Solved: ntp authentication fails

orsonjoon · ‎10-03-2009

Hello,

NTP authentication is supposed to be simple, but not really....

I suspect it could be an IOS issue because when I enable NTP on a Catalyst 6509 (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(33)SXI1) with NTP authentication and configure another 6509 client to autenticate against the master everything works fine (VSS enabled switches.

But when I try to do the same thing fram a catalyst 6513 (s72033_rp-IPSERVICESK9-M), Version 12.2(18)SXF11) without VSS, authentication and synchronisation fails.

When I disable NTP authentication synchronisation works fine.

I'm very sure I used the right key, in fact I entered it manually, and tried to copy the ntp config from a VSS enabled switch.

But both failed, below is my config and debug output:

VSS Switch:

aaa accounting session-duration ntp-adjusted

ntp authentication-key 123 md5 secret

ntp authenticate

ntp trusted-key 123

ntp clock-period 17179785

ntp update-calendar

ntp server 10.57.66.1 key 123

ntp server 10.56.69.11

Cat 6513 switch:

ntp authentication-key 123 md5 secret

ntp authenticate

ntp trusted-key 123

ntp clock-period 17179979

ntp server 10.65.66.2 key 123

ntp server 10.56.66.1 key 123

ntp server 10.57.66.1 key 123

debug output 6513:

.Oct 3 16:27:01.489: NTP: xmit packet to 10.57.66.1:

.Oct 3 16:27:01.489: leap 3, mode 3, version 3, stratum 0, ppoll 64

.Oct 3 16:27:01.489: rtdel 05CC (22.644), rtdsp 0A9A (41.412), refid 0A384201 (10.56.66.1)

.Oct 3 16:27:01.489: ref CE7074F5.F2F51935 (14:47:49.949 CEST Fri Oct 2 2009)

.Oct 3 16:27:01.489: org CE71DD75.C6F22C40 (16:25:57.777 CEST Sat Oct 3 2009)

.Oct 3 16:27:01.489: rec CE71DD75.7DB8D2FC (16:25:57.491 CEST Sat Oct 3 2009)

.Oct 3 16:27:01.489: xmt CE71DDB5.7D665F74 (16:27:01.489 CEST Sat Oct 3 2009)

.Oct 3 16:27:01.489: Authentication key 123

.Oct 3 16:27:01.489: NTP: rcv packet from 10.57.66.1 to 10.10.2.89 on Vlan13:

.Oct 3 16:27:01.489: leap 0, mode 4, version 3, stratum 4, ppoll 64

.Oct 3 16:27:01.489: rtdel 0164 (5.432), rtdsp 0726 (27.924), refid 0A39450B (10.57.69.11)

.Oct 3 16:27:01.489: ref CE71DBAB.7BFDECCA (16:18:19.484 CEST Sat Oct 3 2009)

.Oct 3 16:27:01.489: org CE71DDB5.7D665F74 (16:27:01.489 CEST Sat Oct 3 2009)

.Oct 3 16:27:01.489: rec CE71DDB5.C70E2DBB (16:27:01.777 CEST Sat Oct 3 2009)

.Oct 3 16:27:01.489: xmt CE71DDB5.C71A3DD9 (16:27:01.777 CEST Sat Oct 3 2009)

.Oct 3 16:27:01.489: inp CE71DDB5.7DDB0D72 (16:27:01.491 CEST Sat Oct 3 2009)

.Oct 3 16:27:01.489: Authentication key 0term no

Could someone please help

Richard Burts · ‎10-09-2009

O.A.

Thank you for posting back to the forum and confirming that the problem here is confirmed as an IOS bug. It helps make the forum more useful when people can read about a problem and can know what the outcome of the problem is. Perhaps you can use the check mark to indicate that the problem is resolved and this might help users of the forum to know that this is a solved problem.

HTH

Rick

HTH

Rick

View solution in original post

Lucien Avramov · ‎10-03-2009

Can you attach more debugs:

debug ntp auth

debug ntp sync

debug ntp events

debug ntp packet

debug ntp sync

Richard Burts · ‎10-03-2009

O.A.

There is some ambiguity in your explanation. You say:"in fact I entered it manually, and tried to copy the ntp config from a VSS enabled switch". My question is: did you enter the NTP authentication key manually, or did you copy it from the working configuration?

I am not sure why Cisco did it this way, but a copy of the confiuration (including the authentication key) from a working config to a new config will insert an invalid key into the new config. The only way to get it to work properly is to manually configure the new authentication key in the new config.

HTH

Rick

HTH

Rick

orsonjoon · ‎10-09-2009

Cisco TAC confirmed this as an IOS bug, so further troubleshooting isn't nessecary. An upgrade would fix the problem.

Richard Burts · ‎10-09-2009

O.A.

Thank you for posting back to the forum and confirming that the problem here is confirmed as an IOS bug. It helps make the forum more useful when people can read about a problem and can know what the outcome of the problem is. Perhaps you can use the check mark to indicate that the problem is resolved and this might help users of the forum to know that this is a solved problem.

HTH

Rick

HTH

Rick

iyde · ‎10-10-2009

Hi.

Would it be possible to have the bug id as well?

Thanks.

Lucien Avramov · ‎10-10-2009

There is no bug on this train yet related to NTP, I checked.

I assume TAC is still doing initial review and probably asking for the same debugs I asked in this post.

Cant really troubleshoot this if there are no debugs sent.

orsonjoon · ‎10-19-2009

As this is still under investigation at TAC, no further actions from my side will be taken on the forum to resolve this issue.

This is a part of one of the replies I got from the TAC engineer:

"I did check a couple of cases with similar issue where they were having SXF11 also and NTP was not working. IOS upgrade fixed the issue and NTP started working again.

It is strange and if it is working without authentication and not with even when we configured it again manually it looks like it may be due to some bug. IOS upgrade would fix the issue however if you can send me the debugs I asked for we can have someone look into the IOS code and get it fixed."