NTP Peer Authentication

Apr 11th, 2012

hi all,

I've tried configuring and simulating authentication for NTP in GNS3, but I don't see the peer getting authenticated. Please see the configs below and the show ntp associations detail output on Router2. Thanks in advance!

Router1#sh run | i ntp

ntp authentication-key 1 md5 094F471A1A0A464058 7

ntp authenticate

ntp trusted-key 1

ntp master 1

Router2#sh run | i ntp

ntp authentication-key 1 md5 104D000A061843595F 7

ntp authenticate

ntp trusted-key 1

ntp clock-period 17179953

ntp server 10.10.10.1

Router2#sh ntp asso det

10.10.10.1 configured, our_master, sane, valid, stratum 1

ref ID .LOCL., time D33081A1.6A66B000 (22:18:09.415 UTC Wed Apr 11 2012)

our mode client, peer mode server, our poll intvl 64, peer poll intvl 64

root delay 0.00 msec, root disp 0.03, reach 377, sync dist 99.045

delay 148.32 msec, offset 14.2696 msec, dispersion 24.86

precision 2**18, version 3

org time D33081B5.B62B4D30 (22:18:29.711 UTC Wed Apr 11 2012)

rcv time D33081B5.D060C657 (22:18:29.813 UTC Wed Apr 11 2012)

xmt time D33081B5.A345CF8A (22:18:29.637 UTC Wed Apr 11 2012)

filtdelay =   176.18  148.32  188.19  280.04  200.01  172.16  171.97  140.00

filtoffset =  -14.28   14.27   -7.48   28.80   22.93   31.13   49.10   37.31

filterror =     0.02    0.99    1.97    2.94    3.92    4.90    5.87    7.83

Vasileios Bouloukos Wed, 04/11/2012 - 15:10

Hi John,

Since you work in GNS you can easily troubleshoot your topology by running the relevant NTP debug commands and check e.g. ntp auth failure etc.

You can find below the most useful NTP commands that can help you to isolate the problem


debug ntp packet (NTP packet)

To view actual NTP packet and various parameters


debug ntp authentication (NTP authentication debug)

To show what authentication key ID is being used during NTP authentication.


debug ntp events (NTP events)

To show system NTP events like the following: System Restart, System Fault, Synchronization Change, Peer Stratum Change, Clock Reset, Bad Date/Time, Clock Exception. Also peer NTP events like these: IP Error, Authentication Failure, Peer Unreachable, Peer Reachable, Peer Clock.

Finally, did you set the system clock on your NTP server first? The software clock must have been set from some source, including manual setting, before the ntp master. You can use the following command

clock set hh:mm:ss date month year

Hope that helps!

Vasilis

johnlloyd_13 Wed, 04/11/2012 - 16:11

hi vasilis,

I've tried to manually set the clock on Router1 and ran some debugs on Router2, but I still can't see Router2 being authenticated. I'm running two 7200s joined together. Any ideas?

Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 12.4(2)T, RELEASE SOFTWARE (fc1)

Router1#clock set 06:48:00 12 Apr 2012

Router2#

.Apr 12 06:51:50.608: NTP: xmit packet to 10.10.10.1:

.Apr 12 06:51:50.608:  leap 3, mode 3, version 3, stratum 0, ppoll 64

.Apr 12 06:51:50.608:  rtdel 3F7A (247.955), rtdsp 4216A5 (66088.455), refid 0A0A0A01 (10.10.10.1)

.Apr 12 06:51:50.612:  ref D330F9F8.11CC31CE (06:51:36.069 UTC Thu Apr 12 2012)

.Apr 12 06:51:50.612:  org 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)

.Apr 12 06:51:50.612:  rec 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)

.Apr 12 06:51:50.612:  xmt D330FA06.9BC82ED2 (06:51:50.608 UTC Thu Apr 12 2012)

.Apr 12 06:51:50.836: NTP: rcv packet from 10.10.10.1 to 10.10.10.2 on FastEthernet1/0:

.Apr 12 06:51:50.836:  leap 0, mode 4, version 3, stratum 1, ppoll 64

.Apr 12 06:51:50.840:  rtdel 0000 (0.000), rtdsp 0002 (0.031), refid 4C4F434C (76.79.67.76)

.Apr 12 06:51:50.840:  ref D330F9FE.23D80AFD (06:51:42.140 UTC Thu Apr 12 2012)

.Apr 12 06:51:50.840:  org D330FA06.9BC82ED2 (06:51:50.608 UTC Thu Apr 12 2012)

.Apr 12 06:51:50.844:  rec D330FA06.B74ABBE4 (06:51:50.715 UTC Thu Apr 12 2012)

.Apr 12 06:51:50.844:  xmt D330FA06.B74ABBE4 (06:51:50.715 UTC Thu Apr 12 2012)

.Apr 12 06:51:50.844:  inp D330FA06.D6247EF7 (06:51:50.836 UTC Thu Apr 12 2012)

Apr 12 06:51:50.848: NTP: 10.10.10.1 synced to new peer

Apr 12 06:51:50.848: NTP: sync change

Apr 12 06:51:50.848: NTP: peer stratum change

Apr 12 06:51:50.852: NTP: 10.10.10.1 reachable

Router2#sh ntp ass det | i 10.10.10.1

10.10.10.1 configured, our_master, sane, valid, stratum 1    <<< I SHOULD SEE "AUTHENTICATED" HERE

Leo Laohoo Wed, 04/11/2012 - 16:15
10.10.10.1 configured, our_master, sane, valid, stratum 1

Correct me if I'm wrong here but isn't "sane" and "valid" a good thing?

johnlloyd_13 Wed, 04/11/2012 - 16:39

hey leo,

Yes, that's normal. I'm actually trying to simulate what I read in CCNA Security regarding NTP, but I'm not getting the same results. Please see the snapshot below.

Correct Answer
Nandan Mathure Fri, 04/13/2012 - 07:28

Please add "key 1" to the "ntp server X.X.X.X" command on R2 as highlighted below.

Router2#sh run | i ntp

ntp authentication-key 1 md5 104D000A061843595F 7

ntp authenticate

ntp trusted-key 1

ntp server 10.10.10.1 key 1

That should help authenticate the server (please note that in the case of NTP, the client authenticates the server). Hence we have to mention the key.

Please let me know if this helps. Thanks.
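What `key 1` on the `ntp server` line actually changes on the wire is worth seeing, so here is an added example (not IOS code and not from the thread) modelling the symmetric-key MD5 authentication that the fix above turns on. Per RFC 5905 the client appends a 20-byte MAC to the 48-byte header: a 4-byte key ID followed by MD5 over key || header (plain keyed MD5, not HMAC). A peer configured with `ntp authenticate` and `ntp trusted-key` accepts the MAC only if the key ID is in its trusted set and the digest matches; in this model the server answers an authenticated request with a MAC under the same key ID, which is what lets the client mark the association "authenticated". The shared secret is a placeholder assumption: the thread only shows the type-7 obfuscated key string, never the plaintext.

```python
"""NTP symmetric-key (MD5) authentication, modelled on the thread's fix.

Added example, not IOS code. Packet layout and MAC per RFC 5905; the server's
"answer in kind" behaviour and the verdict strings are this model's own.
"""
import hashlib
import hmac
import struct
import time

HEADER_LEN = 48
MAC_LEN = 4 + 16                       # key ID + MD5 digest
NTP_EPOCH_OFFSET = 2_208_988_800       # seconds from 1900-01-01 to 1970-01-01
SHARED_SECRET = b"ntp-shared-secret"   # assumed; the page never reveals the real key


def ntp_now() -> int:
    """Current time as a 64-bit NTP timestamp (seconds since 1900 << 32 | fraction)."""
    t = time.time()
    secs = int(t) + NTP_EPOCH_OFFSET
    frac = int((t - int(t)) * (1 << 32))
    return (secs << 32) | frac


def build_header(li, vn, mode, stratum=0, poll=6, precision=-18,
                 refid=b"\x00" * 4, ref=0, org=0, rec=0, xmt=0) -> bytes:
    """48-byte NTP header. LI/VN/mode share the first byte, as in the debug output
    ('leap 3, mode 3, version 3' is the client's request, 'leap 0, mode 4' the reply)."""
    first = (li << 6) | (vn << 3) | mode
    return struct.pack("!BBbbII4sQQQQ", first, stratum, poll, precision,
                       0, 0, refid, ref, org, rec, xmt)


def append_mac(header: bytes, key_id: int, key: bytes) -> bytes:
    """Symmetric-key NTP MAC: key ID, then MD5 over key || header (not HMAC)."""
    return header + struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def verify_mac(packet: bytes, trusted_keys: dict) -> str:
    """Classify a received packet the way a peer with `ntp authenticate` +
    `ntp trusted-key` would: only a MAC made with a trusted key ID counts."""
    if len(packet) == HEADER_LEN:
        return "unauthenticated"           # no MAC at all (the thread's original state)
    if len(packet) != HEADER_LEN + MAC_LEN:
        return "bad length"
    header, key_id = packet[:HEADER_LEN], struct.unpack("!I", packet[48:52])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return "untrusted key id"          # key ID missing from `ntp trusted-key`
    expected = hashlib.md5(key + header).digest()
    return "authenticated" if hmac.compare_digest(expected, packet[52:]) else "bad digest"


def exchange(client_key_id, client_keys, server_keys):
    """One client/server round trip. Returns (server verdict on the request,
    client verdict on the reply); the reply verdict is None when the server drops
    the request. Each keys dict maps key ID -> secret, i.e. that side's trusted keys."""
    request = build_header(li=3, vn=3, mode=3, xmt=ntp_now())
    if client_key_id is not None:                        # `ntp server ... key N`
        request = append_mac(request, client_key_id, client_keys[client_key_id])

    server_verdict = verify_mac(request, server_keys)
    if server_verdict not in ("authenticated", "unauthenticated"):
        return server_verdict, None                      # bad MAC: server drops it

    now = ntp_now()
    reply = build_header(li=0, vn=3, mode=4, stratum=1, refid=b"LOCL",
                         ref=now, org=struct.unpack("!Q", request[40:48])[0],
                         rec=now, xmt=now)
    if server_verdict == "authenticated":                # answer in kind, same key ID
        key_id = struct.unpack("!I", request[48:52])[0]
        reply = append_mac(reply, key_id, server_keys[key_id])
    return server_verdict, verify_mac(reply, client_keys)


def tampered(packet: bytes) -> bytes:
    """Flip a bit in the stratum byte, as an on-path attacker altering time data might."""
    return packet[:1] + bytes([packet[1] ^ 0x01]) + packet[2:]


if __name__ == "__main__":
    keys = {1: SHARED_SECRET}
    print("no 'key 1' on ntp server line :", exchange(None, keys, keys))
    print("key 1 on both routers         :", exchange(1, keys, keys))
    print("key 1 string mismatch         :", exchange(1, {1: b"other"}, keys))
    print("key 2 not trusted by server   :", exchange(2, {2: SHARED_SECRET}, keys))
```

The first case is the original post: both routers had the key and `ntp authenticate`, but without `key 1` on the client's `ntp server` line no MAC was ever sent, so the reply carried none either and the association was sane and valid but never "authenticated". The last two cases show why the key ID and the key string both have to match on both sides, and `tampered()` shows the MAC catching a modified packet.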

johnlloyd_13 Fri, 04/13/2012 - 07:43

Hi,

I'll try out what you've suggested and let you know the results. Thanks!

Sent from Cisco Technical Support iPhone App

johnlloyd_13 Sat, 04/14/2012 - 02:31

hi nandan,

got it working man! you're awesome! thanks!

Router2#sh ntp assoc det

10.10.10.1 configured, authenticated, our_master, sane, valid, stratum 1

ref ID .LOCL., time D3343226.9060FCB4 (17:28:06.563 UTC Sat Apr 14 2012)

our mode client, peer mode server, our poll intvl 64, peer poll intvl 64

root delay 0.00 msec, root disp 0.03, reach 3, sync dist 7897.003

delay 39.92 msec, offset 4.0285 msec, dispersion 7877.01

precision 2**18, version 3

org time D3343228.4BCD54D0 (17:28:08.296 UTC Sat Apr 14 2012)

rcv time D3343228.4FE16FF0 (17:28:08.312 UTC Sat Apr 14 2012)

xmt time D3343228.45A133DE (17:28:08.271 UTC Sat Apr 14 2012)

filtdelay =    39.92   47.91    0.00    0.00    0.00    0.00    0.00    0.00

filtoffset =    4.03    0.03    0.00    0.00    0.00    0.00    0.00    0.00

filterror =     0.02    0.03 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0
