Re: Cannot synchronize time with Cisco IOS router set as NTP mas - Page 2

zheka_pefti · ‎08-22-2009

Hi folks!

Don't know if this is right section of NetPro forum to bring up my problem.

I have 871 router configured as NTP master. It works as a gateway for a small windows network with a domain controller. I want DC to pull the time from the router and configured the router as follows:

Router:

ntp source Vlan1

ntp access-group peer 11

ntp access-group serve 1

access-list 1 permit 192.168.1.0 0.0.0.255

access-list 11 permit 128.249.1.1

access-list 11 permit 192.5.41.41

ntp master

ntp server 128.249.1.1

ntp server 192.5.41.41 prefer

interface Vlan1

description Internal User's segment

ip address 192.168.1.1 255.255.255.0

ip access-group vl1-in in

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

ip inspect FW in

ip virtual-reassembly

ip tcp adjust-mss 1452

ip access-list extended vl1-in

permit tcp host 192.168.1.10 any eq smtp

deny tcp 192.168.1.0 0.0.0.255 any eq smtp

permit ip any any

Domain Controller is configured according to Microsoft recommendations and I believe they are correct. This is what happens when DC starts synching with the router (I debugged NTP on the router)

174073: Aug 22 18:53:29.348: NTP message received from 192.168.1.10 on interface 'Vlan1' (192.168.1.1).

174074: Aug 22 18:53:29.348: NTP Core(DEBUG): ntp_receive: message received

174075: Aug 22 18:53:29.348: NTP Core(DEBUG): ntp_receive: peer is 0x00000000, next action is 5.

174076: Aug 22 18:53:29.348: NTP Core (NOTICE): ntp_receive: dropping message: AM_NEWPASS, auth error..

My question is what kind of authentication should I configure on the router?

Kindly and hopefully

Eugene

zheka_pefti · ‎08-29-2009

Hi!

I really appreciate your attempt to help. Thanks a lot!

I've removed access-lists for NTP configuration, this how it looks now:

ntp logging

ntp source FastEthernet4

ntp access-group peer 11

ntp server 128.249.1.1

ntp server 192.5.41.41 prefer

access-list 11 permit 128.249.1.1

access-list 11 permit 192.5.41.41

And this is an access-list applied to vlan1 interface:

ip access-list extended vl1-in

permit tcp host 192.168.1.10 any eq smtp

deny tcp 192.168.1.0 0.0.0.255 any eq smtp

permit ip any any

After manually having Windows box resync its time with the router I see the following messages while debugging NTP:

GIBSGW#

011378: Aug 30 01:32:48.599: NTP message received from 192.168.1.10 on interface 'Vlan1' (192.168.1.1).

011379: Aug 30 01:32:48.599: NTP Core(DEBUG): ntp_receive: message received

011380: Aug 30 01:32:48.599: NTP Core (NOTICE): ntp_receive: dropping message: restricted..

GIBSGW#

And 192.168.1.1 is the router's IP address and it is reachable from DC (192.168.1.10), see the above access-list.

Eugene

srue · ‎08-31-2009

can you install wireshark on the server and just capture the ntp packets then post here?

Richard Burts · ‎08-31-2009

Eugene

I suggest that you also remove this line from your config:

ntp access-group peer 11

I had a similar experience where I had one of the ntp access lists (peer and serve-only) but not the other. It seems that IOS implementation of NTP works best if both access lists are used or if no access list is used.

HTH

Rick

HTH

Rick

zheka_pefti · ‎08-31-2009

Well, I removed the line "ntp access-group peer 11" with the corresponding access-list. To my great suprise the Windows box was able to sync time with the router but it happened only once. All subsequent attempt to synchronize time failed again.

I'm attaching the capture done on this Windows box.

Strange enough "show ntp association" gives the following output:

GIBSGW#sh ntp assoc

address ref clock st when poll reach delay offset disp

+~128.249.1.1 129.7.1.66 2 58 128 377 0.000 -10.388 11.325

192.168.1.10 .INIT. 16 - 32768 0 0.000 0.000 15937.

*~192.5.41.41 .USNO. 1 10 128 377 0.000 -4.852 6.113

* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

Looks like NTP client got stuck in INIT process.

And ntp debug now shows different:

039820: Sep 1 01:50:19.081: NTP message received from 192.168.1.10 on interface 'Vlan1' (192.168.1.1).

