06-18-2009 12:59 AM - edited 03-06-2019 06:19 AM
Hello,
We have a blade switch CBS30X0-LANBASE-M that won't sync to NTP nor authenticate to ACS.
SW1#show ntp associations detail
172.23.218.187 configured, insane, invalid, unsynced, stratum 16
ref ID 0.0.0.0, time 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)
our mode client, peer mode unspec, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.00, reach 0, sync dist 34.317
delay 0.00 msec, offset 0.0000 msec, dispersion 16000.00
precision 2**5, version 3
org time 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)
rcv time 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)
xmt time CDE47E75.1C3AB0DD (08:51:01.110 GMT Thu Jun 18 2009)
filtdelay = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filtoffset = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filterror = 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0
172.23.16.181 configured, insane, invalid, unsynced, stratum 16
ref ID 0.0.0.0, time 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)
our mode client, peer mode unspec, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.00, reach 0, sync dist 34.317
delay 0.00 msec, offset 0.0000 msec, dispersion 16000.00
precision 2**5, version 3
org time 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)
rcv time 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)
xmt time CDE47E7F.1BFE3067 (08:51:11.109 GMT Thu Jun 18 2009)
filtdelay = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filtoffset = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filterror = 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0
SW1#show ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 119.2092 Hz, actual freq is 119.2109 Hz, precision is 2**17
reference time is 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.00 msec, peer dispersion is 0.00 msec
SW1#show clock detail
.08:55:27.344 GMT Thu Jun 18 2009
Time source is NTP
SW1#
SW1#show run | i aaa|tac
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa session-id common
ip tacacs source-interface Vlan312
tacacs-server host 172.23.16.96 timeout 5
tacacs-server host 172.23.220.43 timeout 5
tacacs-server directed-request
tacacs-server key 7 xxxxxxx
SW1#show run | i ntp
ntp logging
ntp clock-period 36028310
ntp source Vlan312
ntp server 172.23.218.187
ntp server 172.23.16.181
SW1#
SW1#show debugging
NTP:
NTP clock adjustments debugging is on
NTP clock parameters debugging is on
NTP events debugging is on
NTP loop filter debugging is on
NTP packets debugging is on
NTP clock synchronization debugging is on
NTP clock selection debugging is on
NTP peer validity debugging is on
NTP reference clocks debugging is on
NTP authentication debugging is on
SW1#
This is what is in the logs over and over:
.Jun 18 08:58:29 GMT: NTP: xmit packet
We have a duplicate setup on SW2 and it is working fine.
Any help would greatly be appreciated.
Thank you.
06-18-2009 01:02 AM
Here is what is listed in the logs over and over:
.Jun 18 08:57:25 GMT: NTP: xmit packet to 172.23.218.187:
.Jun 18 08:57:25 GMT: leap 3, mode 3, version 3, stratum 0, ppoll 64
.Jun 18 08:57:25 GMT: rtdel 0000 (0.000), rtdsp 10001 (1000.015), refid 00000000 (0.0.0.0)
.Jun 18 08:57:25 GMT: ref 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)
.Jun 18 08:57:25 GMT: org 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)
.Jun 18 08:57:25 GMT: rec 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)
.Jun 18 08:57:25 GMT: xmt CDE47FF5.1B17A220 (08:57:25.105 GMT Thu Jun 18 2009)
.Jun 18 08:57:35 GMT: NTP: xmit packet to 172.23.16.181:
.Jun 18 08:57:35 GMT: leap 3, mode 3, version 3, stratum 0, ppoll 64
.Jun 18 08:57:35 GMT: rtdel 0000 (0.000), rtdsp 10001 (1000.015), refid 00000000 (0.0.0.0)
.Jun 18 08:57:35 GMT: ref 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)
.Jun 18 08:57:35 GMT: org 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)
.Jun 18 08:57:35 GMT: rec 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)
.Jun 18 08:57:35 GMT: xmt CDE47FFF.19DFD765 (08:57:35.101 GMT Thu Jun 18 2009)
.Jun 18 08:58:29 GMT: NTP: xmit packet to 172.23.218.187:
.Jun 18 08:58:29 GMT: leap 3, mode 3, version 3, stratum 0, ppoll 64
.Jun 18 08:58:29 GMT: rtdel 0000 (0.000), rtdsp 10001 (1000.015), refid 00000000 (0.0.0.0)
.Jun 18 08:58:29 GMT: ref 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)
.Jun 18 08:58:29 GMT: org 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)
.Jun 18 08:58:29 GMT: rec 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)
.Jun 18 08:58:29 GMT: xmt CDE48035.1909C6C6 (08:58:29.097 GMT Thu Jun 18 2009)
.Jun 18 08:58:39 GMT: NTP: xmit packet to 172.23.16.181:
.Jun 18 08:58:39 GMT: leap 3, mode 3, version 3, stratum 0, ppoll 64
.Jun 18 08:58:39 GMT: rtdel 0000 (0.000), rtdsp 10001 (1000.015), refid 00000000 (0.0.0.0)
.Jun 18 08:58:39 GMT: ref 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)
.Jun 18 08:58:39 GMT: org 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)
.Jun 18 08:58:39 GMT: rec 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)
.Jun 18 08:58:39 GMT: xmt CDE4803F.18CE3EC4 (08:58:39.096 GMT Thu Jun 18 2009)
06-18-2009 04:08 AM
Hi.
Does the VLAN312 IP address have connection to 172.23.218.187 and 172.23.16.181? I.e. can you do an extended PING with VLAN312 as source and those addresses as destination?
HTH
06-18-2009 04:14 AM
Hi iyde!
Here are the results:
SW1#ping 172.23.218.187 source vlan 312
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.23.218.187, timeout is 2 seconds:
Packet sent with a source address of 172.23.12.20
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 58/60/68 ms
SW1#ping 172.23.16.181 source vlan 312
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.23.16.181, timeout is 2 seconds:
Packet sent with a source address of 172.23.12.20
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
SW1#
Thank you.
06-18-2009 09:59 AM
John
I agree with Ingolf that the most likely problem is lack of IP connectivity. But the results of your ping show that there is IP connectivity.
The debug output and the output of show ntp association detail indicate that you are not getting any response from the NTP server. Is it possible that there is something between your switch and the NTP server that might be filtering traffic (access list on some layer 3 device, or firewall of some kind)and preventing the NTP request or preventing the NTP response?
It may be that the thing that is impacting NTP is also impacting TACACS so I do not want to go too far with TACACS while we are looking at the NTP issue. But if you attempt to login on the switch and then look at the reports on the TACACS server do you see the authentication request (is there anything in failed attempts or in successful attempts for this request)?
HTH
Rick
06-18-2009 02:46 PM
What is the result of the "sh ntp associate"?
06-18-2009 11:22 PM
Hello All,
I just found out that our HP Blade switch with Cisco modules is only L2 and can't do any L3 routing that is why it is failing.
Thanks to everyone for their assistance.
06-19-2009 09:31 AM
John
Thanks for posting back to the forum and indicating that you had resolved the problem and what the problem turned out to be. It makes the forum more useful when people can read about a problem and can read the solution to the problem.
HTH
Rick
06-19-2009 11:15 AM
NTP and tacacs should still work even if its L2 . It no different than say a 2950 using tacacs or ntp . Something else going on with that .
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: