NTP is not synchronizing

asfar.zaidi · ‎08-16-2008

Hi Guys

I have configuered my devices with the following ntp command

ntp server 10.20.20.21 source GigabitEthernet0/0

but when I check following

sh ntp status

Clock is unsynchronized, stratum 16, no reference clock

nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18

reference time is 00000000.00000000 (04:00:00.000 AEU Mon Jan 1 1900)

clock offset is 0.0000 msec, root delay is 0.00 msec

root dispersion is 0.00 msec, peer dispersion is 0.00 msec

show ntp association

address ref clock st when poll reach delay offset disp

~10.20.20.21 0.0.0.0 16 7 64 0 0.0 0.00 16000.

* master (synced), # master (unsynced), + selected, - candidate, ~ configured

when I run the debug its like this

*Aug 16 09:59:33.918: NTP: xmit packet to 10.20.20.21:

*Aug 16 09:59:33.918: leap 3, mode 3, version 3, stratum 0, ppoll 64

*Aug 16 09:59:33.918: rtdel 0000 (0.000), rtdsp 10001 (1000.015), refid 00000000 (0.0.0.0)

*Aug 16 09:59:33.918: ref 00000000.00000000 (04:00:00.000 AEU Mon Jan 1 1900)

*Aug 16 09:59:33.918: org CC512323.E51CB984 (13:57:55.894 AEU Sat Aug 16 2008)

*Aug 16 09:59:33.918: rec CC512345.EB95ECC8 (13:58:29.920 AEU Sat Aug 16 2008)

*Aug 16 09:59:33.918: xmt CC512385.EB28F81D (13:59:33.918 AEU Sat Aug 16 2008)

*Aug 16 09:59:33.918: NTP: rcv packet from 10.20.20.21 to 192.168.50.1 on GigabitEthesh ntp associations

*Aug 16 09:59:33.918: leap 3, mode 4, version 3, stratum 0, ppoll 64

*Aug 16 09:59:33.918: rtdel 0000 (0.000), rtdsp 06DC (26.794), refid 494E4954 (73.78.73.84)

*Aug 16 09:59:33.918: ref 00000000.00000000 (04:00:00.000 AEU Mon Jan 1 1900)

*Aug 16 09:59:33.918: org CC512385.EB28F81D (13:59:33.918 AEU Sat Aug 16 2008)

*Aug 16 09:59:33.918: rec CC512363.E5383F23 (13:58:59.895 AEU Sat Aug 16 2008)

*Aug 16 09:59:33.918: xmt CC512363.E53AA23A (13:58:59.895 AEU Sat Aug 16 2008)

*Aug 16 09:59:33.918: inp CC512385.EB854926 (13:59:33.920 AEU Sat Aug 16 2008)

the local clock detail is

sh clock detail

*14:02:04.318 AEU Sat Aug 16 2008

Time source is NTP

Am I missing some thing why my devices are not synchronizing with NTP time, as I need it badly for my MARS Server.

Regards/Asfar

johnakeating · ‎08-16-2008

Try this with a public server mybe yours is firewalled or something.....

http://www.learnios.com/viewtopic.php?f=72&t=36

John

asfar.zaidi · ‎08-16-2008

Hi

But configuring public ntp servers on all devices is a security hole, can I configure my Internet routers as public ntp servers and for rest of devices these routers will be ntp server.

Regards/Asfar

andrew.butterworth · ‎08-16-2008

Asfar, your idea is good. Depending on the size of the private network you might want to use NTP servers per location or per distribution block - Make it a hierarchy, with the top most being your internet facing routers.

Back to the problem though... Are your internet facing routers sucessfully syncing with external NTP sources? Is it just your internal IOS devices that can't sync? I have a similar setup with my internet facing router configured with 3 public NTP servers and then my internal IOS devices configured to sync from my router (it's a small network so no multi-layered hierarchy).

HTH

Andy

asfar.zaidi · ‎08-16-2008

Hi Andy

I have a large network existing of 8 firewalls , 2 x 6509 Core switches , 56 x Access Switches and comprising of more than 30 VLANs , for this network I have to deploy standalone MARS Server but the first basic thing is to sync every network device , my 2 x Internet Perimeter Routers are synced with the 3 external NTP servers , now I dont want my other devices to go out Internet to sync NTP.

Any advice how to achieve that and if I will sync my Internal IOS devices to the Internet Router ; how to achieve it , can you send me the set of commands used.

I have no objection in setting my Internet routers to go out to Internet and synced with External NTP Source but I dont want other devices to do so.

Regards/Asfar

andrew.butterworth · ‎08-16-2008

Asfar, Based on that equipment list it sounds like you have a collapsed Core/Distribution model with access switches connected back to the core using 802.1q trunks? If that's the case I would sync the two core 6509's to the Internet facing routers and then peer them together:

!Core #1

ntp server 10.1.1.1 (Internet Facing Router #1)

ntp server 10.1.2.1 (Internet Facing Router #2)

ntp peer 10.10.10.10 (Core 6509 #2)

ntp source loopback 0

!Core #2

ntp server 10.1.1.1 (Internet Facing Router #1)

ntp server 10.1.2.1 (Internet Facing Router #2)

ntp peer 10.10.10.20 (Core 6509 #1)

ntp source loopback 0

You should then point all your access switches to the two 6500's:

ntp server 10.10.10.20 (Core 6509 #1)

ntp server 10.10.10.10 (Core 6509 #2)

Unless you want to perform any NTP authentication that should be it. If it isn't working you need work backwards and verify each part is working - i.e. are the Internet facing routers sync'd? Then move on to the 6500's, the the access switches.

If the 6500's aren't sync'd you need to verify they can reach the routers and UDP 123 is allowed (it could be a firewall issue as I assume there are firewalls between the Internet facing routers and the 6500's?)

The reason for the loopbacks is they are predictable, stable interfaces and I would recommend tying all your management protocols to loopbacks on Layer-3 IOS devices.

HTH

Andy

asfar.zaidi · ‎08-16-2008

Andy , what about firewalls they will also sync'd with the core switches or Internet Router.

andrew.butterworth · ‎08-16-2008

Yes, sync the firewalls off the core switches. Bear in mind the PIX & ASA will physically try and send the NTP packets out of the interface if you include this in the configuration:

ntp server 10.1.1.1 source inside

This is unlike the behaviour of an IOS router which will just set the source IP address of the packets.

HTH

Andy