039821: Sep 1 01:50:19.081: NTP Core(DEBUG): ntp_receive: message received

039822: Sep 1 01:50:19.081: NTP Core(DEBUG): ntp_receive: peer is 0x833A8050, next action is 1.

039823: Sep 1 01:50:19.081: NTP Core (NOTICE): ntp_receive: dropping message: unsynch.

Now it is a pure access issue. Starting to pull my hair....

Richard Burts · ‎09-01-2009

Eugene

It might be helpful if you would post the output of show ntp association detail

HTH

Rick

HTH

Rick

zheka_pefti · ‎09-01-2009

Hi Rick,

Here it is, for me messages about NTP client being insane look very weird. What I noticed is that when I remove "ntp master" entry and then add it again the windows box sync its time with the router and then all subsequent attempts fail.

GIBSGW#sh ntp assoc detail

127.127.1.1 configured, insane, invalid, stratum 7

ref ID .LOCL., time CE4881B2.33E9474D (22:31:30.202 PDT Tue Sep 1 2009)

our mode active, peer mode passive, our poll intvl 16, peer poll intvl 16

root delay 0.00 msec, root disp 0.00, reach 377, sync dist 0.00

delay 0.00 msec, offset 0.0000 msec, dispersion 0.25

precision 2**16, version 4

org time CE4881B2.33E9474D (22:31:30.202 PDT Tue Sep 1 2009)

rec time CE4881B2.33E9DE4C (22:31:30.202 PDT Tue Sep 1 2009)

xmt time CE4881B2.33E8E2A4 (22:31:30.202 PDT Tue Sep 1 2009)

filtdelay = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00

filtoffset = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00

filterror = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00

minpoll = 4, maxpoll = 4

192.168.1.10 configured, insane, invalid, stratum 3

ref ID 192.168.1.1 , time CE48800C.561092F5 (22:24:28.336 PDT Tue Sep 1 2009)

our mode active, peer mode active, our poll intvl 512, peer poll intvl 1024

root delay 0.12 msec, root disp 66.52, reach 377, sync dist 0.27

delay 0.00 msec, offset 3.1615 msec, dispersion 20.54

precision 2**6, version 4

org time CE4881A5.EDCAC083 (22:31:17.928 PDT Tue Sep 1 2009)

rec time CE4881A5.EB8F689A (22:31:17.920 PDT Tue Sep 1 2009)

xmt time CE48800C.52A3231C (22:24:28.322 PDT Tue Sep 1 2009)

filtdelay = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00

filtoffset = 0.00 0.00 -0.00 0.00 0.00 0.00 -0.00 0.00

filterror = 0.01 0.02 0.02 0.02 0.03 0.03 0.03 0.04

minpoll = 6, maxpoll = 10

192.168.1.10 dynamic, insane, invalid, unsynced, stratum 16

ref ID .INIT., time 00000000.00000000 (16:00:00.000 PST Wed Dec 31 1899)

our mode passive, peer mode unspec, our poll intvl 32768, peer poll intvl 131072

root delay 0.00 msec, root disp 0.00, reach 0, sync dist 15.98

delay 0.00 msec, offset 0.0000 msec, dispersion 15937.50

precision 2**16, version 3

org time CE472519.27020C49 (21:44:09.152 PDT Mon Aug 31 2009)

rec time CE472518.772BFF01 (21:44:08.465 PDT Mon Aug 31 2009)

xmt time CE48764A.08C9296C (21:42:50.034 PDT Tue Sep 1 2009)

filtdelay = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00

filtoffset = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00

filterror = 16.00 16.00 16.00 16.00 16.00 16.00 16.00 16.00

minpoll = 15, maxpoll = 17

192.5.41.41 configured, our_master, sane, valid, stratum 1

ref ID .USNO., time CE488024.4F4D77DD (22:24:52.309 PDT Tue Sep 1 2009)

our mode client, peer mode server, our poll intvl 512, peer poll intvl 512

root delay 0.00 msec, root disp 0.32, reach 377, sync dist 0.06

delay 0.00 msec, offset -1.5672 msec, dispersion 9.10

precision 2**20, version 4

org time CE48802A.5C18C02F (22:24:58.359 PDT Tue Sep 1 2009)

rec time CE48802A.67D1E232 (22:24:58.405 PDT Tue Sep 1 2009)

xmt time CE48802A.5077B0A7 (22:24:58.314 PDT Tue Sep 1 2009)

filtdelay = 0.09 0.08 0.09 0.09 0.09 0.17 0.12 0.09

filtoffset = -0.00 -0.00 0.00 0.00 0.00 0.00 0.01 -0.00

filterror = 0.00 0.00 0.01 0.01 0.01 0.02 0.02 0.03

minpoll = 6, maxpoll = 10

This is what I'm getting in Windows system event log:

Time Provider NtpClient: No valid response has been received from manually configured peer 192.168.1.1,0x4 after 8 attempts to contact it. This peer will be discarded as a time source and NtpClient will attempt to discover a new peer with this DNS name.

