NTP Peer Authentication

johnlloyd_13
Level 9

Hi all,

I've tried configuring and simulating authentication for NTP in GNS3, but I don't see the peer getting authenticated. Please see the configs below and the show ntp associations detail output on Router2. Thanks in advance!

Router1#sh run | i ntp
ntp authentication-key 1 md5 094F471A1A0A464058 7
ntp authenticate
ntp trusted-key 1
ntp master 1

Router2#sh run | i ntp
ntp authentication-key 1 md5 104D000A061843595F 7
ntp authenticate
ntp trusted-key 1
ntp clock-period 17179953
ntp server 10.10.10.1

Router2#sh ntp asso det
10.10.10.1 configured, our_master, sane, valid, stratum 1
ref ID .LOCL., time D33081A1.6A66B000 (22:18:09.415 UTC Wed Apr 11 2012)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.03, reach 377, sync dist 99.045
delay 148.32 msec, offset 14.2696 msec, dispersion 24.86
precision 2**18, version 3
org time D33081B5.B62B4D30 (22:18:29.711 UTC Wed Apr 11 2012)
rcv time D33081B5.D060C657 (22:18:29.813 UTC Wed Apr 11 2012)
xmt time D33081B5.A345CF8A (22:18:29.637 UTC Wed Apr 11 2012)
filtdelay =   176.18  148.32  188.19  280.04  200.01  172.16  171.97  140.00
filtoffset =  -14.28   14.27   -7.48   28.80   22.93   31.13   49.10   37.31
filterror =     0.02    0.99    1.97    2.94    3.92    4.90    5.87    7.83


Hi John,

Since you work in GNS3, you can easily troubleshoot your topology by running the relevant NTP debug commands and checking for, e.g., NTP auth failures.

You can find below the most useful NTP commands that can help you to isolate the problem:

debug ntp packet (NTP packet)
To view the actual NTP packets and their various parameters.

debug ntp authentication (NTP authentication debug)
To show what authentication key ID is being used during NTP authentication.

debug ntp events (NTP events)
To show system NTP events like the following: System Restart, System Fault, Synchronization Change, Peer Stratum Change, Clock Reset, Bad Date/Time, Clock Exception. Also peer NTP events like these: IP Error, Authentication Failure, Peer Unreachable, Peer Reachable, Peer Clock.

Finally, did you set the system clock on your NTP server first? The software clock must have been set from some source, including manual setting, before "ntp master". You can use the following command:

clock set hh:mm:ss date month year

Hope that helps!

Vasilis

Hi Vasilis,

I've tried to manually set the clock on Router1 and ran some debugs on Router2, but I still can't see Router2 being authenticated. I'm running two 7200s joined together. Any ideas?

Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 12.4(2)T, RELEASE SOFTWARE (fc1)

Router1#clock set 06:48:00 12 Apr 2012

Router2#
.Apr 12 06:51:50.608: NTP: xmit packet to 10.10.10.1:
.Apr 12 06:51:50.608:  leap 3, mode 3, version 3, stratum 0, ppoll 64
.Apr 12 06:51:50.608:  rtdel 3F7A (247.955), rtdsp 4216A5 (66088.455), refid 0A0A0A01 (10.10.10.1)
.Apr 12 06:51:50.612:  ref D330F9F8.11CC31CE (06:51:36.069 UTC Thu Apr 12 2012)
.Apr 12 06:51:50.612:  org 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
.Apr 12 06:51:50.612:  rec 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
.Apr 12 06:51:50.612:  xmt D330FA06.9BC82ED2 (06:51:50.608 UTC Thu Apr 12 2012)
.Apr 12 06:51:50.836: NTP: rcv packet from 10.10.10.1 to 10.10.10.2 on FastEthernet1/0:
.Apr 12 06:51:50.836:  leap 0, mode 4, version 3, stratum 1, ppoll 64
.Apr 12 06:51:50.840:  rtdel 0000 (0.000), rtdsp 0002 (0.031), refid 4C4F434C (76.79.67.76)
.Apr 12 06:51:50.840:  ref D330F9FE.23D80AFD (06:51:42.140 UTC Thu Apr 12 2012)
.Apr 12 06:51:50.840:  org D330FA06.9BC82ED2 (06:51:50.608 UTC Thu Apr 12 2012)
.Apr 12 06:51:50.844:  rec D330FA06.B74ABBE4 (06:51:50.715 UTC Thu Apr 12 2012)
.Apr 12 06:51:50.844:  xmt D330FA06.B74ABBE4 (06:51:50.715 UTC Thu Apr 12 2012)
.Apr 12 06:51:50.844:  inp D330FA06.D6247EF7 (06:51:50.836 UTC Thu Apr 12 2012)
Apr 12 06:51:50.848: NTP: 10.10.10.1 synced to new peer
Apr 12 06:51:50.848: NTP: sync change
Apr 12 06:51:50.848: NTP: peer stratum change
Apr 12 06:51:50.852: NTP: 10.10.10.1 reachable

Router2#sh ntp ass det | i 10.10.10.1
10.10.10.1 configured, our_master, sane, valid, stratum 1    <<< I SHOULD SEE "AUTHENTICATED" HERE

10.10.10.1 configured, our_master, sane, valid, stratum 1

Correct me if I'm wrong here but isn't "sane" and "valid" a good thing?

Hey Leo,

Yes, that's normal. I'm actually trying to simulate what I read in CCNA Security regarding NTP, but I'm not getting the same results. Please see the snapshot below.

Please add "key 1" to the "ntp server X.X.X.X" command on R2 as highlighted below.

Router2#sh run | i ntp
ntp authentication-key 1 md5 104D000A061843595F 7
ntp authenticate
ntp trusted-key 1
ntp server 10.10.10.1 key 1

That should help authenticate the server (please note that in the case of NTP, the client authenticates the server). Hence we have to mention the key.

Please let me know if this helps. Thanks.
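As an added illustration, not part of the thread or of IOS, here is the check that "key 1" switches on, modelled on the NTP symmetric-key MAC (RFC 5905 section 7.3): the server appends key ID plus MD5(key || header), and the client recomputes it against its own key table and trusted-key set. Key values, timestamps and function names are constructed for the example.

```python
import hashlib
import hmac
import struct

# NTP symmetric-key authentication (RFC 5905 section 7.3): the sender appends
# key ID (4 bytes) || MD5(key || 48-byte NTP header) to the header. This is the
# "md5" key type shown in the thread's "ntp authentication-key 1 md5 ..." lines.
HEADER_LEN = 48
MAC_LEN = 4 + 16

# Constructed key table (key ID -> secret) and trusted-key set; these play the
# role of "ntp authentication-key" and "ntp trusted-key" on the client.
KEYS = {1: b"constructed-secret-1", 2: b"constructed-secret-2"}
TRUSTED = {1}


def build_header(li=0, vn=3, mode=4, stratum=1, poll=6, precision=-18,
                 refid=b"LOCL", xmt=0x0):
    """Build a 48-byte NTP header; defaults mimic the stratum-1 server (mode 4)
    reply with refid LOCL seen in the thread. All timestamps are constructed."""
    first = (li << 6) | (vn << 3) | mode
    return (struct.pack("!BBbb", first, stratum, poll, precision)
            + struct.pack("!II", 0, 0)             # root delay, root dispersion
            + refid.ljust(4, b"\0")
            + struct.pack("!QQQQ", 0, 0, 0, xmt))  # ref, org, rec, xmt timestamps


def sign(header, key_id):
    """Server side: append the MAC for key_id (what "key 1" makes the peers use)."""
    digest = hashlib.md5(KEYS[key_id] + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet):
    """Client side: the client authenticates the server reply.
    'unauthenticated' = no MAC at all (the OP's first attempt: sane/valid but
    not authenticated); 'bad' = unknown or untrusted key ID, or digest mismatch
    (an NTP auth failure); 'authenticated' = MAC checks out."""
    if len(packet) == HEADER_LEN:
        return "unauthenticated"
    if len(packet) != HEADER_LEN + MAC_LEN:
        return "bad"
    header = packet[:HEADER_LEN]
    key_id = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + 4])[0]
    digest = packet[HEADER_LEN + 4:]
    if key_id not in TRUSTED or key_id not in KEYS:
        return "bad"
    expected = hashlib.md5(KEYS[key_id] + header).digest()
    return "authenticated" if hmac.compare_digest(expected, digest) else "bad"
```

A reply signed with a key that is configured but not in the trusted set is rejected, which is why both "ntp trusted-key" and the "key" option on "ntp server" are needed.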

Hi,

I'll try out what you've suggested and let you know the results. Thanks!

Sent from Cisco Technical Support iPhone App

Hi Nandan,

Got it working, man! You're awesome! Thanks!

Router2#sh ntp assoc det
10.10.10.1 configured, authenticated, our_master, sane, valid, stratum 1
ref ID .LOCL., time D3343226.9060FCB4 (17:28:06.563 UTC Sat Apr 14 2012)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.03, reach 3, sync dist 7897.003
delay 39.92 msec, offset 4.0285 msec, dispersion 7877.01
precision 2**18, version 3
org time D3343228.4BCD54D0 (17:28:08.296 UTC Sat Apr 14 2012)
rcv time D3343228.4FE16FF0 (17:28:08.312 UTC Sat Apr 14 2012)
xmt time D3343228.45A133DE (17:28:08.271 UTC Sat Apr 14 2012)
filtdelay =    39.92   47.91    0.00    0.00    0.00    0.00    0.00    0.00
filtoffset =    4.03    0.03    0.00    0.00    0.00    0.00    0.00    0.00
filterror =     0.02    0.03 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0
