NTP on a router picking up a bogus server

Discussion in 'Cisco' started by John Caruso, Nov 23, 2005.

  1. John Caruso

    John Caruso Guest

    I've got a 2621 router running 12.3(12a). Client machines use it as their
    NTP server, and it in turn is configured to use 172.16.1.1 as its NTP server.
    The router itself is at 10.1.1.3, and it's typically the master for HSRP
    address 10.1.1.1 (which is the address the clients use as their NTP server).
    One of these clients is a Windows 2003 server at 10.1.1.81 (configurations
    have been anonymized to protect the innocent, of course, though the details
    are all accurate).

    But this is what I'm seeing:

    router#show ntp assoc
    address         ref clock     st  when  poll reach  delay  offset    disp
     # 10.1.1.81    10.1.1.1       4    21   256   105    0.0    0.00  16000.
     ~172.16.1.1    128.9.176.30   2   711  1024   377    2.8   -2.84     0.0
     * master (synced), # master (unsynced), + selected, - candidate, ~ configured

    The router has actually decided to use the 10.1.1.81 client machine as a
    time source...and not only that, but 10.1.1.81 is using 10.1.1.1 (i.e.,
    the router) as *its* time source. Ack! I've never seen this happen before...
    the routers only ever show time sources that are explicitly configured, and
    the NTP configuration on this router is extremely simple:

    router# show run | include ntp
    ntp clock-period 17179981
    ntp server 172.16.1.1

    What's going on here? What could cause a Cisco router to decide to use
    a Windows 2003 client machine as a time source, even though it has an
    explicitly configured NTP server (which is not that Windows machine)?

    - John
     
    John Caruso, Nov 23, 2005
    #1

  2. Merv

    Merv Guest

    try configuring your 2621 as backup master with a stratum below
    128.9.176.30 at stratum 2

    i.e. configure "ntp master 3"
     
    Merv, Nov 23, 2005
    #2

  3. John Caruso

    John Caruso Guest

    On 2005-11-23, Merv <> wrote:
    > try configuring your 2621 as backup master with a stratum below
    > 128.9.176.30 at stratum 2
    >
    > i.e. configure "ntp master 3"


    I don't want this router to use its own clock as a master clock--I do in
    fact want it to synchronize to the configured master server. My question
    is why it would decide to "adopt" one of its clients as an NTP server,
    which I've never seen happen before.

    This particular Windows 2003 box happens to be an Active Directory controller,
    and it was the first one configured for the forest, and so (according to
    Microsoft docs) it is in fact configured automatically as an NTP time
    source. However, I don't see any reason for the 2621 to start using it.

    Here's the output of "show ntp assoc detail" while this was occurring:

    router#show ntp assoc detail

    10.1.1.81 dynamic, our_master, sane, valid, stratum 4
    ref ID 10.1.1.1, time C72F491E.9B616DD9 (12:01:34.606 PST Wed Nov 23 2005)
    our mode passive, peer mode active, our poll intvl 256, peer poll intvl 1024
    root delay 168.47 msec, root disp 228.36, reach 42, sync dist 29.602
    delay 0.00 msec, offset 0.0000 msec, dispersion 16000.00
    precision 2**6, version 3
    org time C72F550E.A7699F00 (12:52:30.653 PST Wed Nov 23 2005)
    rcv time C72F550E.A28C3CC8 (12:52:30.634 PST Wed Nov 23 2005)
    xmt time C72F555D.89B4DC4B (12:53:49.537 PST Wed Nov 23 2005)
    filtdelay = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
    filtoffset = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
    filterror = 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0

    172.16.1.1 configured, insane, invalid, stratum 2
    ref ID 128.9.176.30, time C72F53FD.012B5835 (12:47:57.004 PST Wed Nov 23 2005)
    our mode client, peer mode server, our poll intvl 1024, peer poll intvl 1024
    root delay 42.34 msec, root disp 1886.84, reach 377, sync dist 1909.470
    delay 2.82 msec, offset -2.8446 msec, dispersion 0.03
    precision 2**18, version 3
    org time C72F545C.88F5388B (12:49:32.534 PST Wed Nov 23 2005)
    rcv time C72F545C.8A0C925D (12:49:32.539 PST Wed Nov 23 2005)
    xmt time C72F545C.894F3E8B (12:49:32.536 PST Wed Nov 23 2005)
    filtdelay = 2.82 2.90 2.85 2.85 2.91 2.85 2.93 4.47
    filtoffset = -2.84 -2.87 -2.82 -2.81 -2.80 -2.86 -2.84 -2.38
    filterror = 0.02 0.03 0.05 0.06 0.08 0.09 0.11 0.12

    So apparently the router thought 172.16.1.1 was "insane", and wouldn't trust
    it. And it identified 10.1.1.81 as being a "dynamic" server (as opposed to
    "configured"), apparently meaning that it was learned dynamically. So I
    guess what I'm saying is, I didn't realize a Cisco router would do this.
    And I guess my questions are:

    1) Is this really how NTP is supposed to work by default in IOS?

    2) Does this only occur when the configured time servers are acting wonky
    (or "insane") for some reason? It appears so, since once the router became
    happy with 172.16.1.1 again, the "dynamic" entry for 10.1.1.81 disappeared.

    3) Is there any way to tell the router to use *only* the configured time
    servers, and not to learn any dynamically? I suppose I could use "ntp
    max-associations" to limit the number of associations to the number that's
    configured statically, but that seems a bit hokey.

    - John
     
    John Caruso, Nov 23, 2005
    #3
  4. Lutz Donnerhacke

    Lutz Donnerhacke Guest

    John Caruso wrote:
    > This particular Windows 2003 box happens to be an Active Directory controller,
    > and it was the first one configured for the forest, and so (according to
    > Microsoft docs) it is in fact configured automatically as an NTP time
    > source. However, I don't see any reason for the 2621 to start using it.


    W2k3 announces its NTP service using broadcast in the local network and
    using multicast (224.0.1.1). IOS is able to learn NTP sources from those
    announcements.
     
    Lutz Donnerhacke, Nov 24, 2005
    #4
  5. Merv

    Merv Guest

    Take a look at the ntp access-group command to see if you can control
    who you accept time from
     
    Merv, Nov 24, 2005
    #5
  6. Phillip Remaker

    Phillip Remaker Guest

    "John Caruso" <> wrote in message
    news:...

    > But this is what I'm seeing:
    >
    > router#show ntp assoc
    > address         ref clock     st  when  poll reach  delay  offset    disp
    >  # 10.1.1.81    10.1.1.1       4    21   256   105    0.0    0.00  16000.
    >  ~172.16.1.1    128.9.176.30   2   711  1024   377    2.8   -2.84     0.0
    >  * master (synced), # master (unsynced), + selected, - candidate, ~ configured
    >
    > The router has actually decided to use the 10.1.1.81 client machine as a
    > a time source...and not only that, but 10.1.1.81 is using 10.1.1.1 (i.e.,
    > the router) as *its* time source.


    Well in this output, you are showing us that the reference clock is just
    "configured." The router has lost contact with the stratum 2 clock, so it
    is now relying on the stratum 4 clock. Why has it lost contact with
    128.9.176.30? Are you allowed to use timekeeper.isi.edu? They may be
    blocking you.

    > router# show run | include ntp
    > ntp clock-period 17179981
    > ntp server 172.16.1.1


    Who is the NTP server? How is 172.16.1.1 configured?

    > What's going on here? What could cause a Cisco router to decide to use
    > a Windows 2003 client machine as a time source, even though it has an
    > explicitly configured NTP server (which is not that Windows machine)?


    He is a valid stratum 4 clock. Unless we have something better, we depend
    on that.

    The devices will mutually synchronize to each other in the absence of a
    master. Best way to prevent that is to have 2 or more trustworthy stratum 2
    peers to sync with.
     
    Phillip Remaker, Nov 26, 2005
    #6
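    The checks the thread walks through by hand (an association that is not in the
    "ntp server" lines, one marked as master, one whose reference clock is the router
    itself) can be automated over "show ntp assoc" output. This is an added example,
    not code from the thread; the sample table is the one John posted, and the
    CONFIGURED and OWN_ADDRESSES sets are assumptions taken from his description.

```python
import re

# Constructed sample: the association table from the thread's "show ntp assoc"
SAMPLE = """\
address         ref clock     st  when  poll reach  delay  offset    disp
 # 10.1.1.81    10.1.1.1       4    21   256   105    0.0    0.00  16000.
 ~172.16.1.1    128.9.176.30   2   711  1024   377    2.8   -2.84     0.0
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
"""
CONFIGURED = {"172.16.1.1"}               # assumed: addresses in "ntp server" lines
OWN_ADDRESSES = {"10.1.1.3", "10.1.1.1"}  # assumed: router interface + HSRP address

# columns: flag, address, ref clock, st, when, poll, reach, delay, offset, disp
LINE_RE = re.compile(
    r"^\s*([*#+\-~]?)\s*(\d+(?:\.\d+){3})\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)"
    r"\s+(\d+)\s+([\d.]+)\s+(-?[\d.]+)\s+([\d.]+)")


def parse_assoc(text):
    """Return one dict per association line; header and legend lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        flag, addr, ref, st, when, poll, reach, delay, offset, disp = m.groups()
        rows.append({"flag": flag, "address": addr, "ref": ref,
                     "stratum": int(st), "reach": reach, "disp": float(disp)})
    return rows


def audit(rows, configured, own_addresses):
    """Return (address, reason) findings for associations a defender would not expect."""
    findings = []
    for r in rows:
        a = r["address"]
        if a not in configured:
            findings.append((a, "not a configured server (learned dynamically)"))
            if r["flag"] in ("*", "#"):
                findings.append((a, "selected as sync master"))
        if r["ref"] in own_addresses:
            findings.append((a, "its reference clock is this router: sync loop"))
        if r["disp"] >= 16000:
            findings.append((a, "dispersion at the 16 s maximum: no valid samples"))
    return findings


if __name__ == "__main__":
    for addr, reason in audit(parse_assoc(SAMPLE), CONFIGURED, OWN_ADDRESSES):
        print(f"{addr}: {reason}")
```

    The same CONFIGURED set is what an "ntp access-group peer" ACL, as Merv
    suggests above, would permit.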
