09-21-2009 12:21 PM - edited 03-06-2019 07:49 AM
2621 router running 12.2(46a). Configured a public NTP server, but the clock will not update. Wireshark shows the NTP packet going from the router to the NTP server and the reply back to the router. "Debug ntp packet" shows the packet sent, but no reply. "debug ntp event" and all other ntp debugs have no output. Partial config is attached below. (Tried to attach, but got server errors.)
interface FastEthernet0/0
 description NAT Outside
 ip address <removed>
 ip access-group Inbound in
 ip nat outside
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
 no fair-queue
!
interface FastEthernet0/1
 description NAT Inside
 ip address <removed>
 ip nat inside
 duplex auto
 speed auto
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static <removed> <removed>
ip classless
ip route 0.0.0.0 0.0.0.0 <removed>
no ip http server
!
!
ip access-list extended Inbound
 permit tcp any any established
 deny 53 any any
 deny 55 any any
 deny 77 any any
 deny pim any any
 deny ip 0.0.0.0 0.255.255.255 any
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 224.0.0.0 15.255.255.255 any
 deny ip 240.0.0.0 7.255.255.255 any
 deny ip host 0.0.0.0 any
 deny ip host 255.255.255.255 any
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any port-unreachable
 permit icmp any any echo
 permit icmp any any echo-reply
 deny icmp any any
 deny tcp any any eq telnet
 deny udp any any eq tftp
 deny tcp any any range 135 139
 deny udp any any range 135 netbios-ss
 deny tcp any any eq 445
 deny udp any any eq 445
 deny udp any any eq syslog
 deny udp any any eq snmp
 deny udp any any eq snmptrap
 permit ip any any
access-list 1 permit 192.168.0.0 0.0.0.255
no cdp run
!
dial-peer cor custom
!
!
!
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 login
!
ntp server 135.89.154.147
ntp server 129.6.15.29
ntp server 64.202.112.75
end
09-21-2009 02:44 PM
I don't know if it's a good idea to synchronize to your ISP's server (135.89.154.147, for example, belongs to AT&T). Why don't you try looking at the list from Microsoft (http://support.microsoft.com/kb/262680). You can choose from the list whether you want Stratum 1, 2 or 3. It's from this list that I synchronize my home time with.
Hope this helps.
09-21-2009 02:50 PM
We need to do some ntp troubleshooting as it seems not to work at all.
Post your "show ntp ass"
09-22-2009 05:12 AM
Hi Lucien,
Thanks for looking. Here is the output you requested, along with some other (perhaps helpful) information. The ntp server 129.6.15.29 is used successfully with other routers.
Regards,
Al Stiver
Output of "debug ntp events" (similar output for each of the configured ntp servers):
*Mar 1 17:09:33: NTP: xmit packet to 129.6.15.29:
*Mar 1 17:09:33: leap 3, mode 3, version 3, stratum 0, ppoll 64
*Mar 1 17:09:33: rtdel 0000 (0.000), rtdsp 10001 (1000.015), refid 00000000 (0.0.0.0)
*Mar 1 17:09:33: ref 00000000.00000000 (19:00:00.000 EST Thu Dec 31 1899)
*Mar 1 17:09:33: org 00000000.00000000 (19:00:00.000 EST Thu Dec 31 1899)
*Mar 1 17:09:33: rec 00000000.00000000 (19:00:00.000 EST Thu Dec 31 1899)
*Mar 1 17:09:33: xmt AF3D081D.CF2702B5 (17:09:33.809 EST Mon Mar 1 1993)
ohb-test-2621#sh ntp a
address ref clock st when poll reach delay offset disp
~135.89.154.147 0.0.0.0 16 - 64 0 0.0 0.00 16000.
~129.6.15.29 0.0.0.0 16 - 64 0 0.0 0.00 16000.
~64.202.112.75 0.0.0.0 16 - 64 0 0.0 0.00 16000.
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
ohb-test-2621#sh ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
reference time is 00000000.00000000 (19:00:00.000 EST Thu Dec 31 1899)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.00 msec, peer dispersion is 0.00 msec
And, for what it's worth:
ohb-test-2621#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IK9S-M), Version 12.2(46a), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2007 by cisco Systems, Inc.
Compiled Wed 11-Jul-07 20:22 by pwade
Image text-base: 0x8000808C, data-base: 0x812948AC
ROM: System Bootstrap, Version 12.2(10r)1, RELEASE SOFTWARE (fc1)
ohb-test-2621 uptime is 22 hours, 13 minutes
System returned to ROM by power-on
System image file is "flash:c2600-ik9s-mz.122-46a.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
cisco 2621 (MPC860) processor (revision 0x00) with 44032K/5120K bytes of memory.
Processor board ID JAD06400DKG (1397657735)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
2 FastEthernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
09-22-2009 05:42 AM
Additional information:
ohb-test-2621>sh ntp a detail
135.89.154.147 configured, insane, invalid, unsynced, stratum 16
ref ID 0.0.0.0, time 00000000.00000000 (19:00:00.000 EST Thu Dec 31 1899)
our mode client, peer mode unspec, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.00, reach 0, sync dist 0.000
delay 0.00 msec, offset 0.0000 msec, dispersion 16000.00
precision 2**5, version 3
org time 00000000.00000000 (19:00:00.000 EST Thu Dec 31 1899)
rcv time 00000000.00000000 (19:00:00.000 EST Thu Dec 31 1899)
xmt time AF3D10B4.CF1D141D (17:46:12.809 EST Mon Mar 1 1993)
filtdelay = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filtoffset = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filterror = 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0
129.6.15.29 configured, insane, invalid, unsynced, stratum 16
ref ID 0.0.0.0, time 00000000.00000000 (19:00:00.000 EST Thu Dec 31 1899)
our mode client, peer mode unspec, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.00, reach 0, sync dist 0.000
delay 0.00 msec, offset 0.0000 msec, dispersion 16000.00
precision 2**5, version 3
org time 00000000.00000000 (19:00:00.000 EST Thu Dec 31 1899)
rcv time 00000000.00000000 (19:00:00.000 EST Thu Dec 31 1899)
xmt time AF3D109D.CF1BCBA3 (17:45:49.809 EST Mon Mar 1 1993)
filtdelay = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filtoffset = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filterror = 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0
64.202.112.75 configured, insane, invalid, unsynced, stratum 16
ref ID 0.0.0.0, time 00000000.00000000 (19:00:00.000 EST Thu Dec 31 1899)
our mode client, peer mode unspec, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.00, reach 0, sync dist 0.000
delay 0.00 msec, offset 0.0000 msec, dispersion 16000.00
precision 2**5, version 3
org time 00000000.00000000 (19:00:00.000 EST Thu Dec 31 1899)
rcv time 00000000.00000000 (19:00:00.000 EST Thu Dec 31 1899)
xmt time AF3D10AF.CF1C685C (17:46:07.809 EST Mon Mar 1 1993)
filtdelay = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filtoffset = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filterror = 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0
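An added example, not part of the thread: a small parser for the `sh ntp a` table posted above that decodes the `reach` column, which is an 8-bit shift register printed in octal (0 means none of the last eight polls produced an accepted reply, 377 means all eight did). The first three peer lines are the output from the thread; the fourth peer (192.0.2.10, ref clock .GPS.) is a constructed healthy entry for contrast.

```python
import re

# First three peers: output posted in the thread.
# Fourth peer: constructed sample (documentation address), not from the thread.
SAMPLE = """\
address ref clock st when poll reach delay offset disp
~135.89.154.147 0.0.0.0 16 - 64 0 0.0 0.00 16000.
~129.6.15.29 0.0.0.0 16 - 64 0 0.0 0.00 16000.
~64.202.112.75 0.0.0.0 16 - 64 0 0.0 0.00 16000.
*~192.0.2.10 .GPS. 1 33 64 377 12.3 0.52 0.4
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
"""

# Optional status flags, peer address, ref clock, stratum, when, poll, reach.
PEER = re.compile(
    r"^\s*(?P<flags>[*#+\-~]*)(?P<addr>\d+\.\d+\.\d+\.\d+)\s+(?P<ref>\S+)\s+"
    r"(?P<st>\d+)\s+(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)\s")


def parse_associations(text):
    """Return one dict per peer line; header and legend lines are skipped."""
    peers = []
    for line in text.splitlines():
        m = PEER.match(line)
        if not m:
            continue
        reach = int(m["reach"], 8)  # the column is octal
        peers.append({
            "addr": m["addr"],
            "synced": "*" in m["flags"],
            "stratum": int(m["st"]),
            "reach": reach,
            "answered": bin(reach).count("1"),  # replies in the last 8 polls
        })
    return peers


def diagnose(peer):
    """Classify a peer from its reach register and stratum."""
    if peer["reach"] == 0:
        return "unreachable"  # replies never reach the NTP process
    if peer["stratum"] >= 16:
        return "unsynchronized"
    if not peer["reach"] & 1:  # bit 0 is the most recent poll
        return "last poll unanswered"
    return "ok"


if __name__ == "__main__":
    for p in parse_associations(SAMPLE):
        print(p["addr"], f'{p["answered"]}/8 polls answered:', diagnose(p))
```

A reach of 0 on every configured peer, while a capture shows replies arriving on the wire, points at something on the router dropping or redirecting the replies rather than at the servers.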
09-22-2009 08:26 AM
There are no defects on your IOS version regarding NTP, this should work.
None of your 3 NTP servers are synchronizing, which indicates that most likely the NTP protocol (UDP 123) is blocked somewhere between your router and your ISP.
Can you first remove:
ip access-group Inbound in
from f0/0 and see if that makes any changes to NTP?
09-22-2009 08:41 AM
I removed the inbound access list from f0/0, but there is no change. The clock is still not synchronizing. There are devices on the inside of the router which have been able to synchronize their clocks to 129.6.15.29, even with the access list in place.
09-22-2009 09:15 AM
The clock will not be synced as NTP is not synced yet on the router.
Can you specify the outbound interface in your ntp statement?
ntp server x.x.x.x source INTERFACE
Also, what NTP version is used by the server? You can specify the version by adding the version keyword after the interface.
09-22-2009 10:57 AM
I did as you suggested, but to no avail.
I have found the problem, however: "ip nat outside" is configured on the outward-facing interface f0/0, and there is a static NAT mapping. Apparently, the incoming NTP packets were being translated to the inside address, thus bypassing the router management interface. Once I removed the "ip nat outside" statement, debug ntp packets shows the received packets from the NTP server, and the router has synced its clock. It seems that NTP and static NAT are not compatible on the same interface. Static NAT is a requirement for my application, so it appears that NTP will need to be sacrificed - not the worst thing that can happen.
Thank you for your assistance.
Cheers.
09-22-2009 04:09 PM
Great.
Have you tried then to source the ntp from an interface on the router that is INSIDE and add this to your nat translation? That should do the trick.
09-23-2009 05:23 AM
That worked like a charm. I also have dynamic nat overload configured, so all I had to do was source ntp from f0/1. I didn't know you could do that - I thought that it had to be sourced from the interface which faced the ntp server. I learned something new today.
Thanks.
09-22-2009 04:03 PM
Try this:
ntp server 138.23.180.126 prefer
09-22-2009 04:10 PM
That's not the problem here.
Either one of the 3 NTP servers was getting synced, it's not a matter of preferring one of them.
When you prefer one of them, that means the time from this one will be syncing the clock if available. In this case neither of the 3 was syncing, so prefer would not change anything.
The issue was NATing as explained below.