Making a 4507 an NTP server

iancarder
Level 1

Hello all,

I'd like to make a 4507 the NTP server for our organization.  I figure it has the least amount of downtime of any server I would run NTP services on, doesn't get patched frequently like a traditional file server (so less downtime), and I don't plan on replacing it in the foreseeable future.

I've put in a basic config, but it doesn't seem to be working (or at least my linux servers don't see it as an NTP server).

Here are the pertinent bits from the config:

interface Loopback99
description ntp server address
ip address 192.168.199.99 255.255.255.255

.....

ntp source Loopback99
ntp server 128.118.46.3

The NTP server command points to a stratum one server at Penn State University.  I have the following config in my ASA to allow the loopback to poll the remote NTP server:

access-list Inside_access_in extended permit udp host 192.168.199.99 any eq ntp
nat (Inside) 1 192.168.199.99 255.255.255.255

Any thoughts on what I'm missing or have configured incorrectly?

9 Replies

Joe Clarke
Cisco Employee

First, make sure your 4507's clock is synced by looking at the "show ntp status" output.  If it is, add the "ntp master STRATUM" command where STRATUM is 2 or higher.

Collin Clark
VIP Alumni

Is the switch time synchronized with the public NTP server?

Joe/Collin,

It doesn't look like it's properly synchronized:

AD4507-MDF#sh ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
reference time is CF731BDF.C46E1D22 (17:24:47.767 UTC Fri Apr 16 2010)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.02 msec, peer dispersion is 0.02 msec
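As an added illustration (not code from this thread or from Cisco), here is a small Python NTP client that decodes what a server advertises in its reply, which shows why a Linux client will not accept the switch while it reports "unsynchronized, stratum 16" (LI=3) but will once it has synced to 128.118.46.3 and `ntp master` is set. The two sample replies are constructed, and `query()` assumes UDP/123 reachability to the host you pass in.

```python
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)
NTP_FORMAT = "!BBBbIIIQQQQ"    # 48-byte NTPv4 header layout (RFC 5905)

def build_client_request():
    """Mode-3 (client) packet; only the transmit timestamp is filled in."""
    first = (0 << 6) | (4 << 3) | 3  # LI=0, VN=4, Mode=3
    now = time.time() + NTP_EPOCH_OFFSET
    tx = (int(now) << 32) | int((now % 1) * 2**32)
    return struct.pack(NTP_FORMAT, first, 0, 0, 0, 0, 0, 0, 0, 0, 0, tx)

def parse_reply(data):
    """Decode a server reply and decide whether an NTP client would accept it."""
    if len(data) < 48:
        raise ValueError("truncated NTP packet")
    (first, stratum, _poll, _prec, _rdelay, _rdisp, ref_id,
     _ref_ts, _orig_ts, _recv_ts, tx_ts) = struct.unpack(NTP_FORMAT, data[:48])
    li, version, mode = first >> 6, (first >> 3) & 7, first & 7
    if stratum <= 1:
        # stratum 0 (kiss-o'-death) and stratum 1 carry a 4-char ASCII code (GPS, RATE, ...)
        ref = ref_id.to_bytes(4, "big").decode("ascii", "replace").strip("\x00 ")
    else:
        # stratum 2+ carries the IPv4 address of the upstream server it synced to
        ref = socket.inet_ntoa(ref_id.to_bytes(4, "big"))
    tx_unix = (tx_ts >> 32) - NTP_EPOCH_OFFSET + (tx_ts & 0xFFFFFFFF) / 2**32
    # ntpd and chrony discard replies with LI=3 (clock not synchronized) or a
    # stratum outside 1..15: exactly the "unsynchronized, stratum 16" state above
    usable = mode == 4 and li != 3 and 1 <= stratum <= 15
    return {"li": li, "version": version, "mode": mode, "stratum": stratum,
            "ref_id": ref, "tx_unix": tx_unix, "usable": usable}

def query(host, timeout=2.0):
    """Send one request to host:123 and parse the reply (needs UDP/123 reachability)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_client_request(), (host, 123))
        return parse_reply(s.recv(1024))

# Constructed sample replies (not captured from the devices in this thread).
# 1) the switch while "Clock is unsynchronized, stratum 16": LI=3, zero reference ID
UNSYNCED_REPLY = struct.pack(NTP_FORMAT, (3 << 6) | (4 << 3) | 4, 16, 6, -18,
                             0, 0, 0, 0, 0, 0, 0xCF731BDFC46E1D22)
# 2) the same switch after syncing to 128.118.46.3 and running "ntp master 2"
SYNCED_REPLY = struct.pack(NTP_FORMAT, (0 << 6) | (4 << 3) | 4, 2, 6, -18, 0, 0,
                           int.from_bytes(socket.inet_aton("128.118.46.3"), "big"),
                           0, 0, 0, 0xCF731BDFC46E1D22)
```

Running `parse_reply(query("192.168.199.99"))` from one of the Linux servers tells you directly whether the loopback answers at all and, if it does, whether the reply is one a client will use.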

I would double check your firewall logs and make sure that A) you have hit counts on your ACL and B) check your logs to see if something is getting denied. You could also debug on your router, but that may not tell you much other than it's not seeing the time for the NTP server.

I'm not getting any hitcnt on that ACL (access-list Inside_access_in extended permit udp host 192.168.199.99 any eq ntp).  I'll see if I can figure out if it's blocking anything.

There's nothing from the firewall debug logs that shows any ntp traffic from the 4507's loopback99 interface to the remote NTP server occurring.  There are no ACLs on the 4507 that would stop NTP traffic, so I'm at a loss here.  Does it seem like my basic NTP commands for the 4507 are correct?

Yes, the commands look correct.  If you're not seeing any udp/123 traffic from the switch, perhaps there is a routing issue.  Do you have a route to the NTP server on the 4507?  You might want to enable "debug ntp sync" and see what messages you get while the switch tries to sync.

Config looks OK. Are there any denies on the ASA logs? Can the ASA pull time from the public NTP server?