Eugene

Richard Burts · ‎09-02-2009

Eugene

I believe that the good news in what you have posted is this line:

192.5.41.41 configured, our_master, sane, valid, stratum 1

This indicates that you are successfully learning NTP time from an authoritative external source. If you are learning NTP from the external source then you do not need to configure ntp master. I believe that configuring ntp master is confusing the situation and I suggest that you remove ntp master from the configuration.

I also notice that there are 2 entries for 192.168.1.10. One of the entries indicates that this device is learning NTP from this device and the second entry indicates that it is dynamic and is not learning NTP from this device. Can you clarify whether 192.168.1.10 is in the configuration and what is going on with that device?

HTH

Rick

HTH

Rick

zheka_pefti · ‎09-02-2009

Hi Rick,

This is the whole point about 192.168.1.10 device. It is windows domain controller that I want to sync its time with the router (192.168.1.1)

The DC behaves very weird. Right before I deleted "ntp master" from the router I found three events in DC's system log related to NTP activity. They happened within 5 minutes interval:

Event Type: Information

Event Source: W32Time

Event Category: None

Event ID: 38

Date: 9/1/2009

Time: 10:48:57 PM

User: N/A

Computer: MERLIN

Description:

The time provider NtpClient cannot reach or is currently receiving invalid time data from 192.168.1.1 (ntp.m|0x4|192.168.1.10:123->192.168.1.1:123).

Event Type: Information

Event Source: W32Time

Event Category: None

Event ID: 37

Date: 9/1/2009

Time: 10:50:05 PM

User: N/A

Computer: MERLIN

Description:

The time provider NtpClient is currently receiving valid time data from 192.168.1.1 (ntp.m|0x4|192.168.1.10:123->192.168.1.1:123).

Event Type: Information

Event Source: W32Time

Event Category: None

Event ID: 38

Date: 9/1/2009

Time: 10:50:50 PM

User: N/A

Computer: MERLIN

Description:

The time provider NtpClient cannot reach or is currently receiving invalid time data from 192.168.1.1 (ntp.m|0x4|192.168.1.10:123->192.168.1.1:123).

How should I understand it? First NTP Client on DC can't reach NTP server and then in a couple of minutes it successfuly sync its time. Weird.

I removed "ntp master" from the router and then windows box was able to sync the time with the router again. I debugged NTP and saw this:

GIBSGW#

073449: Sep 3 06:25:41.833: NTP message received from 192.168.1.10 on interface 'Vlan1' (192.168.1.1).

073450: Sep 3 06:25:41.833: NTP Core(DEBUG): ntp_receive: message received

073451: Sep 3 06:25:41.833: NTP Core(DEBUG): ntp_receive: peer is 0x833A7B70, next action is 1.

073452: Sep 3 06:25:41.833: NTP Core (NOTICE): ntp_receive: dropping message: unsynch.

GIBSGW#

073453: Sep 3 06:25:49.619: NTP message sent to 192.168.1.10, from interface 'Vlan1' (192.168.1.1).

Let's see if the problem reproduces again.

Eugene

Gordiep13 · ‎05-09-2012

Hi,

I was having this same problem and found a section on the Microsoft site which talked about the W32Time service sending symmetric packets instead of client mode packets. The suggestion was to force the server to use normal requests instead of symmetric using the following command -

w32tm /config /manualpeerlist:172.19.60.253,0x8 /syncfromflags:MANUAL

I stopped and started the W32time service and this resolved the issue.

Hope this helps anyone else who gets this error and can see past the endless useless expert-exchange websites!

Gordon

swregistrations · ‎10-21-2014

It sure did, thankyou Gordon

canexan · ‎04-08-2019

Yes, it did! Thank you!

Cannot synchronize time with Cisco IOS router set as NTP master