New Member

NTP and Tacacs not working

Hello,

We have a blade switch CBS30X0-LANBASE-M that won't sync to NTP nor authenticate to ACS.

SW1#show ntp associations detail

172.23.218.187 configured, insane, invalid, unsynced, stratum 16

ref ID 0.0.0.0, time 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)

our mode client, peer mode unspec, our poll intvl 64, peer poll intvl 64

root delay 0.00 msec, root disp 0.00, reach 0, sync dist 34.317

delay 0.00 msec, offset 0.0000 msec, dispersion 16000.00

precision 2**5, version 3

org time 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)

rcv time 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)

xmt time CDE47E75.1C3AB0DD (08:51:01.110 GMT Thu Jun 18 2009)

filtdelay = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00

filtoffset = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00

filterror = 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0

172.23.16.181 configured, insane, invalid, unsynced, stratum 16

ref ID 0.0.0.0, time 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)

our mode client, peer mode unspec, our poll intvl 64, peer poll intvl 64

root delay 0.00 msec, root disp 0.00, reach 0, sync dist 34.317

delay 0.00 msec, offset 0.0000 msec, dispersion 16000.00

precision 2**5, version 3

org time 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)

rcv time 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)

xmt time CDE47E7F.1BFE3067 (08:51:11.109 GMT Thu Jun 18 2009)

filtdelay = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00

filtoffset = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00

filterror = 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0

SW1#show ntp status

Clock is unsynchronized, stratum 16, no reference clock

nominal freq is 119.2092 Hz, actual freq is 119.2109 Hz, precision is 2**17

reference time is 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)

clock offset is 0.0000 msec, root delay is 0.00 msec

root dispersion is 0.00 msec, peer dispersion is 0.00 msec

SW1#show clock detail

.08:55:27.344 GMT Thu Jun 18 2009

Time source is NTP

SW1#

SW1#show run | i aaa|tac

aaa new-model

aaa authentication login default group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa session-id common

ip tacacs source-interface Vlan312

tacacs-server host 172.23.16.96 timeout 5

tacacs-server host 172.23.220.43 timeout 5

tacacs-server directed-request

tacacs-server key 7 xxxxxxx

SW1#show run | i ntp

ntp logging

ntp clock-period 36028310

ntp source Vlan312

ntp server 172.23.218.187

ntp server 172.23.16.181

SW1#

SW1#show debugging

NTP:

NTP clock adjustments debugging is on

NTP clock parameters debugging is on

NTP events debugging is on

NTP loop filter debugging is on

NTP packets debugging is on

NTP clock synchronization debugging is on

NTP clock selection debugging is on

NTP peer validity debugging is on

NTP reference clocks debugging is on

NTP authentication debugging is on

SW1#

This is what is in the logs over and over:

.Jun 18 08:58:29 GMT: NTP: xmit packet

We have a duplicate setup on SW2 and it is working fine.

Any help would greatly be appreciated.

Thank you.

8 REPLIES
New Member

Re: NTP and Tacacs not working

Here is what is listed in the logs over and over:

.Jun 18 08:57:25 GMT: NTP: xmit packet to 172.23.218.187:

.Jun 18 08:57:25 GMT: leap 3, mode 3, version 3, stratum 0, ppoll 64

.Jun 18 08:57:25 GMT: rtdel 0000 (0.000), rtdsp 10001 (1000.015), refid 00000000 (0.0.0.0)

.Jun 18 08:57:25 GMT: ref 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)

.Jun 18 08:57:25 GMT: org 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)

.Jun 18 08:57:25 GMT: rec 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)

.Jun 18 08:57:25 GMT: xmt CDE47FF5.1B17A220 (08:57:25.105 GMT Thu Jun 18 2009)

.Jun 18 08:57:35 GMT: NTP: xmit packet to 172.23.16.181:

.Jun 18 08:57:35 GMT: leap 3, mode 3, version 3, stratum 0, ppoll 64

.Jun 18 08:57:35 GMT: rtdel 0000 (0.000), rtdsp 10001 (1000.015), refid 00000000 (0.0.0.0)

.Jun 18 08:57:35 GMT: ref 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)

.Jun 18 08:57:35 GMT: org 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)

.Jun 18 08:57:35 GMT: rec 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)

.Jun 18 08:57:35 GMT: xmt CDE47FFF.19DFD765 (08:57:35.101 GMT Thu Jun 18 2009)

.Jun 18 08:58:29 GMT: NTP: xmit packet to 172.23.218.187:

.Jun 18 08:58:29 GMT: leap 3, mode 3, version 3, stratum 0, ppoll 64

.Jun 18 08:58:29 GMT: rtdel 0000 (0.000), rtdsp 10001 (1000.015), refid 00000000 (0.0.0.0)

.Jun 18 08:58:29 GMT: ref 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)

.Jun 18 08:58:29 GMT: org 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)

.Jun 18 08:58:29 GMT: rec 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)

.Jun 18 08:58:29 GMT: xmt CDE48035.1909C6C6 (08:58:29.097 GMT Thu Jun 18 2009)

.Jun 18 08:58:39 GMT: NTP: xmit packet to 172.23.16.181:

.Jun 18 08:58:39 GMT: leap 3, mode 3, version 3, stratum 0, ppoll 64

.Jun 18 08:58:39 GMT: rtdel 0000 (0.000), rtdsp 10001 (1000.015), refid 00000000 (0.0.0.0)

.Jun 18 08:58:39 GMT: ref 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)

.Jun 18 08:58:39 GMT: org 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)

.Jun 18 08:58:39 GMT: rec 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)

.Jun 18 08:58:39 GMT: xmt CDE4803F.18CE3EC4 (08:58:39.096 GMT Thu Jun 18 2009)

Bronze

Re: NTP and Tacacs not working

Hi.

Does the VLAN312 IP address have connection to 172.23.218.187 and 172.23.16.181? I.e. can you do an extended PING with VLAN312 as source and those addresses as destination?

HTH

New Member

Re: NTP and Tacacs not working

Hi iyde!

Here are the results:

SW1#ping 172.23.218.187 source vlan 312

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.23.218.187, timeout is 2 seconds:

Packet sent with a source address of 172.23.12.20

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 58/60/68 ms

SW1#ping 172.23.16.181 source vlan 312

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.23.16.181, timeout is 2 seconds:

Packet sent with a source address of 172.23.12.20

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms

SW1#

Thank you.

Hall of Fame Super Silver

Re: NTP and Tacacs not working

John

I agree with Ingolf that the most likely problem is lack of IP connectivity. But the results of your ping show that there is IP connectivity.

The debug output and the output of show ntp association detail indicate that you are not getting any response from the NTP server. Is it possible that there is something between your switch and the NTP server that might be filtering traffic (access list on some layer 3 device, or firewall of some kind) and preventing the NTP request or preventing the NTP response?

It may be that the thing that is impacting NTP is also impacting TACACS so I do not want to go too far with TACACS while we are looking at the NTP issue. But if you attempt to login on the switch and then look at the reports on the TACACS server do you see the authentication request (is there anything in failed attempts or in successful attempts for this request)?

HTH

Rick
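
Added example (not part of the thread and not any poster's code): a Python sketch that reads "show ntp associations detail" output and separates a peer that has never answered, as in the output posted above, from one that is answering. The second peer in the sample (192.0.2.10 and all its values) is constructed for contrast, and the function names are hypothetical.

```python
import re

# First peer: copied from the thread's output. Second peer: constructed
# (address and values invented) to show a healthy association for contrast.
SAMPLE = """\
172.23.218.187 configured, insane, invalid, unsynced, stratum 16
our mode client, peer mode unspec, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.00, reach 0, sync dist 34.317
rcv time 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)
xmt time CDE47E75.1C3AB0DD (08:51:01.110 GMT Thu Jun 18 2009)
192.0.2.10 configured, our_master, sane, valid, stratum 2
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 1.20 msec, root disp 3.10, reach 377, sync dist 5.000
rcv time CDE47E74.10000000 (08:51:00.062 GMT Thu Jun 18 2009)
xmt time CDE47E74.0F000000 (08:51:00.058 GMT Thu Jun 18 2009)
"""

PEER_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+) configured, (.*)$")


def parse_associations(text):
    """Return one dict per peer block; blank lines between rows are ignored."""
    peers, cur = [], None
    for line in map(str.strip, text.splitlines()):
        if (m := PEER_RE.match(line)):
            cur = {"peer": m.group(1), "flags": m.group(2).split(", "),
                   "reach": 0, "peer_mode": "unspec", "rcv_zero": True}
            peers.append(cur)
        elif cur is not None:
            if (m := re.search(r"\breach (\d+)", line)):
                cur["reach"] = int(m.group(1), 8)  # reach is an octal bit string
            if (m := re.search(r"peer mode (\w+)", line)):
                cur["peer_mode"] = m.group(1)
            if (m := re.match(r"rcv time ([0-9A-F]{8})\.([0-9A-F]{8})", line)):
                cur["rcv_zero"] = int(m.group(1) + m.group(2), 16) == 0
    return peers


def diagnose(peer):
    """Classify a peer by how many of the last 8 polls were answered."""
    answered = bin(peer["reach"]).count("1")
    if answered == 0 and peer["rcv_zero"] and peer["peer_mode"] == "unspec":
        return ("no-reply", 0)       # requests go out, nothing has come back
    if answered < 8:
        return ("intermittent", answered)
    return ("reachable", 8)

if __name__ == "__main__":
    for p in parse_associations(SAMPLE):
        print(p["peer"], *diagnose(p))
```

A "no-reply" result together with a non-zero xmt time matches what the debug log shows: only "xmit packet" entries and no received packets.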

Hall of Fame Super Gold

Re: NTP and Tacacs not working

What is the result of the "sh ntp associate"?

New Member

Re: NTP and Tacacs not working

Hello All,

I just found out that our HP Blade switch with Cisco modules is only L2 and can't do any L3 routing; that is why it is failing.

Thanks to everyone for their assistance.

Hall of Fame Super Silver

Re: NTP and Tacacs not working

John

Thanks for posting back to the forum and indicating that you had resolved the problem and what the problem turned out to be. It makes the forum more useful when people can read about a problem and can read the solution to the problem.

HTH

Rick

Purple

Re: NTP and Tacacs not working

NTP and tacacs should still work even if it's L2. It's no different than, say, a 2950 using tacacs or ntp. Something else is going on with that.
