Making a 4507 an NTP server

Unanswered Question
Apr 19th, 2010

Hello all,

I'd like to make a 4507 the NTP server for our organization.  I figure it has the least amount of downtime of any server I would run NTP services on, doesn't get patched frequently like a traditional file server(so less downtime), and I don't plan on replacing it in the forseeable future.

I've put in a basic config, but it doesn't seem to be working(or at least my linux servers don't see it as an NTP server).

Here are the pertinant bits from the config:

interface Loopback99<br/> description ntp server address<br/> ip address<br/><br/>.....<br/><br/>ntp source Loopback99<br/>ntp server<br/>

The NTP server command points to a stratum one server at Penn State University.  I have the following config in my ASA to allow the loopback to poll the remote NTP server:

access-list Inside_access_in extended permit udp host any eq ntp
nat (Inside) 1

Any thoughts on what I'm missing or have configured incorrectly?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Joe Clarke Mon, 04/19/2010 - 08:37

First, make sure your 4507's clock is synced by looking at the "show ntp status" output.  If it is, add the "ntp master STRATUM" command where STRATUM is 2 or higher.

iancarder Mon, 04/19/2010 - 09:33


It doens't look like it's properly syncronized:

AD4507-MDF#sh ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
reference time is CF731BDF.C46E1D22 (17:24:47.767 UTC Fri Apr 16 2010)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.02 msec, peer dispersion is 0.02 msec

Collin Clark Mon, 04/19/2010 - 09:36

I would double check your firewall logs and make sure that A) you have hit counts on your ACL and B) check your logs to see if something is getting denied. You could also debug on your router, but that may not tell you much other than it's not seeing the time for the NTP server.

iancarder Mon, 04/19/2010 - 10:38

I'm not getting any hitcnt on that ACL(access-list Inside_access_in extended permit udp host any eq ntp).  I'll see if I can figure out if it's blocking anything.

iancarder Mon, 04/19/2010 - 11:19

There's nothing from the firewall debug logs that shows any ntp traffic from the 4507's loopback99 interface to the remote NTP server occuring.  There are no ACLs on the 4507 that would stop NTP traffic, so I'm at a loss here.  Does it seem like my basic NTP commands for the 4507 are correct?

Joe Clarke Mon, 04/19/2010 - 11:23

Yes, the commands look correct.  If you're not seeing any udp/123 traffic from the switch, perhaps there is a routing issue.  Do you have a route to the NTP server on the 4507?  You might want to enable "debug ntp sync" and see what messages you get while the switch tries to sync.

Collin Clark Mon, 04/19/2010 - 11:25

Config looks OK. Are there any denies on the ASA logs? Can the ASA pull time from the public NTP server?

Collin Clark Mon, 04/19/2010 - 11:25

Config looks OK. Are there any denies on the ASA logs? Can the ASA pull time from the public NTP server?


This Discussion