Cannot synchronize time with Cisco IOS router set as NTP master

Unanswered Question
Aug 22nd, 2009

Hi folks!

Don't know if this is the right section of the NetPro forum to bring up my problem.

I have an 871 router configured as NTP master. It works as a gateway for a small Windows network with a domain controller. I want the DC to pull the time from the router and configured the router as follows:

Router:

ntp source Vlan1

ntp access-group peer 11

ntp access-group serve 1

access-list 1 permit 192.168.1.0 0.0.0.255

access-list 11 permit 128.249.1.1

access-list 11 permit 192.5.41.41

ntp master

ntp server 128.249.1.1

ntp server 192.5.41.41 prefer

interface Vlan1

description Internal User's segment

ip address 192.168.1.1 255.255.255.0

ip access-group vl1-in in

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

ip inspect FW in

ip virtual-reassembly

ip tcp adjust-mss 1452

ip access-list extended vl1-in

permit tcp host 192.168.1.10 any eq smtp

deny tcp 192.168.1.0 0.0.0.255 any eq smtp

permit ip any any

The Domain Controller is configured according to Microsoft recommendations and I believe they are correct. This is what happens when the DC starts synching with the router (I debugged NTP on the router):

174073: Aug 22 18:53:29.348: NTP message received from 192.168.1.10 on interface 'Vlan1' (192.168.1.1).

174074: Aug 22 18:53:29.348: NTP Core(DEBUG): ntp_receive: message received

174075: Aug 22 18:53:29.348: NTP Core(DEBUG): ntp_receive: peer is 0x00000000, next action is 5.

174076: Aug 22 18:53:29.348: NTP Core (NOTICE): ntp_receive: dropping message: AM_NEWPASS, auth error..

My question is what kind of authentication should I configure on the router?

Kindly and hopefully

Eugene

Lucien Avramov Sun, 08/23/2009 - 08:28

If you are running a T train of IOS on your 871 with 12.4.20 or higher, you are impacted by bug CSCsw30737.

That bug is fixed from 12.4(24)T.

zheka_pefti Sun, 08/23/2009 - 12:00

Thanks a lot for a reference to a bug but the router does run the required release:

GIBSGW#sh ver

Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(24)T, RELEASE SOFTWARE (fc1)

Are there any later releases?

Eugene

Lucien Avramov Sun, 08/23/2009 - 22:20

Okay. You are running a fine version of it.

You have an inbound acl and ntp source from that same vlan.

Have you tried to remove the ACL from the interface to see if this helps?

The other thing would be to disable the FW from the interface and see what that does.

Mohamed Sobair Sun, 08/23/2009 - 14:16

Hi Eugene,

What does the (Inspect-FW) inspect? Do you have an inspection rule for UDP port 123?

On the other hand, you should have NTP association before configuring any authentication.

The debug message ensures that it's a missed authentication; could you also double check if your domain controller has NTP authentication configured?

Apart from that, on the router you can configure the MD5 NTP authentication method.

HTH

Mohamed

zheka_pefti Sun, 08/23/2009 - 22:22

Hey Mohamed, thanks for looking into my problem.

I've got the following inspect FW line:

"ip inspect name FW udp". I believe NTP falls into this rule as well.

Can you please elaborate on what you meant by NTP associations?

My problem is that I couldn't find anything on Microsoft sites about how to configure NTP authentication. They mention some Kerberos authentication. If this is the case, how could it be configured on the router? And how will I configure MD5 authentication on the router?

Eugene

Lucien Avramov Sun, 08/23/2009 - 22:27

Eugene,

There is no such thing as support for kerberos on IOS.

It's the very first time I hear of Kerberos being related to NTP and honestly I don't see the point of doing such.

In any case, regarding how to configure NTP auth, here is the example:

http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008010e97e.shtml#using_ntp

zheka_pefti Sun, 08/23/2009 - 22:29

Just tried to remove FW from vlan 1 interface. No luck. Still same "ntp_receive: dropping message: AM_NEWPASS, auth error" during NTP debug.

zheka_pefti Sun, 08/23/2009 - 22:38

I've never experienced problems with synching time between Cisco gear. The irony is about having a Windows DC synch its time with a Cisco router. I don't believe no one has done it. There must be a way, as otherwise it wouldn't make any sense at all. DCs can authenticate with external sources. I just proved it by configuring the DC with a public NTP source:

Event Type: Information

Event Source: W32Time

Event Category: None

Event ID: 35

Date: 8/23/2009

Time: 11:36:39 PM

User: N/A

Computer: MERLIN

Description:

The time service is now synchronizing the system time with the time source 24.215.0.24 (ntp.m|0x1|192.168.1.10:123->24.215.0.24:123).

Eugene

zheka_pefti Fri, 08/28/2009 - 13:46

Anyone, please! It drives me mad. The DC can sync the time with a public NTP source but not with an IOS router set as NTP master. Help!!!!

srue Fri, 08/28/2009 - 13:56

Remove the ntp master command.

Post the output of "show ntp assoc" before and after you remove it.

zheka_pefti Fri, 08/28/2009 - 14:20

Before "no ntp master"

GIBSGW#sh ntp associations

address ref clock st when poll reach delay offset disp

~127.127.1.1 .LOCL. 7 6 16 377 0.000 0.000 0.245

+~128.249.1.1 129.7.1.66 2 52 64 377 0.000 -103.97 3.780

*~192.5.41.41 .USNO. 1 12 64 377 0.000 -98.679 3.655

* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

GIBSGW#

008988: Aug 28 22:14:58.336: NTP message received from 192.168.1.10 on interface 'Vlan1' (192.168.1.1).

008989: Aug 28 22:14:58.336: NTP Core(DEBUG): ntp_receive: message received

008990: Aug 28 22:14:58.336: NTP Core(DEBUG): ntp_receive: peer is 0x00000000, next action is 5.

008991: Aug 28 22:14:58.336: NTP Core (NOTICE): ntp_receive: dropping message: AM_NEWPASS, auth error..

After "no ntp master"

GIBSGW(config)#do sh ntp asso

address ref clock st when poll reach delay offset disp

+~128.249.1.1 129.7.1.66 2 63 64 377 0.000 -103.97 4.078

*~192.5.41.41 .USNO. 1 21 64 377 0.000 -97.718 3.079

* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

Same error during NTP debugging and of course the Windows DC can't sync time with the router.

srue Fri, 08/28/2009 - 16:09

On your Windows server, go to a DOS prompt and type in "net time /querysntp" and post the response.

Keep the ntp master command out of there. It's not needed. Can the server ping the NTP server by the configured IP?

How did you set the NTP server on Windows? Through the registry? Or the command line (net time /setsntp:x.x.x.x)?

zheka_pefti Fri, 08/28/2009 - 17:01

Here you go:

On Windows box:

C:\Program Files\Far>net time /querysntp

The current SNTP value is: 192.168.1.1

The command completed successfully.

The Windows server can reach the NTP server because it is its default gateway. I followed the Microsoft guide to configure NTP both using the registry and the CLI.

Pasting the output from Windows CLI:

C:\Program Files\Far>net time /setsntp:192.168.1.1

The command completed successfully.

C:\Program Files\Far>net time /querysntp

The current SNTP value is: 192.168.1.1

The command completed successfully.

C:\Program Files\Far>w32tm /resync /rediscover

Sending resync command to local computer...

The computer did not resync because no time data was available.

srue Sat, 08/29/2009 - 16:48

192.168.1.1 is the router that you're trying to use as your NTP server?

Can you ping it from this Windows server?

Remove the NTP ACLs while testing also.

zheka_pefti Sat, 08/29/2009 - 17:39

Hi!

I really appreciate your attempt to help. Thanks a lot!

I've removed the access-lists for the NTP configuration; this is how it looks now:

ntp logging

ntp source FastEthernet4

ntp access-group peer 11

ntp server 128.249.1.1

ntp server 192.5.41.41 prefer

access-list 11 permit 128.249.1.1

access-list 11 permit 192.5.41.41

And this is an access-list applied to vlan1 interface:

ip access-list extended vl1-in

permit tcp host 192.168.1.10 any eq smtp

deny tcp 192.168.1.0 0.0.0.255 any eq smtp

permit ip any any

After manually having the Windows box resync its time with the router, I see the following messages while debugging NTP:

GIBSGW#

011378: Aug 30 01:32:48.599: NTP message received from 192.168.1.10 on interface 'Vlan1' (192.168.1.1).

011379: Aug 30 01:32:48.599: NTP Core(DEBUG): ntp_receive: message received

011380: Aug 30 01:32:48.599: NTP Core (NOTICE): ntp_receive: dropping message: restricted..

GIBSGW#

And 192.168.1.1 is the router's IP address and it is reachable from DC (192.168.1.10), see the above access-list.

Eugene

srue Mon, 08/31/2009 - 05:18

Can you install Wireshark on the server and just capture the NTP packets, then post them here?

Richard Burts Mon, 08/31/2009 - 07:13

Eugene

I suggest that you also remove this line from your config:

ntp access-group peer 11

I had a similar experience where I had one of the ntp access lists (peer and serve-only) but not the other. It seems that the IOS implementation of NTP works best if both access lists are used or if no access list is used.

HTH

Rick

zheka_pefti Mon, 08/31/2009 - 17:51

Well, I removed the line "ntp access-group peer 11" with the corresponding access-list. To my great surprise the Windows box was able to sync time with the router, but it happened only once. All subsequent attempts to synchronize time failed again.

I'm attaching the capture done on this Windows box.

Strange enough "show ntp association" gives the following output:

GIBSGW#sh ntp assoc

address ref clock st when poll reach delay offset disp

+~128.249.1.1 129.7.1.66 2 58 128 377 0.000 -10.388 11.325

192.168.1.10 .INIT. 16 - 32768 0 0.000 0.000 15937.

*~192.5.41.41 .USNO. 1 10 128 377 0.000 -4.852 6.113

* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

Looks like the NTP client got stuck in the INIT process.

And the ntp debug now shows something different:

039820: Sep 1 01:50:19.081: NTP message received from 192.168.1.10 on interface 'Vlan1' (192.168.1.1).

039821: Sep 1 01:50:19.081: NTP Core(DEBUG): ntp_receive: message received

039822: Sep 1 01:50:19.081: NTP Core(DEBUG): ntp_receive: peer is 0x833A8050, next action is 1.

039823: Sep 1 01:50:19.081: NTP Core (NOTICE): ntp_receive: dropping message: unsynch.

Now it is a pure access issue. Starting to pull my hair....

Richard Burts Tue, 09/01/2009 - 02:49

Eugene

It might be helpful if you would post the output of show ntp association detail

HTH

Rick

zheka_pefti Tue, 09/01/2009 - 21:37

Hi Rick,

Here it is; for me the messages about the NTP client being insane look very weird. What I noticed is that when I remove the "ntp master" entry and then add it again, the Windows box syncs its time with the router and then all subsequent attempts fail.

GIBSGW#sh ntp assoc detail

127.127.1.1 configured, insane, invalid, stratum 7

ref ID .LOCL., time CE4881B2.33E9474D (22:31:30.202 PDT Tue Sep 1 2009)

our mode active, peer mode passive, our poll intvl 16, peer poll intvl 16

root delay 0.00 msec, root disp 0.00, reach 377, sync dist 0.00

delay 0.00 msec, offset 0.0000 msec, dispersion 0.25

precision 2**16, version 4

org time CE4881B2.33E9474D (22:31:30.202 PDT Tue Sep 1 2009)

rec time CE4881B2.33E9DE4C (22:31:30.202 PDT Tue Sep 1 2009)

xmt time CE4881B2.33E8E2A4 (22:31:30.202 PDT Tue Sep 1 2009)

filtdelay = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00

filtoffset = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00

filterror = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00

minpoll = 4, maxpoll = 4

192.168.1.10 configured, insane, invalid, stratum 3

ref ID 192.168.1.1 , time CE48800C.561092F5 (22:24:28.336 PDT Tue Sep 1 2009)

our mode active, peer mode active, our poll intvl 512, peer poll intvl 1024

root delay 0.12 msec, root disp 66.52, reach 377, sync dist 0.27

delay 0.00 msec, offset 3.1615 msec, dispersion 20.54

precision 2**6, version 4

org time CE4881A5.EDCAC083 (22:31:17.928 PDT Tue Sep 1 2009)

rec time CE4881A5.EB8F689A (22:31:17.920 PDT Tue Sep 1 2009)

xmt time CE48800C.52A3231C (22:24:28.322 PDT Tue Sep 1 2009)

filtdelay = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00

filtoffset = 0.00 0.00 -0.00 0.00 0.00 0.00 -0.00 0.00

filterror = 0.01 0.02 0.02 0.02 0.03 0.03 0.03 0.04

minpoll = 6, maxpoll = 10

192.168.1.10 dynamic, insane, invalid, unsynced, stratum 16

ref ID .INIT., time 00000000.00000000 (16:00:00.000 PST Wed Dec 31 1899)

our mode passive, peer mode unspec, our poll intvl 32768, peer poll intvl 131072

root delay 0.00 msec, root disp 0.00, reach 0, sync dist 15.98

delay 0.00 msec, offset 0.0000 msec, dispersion 15937.50

precision 2**16, version 3

org time CE472519.27020C49 (21:44:09.152 PDT Mon Aug 31 2009)

rec time CE472518.772BFF01 (21:44:08.465 PDT Mon Aug 31 2009)

xmt time CE48764A.08C9296C (21:42:50.034 PDT Tue Sep 1 2009)

filtdelay = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00

filtoffset = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00

filterror = 16.00 16.00 16.00 16.00 16.00 16.00 16.00 16.00

minpoll = 15, maxpoll = 17

192.5.41.41 configured, our_master, sane, valid, stratum 1

ref ID .USNO., time CE488024.4F4D77DD (22:24:52.309 PDT Tue Sep 1 2009)

our mode client, peer mode server, our poll intvl 512, peer poll intvl 512

root delay 0.00 msec, root disp 0.32, reach 377, sync dist 0.06

delay 0.00 msec, offset -1.5672 msec, dispersion 9.10

precision 2**20, version 4

org time CE48802A.5C18C02F (22:24:58.359 PDT Tue Sep 1 2009)

rec time CE48802A.67D1E232 (22:24:58.405 PDT Tue Sep 1 2009)

xmt time CE48802A.5077B0A7 (22:24:58.314 PDT Tue Sep 1 2009)

filtdelay = 0.09 0.08 0.09 0.09 0.09 0.17 0.12 0.09

filtoffset = -0.00 -0.00 0.00 0.00 0.00 0.00 0.01 -0.00

filterror = 0.00 0.00 0.01 0.01 0.01 0.02 0.02 0.03

minpoll = 6, maxpoll = 10

This is what I'm getting in Windows system event log:

Time Provider NtpClient: No valid response has been received from manually configured peer 192.168.1.1,0x4 after 8 attempts to contact it. This peer will be discarded as a time source and NtpClient will attempt to discover a new peer with this DNS name.

Eugene

Richard Burts Wed, 09/02/2009 - 04:31

Eugene

I believe that the good news in what you have posted is this line:

192.5.41.41 configured, our_master, sane, valid, stratum 1

This indicates that you are successfully learning NTP time from an authoritative external source. If you are learning NTP from the external source then you do not need to configure ntp master. I believe that configuring ntp master is confusing the situation and I suggest that you remove ntp master from the configuration.

I also notice that there are 2 entries for 192.168.1.10. One of the entries indicates that this device is learning NTP from this device and the second entry indicates that it is dynamic and is not learning NTP from this device. Can you clarify whether 192.168.1.10 is in the configuration and what is going on with that device?

HTH

Rick

zheka_pefti Wed, 09/02/2009 - 22:28

Hi Rick,

This is the whole point about the 192.168.1.10 device. It is the Windows domain controller that I want to sync its time with the router (192.168.1.1).

The DC behaves very weirdly. Right before I deleted "ntp master" from the router I found three events in the DC's system log related to NTP activity. They happened within a 5-minute interval:

Event Type: Information

Event Source: W32Time

Event Category: None

Event ID: 38

Date: 9/1/2009

Time: 10:48:57 PM

User: N/A

Computer: MERLIN

Description:

The time provider NtpClient cannot reach or is currently receiving invalid time data from 192.168.1.1 (ntp.m|0x4|192.168.1.10:123->192.168.1.1:123).

Event Type: Information

Event Source: W32Time

Event Category: None

Event ID: 37

Date: 9/1/2009

Time: 10:50:05 PM

User: N/A

Computer: MERLIN

Description:

The time provider NtpClient is currently receiving valid time data from 192.168.1.1 (ntp.m|0x4|192.168.1.10:123->192.168.1.1:123).

Event Type: Information

Event Source: W32Time

Event Category: None

Event ID: 38

Date: 9/1/2009

Time: 10:50:50 PM

User: N/A

Computer: MERLIN

Description:

The time provider NtpClient cannot reach or is currently receiving invalid time data from 192.168.1.1 (ntp.m|0x4|192.168.1.10:123->192.168.1.1:123).

How should I understand it? First the NTP client on the DC can't reach the NTP server and then in a couple of minutes it successfully syncs its time. Weird.

I removed "ntp master" from the router and then the Windows box was able to sync the time with the router again. I debugged NTP and saw this:

GIBSGW#

073449: Sep 3 06:25:41.833: NTP message received from 192.168.1.10 on interface 'Vlan1' (192.168.1.1).

073450: Sep 3 06:25:41.833: NTP Core(DEBUG): ntp_receive: message received

073451: Sep 3 06:25:41.833: NTP Core(DEBUG): ntp_receive: peer is 0x833A7B70, next action is 1.

073452: Sep 3 06:25:41.833: NTP Core (NOTICE): ntp_receive: dropping message: unsynch.

GIBSGW#

073453: Sep 3 06:25:49.619: NTP message sent to 192.168.1.10, from interface 'Vlan1' (192.168.1.1).

Let's see if the problem reproduces again.

Eugene

Gordiep13 Wed, 05/09/2012 - 07:38

Hi,

I was having this same problem and found a section on the Microsoft site which talked about the W32Time service sending symmetric packets instead of client mode packets. The suggestion was to force the server to use normal requests instead of symmetric using the following command:

w32tm /config /manualpeerlist:172.19.60.253,0x8 /syncfromflags:MANUAL

I stopped and started the W32time service and this resolved the issue.

Hope this helps anyone else who gets this error and can see past the endless useless expert-exchange websites!

Gordon
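The fix above comes down to which NTP mode the Windows Time service puts in the first byte of each packet. The DC's own event log earlier in this thread shows its peer entry as "ntp.m|0x4|", i.e. the SymmetricActive flag was in effect, and the IOS debug drops (AM_NEWPASS, restricted) are what the NTP association-matching logic does with a symmetric-active packet from a host it has no peer association for; the 0x8 flag in Gordon's command switches W32Time to plain client mode instead. The following Python is an added example, not code from the original thread or from Cisco or Microsoft: it builds and decodes the NTP header word (RFC 5905 LI/VN/Mode layout), maps a w32tm peer suffix such as "192.168.1.1,0x4" to the mode the client will send, and states how an IOS NTP server is expected to treat each mode. The flag values are the documented w32tm manualpeerlist bits; the assumption that W32Time defaults to symmetric active when neither 0x4 nor 0x8 is given is labelled as such in the code, and the sample packets are constructed, not captured.

```python
import struct

# NTP header first byte (RFC 5905): LI (2 bits) | VN (3 bits) | Mode (3 bits).
NTP_HEADER_LEN = 48
MODE_NAMES = {
    0: "reserved",
    1: "symmetric active",
    2: "symmetric passive",
    3: "client",
    4: "server",
    5: "broadcast",
    6: "control",
    7: "private",
}

# Flag bits accepted in the w32tm /manualpeerlist peer suffix ("addr,0xN").
W32TM_FLAGS = {
    0x1: "UseSpecialPollInterval",
    0x2: "UseAsFallbackOnly",
    0x4: "SymmetricActive",
    0x8: "Client",
}


def build_ntp_header(mode, version=3, stratum=0):
    """Build a 48-byte NTP packet with only LI/VN/Mode and stratum set.
    Constructed sample for decoding, not a real captured packet."""
    if not 0 <= mode <= 7 or not 1 <= version <= 4:
        raise ValueError("mode must be 0..7 and version 1..4")
    first = (0 << 6) | (version << 3) | mode   # LI = 0 (no leap warning)
    return struct.pack("!BBbb", first, stratum, 0, 0) + b"\x00" * (NTP_HEADER_LEN - 4)


def decode_ntp_header(packet):
    """Return the leap/version/mode/stratum fields from an NTP packet's first word."""
    if len(packet) < NTP_HEADER_LEN:
        raise ValueError("truncated NTP packet: %d bytes" % len(packet))
    first, stratum, _poll, _precision = struct.unpack("!BBbb", packet[:4])
    mode = first & 0x07
    return {
        "li": first >> 6,
        "version": (first >> 3) & 0x07,
        "mode": mode,
        "mode_name": MODE_NAMES[mode],
        "stratum": stratum,
    }


def parse_peer_spec(spec):
    """Split a w32tm peer entry such as '192.168.1.1,0x4' into (address, flags).
    A missing suffix yields flags 0."""
    address, sep, suffix = spec.partition(",")
    flags = int(suffix, 16) if sep else 0
    return address.strip(), flags


def w32tm_packet_mode(flags):
    """NTP mode W32Time sends for a peer with these flags: 0x8 forces client
    mode (3); otherwise (0x4, or no mode flag) it polls in symmetric active
    mode (1). Treating "no mode flag" as symmetric active is an assumption
    taken from Microsoft's W32Time documentation, not something stated in the thread."""
    if flags & 0x8:
        return 3
    return 1


def expected_ios_treatment(packet):
    """Describe, from the receiving side, how a Cisco IOS NTP server treats the packet.
    A mode-3 (client) request is answered statelessly; a mode-1 (symmetric active)
    packet asks the router to mobilize a passive peer association, which is the
    path behind the AM_NEWPASS and 'restricted' drops shown in the debug output."""
    hdr = decode_ntp_header(packet)
    if hdr["mode"] == 3:
        return "client request: served if permitted by the 'serve' access group"
    if hdr["mode"] == 1:
        return ("symmetric-active request: needs a passive peer association; "
                "dropped unless peer access and authentication allow it")
    return "mode %d (%s): not a time request" % (hdr["mode"], hdr["mode_name"])


if __name__ == "__main__":
    # Constructed peer specs: the thread's 0x4 entry, Gordon's 0x8 fix, and no flags.
    for spec in ("192.168.1.1,0x4", "192.168.1.1,0x8", "192.168.1.1"):
        address, flags = parse_peer_spec(spec)
        names = [n for bit, n in W32TM_FLAGS.items() if flags & bit] or ["(none)"]
        pkt = build_ntp_header(w32tm_packet_mode(flags))
        print(spec, "->", ", ".join(names), "->", decode_ntp_header(pkt)["mode_name"])
        print("   router side:", expected_ios_treatment(pkt))
```

Running it with the three constructed peer specs shows the 0x4 and unflagged entries producing symmetric-active packets and only the 0x8 entry producing a client-mode request. The same decode_ntp_header call can be pointed at the first 48 bytes of the UDP payload from a Wireshark capture like the one requested earlier in the thread, which is the quickest way to confirm what mode a Windows host is actually sending before touching router access groups or authentication.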

swregistrations Tue, 10/21/2014 - 15:43

It sure did, thank you Gordon.

Posted August 22, 2009 at 10:56 AM