Frequent Contributor II
Posts: 134
Registered: ‎03-01-2013

ntp authenticate without keys

We have a customer that is using NTP, but does not have a key associated with it.

 

NTP has not been working correctly with the servers entered properly. 

 

Is the NTP authenticate command needed even though there is no key? 

Guru Elite
Posts: 8,325
Registered: ‎09-08-2010

Re: ntp authenticate without keys

What does your NTP config look like?

 

I have a controller simply configured with no authentication with the following command:

 

ntp server <domain controller ip>

 

Are there any ACLs that could be blocking NTP packets?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor II
Posts: 134
Registered: ‎03-01-2013

Re: ntp authenticate without keys

That's what is currently in the controller, but I still have to go set time manually.

 

Also, the local controllers aren't taking that command. Is it master only?

 

I don't believe any ACLs are in place blocking that. They already have their LAN using NTP with no problems.


cappalli wrote:

ntp server <ip>


 

Guru Elite
Posts: 8,325
Registered: ‎09-08-2010

Re: ntp authenticate without keys

Can you run:

 

show ntp status

and

show ntp servers


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor II
Posts: 134
Registered: ‎03-01-2013

Re: ntp authenticate without keys


cappalli wrote:

Can you run:

 

show ntp status

and

show ntp servers


(Master-Aruba3600) #show ntp status
Authentication: disabled
system uptime: 6025530
time since reset: 6025530
bad stratum in packet: 0
old version packets: 186982
new version packets: 0
unknown version number: 1
bad packet format: 0
packets processed: 186806
bad authentication: 0
packets rejected: 0
system peer: 0.0.0.0
system peer mode: unspec
leap indicator: 11
stratum: 16
precision: -18
root distance: 0.00000 s
root dispersion: 90.38295 s
reference ID: [0.0.0.0]
reference time: 00000000.00000000 Thu, Feb 7 2036 1:28:16.000
system flags: auth monitor ntp kernel stats 
jitter: 0.000000 s
stability: 0.000 ppm
broadcastdelay: 0.003998 s
authdelay: 0.000000 s

 

 

(Master-Aruba3600) #show ntp servers
remote           local           st poll reach   delay    offset     disp
=======================================================================
=10.243.2.1      10.242.12.1      1   64   377 0.00075 16.490877  0.01649
=10.242.2.55     10.242.12.1      2   64   377 0.00066 16.488094  0.01651
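
An added example, not part of the original posts and not Aruba tooling: a Python sketch that reads the two outputs posted above and separates "servers are answering" from "the clock is synchronized". It assumes the ntpdc-style layout shown on this page (reach as an octal bitmap of the last eight polls, stratum 16 meaning unsynchronized); the function names are hypothetical.

```python
# Constructed sample: fields copied from the output posted above, trimmed.
STATUS = """\
Authentication: disabled
bad authentication: 0
system peer: 0.0.0.0
stratum: 16
"""
SERVERS = """\
remote local st poll reach delay offset disp
=======================================================================
=10.243.2.1 10.242.12.1 1 64 377 0.00075 16.490877 0.01649
=10.242.2.55 10.242.12.1 2 64 377 0.00066 16.488094 0.01651
"""

def parse_status(text):
    """Turn 'key: value' lines into a dict."""
    pairs = (line.split(":", 1) for line in text.splitlines() if ":" in line)
    return {k.strip(): v.strip() for k, v in pairs}

def parse_servers(text):
    """Parse peer rows, dropping the leading mode flag character."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or not f[2].isdigit():
            continue  # header, separator or blank line
        rows.append({
            "remote": f[0].lstrip("=*+-^~"),
            "reach": int(f[4], 8),   # octal bitmap of the last 8 polls
            "offset": float(f[6]),   # seconds
        })
    return rows

def diagnose(status, servers):
    """Return human-readable findings about sync state and reachability."""
    findings = []
    synced = status.get("stratum") != "16" and status.get("system peer") != "0.0.0.0"
    if not synced:
        findings.append("unsynchronized (stratum 16 or no system peer)")
    if int(status.get("bad authentication", 0)) > 0:
        findings.append("packets are failing authentication")
    for s in servers:
        answered = bin(s["reach"]).count("1")
        if answered == 0:
            findings.append(f"{s['remote']}: no replies, check ACLs for UDP/123")
        elif not synced:
            findings.append(f"{s['remote']}: {answered}/8 polls answered, "
                            f"offset {s['offset']:.3f}s, not selected as system peer")
    return findings
```
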

 

Guru Elite
Posts: 8,325
Registered: ‎09-08-2010

Re: ntp authenticate without keys

Is the time off by a few hours or are the minutes and seconds drastically off too? Did you configure the time zone?

 

clock timezone EST -5


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor II
Posts: 134
Registered: ‎03-01-2013

Re: ntp authenticate without keys

Yes, we configured the time zone.

 

I don't know if their actual time is correct though. Let me see if I can get into their NTP server.


cappalli wrote:

Is the time off by a few hours or are the minutes and seconds drastically off too? Did you configure the time zone?

 

clock timezone EST -5


 

MVP
Posts: 4,228
Registered: ‎07-20-2011

Re: ntp authenticate without keys

Do you have other devices in your network that are able to communicate properly with your NTP server?

Like cappalli said, make sure you don't have an access-group applied to the interface going to your uplink switch blocking port 123.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Guru Elite
Posts: 8,325
Registered: ‎09-08-2010

Re: ntp authenticate without keys

It looks like your controller is successfully connecting to the NTP server (based on the show ntp status output). I would definitely check to see that the NTP server is correct. 


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 4,228
Registered: ‎07-20-2011

Re: ntp authenticate without keys

Check show ntp peer to see if there's any communication in/out between the two:

(beta-7200-controller) #show  ntp peer 10.2.2.1

remote 10.63.250.21, local 10.10.10.1
hmode client, pmode mode#255, stratum 3, precision -24
leap 00, refid [18.26.4.105], rootdistance 0.00789, rootdispersion 0.04784
ppoll 10, hpoll 10, keyid 0, version 4, association 6572
reach 377, unreach 0, flash 0x0000, boffset 0.00400, ttl/mode 0
timer 14s, flags system_peer, config, bclient
reference time:      d64b5132.5eefbcaa  Thu, Dec  5 2013 14:23:30.370
originate timestamp: d64b5794.e6e6ae41  Thu, Dec  5 2013 14:50:44.901
receive timestamp:   d64b5794.e71e7d99  Thu, Dec  5 2013 14:50:44.902
transmit timestamp:  d64b5794.e6f294dd  Thu, Dec  5 2013 14:50:44.902
filter delay:  0.00058  0.00061  0.00055  0.00075
               0.00060  0.00069  0.00055  0.00064
filter offset: -0.00055 -0.00054 -0.00043 -0.00043
               -0.00038 -0.00016 -0.00026 -0.00028
filter order:  0        1        2        3
               4        5        6        7
offset -0.000556, delay 0.00058, error bound 0.12175, filter error 0.00000

time last received:   789s
time until next send: 235s
reachability change:  3174455s
packets sent:         3737
packets received:     3736
bad authentication:   0
bogus origin:         0
duplicate:            0
bad dispersion:       0
bad reference time:   0
candidate order:      6

 

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA