NTP issue on 2621 router

Sep 21st, 2009

2621 router running 12.2(46a). Configured a public NTP server, but the clock will not update. Wireshark shows the ntp packet going from the router to the ntp server and the reply back to the router. "Debug ntp packet" shows the packet sent, but no reply. "debug ntp event" and all other ntp debugs have no output. Partial config is attached below. (tried to attach it, but got server errors)

interface FastEthernet0/0
 description NAT Outside
 ip address <removed>
 ip access-group Inbound in
 ip nat outside
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
 no fair-queue
!
interface FastEthernet0/1
 description NAT Inside
 ip address <removed>
 ip nat inside
 duplex auto
 speed auto
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static <removed> <removed>
ip classless
ip route 0.0.0.0 0.0.0.0 <removed>
no ip http server
!
!
ip access-list extended Inbound
 permit tcp any any established
 deny 53 any any
 deny 55 any any
 deny 77 any any
 deny pim any any
 deny ip 0.0.0.0 0.255.255.255 any
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 224.0.0.0 15.255.255.255 any
 deny ip 240.0.0.0 7.255.255.255 any
 deny ip host 0.0.0.0 any
 deny ip host 255.255.255.255 any
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any port-unreachable
 permit icmp any any echo
 permit icmp any any echo-reply
 deny icmp any any
 deny tcp any any eq telnet
 deny udp any any eq tftp
 deny tcp any any range 135 139
 deny udp any any range 135 netbios-ss
 deny tcp any any eq 445
 deny udp any any eq 445
 deny udp any any eq syslog
 deny udp any any eq snmp
 deny udp any any eq snmptrap
 permit ip any any
access-list 1 permit 192.168.0.0 0.0.0.255
no cdp run
!
dial-peer cor custom
!
!
!
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 login
!
ntp server 135.89.154.147
ntp server 129.6.15.29
ntp server 64.202.112.75
end

Leo Laohoo Mon, 09/21/2009 - 14:44

I don't know if it's a good idea to synchronize to your ISP's server (135.89.154.147, for example, belongs to AT&T). Why don't you try looking at the list from Microsoft (http://support.microsoft.com/kb/262680)? You can choose from the list whether you want Stratum 1, 2 or 3. It's this list that I synchronize my home time with.

Hope this helps.

Lucien Avramov Mon, 09/21/2009 - 14:50

We need to do some ntp troubleshooting as it seems not to work at all.

Post your "show ntp ass"

forumhealth Tue, 09/22/2009 - 05:12

Hi Lucien,

Thanks for looking. Here is the output you requested, along with some other (perhaps helpful) information. The ntp server 129.6.15.29 is used successfully with other routers.

Regards,

Al Stiver

Output of "debug ntp events" (similar output for each of the configured ntp servers):

*Mar 1 17:09:33: NTP: xmit packet to 129.6.15.29:
*Mar 1 17:09:33: leap 3, mode 3, version 3, stratum 0, ppoll 64
*Mar 1 17:09:33: rtdel 0000 (0.000), rtdsp 10001 (1000.015), refid 00000000 (0.0.0.0)
*Mar 1 17:09:33: ref 00000000.00000000 (19:00:00.000 EST Thu Dec 31 1899)
*Mar 1 17:09:33: org 00000000.00000000 (19:00:00.000 EST Thu Dec 31 1899)
*Mar 1 17:09:33: rec 00000000.00000000 (19:00:00.000 EST Thu Dec 31 1899)
*Mar 1 17:09:33: xmt AF3D081D.CF2702B5 (17:09:33.809 EST Mon Mar 1 1993)

ohb-test-2621#sh ntp a
     address         ref clock     st  when  poll reach  delay  offset    disp
 ~135.89.154.147   0.0.0.0         16    -    64     0     0.0    0.00  16000.
 ~129.6.15.29      0.0.0.0         16    -    64     0     0.0    0.00  16000.
 ~64.202.112.75    0.0.0.0         16    -    64     0     0.0    0.00  16000.
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

ohb-test-2621#sh ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
reference time is 00000000.00000000 (19:00:00.000 EST Thu Dec 31 1899)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.00 msec, peer dispersion is 0.00 msec

And, for what it's worth:

ohb-test-2621#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IK9S-M), Version 12.2(46a), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2007 by cisco Systems, Inc.
Compiled Wed 11-Jul-07 20:22 by pwade
Image text-base: 0x8000808C, data-base: 0x812948AC

ROM: System Bootstrap, Version 12.2(10r)1, RELEASE SOFTWARE (fc1)

ohb-test-2621 uptime is 22 hours, 13 minutes
System returned to ROM by power-on
System image file is "flash:c2600-ik9s-mz.122-46a.bin"

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco 2621 (MPC860) processor (revision 0x00) with 44032K/5120K bytes of memory.
Processor board ID JAD06400DKG (1397657735)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
2 FastEthernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

forumhealth Tue, 09/22/2009 - 05:42

Additional information:

ohb-test-2621>sh ntp a detail
135.89.154.147 configured, insane, invalid, unsynced, stratum 16
ref ID 0.0.0.0, time 00000000.00000000 (19:00:00.000 EST Thu Dec 31 1899)
our mode client, peer mode unspec, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.00, reach 0, sync dist 0.000
delay 0.00 msec, offset 0.0000 msec, dispersion 16000.00
precision 2**5, version 3
org time 00000000.00000000 (19:00:00.000 EST Thu Dec 31 1899)
rcv time 00000000.00000000 (19:00:00.000 EST Thu Dec 31 1899)
xmt time AF3D10B4.CF1D141D (17:46:12.809 EST Mon Mar 1 1993)
filtdelay =     0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00
filtoffset =    0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00
filterror =  16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0

129.6.15.29 configured, insane, invalid, unsynced, stratum 16
ref ID 0.0.0.0, time 00000000.00000000 (19:00:00.000 EST Thu Dec 31 1899)
our mode client, peer mode unspec, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.00, reach 0, sync dist 0.000
delay 0.00 msec, offset 0.0000 msec, dispersion 16000.00
precision 2**5, version 3
org time 00000000.00000000 (19:00:00.000 EST Thu Dec 31 1899)
rcv time 00000000.00000000 (19:00:00.000 EST Thu Dec 31 1899)
xmt time AF3D109D.CF1BCBA3 (17:45:49.809 EST Mon Mar 1 1993)
filtdelay =     0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00
filtoffset =    0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00
filterror =  16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0

64.202.112.75 configured, insane, invalid, unsynced, stratum 16
ref ID 0.0.0.0, time 00000000.00000000 (19:00:00.000 EST Thu Dec 31 1899)
our mode client, peer mode unspec, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.00, reach 0, sync dist 0.000
delay 0.00 msec, offset 0.0000 msec, dispersion 16000.00
precision 2**5, version 3
org time 00000000.00000000 (19:00:00.000 EST Thu Dec 31 1899)
rcv time 00000000.00000000 (19:00:00.000 EST Thu Dec 31 1899)
xmt time AF3D10AF.CF1C685C (17:46:07.809 EST Mon Mar 1 1993)
filtdelay =     0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00
filtoffset =    0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00
filterror =  16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0

Lucien Avramov Tue, 09/22/2009 - 08:26

There are no defects on your IOS version regarding NTP; this should work.

None of your 3 ntp servers are synchronizing, which indicates that most likely the NTP protocol (UDP 123) is blocked somewhere between your router and your ISP.

Can you first remove "ip access-group Inbound in" from f0/0 and see if that makes any changes to NTP?

forumhealth Tue, 09/22/2009 - 08:41

I removed the inbound access list from f0/0, but there is no change. The clock is still not synchronizing. There are devices on the inside of the router which have been able to synchronize their clocks to 129.6.15.29, even with the access list in place.

Lucien Avramov Tue, 09/22/2009 - 09:15

The clock will not sync as NTP is not synced yet on the router.

Can you specify the outbound interface in your ntp statement?

ntp server x.x.x.x source INTERFACE

Also, what NTP version is used by the server? You can specify the version by adding the version keyword after the interface.

forumhealth Tue, 09/22/2009 - 10:57

I did as you suggested, but to no avail.

I have found the problem, however: "ip nat outside" is configured on the outward-facing interface f0/0, and there is a static nat mapping. Apparently, the incoming ntp packets were being translated to the inside address, thus bypassing the router management interface. Once I removed the "ip nat outside" statement, "debug ntp packets" shows the received packets from the ntp server, and the router has synced its clock. It seems that ntp and static nat are not compatible on the same interface. Static nat is a requirement for my application, so it appears that ntp will need to be sacrificed - not the worst thing that can happen.

Thank you for your assistance.

Cheers.

Correct Answer
Lucien Avramov Tue, 09/22/2009 - 16:09

Great.

Have you tried then to source the ntp from an interface on the router that is INSIDE and add this to your nat translation? That should do the trick.

forumhealth Wed, 09/23/2009 - 05:23

That worked like a charm. I also have dynamic nat overload configured, so all I had to do was source ntp from f0/1. I didn't know you could do that - I thought that it had to be sourced from the interface which faced the ntp server. I learned something new today.

Thanks.
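To make the NAT interaction described in the last few posts concrete, here is an added Python model, not from this thread or from Cisco, of how the router matches an inbound NTP reply against its translation table. The addresses are constructed and hypothetical (the original config redacts them), the static mapping is assumed to use the f0/0 address as its global address, and the model assumes the dynamic PAT entry is consulted before the static one-to-one mapping, which is what the outcome in the thread implies.

```python
from dataclasses import dataclass

# Constructed, hypothetical addresses: the original post redacts the real ones.
ROUTER_OUTSIDE = "203.0.113.10"   # f0/0, "ip nat outside", assumed static-NAT global address
ROUTER_INSIDE = "192.168.0.1"     # f0/1, "ip nat inside"
INSIDE_HOST = "192.168.0.50"      # local side of "ip nat inside source static"
NTP_SERVER = "129.6.15.29"        # one of the servers from the thread
NTP_PORT = 123


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    """Simplified inside-source NAT: one static one-to-one mapping plus PAT overload."""

    def __init__(self):
        self.static_global_to_local = {ROUTER_OUTSIDE: INSIDE_HOST}
        # (global_ip, global_port, remote_ip, remote_port) -> (local_ip, local_port)
        self.pat = {}

    def send(self, pkt: Packet) -> Packet:
        """Outbound via f0/0. Only sources matching access-list 1 (192.168.0.0/24) are translated."""
        if not pkt.src.startswith("192.168.0."):
            return pkt  # sourced from the outside interface itself: leaves untranslated
        key = (ROUTER_OUTSIDE, pkt.sport, pkt.dst, pkt.dport)  # source port preserved (simplification)
        self.pat[key] = (pkt.src, pkt.sport)
        return Packet(ROUTER_OUTSIDE, pkt.sport, pkt.dst, pkt.dport)

    def receive(self, pkt: Packet) -> str:
        """Inbound on f0/0. Returns the address that ends up owning the packet."""
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.pat:                          # dynamic PAT entry: full tuple match wins
            return self.pat[key][0]
        if pkt.dst in self.static_global_to_local:   # static mapping swallows everything else
            return self.static_global_to_local[pkt.dst]
        return pkt.dst                               # untranslated: router's own IP stack


def ntp_reply_destination(source_ip: str) -> str:
    """One NTP client exchange with the given "ntp server ... source" address."""
    router = NatRouter()
    query = router.send(Packet(source_ip, NTP_PORT, NTP_SERVER, NTP_PORT))
    reply = Packet(NTP_SERVER, NTP_PORT, query.src, query.sport)  # server answers what it saw
    return router.receive(reply)
```

Sourcing from f0/0 hands the reply to the static-NAT host, so the router's NTP process never sees it; sourcing from f0/1 creates a PAT entry that steers the reply back to the router.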

Lucien Avramov Tue, 09/22/2009 - 16:10

That's not the problem here.

None of the 3 ntp servers was getting synced; it's not a matter of preferring one of them.

When you prefer one of them, that means the time from this one will be syncing the clock if available. In this case none of the 3 was syncing, so prefer would not change anything.

The issue was NATing, as explained below.
