I'd like to make a 4507 the NTP server for our organization. I figure it has the least amount of downtime of any server I would run NTP services on, doesn't get patched frequently like a traditional file server (so less downtime), and I don't plan on replacing it in the foreseeable future.
I've put in a basic config, but it doesn't seem to be working (or at least my Linux servers don't see it as an NTP server).
Here are the pertinent bits from the config:
description ntp server address
ip address 192.168.199.99 255.255.255.255
ntp source Loopback99
ntp server 220.127.116.11
The NTP server command points to a stratum one server at Penn State University. I have the following config in my ASA to allow the loopback to poll the remote NTP server:
access-list Inside_access_in extended permit udp host 192.168.199.99 any eq ntp
nat (Inside) 1 192.168.199.99 255.255.255.255
Any thoughts on what I'm missing or have configured incorrectly?
First, make sure your 4507's clock is synced by looking at the "show ntp status" output. If it is, add the "ntp master STRATUM" command where STRATUM is 2 or higher.
It doesn't look like it's properly synchronized:
AD4507-MDF#sh ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
reference time is CF731BDF.C46E1D22 (17:24:47.767 UTC Fri Apr 16 2010)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.02 msec, peer dispersion is 0.02 msec
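To see why a Linux client rejects a reply from a switch in this state, here is an added example (not part of the thread) that decodes an NTP server reply and applies the basic client sanity checks. The packets are constructed inline: one mirrors the "stratum 16" state above (the reference timestamp CF731BDF.C46E1D22 is taken from the output), the other is a healthy stratum-2 reply; the poll and precision values are arbitrary.

```python
import socket
import struct
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)
# 48-byte NTP header (RFC 5905): flags, stratum, poll, precision, root delay,
# root dispersion, reference ID, then four 64-bit timestamps.
HEADER = struct.Struct("!BBbbII4sQQQQ")


def ntp_to_datetime(ts: int) -> datetime:
    """Convert a 64-bit NTP timestamp (32.32 fixed point, 1900 epoch) to UTC."""
    secs, frac = ts >> 32, ts & 0xFFFFFFFF
    return NTP_EPOCH + timedelta(seconds=secs, microseconds=frac * 1_000_000 // 2**32)


def parse_ntp_response(data: bytes) -> dict:
    """Decode the header fields a client uses to judge a server reply."""
    if len(data) < HEADER.size:
        raise ValueError("short NTP packet")
    flags, stratum, _poll, _prec, delay, disp, ref_id, ref, _orig, _recv, xmit = HEADER.unpack(data[:HEADER.size])
    return {
        "leap": flags >> 6, "version": (flags >> 3) & 7, "mode": flags & 7,
        "stratum": stratum, "root_delay_s": delay / 2**16, "root_dispersion_s": disp / 2**16,
        "ref_id": ref_id, "reference_time": ntp_to_datetime(ref), "transmit_time": ntp_to_datetime(xmit),
    }


def is_usable(resp: dict) -> tuple:
    """Sanity checks a client such as ntpd applies before it will trust a reply."""
    if resp["mode"] != 4:
        return False, "not a server reply (mode %d)" % resp["mode"]
    if resp["stratum"] == 0 or resp["stratum"] >= 16:
        return False, "stratum %d is unsynchronized" % resp["stratum"]
    if resp["leap"] == 3:
        return False, "leap indicator 3: clock not synchronized"
    return True, "ok"


def build_server_reply(stratum: int, leap: int, ref_ts: int, ref_id: bytes) -> bytes:
    """Constructed NTPv4 mode-4 reply for offline testing (poll/precision arbitrary)."""
    flags = (leap << 6) | (4 << 3) | 4
    return HEADER.pack(flags, stratum, 6, -20, 0, 0, ref_id, ref_ts, 0, ref_ts, ref_ts)


# Reference time from the "show ntp status" output (CF731BDF.C46E1D22).
REF_TS = 0xCF731BDFC46E1D22
# What the unsynchronized switch hands out: stratum 16, leap indicator 3 (constructed).
UNSYNCED_REPLY = build_server_reply(16, 3, REF_TS, b"\x00\x00\x00\x00")
# A healthy stratum-2 reply; at stratum 2 the reference ID is the upstream server's IPv4 address.
SYNCED_REPLY = build_server_reply(2, 0, REF_TS, socket.inet_aton("220.127.116.11"))
```

Once the switch syncs to its upstream (and the suggested "ntp master 2" is in place), clients should receive replies like SYNCED_REPLY rather than UNSYNCED_REPLY.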
I would double-check your firewall logs and make sure that A) you have hit counts on your ACL and B) nothing is getting denied in your logs. You could also debug on your router, but that may not tell you much other than that it's not seeing the time from the NTP server.
I'm not getting any hitcnt on that ACL (access-list Inside_access_in extended permit udp host 192.168.199.99 any eq ntp). I'll see if I can figure out if it's blocking anything.
There's nothing in the firewall debug logs that shows any NTP traffic from the 4507's Loopback99 interface to the remote NTP server occurring. There are no ACLs on the 4507 that would stop NTP traffic, so I'm at a loss here. Does it seem like my basic NTP commands for the 4507 are correct?
Yes, the commands look correct. If you're not seeing any udp/123 traffic from the switch, perhaps there is a routing issue. Do you have a route to the NTP server on the 4507? You might want to enable "debug ntp sync" and see what messages you get while the switch tries to sync.