 2007)



Thanks for your assistance.
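
Added example, not part of the original post: a small Python parser for the `show ntp associations detail` text above that decodes the hex NTP timestamps and the octal `reach` register. The all-zero timestamp is simply the NTP epoch (00:00 UTC, 1 Jan 1900), which the switch prints as 18:00 CST on Dec 31 1899; the function names and verdict strings are assumptions made for this illustration.

```python
import re
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)  # NTP era 0 starts here

# Sample input: lines copied from the switch output posted in this thread.
SAMPLE = """\
10.2.1.1 configured, insane, invalid, unsynced, stratum 16
our mode client, peer mode unspec, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.00, reach 0, sync dist 0.000
org time 00000000.00000000 (18:00:00.000 CST Thu Dec 31 1899)
rcv time 00000000.00000000 (18:00:00.000 CST Thu Dec 31 1899)
xmt time AF3BF7D8.5A3BED80 (20:47:52.352 CST Sun Feb 28 1993)
"""

def ntp_to_utc(stamp):
    """Decode 'SSSSSSSS.FFFFFFFF' (hex seconds.fraction since 1900) to UTC.
    An all-zero timestamp means 'never set', so return None for it."""
    secs, frac = (int(part, 16) for part in stamp.split("."))
    if secs == 0 and frac == 0:
        return None
    return NTP_EPOCH + timedelta(seconds=secs + frac / 2**32)

def diagnose(text):
    """Return (peer, reach, times, verdict) for one association block."""
    peer = re.search(r"^(\S+) configured,", text, re.M).group(1)
    # reach is an 8-bit shift register printed in octal: 377 = last 8 polls answered
    reach = int(re.search(r"\breach (\d+)", text).group(1), 8)
    stamps = re.findall(
        r"^(org|rcv|xmt) time ([0-9A-Fa-f]{8}\.[0-9A-Fa-f]{8})", text, re.M)
    times = {name: ntp_to_utc(stamp) for name, stamp in stamps}
    if reach == 0 and times.get("xmt") and not times.get("rcv"):
        verdict = "requests sent, no reply ever received"
    elif reach == 0:
        verdict = "no replies in the last 8 polls"
    else:
        verdict = f"{bin(reach).count('1')} of last 8 polls answered"
    return peer, reach, times, verdict

if __name__ == "__main__":
    peer, reach, times, verdict = diagnose(SAMPLE)
    print(f"{peer}: reach={reach:o} -> {verdict}")
    for name, when in times.items():
        print(f"  {name}: {when.isoformat() if when else 'unset (zero)'}")
```
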

b-ulrich Fri, 10/19/2007 - 11:03

Hello,


This should work.


On the router create an access-list like

access-list 4 per any


Then


ntp access-group serve-only 4


The switch should sync up to the router.


Or you could just add the ntp server address you have on the router to the switch. That should work as well.

b-ulrich Fri, 10/19/2007 - 11:38


Do you have a loopback address on the router?


Or on the router, try 'ntp source fa x/x'


Or on the router, try 'ntp source lo0'


Then on the switch point to the loopback address or the fa address.


I got it to sync on an 802.1q trunk similar to yours.

Richard Burts Fri, 10/19/2007 - 11:28

Michael


With all due respect to Bill I would suggest that you not configure an ntp access-group - at least not yet. Until you have the basic functionality going I do not believe it is wise to start complexity like ntp access-group.


Would it be possible for you to post the output of a traceroute from the switch to the ntp router and from the ntp router to the switch? I would like to see traffic patterns in both directions.


HTH


Rick

Edison Ortiz Fri, 10/19/2007 - 12:27

Do us a favor and manually change the time in the switch to a date closer to the present date.


The current time in the switch is unreal, I didn't think it was possible to have a default time set so far back.


Per your log


*Mar 1 02:53:12: ref 00000000.00000000 (18:00:00.000 CST Thu Dec 31 1899)

*Mar 1 02:53:12: org 00000000.00000000 (18:00:00.000 CST Thu Dec 31 1899)

*Mar 1 02:53:12: rec 00000000.00000000 (18:00:00.000 CST Thu Dec 31 1899)


December 31st 1899? WOW. I believe when trying to sync the time with your cascading NTP server, they can't agree.



Danilo Dy Fri, 10/19/2007 - 18:44

Hi Michael,


I think I see your problem.


This is your current configuration

CORE Switch sync to 129.6.15.28 (time-a.nist.gov). Successful!

CORE Switch is NTP Master (Stratum 3).

Remote Router sync to CORE Switch (10.1.1.3). Successful!

Remote Switches sync to Remote Router (10.2.1.1). Fail, because NTP Server is not running in Remote Router!


Recommended solution:

Run NTP Server in Remote Router, add the command line "ntp master 8" to run NTP Server in Stratum 8.


Do not put any ACL/Access-group until you have successfully synced the time (CORE Switch, Remote Router, and Remote Switches). If you put ACL/Access-group in Remote Router, include the following IP Addresses:

CORE Switch IP Address: 10.1.1.3

Remote Switches IP Address: ?


Regards,

Dandy

Richard Burts Sat, 10/20/2007 - 09:23

Dandy


It is not necessary to configure ntp master to have an IOS device serve as an NTP server. And unintended consequences can result from configuring ntp master on a device that does not have a reliable time source.


In Cisco's implementation of NTP in IOS when a device has learned authoritative time it will function as an NTP server and no other configuration is required to get the device to function as an NTP server.


HTH


Rick

aravindhs Mon, 10/22/2007 - 05:57

Hi,

My suggestion --


Why don't you try to run NTP in the 'broadcast' mode instead of server-client mode?


Or you could enable a specific multicast group for NTP for this remote site.


I wouldn't suggest you set up a 'peer'ing association with the router but since your server-client mode isn't working, you could try multicast/bcast client out with authentication keys & md5 ..


And, FYI, 'ntp disable' on the switch won't stop it from sending out NTP requests to its connected router. It just stops the switch from acting as an NTP server on the disabled interface.


HTH.


Please let us all know how you get on with this.


Cheers

arav




r.catallo Mon, 10/22/2007 - 07:00

I ran into a similar problem. It was due to pasting in an 'ntp clock-period' command (copied from another router). This value should never be configured/copy-pasted from another router. It is computed and inserted into the config by the router when it successfully time syncs.
