NTP and Tacacs not working

Unanswered Question
Jun 18th, 2009

Hello,

We have a blade switch CBS30X0-LANBASE-M that won't sync to NTP nor authenticate to ACS.

SW1#show ntp associations detail
172.23.218.187 configured, insane, invalid, unsynced, stratum 16
ref ID 0.0.0.0, time 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)
our mode client, peer mode unspec, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.00, reach 0, sync dist 34.317
delay 0.00 msec, offset 0.0000 msec, dispersion 16000.00
precision 2**5, version 3
org time 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)
rcv time 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)
xmt time CDE47E75.1C3AB0DD (08:51:01.110 GMT Thu Jun 18 2009)
filtdelay = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filtoffset = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filterror = 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0

172.23.16.181 configured, insane, invalid, unsynced, stratum 16
ref ID 0.0.0.0, time 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)
our mode client, peer mode unspec, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.00, reach 0, sync dist 34.317
delay 0.00 msec, offset 0.0000 msec, dispersion 16000.00
precision 2**5, version 3
org time 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)
rcv time 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)
xmt time CDE47E7F.1BFE3067 (08:51:11.109 GMT Thu Jun 18 2009)
filtdelay = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filtoffset = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filterror = 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0

SW1#show ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 119.2092 Hz, actual freq is 119.2109 Hz, precision is 2**17
reference time is 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.00 msec, peer dispersion is 0.00 msec

SW1#show clock detail
.08:55:27.344 GMT Thu Jun 18 2009
Time source is NTP
SW1#

SW1#show run | i aaa|tac
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa session-id common
ip tacacs source-interface Vlan312
tacacs-server host 172.23.16.96 timeout 5
tacacs-server host 172.23.220.43 timeout 5
tacacs-server directed-request
tacacs-server key 7 xxxxxxx

SW1#show run | i ntp
ntp logging
ntp clock-period 36028310
ntp source Vlan312
ntp server 172.23.218.187
ntp server 172.23.16.181
SW1#

SW1#show debugging
NTP:
NTP clock adjustments debugging is on
NTP clock parameters debugging is on
NTP events debugging is on
NTP loop filter debugging is on
NTP packets debugging is on
NTP clock synchronization debugging is on
NTP clock selection debugging is on
NTP peer validity debugging is on
NTP reference clocks debugging is on
NTP authentication debugging is on
SW1#

This is what is in the logs over and over:

.Jun 18 08:58:29 GMT: NTP: xmit packet

We have a duplicate setup on SW2 and it is working fine.

Any help would greatly be appreciated.

Thank you.

bulgogi09 Thu, 06/18/2009 - 01:02

Here is what is listed in the logs over and over:

.Jun 18 08:57:25 GMT: NTP: xmit packet to 172.23.218.187:
.Jun 18 08:57:25 GMT: leap 3, mode 3, version 3, stratum 0, ppoll 64
.Jun 18 08:57:25 GMT: rtdel 0000 (0.000), rtdsp 10001 (1000.015), refid 00000000 (0.0.0.0)
.Jun 18 08:57:25 GMT: ref 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)
.Jun 18 08:57:25 GMT: org 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)
.Jun 18 08:57:25 GMT: rec 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)
.Jun 18 08:57:25 GMT: xmt CDE47FF5.1B17A220 (08:57:25.105 GMT Thu Jun 18 2009)

.Jun 18 08:57:35 GMT: NTP: xmit packet to 172.23.16.181:
.Jun 18 08:57:35 GMT: leap 3, mode 3, version 3, stratum 0, ppoll 64
.Jun 18 08:57:35 GMT: rtdel 0000 (0.000), rtdsp 10001 (1000.015), refid 00000000 (0.0.0.0)
.Jun 18 08:57:35 GMT: ref 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)
.Jun 18 08:57:35 GMT: org 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)
.Jun 18 08:57:35 GMT: rec 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)
.Jun 18 08:57:35 GMT: xmt CDE47FFF.19DFD765 (08:57:35.101 GMT Thu Jun 18 2009)

.Jun 18 08:58:29 GMT: NTP: xmit packet to 172.23.218.187:
.Jun 18 08:58:29 GMT: leap 3, mode 3, version 3, stratum 0, ppoll 64
.Jun 18 08:58:29 GMT: rtdel 0000 (0.000), rtdsp 10001 (1000.015), refid 00000000 (0.0.0.0)
.Jun 18 08:58:29 GMT: ref 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)
.Jun 18 08:58:29 GMT: org 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)
.Jun 18 08:58:29 GMT: rec 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)
.Jun 18 08:58:29 GMT: xmt CDE48035.1909C6C6 (08:58:29.097 GMT Thu Jun 18 2009)

.Jun 18 08:58:39 GMT: NTP: xmit packet to 172.23.16.181:
.Jun 18 08:58:39 GMT: leap 3, mode 3, version 3, stratum 0, ppoll 64
.Jun 18 08:58:39 GMT: rtdel 0000 (0.000), rtdsp 10001 (1000.015), refid 00000000 (0.0.0.0)
.Jun 18 08:58:39 GMT: ref 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)
.Jun 18 08:58:39 GMT: org 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)
.Jun 18 08:58:39 GMT: rec 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)
.Jun 18 08:58:39 GMT: xmt CDE4803F.18CE3EC4 (08:58:39.096 GMT Thu Jun 18 2009)

iyde Thu, 06/18/2009 - 04:08

Hi.

Does the VLAN312 IP address have connection to 172.23.218.187 and 172.23.16.181? I.e. can you do an extended PING with VLAN312 as source and those addresses as destination?

HTH

bulgogi09 Thu, 06/18/2009 - 04:14

Hi iyde!

Here are the results:

SW1#ping 172.23.218.187 source vlan 312
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.23.218.187, timeout is 2 seconds:
Packet sent with a source address of 172.23.12.20
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 58/60/68 ms

SW1#ping 172.23.16.181 source vlan 312
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.23.16.181, timeout is 2 seconds:
Packet sent with a source address of 172.23.12.20
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
SW1#

Thank you.

Richard Burts Thu, 06/18/2009 - 09:59

John

I agree with Ingolf that the most likely problem is lack of IP connectivity. But the results of your ping show that there is IP connectivity.

The debug output and the output of show ntp association detail indicate that you are not getting any response from the NTP server. Is it possible that there is something between your switch and the NTP server that might be filtering traffic (access list on some layer 3 device, or firewall of some kind) and preventing the NTP request or preventing the NTP response?

It may be that the thing that is impacting NTP is also impacting TACACS so I do not want to go too far with TACACS while we are looking at the NTP issue. But if you attempt to login on the switch and then look at the reports on the TACACS server do you see the authentication request (is there anything in failed attempts or in successful attempts for this request)?

HTH

Rick
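
An added example (not part of the thread and not Cisco code): a Python reader for `show ntp associations detail` text that separates a peer that is polled but never answers, the pattern pointed out in the reply above, from one that replies. It assumes the `reach` field is printed in octal; the second peer in the sample (192.0.2.10) is constructed for contrast.

```python
import re
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)

# Constructed sample: the first peer copies fields from the thread's output;
# the second (192.0.2.10) is an invented healthy peer for contrast.
SAMPLE = """\
172.23.218.187 configured, insane, invalid, unsynced, stratum 16
root delay 0.00 msec, root disp 0.00, reach 0, sync dist 34.317
org time 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)
rcv time 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)
xmt time CDE47E75.1C3AB0DD (08:51:01.110 GMT Thu Jun 18 2009)
192.0.2.10 configured, our_master, sane, valid, stratum 2
root delay 1.20 msec, root disp 3.10, reach 377, sync dist 5.000
org time CDE47E75.1C3AB0DD (08:51:01.110 GMT Thu Jun 18 2009)
rcv time CDE47E75.1C3AB0DD (08:51:01.110 GMT Thu Jun 18 2009)
xmt time CDE47E75.1C3AB0DD (08:51:01.110 GMT Thu Jun 18 2009)
"""

def ntp_to_utc(hex_ts):
    """'SSSSSSSS.FFFFFFFF' (seconds since 1900 + 32-bit fraction) -> UTC, None if zero."""
    sec, frac = (int(part, 16) for part in hex_ts.split("."))
    if sec == 0 and frac == 0:
        return None  # field was never filled in
    return NTP_EPOCH + timedelta(seconds=sec, microseconds=frac * 1_000_000 // 2**32)

def parse_associations(text):
    peers = []
    for line in (l.strip() for l in text.splitlines()):
        head = re.match(r"(\d+(?:\.\d+){3}) configured, (.+), stratum (\d+)", line)
        if head:
            peers.append({"peer": head[1], "flags": head[2].split(", "),
                          "stratum": int(head[3]), "reach": 0})
        elif peers:
            reach = re.search(r"\breach ([0-7]+)", line)
            if reach:
                peers[-1]["reach"] = int(reach[1], 8)  # octal 8-poll shift register
            ts = re.match(r"(org|rcv|xmt) time ([0-9A-Fa-f]{8}\.[0-9A-Fa-f]{8})", line)
            if ts:
                peers[-1][ts[1]] = ntp_to_utc(ts[2])
    return peers

def diagnose(peer):
    if peer["reach"]:
        return "replies-received"
    if peer.get("xmt") and not peer.get("rcv"):
        return "sending-but-no-reply"  # the pattern in the thread's output
    return "never-polled"

if __name__ == "__main__":
    for p in parse_associations(SAMPLE):
        print(p["peer"], diagnose(p), p.get("xmt"))
```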

bulgogi09 Thu, 06/18/2009 - 23:22

Hello All,

I just found out that our HP Blade switch with Cisco modules is only L2 and can't do any L3 routing; that is why it is failing.

Thanks to everyone for their assistance.

Richard Burts Fri, 06/19/2009 - 09:31

John

Thanks for posting back to the forum and indicating that you had resolved the problem and what the problem turned out to be. It makes the forum more useful when people can read about a problem and can read the solution to the problem.

HTH

Rick

glen.grant Fri, 06/19/2009 - 11:15

NTP and TACACS should still work even if it's L2. It's no different than, say, a 2950 using TACACS or NTP. Something else is going on with that.
