We run 6509 core routers as NTP servers to other IOS routers/switches & servers of several OS flavours.
Recently added some Nexus 5000s and cannot get them to lock.
No firewalls or ACLs in the path.
6509 (1 of 4) state:
LNPSQ01CORR01>sh ntp ass
address ref clock st when poll reach delay offset disp
+ 10.0.1.2 18.104.22.168 2 223 1024 377 0.5 -6.23 0.7
+~22.214.171.124 .PPS. 1 885 1024 377 33.7 -0.26 0.8
*~126.96.36.199 .GPS. 1 680 1024 377 22.7 -2.15 1.0
+~188.8.131.52 .ACTS. 1 720 1024 377 84.9 -3.37 0.6
+~184.108.40.206 .ACTS. 1 855 1024 377 84.8 -3.30 2.3
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
BL01R01B10SRVS01# sh ntp peer-status
Total peers : 4
* - selected for sync, + - peer mode(active),
- - peer mode(passive), = - polled in client mode
remote local st poll reach delay
=10.0.1.1 10.0.201.11 16 64 0 0.00000
=10.0.1.2 10.0.201.11 16 64 0 0.00000
=10.0.1.3 10.0.201.11 16 64 0 0.00000
=10.0.1.4 10.0.201.11 16 64 0 0.00000
ntp server 10.0.1.1
ntp server 10.0.1.2
ntp server 10.0.1.3
ntp server 10.0.1.4
ntp source 10.0.201.11
ip address 10.0.201.11/24
vrf context management
ip route 0.0.0.0/0 10.0.201.254
Reachability to the NTP source...
BL01R01B10SRVS01# ping 10.0.1.1 vrf management source 10.0.201.11
PING 10.0.1.1 (10.0.1.1) from 10.0.201.11: 56 data bytes
64 bytes from 10.0.1.1: icmp_seq=0 ttl=253 time=3.487 ms
64 bytes from 10.0.1.1: icmp_seq=1 ttl=253 time=4.02 ms
64 bytes from 10.0.1.1: icmp_seq=2 ttl=253 time=3.959 ms
64 bytes from 10.0.1.1: icmp_seq=3 ttl=253 time=4.053 ms
64 bytes from 10.0.1.1: icmp_seq=4 ttl=253 time=4.093 ms
--- 10.0.1.1 ping statistics ---
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max = 3.487/3.922/4.093 ms
Are we missing some NTP or management vrf setup in the Nexus 5Ks??
I don't have a Nexus 5K with which to test, but I think you need to add "use-vrf management" to your NTP server lines. For example:
ntp server 10.0.1.1 use-vrf management
Pull out all your NTP server lines, then add them back with the correct VRF.
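The check suggested above, written as an added example that is not part of the original reply or any Cisco tooling: it joins the `ntp server` lines with the `show ntp peer-status` rows from the question and reports servers that were never heard from (reach 0, stratum 16) and are not bound to the management VRF. The function names and the embedded sample text (copied from the question) are assumptions made for this illustration.

```python
import re

# Constructed sample input: the NX-OS lines quoted in the question above.
RUNNING_CONFIG = """\
ntp server 10.0.1.1
ntp server 10.0.1.2
ntp server 10.0.1.3
ntp server 10.0.1.4
ntp source 10.0.201.11
"""

PEER_STATUS = """\
Total peers : 4
* - selected for sync, + - peer mode(active),
- - peer mode(passive), = - polled in client mode
remote local st poll reach delay
=10.0.1.1 10.0.201.11 16 64 0 0.00000
=10.0.1.2 10.0.201.11 16 64 0 0.00000
=10.0.1.3 10.0.201.11 16 64 0 0.00000
=10.0.1.4 10.0.201.11 16 64 0 0.00000
"""

SERVER_RE = re.compile(r"^\s*ntp server (\S+)(?:.*?\buse-vrf (\S+))?", re.M)
PEER_RE = re.compile(r"^([*+=-])(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)", re.M)

def ntp_server_vrfs(config):
    """Map each configured NTP server to its VRF ('default' when no use-vrf)."""
    return {m.group(1): m.group(2) or "default" for m in SERVER_RE.finditer(config)}

def parse_peer_status(output):
    """Parse 'show ntp peer-status' rows into dicts keyed by remote address."""
    peers = {}
    for m in PEER_RE.finditer(output):
        mode, remote, local, st, poll, reach, delay = m.groups()
        peers[remote] = {"mode": mode, "local": local, "stratum": int(st), "reach": int(reach)}
    return peers

def unreachable_in_wrong_vrf(config, output, expected_vrf="management"):
    """Servers never heard from (reach 0, stratum 16) that are not bound to expected_vrf."""
    vrfs = ntp_server_vrfs(config)
    findings = []
    for remote, peer in parse_peer_status(output).items():
        if peer["reach"] == 0 and peer["stratum"] == 16 and vrfs.get(remote) != expected_vrf:
            findings.append((remote, vrfs.get(remote, "not configured")))
    return sorted(findings)

if __name__ == "__main__":
    for remote, vrf in unreachable_in_wrong_vrf(RUNNING_CONFIG, PEER_STATUS):
        print(f"{remote}: reach 0 / stratum 16, configured in VRF '{vrf}', expected 'management'")
```

A server that is already on a `use-vrf management` line is not reported even if its reach is still 0, so a remaining failure there points at something other than the VRF binding.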
Hi, I see the same behaviour in our installation. The only difference is that we are using an additional vrf for management purposes (the vrf management we use for vpc-keepalive), and I am not really sure if an additional vrf is supported on pure L2-N5K5. That was my first assumption, but it seems not to be the case because you run into the same problem with vrf management. We are running 5.0.3.N2.1.
I'm experiencing the same behaviour using a VSS as NTP server and N7K as client. The N7K has no problem getting its NTP from external NTP servers, but when pointing it to the VSS, it never gets synced. Obviously routing issues, ACLs and so on are out of the question. Is the 7K platform handling the NTP part differently from IOS devices?
I'm seeing some cases internally that mention a huge NTP overhaul that went into 5.2(1). Customers that were experiencing issues with NX-to-IOS NTP sync were no longer seeing the issue in 5.2(1). The bug that tracked the update is CSCsv33349. Not sure what version you're running, but an upgrade may get things working.
Many thanks for your reply, Joseph.
The 7Ks are running 5.2(1) for the time being, but the customer is planning an upgrade to 5.2(4) in June. I will have a check on the NTP sync after this.
Benweber, thanks for this post. This worked for me! I had two Nexus 5ks that needed to be synced with the ntp server and it wasn't working until I added the command into the config.
I'd like to add I did force the sync using the command after adding 'clock protocol ntp'.
I had the same problem. This happens when you use the management interface for the NTP traffic. Since this interface is in the vrf management, you have to announce the NTP servers in that vrf, like Joseph Clarke mentioned in his first post.
So in my case,
ntp server 10.0.1.1 use-vrf management
I have multiple 5020s, 5548s, and 5596s, and they all experience this same problem. Mind you, I run strictly layer 2. I don't even have feature interface-vlan enabled. I tried: "ntp server X.X.X.X use-vrf management" as well as "clock protocol ntpt". These didn't help.
I was told by TAC that there is a bug (sorry, I do not have the ID), but basically NTP will not work over the management VRF. The only way I got NTP to work was by enabling the feature interface-vlan, and adding a VLAN interface with an IP and retrieving NTP through this interface.
I upgraded to 5.2(1) in hopes that this would fix the issue, but it did not.
Same issue, can't believe they make something as simple as NTP so difficult. I don't want to add a layer 3 VLAN on the 5K... it needs to work using the vrf...