Re: NTP HELP!!! Authentication breaking NTP!!

From: garry baker <baker.garry_at_gmail.com>
Date: Mon, 15 Nov 2010 15:11:37 -0600

Seen this on the INE blog a while back, a mention in the comments about the need
for auth on both, but never in a Cisco doc:

http://blog.ine.com/2007/12/28/how-does-ntp-authentication-work/

--
Garry L. Baker
"There is no 'patch' for stupidity." - www.sqlsecurity.com

On Mon, Nov 15, 2010 at 2:30 PM, Tom Kacprzynski <tom.kac_at_gmail.com> wrote:
> I experienced a similar problem. It appears that Cisco changed something
> with later versions of IOS where you need to specify the trusted-key
> command *both* on the *server and client*. Most documents only mention the
> client that wants to synchronize/update its clock.
>
>
> Can anyone point to any new documents that mention this change?
>
> Thank you,
>
>
> Tom Kacprzynski
>
>
>
> On Fri, Sep 3, 2010 at 10:38 AM, karim jamali <karim.jamali_at_gmail.com> wrote:
>
> > Hi,
> >
> > To check NTP authentication try the command show ntp associations [detail]
> >
> > Regards,
> >
> >
> > On Fri, Sep 3, 2010 at 6:06 PM, Combatant 101 <combatant101_at_gmail.com> wrote:
> >
> > > Perfect!
> > >
> > >
> > >
> > > It worked! I didn't realise you needed to specify the key as trusted to the
> > > NTP master!
> > >
> > >
> > >
> > > How do I verify that authentication is working? Show ntp status does not
> > > indicate if authentication is enabled or not (without doing debug commands)
> > >
> > >
> > >
> > > Thanks
> > >
> > >
> > >
> > > Sunny
> > >
> > >
> > >
> > > From: Juan Pablo Corrales [mailto:jp.corrales_at_gmail.com]
> > > Sent: 03 September 2010 15:08
> > > To: Combatant 101
> > > Subject: Re: NTP HELP!!! Authentication breaking NTP!!
> > >
> > >
> > >
> > > Hi Sunny,
> > >
> > > Try to add the following to R1:
> > >
> > > ntp authenticate
> > > ntp trusted-key 1
> > >
> > > That should do it.
> > >
> > > Regards,
> > >
> > > Juan
> > >
> > > On Fri, Sep 3, 2010 at 7:00 AM, Combatant 101 <combatant101_at_gmail.com> wrote:
> > >
> > > Hi Guys,
> > >
> > >
> > >
> > > If I set up NTP between R1 and R2 it works fine (verified by show ntp status)
> > >
> > >
> > >
> > > R1 is NTP MASTER 2
> > >
> > > R2 is NTP SERVER R1
> > >
> > >
> > >
> > > However, when I then introduce authentication, it no longer works!!!! Even
> > > after a reload!!  ANY IDEAS???
> > >
> > >
> > >
> > > Note: Key is identical at both ends!
> > >
> > >
> > >
> > > R1
> > >
> > > ntp authentication-key 1 md5 143442061C113E39702C62 7
> > >
> > > ntp master 2
> > >
> > >
> > >
> > > R2
> > >
> > > ntp authentication-key 1 md5 0528560231595A1B4D0146 7
> > >
> > > ntp authenticate
> > >
> > > ntp trusted-key 1
> > >
> > > ntp server 10.0.9.1 key 1
> > >
> > >
> > >
> > > show ntp status
> > >
> > > Clock is unsynchronized, stratum 16, no reference clock
> > >
> > > nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
> > >
> > > reference time is D02B7567.BC07AC6A (13:23:51.734 UTC Fri Sep 3 2010)
> > >
> > > clock offset is -107.2163 msec, root delay is 76.55 msec
> > >
> > > root dispersion is 109.88 msec, peer dispersion is 2.40 msec
> > >
> > >
> > >
> > > DEBUG on R2
> > >
> > > .Sep  3 13:55:00.604: NTP: xmit packet to 10.0.9.1:
> > > .Sep  3 13:55:00.604:  leap 3, mode 3, version 3, stratum 0, ppoll 64
> > > .Sep  3 13:55:00.604:  rtdel 1399 (76.553), rtdsp 1C22 (109.894), refid 0A000901 (10.0.9.1)
> > > .Sep  3 13:55:00.604:  ref D02B7567.BC07AC6A (13:23:51.734 UTC Fri Sep 3 2010)
> > > .Sep  3 13:55:00.604:  org D02B7C74.0D4E85E9 (13:53:56.051 UTC Fri Sep 3 2010)
> > > .Sep  3 13:55:00.604:  rec D02B7C74.AED654A1 (13:53:56.682 UTC Fri Sep 3 2010)
> > > .Sep  3 13:55:00.604:  xmt D02B7CB4.9AD24C22 (13:55:00.604 UTC Fri Sep 3 2010)
> > > .Sep  3 13:55:00.604:  Authentication key 1
> > > .Sep  3 13:55:00.684: NTP: rcv packet from 10.0.9.1 to 10.0.5.1 on Vlan1:
> > > .Sep  3 13:55:00.684:  leap 0, mode 4, version 3, stratum 2, ppoll 64
> > > .Sep  3 13:55:00.684:  rtdel 0000 (0.000), rtdsp 0019 (0.381), refid 7F7F0101 (127.127.1.1)
> > > .Sep  3 13:55:00.684:  ref D02B7CAB.EEB6365A (13:54:51.932 UTC Fri Sep 3 2010)
> > > .Sep  3 13:55:00.684:  org D02B7CB4.9AD24C22 (13:55:00.604 UTC Fri Sep 3 2010)
> > > .Sep  3 13:55:00.684:  rec D02B7CB4.0889592E (13:55:00.033 UTC Fri Sep 3 2010)
> > > .Sep  3 13:55:00.684:  xmt D02B7CB4.08AC6A53 (13:55:00.033 UTC Fri Sep 3 2010)
> > > .Sep  3 13:55:00.684:  inp D02B7CB4.AF3DD50F (13:55:00.684 UTC Fri Sep 3 2010)
> > > .Sep  3 13:55:00.684:  Authentication key 0
> > >
> > >
> > >
> > >
> > >
> > > DEBUG on R1
> > >
> > > Sep  3 13:53:56.049: NTP message received from 10.0.5.1 on interface 'Vlan1' (10.0.9.1).
> > > Sep  3 13:53:56.049: NTP Core(DEBUG): ntp_receive: message received
> > > Sep  3 13:53:56.049: NTP Core(DEBUG): ntp_receive: peer is 0x00000000, next action is 3.
> > > Sep  3 13:53:56.049: NTP Core(DEBUG): ntp_receive: doing fast answer to client.
> > > Sep  3 13:53:56.049: NTP message sent to 10.0.5.1, from interface 'Vlan1' (10.0.9.1).
> > > carrylift_computrad#
> > > carrylift_computrad#
> > > Sep  3 13:55:00.029: NTP message received from 10.0.5.1 on interface 'Vlan1' (10.0.9.1).
> > > Sep  3 13:55:00.033: NTP Core(DEBUG): ntp_receive: message received
> > > Sep  3 13:55:00.033: NTP Core(DEBUG): ntp_receive: peer is 0x00000000, next action is 3.
> > > Sep  3 13:55:00.033: NTP Core(DEBUG): ntp_receive: doing fast answer to client.
> > > Sep  3 13:55:00.033: NTP message sent to 10.0.5.1, from interface 'Vlan1' (10.0.9.1).
> > >
> > >
> > >
> > > Thanks
> > >
> > >
> > >
> > > Sunny
> > >
> > >
> > > Blogs and organic groups at http://www.ccie.net
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
> >
> >
> > --
> > KJ
Received on Mon Nov 15 2010 - 15:11:37 ART
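
The R2 debug quoted in this thread shows the symptom in a single exchange: the request to 10.0.9.1 goes out with "Authentication key 1" and the reply comes back with "Authentication key 0". As an added example (not part of the original thread), the Python below pairs the xmit/rcv blocks from debug text in that format and flags a keyed request answered with a different key ID. The function names are hypothetical, and reading key 0 on a received packet as "reply carried no key" is an assumption.

```python
import re

# Abridged from the R2 debug output quoted in the thread (wrapped lines joined).
SAMPLE_DEBUG = """\
.Sep  3 13:55:00.604: NTP: xmit packet to 10.0.9.1:
.Sep  3 13:55:00.604:  leap 3, mode 3, version 3, stratum 0, ppoll 64
.Sep  3 13:55:00.604:  Authentication key 1
.Sep  3 13:55:00.684: NTP: rcv packet from 10.0.9.1 to 10.0.5.1 on Vlan1:
.Sep  3 13:55:00.684:  leap 0, mode 4, version 3, stratum 2, ppoll 64
.Sep  3 13:55:00.684:  Authentication key 0
"""

# A packet block starts with an xmit or rcv header and ends with its key line.
HEADER = re.compile(r"NTP: (xmit) packet to (\S+?):|NTP: (rcv) packet from (\S+) to")
KEY = re.compile(r"Authentication key (\d+)")


def parse_packets(text):
    """Return [(direction, peer, key_id)] for each packet block in the debug text."""
    packets, current = [], None
    for line in text.splitlines():
        m = HEADER.search(line)
        if m:
            current = [m.group(1) or m.group(3), m.group(2) or m.group(4), None]
            packets.append(current)
            continue
        k = KEY.search(line)
        if k and current is not None:
            current[2] = int(k.group(1))
    return [tuple(p) for p in packets]


def unauthenticated_replies(text):
    """Flag peers that answered a keyed request with a different key ID."""
    sent, findings = {}, []
    for direction, peer, key in parse_packets(text):
        if direction == "xmit":
            sent[peer] = key  # remember the key ID of the last request to this peer
        elif peer in sent and sent[peer] and key != sent[peer]:
            findings.append((peer, sent[peer], key))
    return findings


if __name__ == "__main__":
    for peer, want, got in unauthenticated_replies(SAMPLE_DEBUG):
        print(f"{peer}: request used key {want}, reply carried key {got}")
```

A client with `ntp authenticate` and `ntp trusted-key 1` set, as R2 has in the thread, stays unsynchronized while this check reports a finding for its server.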

This archive was generated by hypermail 2.2.0 : Sun Dec 05 2010 - 22:14:56 ART