NTP association problem

May 23rd, 2009

Hi,


I have Core Router, Distribution and Access router.


Objective is

Core Router will get clock from Internet

Distribution Routers will associate with Core Router for NTP clock and

access Routers will associate Distribution Router for NTP Clock.


I have configured Core router as NTP master with command "ntp master 2" and "ntp server x.x.x.x" (to rx clock from Internet)


Distribution Router

"ntp peer <ip address of Core Router>"


Access router

"ntp server <ip address of distribution router>"


Is the method I followed correct? Do I have to change anything to achieve this? The access router's clock is not in sync. I doubt whether I am conceptually wrong.


RBK

ldmccalla Sat, 05/23/2009 - 07:34

1) use "ntp server" instead of "NTP peer" on the distribution routers to create a hierarchical structure.

2) do "show ntp as" on the distribution routers to confirm that they are synced to the core routers. If the distrib. routers are not synced, the access routers will not sync.


Leon

hclisschennai Sat, 05/23/2009 - 08:22

Hi Leon,


I changed the configuration as you advised. The clock of the Access router is in sync now. But the "show ntp status" command output shows that it is not synchronized.


Please look into the attachment.


Also, I do not understand why you asked me to configure "ntp server" instead of "NTP peer" on the distribution routers. My understanding of the "ntp server" command is that it will synchronize the device where this command is configured with the NTP server (maybe the Master server) and will not act as a server or provide clock to other devices.


Is this correct?



ldmccalla Sat, 05/23/2009 - 08:47

It's my understanding that NTP SERVER xxxx tells the client that XXXX will most likely have a better time source, while NTP PEER means that the client and the source will most likely have equal information. Regardless of what is configured, the NTP algorithm will still run and set the stratum accordingly.


Since you have Core->Distrib->Access, I just think it's better to describe the upstream server as a server. You can tie your distribution routers together as peers if you want. That's what the peer command is for.


Either way, the problem you have is displayed on the access router with "reach = 0". The access router has not received a reply from the distrib. router for a while. It's polling every 64 seconds and the last poll was 30 seconds ago.


I use NTP on all my devices (not just Cisco routers). I don't see how people survive without it.
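
The "reach" column mentioned in the reply above is an 8-bit shift register printed in octal, so 377 means the last eight polls were all answered and 0 means none were. The following is an added example, not part of the original thread: it decodes that register from `show ntp associations` text and flags peers that cannot currently be a time source. The sample output is constructed, and the function names `decode_reach` and `check_associations` are hypothetical.

```python
import re

# Constructed sample of `show ntp associations` output (illustrative values,
# not taken from the thread's attachments).
SAMPLE = """\
      address         ref clock     st  when  poll reach  delay  offset    disp
 ~192.168.1.5      192.168.1.2       3    30    64    0     0.0    0.00  16000.
*~192.168.1.2      10.0.0.1          2    12    64  377     1.9    0.42     0.8
 ~192.168.1.9      192.168.1.2       3    41    64  125     2.3   -1.10   140.2
"""

# Leading flag characters, peer address, ref clock, stratum, when, poll, reach.
ROW = re.compile(
    r"^(?P<flags>[*#+\-x~ ]*)(?P<addr>\d+\.\d+\.\d+\.\d+)\s+\S+\s+"
    r"(?P<st>\d+)\s+\S+\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)\s"
)

def decode_reach(octal_text):
    """Return (register, history); history[0] is the most recent poll."""
    reg = int(octal_text, 8) & 0xFF
    return reg, [(reg >> bit) & 1 for bit in range(8)]

def check_associations(text):
    """Classify each association by reachability and selection flag."""
    findings = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header or legend line
        reg, history = decode_reach(m["reach"])
        answered = sum(history)
        if reg == 0:
            state = "unreachable"      # no reply in the last 8 polls
        elif "*" not in m["flags"]:
            state = "not-selected"     # replies seen, but not the sync source
        elif answered < 8:
            state = "synced-lossy"     # sync source, but some polls unanswered
        else:
            state = "synced"
        findings.append({"addr": m["addr"], "state": state,
                         "answered": answered, "history": history})
    return findings

if __name__ == "__main__":
    for f in check_associations(SAMPLE):
        print(f"{f['addr']:<15} {f['state']:<13} {f['answered']}/8 polls answered")
```

A device whose only association is "unreachable" keeps running on its local clock, so timestamps in its logs drift away from the rest of the network and become harder to correlate.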

hclisschennai Sat, 05/23/2009 - 08:55

Hi


Thanks for your comments. Cisco literature says that the "ntp server x.x.x.x" command will get the clock from server x.x.x.x and will not act as a server or provide clock to other devices.


Is it so?

ldmccalla Sat, 05/23/2009 - 11:00

If the docs state things exactly like that then they must be talking only about the relationship between the two devices, i.e. if you have NTP SERVER XXXX in the config of client YYYY then YYYY can learn the time from XXXX and NOT the other way around. NTP PEER is usually used when two machines/servers share the time with each other.


Richard Burts Sat, 05/23/2009 - 18:00

RBK asks:

"Cisco literatures are saying that "ntp server x.x.x.x" command will get the clock from server x.x.x.x and will not act as server or provide clock to other devices".

That is not correct. Any Cisco IOS device that has learned authoritative NTP time (including if it has learned NTP from ntp server) will pass NTP time along to other devices who request it.


I would be interested to have the link to where this quote is found. Either it is talking about something different or it is incorrect and should be corrected.


If you have configured the distribution router with ntp peer, and if the core router has not learned NTP time from the Internet then the core router will attempt to learn NTP time from the distribution router. That is the nature of "peer" relationships for NTP. In peer relationships either router can learn time from the other.


I would suggest that if you want the core router to learn NTP from the Internet that you not configure the core router with ntp master. It does not need ntp master to advertise time if it has learned NTP from the Internet. And I agree that for a good hierarchical NTP setup the core should be configured with ntp server pointing to the Internet, the distribution router should be configured with ntp server pointing to the core router, and the access router should be configured with ntp server pointing to the distribution router.


HTH


Rick

Richard Burts Sat, 05/23/2009 - 18:11

RBK


After I posted my response I looked at the files that you posted. They show that the distribution router is synced with the core but that the access router is not synced with the distribution.


The access router and distribution router have communicated with each other (we know this especially because in the show ntp association the access router knows with what address the distribution router has learned time). But something is preventing the access router from sync with the distribution. We do not have enough information here to know why. Perhaps if you post the output of show ntp association detail we might find what the reason is.


HTH


Rick

hclisschennai Sat, 05/23/2009 - 22:21

Hi Rick,


I appreciate your response. It is very helpful.


I have configured the setup as you suggested as below


CORE ROUTER IP:192.168.1.2/30

DISTRIBUTION ROUTER IP:192.168.1.5/30

ACCESS ROUTER IP:192.168.1.6/30


In distribution router: ntp server 192.168.1.2

In access router: ntp server 192.168.1.5


The clock is sync in all the routers. But in Access router when, "show ntp association details" is seen it is showing as "192.168.1.5 configured, insane, invalid,"


Please see the attachment. Thanks in advance




Just Kennie Sun, 05/24/2009 - 01:20
User Badges:

Well, from experience...it takes time for client to master synchronize. I will prefer you wait for a while...and debug too.

ldmccalla Sun, 05/24/2009 - 03:15

I'm going to go out on a limb here. Does your CORE router have internet access to stabilize its clock? Are these congested serial links?


Based on the distribution information, the NTP data received from core clock is varying more than 140ms in 8 samples. This being said, Distribution clock is probably varying too much for the Access clock to consider it a reliable source.


Given that all your routers are within 1 hop of each other you can have your access router sync directly to your core router to see how things look.


I have a few routers in a rack and they all sync to my server, which syncs to ntp.org. My routers show 1ms dispersion across the last 8 samples.


Leon



hclisschennai Sun, 05/24/2009 - 03:38

Hi,


I appreciate your involvement in providing the solution to the issue. Thanks. Does the delay matter? How are you calculating the dispersion?


Moreover, I am using IOS 12.3. In one of my routers I am using 12.4, where I do not see the command syntax "ntp server a.b.c.d"; instead it has the syntax "ntp server vrf a.b.c.d".


I didn't configure vrf in the router. So I am not able to use this syntax. How to configure NTP in IOS 12.4?


thanks in advance

RBK

Richard Burts Sun, 05/24/2009 - 14:02

RBK


I have configured lots of routers running 12.4 to use NTP using the ntp server a.b.c.d command. It was my understanding that the vrf parameter was optional. Have you tried entering the ntp server a.b.c.d command on your 12.4 router? If it is not working could you post the screen output when you try to do it and the response that you receive?


HTH


Rick

hclisschennai Mon, 05/25/2009 - 01:42

Hi Rick


Please find the attached "show version" and "ntp server" command output. You can see here that after "ntp server" I have the option to enter only vrf info and not the IP address.


RBK



guruprasadr Mon, 05/25/2009 - 05:19

HI RBK,


I have a 3640 Router in my Network with IOS: c3640-d-mz.122-31.bin


The Configuration register is 0x101


The NTP Server runs very well. Could you please check once again with the IOS and the 'Configuration register'


Hope you are in the Password Recovery Mode, could you please reset your Configuration register to 0x101 (or) 0x2102 (factory-default setting for the configuration register)


Please be informed, once router is reloaded, the new configuration register setting becomes active.


Hope I am Informative.


Pls RATE if HELPS


Best Regards,


Guru Prasad R

Richard Burts Mon, 05/25/2009 - 07:22

RBK


Thank you for posting the additional information that I suggested. I notice several things about it:

- there seems to be some issue about what caused it to boot (and perhaps whether it booted correctly):

System returned to ROM by unknown reload cause - suspect boot_data[BOOT_COUNT] 0x0, BOOT_COUNT 0, BOOTDATA 19

- the show version does not indicate any active interfaces. Either you left out part of the show version output or there is a real issue with how the router is operating. Can you clarify about this?


Even if entering the address of the ntp server does not show up as an option in help, what happens if you enter the address as the next parameter in the command (is it possible that there is a flaw in on line help)?


HTH


Rick

hclisschennai Mon, 05/25/2009 - 08:54

Hi Rick,


You spotted this correctly. I intentionally removed the cards details from the "show version" output.


Next, even if I enter the address of the NTP server, it is rejecting saying "invalid command".


It is not the problem for me now. I am ready to upgrade the IOS rather.
