Re: NTP HELP!!! Authentication breaking NTP!!

From: Tom Kacprzynski <tom.kac_at_gmail.com>
Date: Mon, 15 Nov 2010 14:30:10 -0600

I experienced a similar problem. It appears that Cisco changed something
with later versions of IOS where you need to specify the trusted-key command
*both* on the *server and client*. Most documents only mention the client
that wants to synchronize/update its clock.

Can anyone point to any new documents that mention this change?

Thank you,

Tom Kacprzynski

On Fri, Sep 3, 2010 at 10:38 AM, karim jamali <karim.jamali_at_gmail.com> wrote:

> hi,
>
> To check NTP authentication try the command show ntp associations [detail]
>
> Regards,
>
>
> On Fri, Sep 3, 2010 at 6:06 PM, Combatant 101 <combatant101_at_gmail.com> wrote:
>
> > Perfect!
> >
> >
> >
> > It worked! I didn't realise you needed to specify the key as trusted to
> > the NTP master!
> >
> >
> >
> > How do I verify that authentication is working? Show ntp status does not
> > indicate if authentication is enabled or not (without doing debug
> > commands)
> >
> >
> >
> > Thanks
> >
> >
> >
> > Sunny
> >
> >
> >
> > From: Juan Pablo Corrales [mailto:jp.corrales_at_gmail.com]
> > Sent: 03 September 2010 15:08
> > To: Combatant 101
> > Subject: Re: NTP HELP!!! Authentication breaking NTP!!
> >
> >
> >
> > Hi Sunny,
> >
> > Try to add the following to R1:
> >
> > ntp authenticate
> > ntp trusted-key 1
> >
> > That should do it.
> >
> > Regards,
> >
> > Juan
> >
> > On Fri, Sep 3, 2010 at 7:00 AM, Combatant 101 <combatant101_at_gmail.com>
> > wrote:
> >
> > Hi Guys,
> >
> >
> >
> > If I set up NTP between R1 and R2 it works fine (verified by show ntp
> > status)
> >
> >
> >
> > R1 is NTP MASTER 2
> >
> > R2 is NTP SERVER R1
> >
> >
> >
> > However, when I then introduce authentication, it no longer works!!!!
> > Even after a reload!! ANY IDEAS???
> >
> >
> >
> > Note: Key is identical at both ends!
> >
> >
> >
> > R1
> >
> > ntp authentication-key 1 md5 143442061C113E39702C62 7
> >
> > ntp master 2
> >
> >
> >
> > R2
> >
> > ntp authentication-key 1 md5 0528560231595A1B4D0146 7
> >
> > ntp authenticate
> >
> > ntp trusted-key 1
> >
> > ntp server 10.0.9.1 key 1
> >
> >
> >
> > show ntp status
> >
> > Clock is unsynchronized, stratum 16, no reference clock
> >
> > nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
> >
> > reference time is D02B7567.BC07AC6A (13:23:51.734 UTC Fri Sep 3 2010)
> >
> > clock offset is -107.2163 msec, root delay is 76.55 msec
> >
> > root dispersion is 109.88 msec, peer dispersion is 2.40 msec
> >
> >
> >
> > DEBUG on R2
> >
> >
> >
> > .Sep 3 13:55:00.604: NTP: xmit packet to 10.0.9.1:
> > .Sep 3 13:55:00.604: leap 3, mode 3, version 3, stratum 0, ppoll 64
> > .Sep 3 13:55:00.604: rtdel 1399 (76.553), rtdsp 1C22 (109.894), refid 0A000901 (10.0.9.1)
> > .Sep 3 13:55:00.604: ref D02B7567.BC07AC6A (13:23:51.734 UTC Fri Sep 3 2010)
> > .Sep 3 13:55:00.604: org D02B7C74.0D4E85E9 (13:53:56.051 UTC Fri Sep 3 2010)
> > .Sep 3 13:55:00.604: rec D02B7C74.AED654A1 (13:53:56.682 UTC Fri Sep 3 2010)
> > .Sep 3 13:55:00.604: xmt D02B7CB4.9AD24C22 (13:55:00.604 UTC Fri Sep 3 2010)
> > .Sep 3 13:55:00.604: Authentication key 1
> > .Sep 3 13:55:00.684: NTP: rcv packet from 10.0.9.1 to 10.0.5.1 on Vlan1:
> > .Sep 3 13:55:00.684: leap 0, mode 4, version 3, stratum 2, ppoll 64
> > .Sep 3 13:55:00.684: rtdel 0000 (0.000), rtdsp 0019 (0.381), refid 7F7F0101 (127.127.1.1)
> > .Sep 3 13:55:00.684: ref D02B7CAB.EEB6365A (13:54:51.932 UTC Fri Sep 3 2010)
> > .Sep 3 13:55:00.684: org D02B7CB4.9AD24C22 (13:55:00.604 UTC Fri Sep 3 2010)
> > .Sep 3 13:55:00.684: rec D02B7CB4.0889592E (13:55:00.033 UTC Fri Sep 3 2010)
> > .Sep 3 13:55:00.684: xmt D02B7CB4.08AC6A53 (13:55:00.033 UTC Fri Sep 3 2010)
> > .Sep 3 13:55:00.684: inp D02B7CB4.AF3DD50F (13:55:00.684 UTC Fri Sep 3 2010)
> > .Sep 3 13:55:00.684: Authentication key 0
> >
> >
> >
> >
> >
> > DEBUG on R1
> >
> >
> >
> > Sep 3 13:53:56.049: NTP message received from 10.0.5.1 on interface 'Vlan1' (10.0.9.1).
> > Sep 3 13:53:56.049: NTP Core(DEBUG): ntp_receive: message received
> > Sep 3 13:53:56.049: NTP Core(DEBUG): ntp_receive: peer is 0x00000000, next action is 3.
> > Sep 3 13:53:56.049: NTP Core(DEBUG): ntp_receive: doing fast answer to client.
> > Sep 3 13:53:56.049: NTP message sent to 10.0.5.1, from interface 'Vlan1' (10.0.9.1).
> > carrylift_computrad#
> > carrylift_computrad#
> > Sep 3 13:55:00.029: NTP message received from 10.0.5.1 on interface 'Vlan1' (10.0.9.1).
> > Sep 3 13:55:00.033: NTP Core(DEBUG): ntp_receive: message received
> > Sep 3 13:55:00.033: NTP Core(DEBUG): ntp_receive: peer is 0x00000000, next action is 3.
> > Sep 3 13:55:00.033: NTP Core(DEBUG): ntp_receive: doing fast answer to client.
> > Sep 3 13:55:00.033: NTP message sent to 10.0.5.1, from interface 'Vlan1' (10.0.9.1).
> >
> >
> >
> > Thanks
> >
> >
> >
> > Sunny
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
>
>
> --
> KJ
>

Received on Mon Nov 15 2010 - 14:30:10 ART
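
An added example, not part of the original thread: a small Python audit of the NTP authentication statements on a server/client pair, following the thread's finding that the key must also be trusted on the NTP master. The config strings are constructed from the posted R1/R2 configurations with the key material replaced by a placeholder; `parse_ntp` and `audit_pair` are hypothetical helper names.

```python
import re

# Constructed from the configs posted in the thread. Key strings are replaced
# by a placeholder: the audit only compares key IDs, not key material.
R1_POSTED = "ntp authentication-key 1 md5 <key> 7\nntp master 2\n"
R1_FIXED = R1_POSTED + "ntp authenticate\nntp trusted-key 1\n"
R2_POSTED = ("ntp authentication-key 1 md5 <key> 7\nntp authenticate\n"
             "ntp trusted-key 1\nntp server 10.0.9.1 key 1\n")

PATTERNS = {
    "defined": re.compile(r"ntp authentication-key (\d+) md5 "),
    "trusted": re.compile(r"ntp trusted-key (\d+)\s*$"),
    "used": re.compile(r"ntp (?:server|peer) \S+ .*\bkey (\d+)"),
}

def parse_ntp(config):
    """Collect NTP authentication statements from IOS-style config text."""
    state = {"authenticate": False, "defined": set(),
             "trusted": set(), "used": set()}
    for line in map(str.strip, config.splitlines()):
        if line == "ntp authenticate":
            state["authenticate"] = True
        for name, pattern in PATTERNS.items():
            if m := pattern.match(line):
                state[name].add(int(m.group(1)))
    return state

def audit_pair(server_cfg, client_cfg):
    """Return findings for every key the client uses toward this server."""
    srv, cli = parse_ntp(server_cfg), parse_ntp(client_cfg)
    findings = []
    if cli["used"] and not cli["authenticate"]:
        findings.append("client: 'ntp authenticate' missing")
    for key in sorted(cli["used"]):
        # Per the thread, the key must be defined AND trusted on both ends.
        for role, st in (("client", cli), ("server", srv)):
            if key not in st["defined"]:
                findings.append(f"{role}: key {key} has no authentication-key")
            elif key not in st["trusted"]:
                findings.append(f"{role}: key {key} defined but not trusted")
    return findings

if __name__ == "__main__":
    print("as posted:", audit_pair(R1_POSTED, R2_POSTED))
    print("after fix:", audit_pair(R1_FIXED, R2_POSTED))
```
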

This archive was generated by hypermail 2.2.0 : Sun Dec 05 2010 - 22:14:56 ART