NTP not synced

Greetings,

I posted a question previously about how to configure NTP to keep it from accepting queries or broadcasting. Now I'm running into problems with synchronization.

As mentioned previously, I'm trying to sync an internal router with an external router (internet facing). I've tried a couple different time servers, but the message I'm getting is this:

Clock is unsynchronized, stratum 16, no reference clock

nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18

reference time is CBD577B6.75A21916 (10:37:42.459 EST Wed May 14 2008)

clock offset is 0.0000 msec, root delay is 0.00 msec

root dispersion is 0.02 msec, peer dispersion is 0.02 msec

I get this message on both ROUTER1 (outside the firewall) and ROUTER2 (inside the firewall). Our security provider states that no 'hole' needs to be punched through the f/w.

Internally (ROUTER2), the config is as simple as such...

ntp server <ip_of_external_router>

The external router (ROUTER1) is configured as such...

access-list 20 permit <ip_of_ROUTER2>

access-list 20 deny any

ntp access-group peer 20

ntp server 207.46.130.100

ntp peer <ip_of_ROUTER2>

Any suggestions are appreciated.

Chris

8 Replies

Richard Burts
Hall of Fame

Chris

I believe that your issue is a misunderstanding of the ntp access-group functions. The ntp access-group peer controls who you will learn NTP time from. As such your access list 20 should permit 207.46.130.100 rather than permit the address of ROUTER2. An easy way to prove this would be to remove (at least temporarily) the ntp access-group peer 20 and see if you do not sync with the external server.

I would also suggest that if you are going to specify an ntp access-group for peer that you also specify an ntp access-group for serve-only (which would permit ROUTER2). In my experience with ntp access-group it does not work well to specify only a single access-group (unless the router will sync to a server but not serve time to others).

[edit] in looking again at your post I would add that while it is fine to configure this:

ntp peer

it is not required. When ROUTER1 has synced with the external server, at that point ROUTER1 will function as a server and will respond to requests that it receives (subject to restrictions in access-group) and does not need the specific configuration of peers.

HTH

Rick


Rick,

Thanks for the clarification. I removed (temporarily) the access-group command and ROUTER1 (External) synced in no time;> Pun intended! ROUTER2 is still not synchronized, however. In your opinion, shouldn't access be allowed for NTP through the firewall? Using appropriate access-lists of course.

About access-group peer and serve-only...what exactly is the purpose of these commands? Looking at some information online, it seemed as though it was an either/or choice.

Chris

I am glad that you tested by removing the ntp access-group and that the router then synced in no time (I just love a good pun).

In general I would expect the inside router to be able to sync to the outside router through the firewall without changes in the firewall. I recently did configure this for a client and it worked ok. Of course it does depend on what firewall you are using and how it is configured.

Sometimes NTP is slow to sync if there is a large difference between the time of the inside router (which is attempting to learn) and the time of the authoritative outside router. You might check the time on the inside router and if it is off by much then you might try manually setting the time on the inside router and see if that helps.

If setting the time on the inside router does not help then perhaps the output of show ntp association detail from the inside router might help. And perhaps some debug ntp on the inside router might help.

About the ntp access-groups. They are intended to give you some control, if you want it, over what the router will do in NTP. You can limit the addresses from which it will attempt to learn time (access-group peer) and it can limit the addresses to which it will respond and send time (serve-only). In my experience it is not either/or. Just about always, if I configure one then I configure both. Configuring both has worked well for me.

HTH

Rick


Rick,

I checked this first thing this morning and it was synced! Thanks a bunch for your help!

Rick,

So in your comments below about access-group peer, the actual PEER is the address I want to learn time FROM?

I had found a resource online that seems to cloud the water a bit....

http://www.oreilly.com/catalog/hardcisco/chapter/ch10.html

Unless I'm reading this wrong, it seems that it states the opposite of what you say, though I could be reading this wrong.

So, if I wanted to restrict who I'd learn time from, I'd code as such...

ntp server

ntp peer

access-list 20 permit 0.0.0.0

access-list 20 deny any

ntp access-group peer 20

And to restrict who learns time from me:

access-list 21 permit 255.255.255.255

access-list 21 deny any

ntp access-group serve-only 21

Does this sound about right?

Mis-typed...Let me try this again...

So, if I wanted to restrict who I'd learn time from, I'd code as such...

ntp server

ntp peer

access-list 20 permit 0.0.0.0

access-list 20 deny any

ntp access-group peer 20

And to restrict who learns time from me:

access-list 21 permit 255.255.255.255

access-list 21 deny any

ntp access-group serve-only 21

Does this sound about right?

Chris

With one small exception I believe that this is right. If you have coded ntp server then you do not need ntp peer.

I looked at the chapter referenced in your previous post. I like the explanation of the types of access list (slightly edited):

peer - Allows the router to synchronize itself to remote systems that pass the ACL

serve-only - Allows time synchronization requests from systems that pass the ACL

But then the example that they give has problems as far as I can tell. I believe that the serve-only list is ok. But the peer list allows router one to sync to router two but does not have any permits that allow the external servers.

HTH

Rick

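As an added example, not from this thread or from Cisco, here is a small Python linter for the misconfiguration Rick identifies: it checks that every "ntp server" and "ntp peer" address passes the "ntp access-group peer" ACL (first match wins, implicit deny at the end) and that a serve-only group is configured alongside it. The two sample configs are constructed from Chris's posts, with 192.0.2.2 standing in for <ip_of_ROUTER2>.

```python
"""Lint a Cisco IOS NTP config for the thread's mistake: a peer ACL that blocks the time source."""
import re
from ipaddress import ip_address, ip_network
def parse_acls(config):
    """Map ACL number -> [(action, network)] from standard numbered ACL lines."""
    acls = {}
    for num, action, target in re.findall(r"^\s*access-list\s+(\d+)\s+(permit|deny)\s+(.+)$", config, re.M):
        words = target.split()
        if words[0] == "any":
            net = ip_network("0.0.0.0/0")
        elif len(words) == 2:  # 'address wildcard' form, e.g. 0.0.0.0 255.255.255.255
            prefix = 32 - bin(int(ip_address(words[1]))).count("1")
            net = ip_network((words[0], prefix), strict=False)
        else:                  # bare address means a single host
            net = ip_network(words[0] + "/32")
        acls.setdefault(int(num), []).append((action, net))
    return acls
def acl_permits(entries, addr):
    """First match wins; an unmatched address hits the implicit deny."""
    for action, net in entries:
        if ip_address(addr) in net:
            return action == "permit"
    return False

def check_ntp_config(config):
    """Return findings; an empty list means every time source passes the peer ACL."""
    sources = re.findall(r"^\s*ntp\s+(?:server|peer)\s+(\S+)", config, re.M)
    groups = dict(re.findall(r"^\s*ntp\s+access-group\s+(peer|serve-only)\s+(\d+)", config, re.M))
    findings = []
    if "peer" in groups:
        entries = parse_acls(config).get(int(groups["peer"]), [])
        findings += [f"{s} blocked by ntp access-group peer {groups['peer']}"
                     for s in sources if not acl_permits(entries, s)]
        if "serve-only" not in groups:
            findings.append("access-group peer set without a serve-only group")
    return findings

# Constructed samples from the thread; 192.0.2.2 stands in for <ip_of_ROUTER2>.
BROKEN = """access-list 20 permit 192.0.2.2
access-list 20 deny any
ntp access-group peer 20
ntp server 207.46.130.100
ntp peer 192.0.2.2
"""
FIXED = """access-list 20 permit 207.46.130.100
access-list 21 permit 192.0.2.2
ntp access-group peer 20
ntp access-group serve-only 21
ntp server 207.46.130.100
"""
```

Running check_ntp_config(BROKEN) reports that 207.46.130.100 is blocked by ACL 20 and that no serve-only group exists, while check_ntp_config(FIXED) returns no findings.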

Excellent! Thanks, Rick!
