08-22-2009 10:56 AM - edited 03-06-2019 07:22 AM
Hi folks!
Don't know if this is the right section of the NetPro forum to bring up my problem.
I have an 871 router configured as NTP master. It works as a gateway for a small Windows network with a domain controller. I want the DC to pull the time from the router and configured the router as follows:
Router:
ntp source Vlan1
ntp access-group peer 11
ntp access-group serve 1
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 11 permit 128.249.1.1
access-list 11 permit 192.5.41.41
ntp master
ntp server 128.249.1.1
ntp server 192.5.41.41 prefer
interface Vlan1
description Internal User's segment
ip address 192.168.1.1 255.255.255.0
ip access-group vl1-in in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip inspect FW in
ip virtual-reassembly
ip tcp adjust-mss 1452
ip access-list extended vl1-in
permit tcp host 192.168.1.10 any eq smtp
deny tcp 192.168.1.0 0.0.0.255 any eq smtp
permit ip any any
The Domain Controller is configured according to Microsoft recommendations and I believe they are correct. This is what happens when the DC starts syncing with the router (I debugged NTP on the router):
174073: Aug 22 18:53:29.348: NTP message received from 192.168.1.10 on interface 'Vlan1' (192.168.1.1).
174074: Aug 22 18:53:29.348: NTP Core(DEBUG): ntp_receive: message received
174075: Aug 22 18:53:29.348: NTP Core(DEBUG): ntp_receive: peer is 0x00000000, next action is 5.
174076: Aug 22 18:53:29.348: NTP Core (NOTICE): ntp_receive: dropping message: AM_NEWPASS, auth error..
My question is what kind of authentication should I configure on the router?
Kindly and hopefully
Eugene
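The router's last debug line means the DC's request arrived carrying an authenticator (key id plus MAC) that the router could not verify. The following added example (not from the thread; the key ids, keys and timestamps are constructed) builds NTP client requests with and without a keyed-MD5 authenticator and runs a server-side check that reproduces the three possible outcomes: unauthenticated and accepted, authenticated with a trusted key, and dropped with an auth error.

```python
import hashlib
import hmac
import struct
import time

NTP_HEADER_LEN = 48            # fixed header, RFC 5905
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01


def build_client_packet(version=4, key_id=None, key=b""):
    """Mode-3 (client) request; optionally append a keyed-MD5 authenticator."""
    li_vn_mode = (version << 3) | 3             # leap=0, version, mode=client
    xmt = int(time.time()) + NTP_EPOCH_OFFSET   # transmit timestamp, seconds part
    # stratum 0, poll 6, precision -20; root delay/disp, ref id, ref/orig/recv zero
    header = struct.pack("!BBBb11I", li_vn_mode, 0, 6, -20,
                         0, 0, 0, 0, 0, 0, 0, 0, 0, xmt, 0)
    if key_id is None:
        return header
    return header + struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def server_check(packet, trusted_keys, require_auth=False):
    """Mimic a server's acceptance decision: ('accept'|'drop', reason)."""
    if len(packet) < NTP_HEADER_LEN or packet[0] & 0x7 != 3:
        return ("drop", "not a client request")
    header, trailer = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    if not trailer:                              # no authenticator present
        if require_auth:
            return ("drop", "auth error: authentication required")
        return ("accept", "unauthenticated, authentication not required")
    if len(trailer) != 4 + 16:                   # key id + MD5 digest only
        return ("drop", "auth error: unsupported authenticator length %d" % len(trailer))
    key_id = struct.unpack("!I", trailer[:4])[0]
    key = trusted_keys.get(key_id)
    if key is None:                              # the thread's case: MAC, unknown key
        return ("drop", "auth error: unknown key id %d" % key_id)
    if not hmac.compare_digest(hashlib.md5(key + header).digest(), trailer[4:]):
        return ("drop", "auth error: bad digest for key id %d" % key_id)
    return ("accept", "authenticated with key id %d" % key_id)


def demo():
    """Constructed key table and four requests; returns each verdict by name."""
    trusted = {1: b"example-key"}               # constructed, like 'ntp trusted-key 1'
    return {
        "plain": server_check(build_client_packet(), trusted),
        "good": server_check(build_client_packet(key_id=1, key=b"example-key"), trusted),
        "unknown_key": server_check(build_client_packet(key_id=7, key=b"dc-key"), trusted),
        "wrong_key": server_check(build_client_packet(key_id=1, key=b"wrong"), trusted),
    }
```

On IOS the server side of this check is "ntp authentication-key <id> md5 <key>", "ntp authenticate" and "ntp trusted-key <id>"; the key id and key in the client's authenticator have to match one of the trusted keys, otherwise the request is dropped exactly as in the debug above.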
08-23-2009 08:28 AM
If you are running a T train of IOS on your 871 with 12.4.20 or higher, you are impacted by bug CSCsw30737.
That bug is fixed from 12.4(24)T.
08-23-2009 12:00 PM
Thanks a lot for the reference to a bug, but the router does run the required release:
GIBSGW#sh ver
Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(24)T, RELEASE SOFTWARE (fc1)
Are there any later releases?
Eugene
08-23-2009 10:20 PM
Okay. You are running a fine version of it.
You have an inbound ACL and the NTP source on that same VLAN.
Have you tried to remove the ACL from the interface to see if this helps?
The other thing would be to disable the FW from the interface and see what that does.
08-23-2009 02:16 PM
Hi Eugene,
What does the inspect rule (FW) inspect? Do you have an inspection rule for UDP port 123?
On the other hand, you should have an NTP association before configuring any authentication.
The debug message confirms that it is an authentication failure; could you also double-check whether your domain controller has NTP authentication configured?
Apart from that, on the router you can configure the MD5 NTP authentication method.
HTH
Mohamed
08-23-2009 10:22 PM
Hey Mohamed, appreciation for looking into my problem.
I've got the following inspect FW line:
"ip inspect name FW udp". I believe NTP falls into this rule as well.
Can you please elaborate on what you meant by NTP associations?
My problem is that I couldn't find anything on Microsoft sites on how to configure NTP authentication. They mention some Kerberos authentication. If this is the case, how could it be configured on the router? And how would I configure MD5 authentication on the router?
Eugene
08-23-2009 10:27 PM
Eugene,
There is no such thing as support for Kerberos on IOS.
It's the very first time I hear of Kerberos being related to NTP, and honestly I don't see the point of doing so.
In any case, regarding how to configure NTP auth, here is the example:
08-23-2009 10:29 PM
Just tried to remove the FW from the Vlan1 interface. No luck. Still the same "ntp_receive: dropping message: AM_NEWPASS, auth error" during NTP debug.
08-23-2009 10:38 PM
I've never experienced problems with syncing time between Cisco gear. The irony is about having a Windows DC sync its time with a Cisco router. I don't believe no one has done it. There must be a way, as otherwise it wouldn't make any sense at all. DCs can authenticate with external sources. I just proved it by configuring the DC with a public NTP source:
Event Type: Information
Event Source: W32Time
Event Category: None
Event ID: 35
Date: 8/23/2009
Time: 11:36:39 PM
User: N/A
Computer: MERLIN
Description:
The time service is now synchronizing the system time with the time source 24.215.0.24 (ntp.m|0x1|192.168.1.10:123->24.215.0.24:123).
Eugene
08-28-2009 01:46 PM
Anyone, please! It drives me mad. The DC can sync the time with a public NTP source but not with the IOS router set as NTP master. Help!!!!
08-28-2009 01:56 PM
Remove the ntp master command.
Post the output of "show ntp assoc" before and after you remove it.
08-28-2009 02:20 PM
Before "no ntp master"
GIBSGW#sh ntp associations
address ref clock st when poll reach delay offset disp
~127.127.1.1 .LOCL. 7 6 16 377 0.000 0.000 0.245
+~128.249.1.1 129.7.1.66 2 52 64 377 0.000 -103.97 3.780
*~192.5.41.41 .USNO. 1 12 64 377 0.000 -98.679 3.655
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
GIBSGW#
008988: Aug 28 22:14:58.336: NTP message received from 192.168.1.10 on interface 'Vlan1' (192.168.1.1).
008989: Aug 28 22:14:58.336: NTP Core(DEBUG): ntp_receive: message received
008990: Aug 28 22:14:58.336: NTP Core(DEBUG): ntp_receive: peer is 0x00000000, next action is 5.
008991: Aug 28 22:14:58.336: NTP Core (NOTICE): ntp_receive: dropping message: AM_NEWPASS, auth error..
After "no ntp master"
GIBSGW(config)#do sh ntp asso
address ref clock st when poll reach delay offset disp
+~128.249.1.1 129.7.1.66 2 63 64 377 0.000 -103.97 4.078
*~192.5.41.41 .USNO. 1 21 64 377 0.000 -97.718 3.079
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
Same error during NTP debugging, and of course the Windows DC can't sync time with the router.
08-28-2009 04:09 PM
On your Windows server, go to a DOS prompt, type in "net time /querysntp" and post the response.
Keep the ntp master command out of there; it's not needed. Can the server ping the NTP server by the configured IP?
How did you set the NTP server on Windows? Through the registry, or the command line (net time /setsntp:x.x.x.x)?
08-28-2009 05:01 PM
Here you go:
On Windows box:
C:\Program Files\Far>net time /querysntp
The current SNTP value is: 192.168.1.1
The command completed successfully.
The Windows server can reach the NTP server because it is its default gateway. I followed the Microsoft guide to configure NTP, both using the registry and the CLI.
Pasting the output from Windows CLI:
C:\Program Files\Far>net time /setsntp:192.168.1.1
The command completed successfully.
C:\Program Files\Far>net time /querysntp
The current SNTP value is: 192.168.1.1
The command completed successfully.
C:\Program Files\Far>w32tm /resync /rediscover
Sending resync command to local computer...
The computer did not resync because no time data was available.
08-29-2009 04:48 PM
192.168.1.1 is the router that you're trying to use as your NTP server?
Can you ping it from this Windows server?
Remove the NTP ACLs while testing also.