Re: NTP HELP!!! Authentication breaking NTP!!

From: Tom Kacprzynski <tom.kac_at_gmail.com>
Date: Mon, 15 Nov 2010 16:10:50 -0600

My email was regarding trusted-key, not the ntp authenticate. I see that
someone in the comments mentions the need for requiring "trusted-key" on
both the server and client.

Thanks for the link.

Tom Kacprzynski

On Mon, Nov 15, 2010 at 3:11 PM, garry baker <baker.garry_at_gmail.com> wrote:

> seen this on INE blog a while back, a mention in the comments about the
> need for auth on both, but never in a cisco doc:
>
> http://blog.ine.com/2007/12/28/how-does-ntp-authentication-work/
>
>
> --
> Garry L. Baker
>
> "There is no 'patch' for stupidity." - www.sqlsecurity.com
>
>
>
> On Mon, Nov 15, 2010 at 2:30 PM, Tom Kacprzynski <tom.kac_at_gmail.com> wrote:
>
>> I experienced a similar problem. It appears that Cisco changed something
>> with later versions of IOS where you need to specify the trusted-key command
>> *both* on the *server and client*. Most documents only mention the client
>> that wants to synchronize/update its clock.
>>
>> Can anyone point to any new documents that mention this change?
>>
>> Thank you,
>>
>>
>> Tom Kacprzynski
>>
>>
>>
>> On Fri, Sep 3, 2010 at 10:38 AM, karim jamali <karim.jamali_at_gmail.com> wrote:
>>
>> > hi,
>> >
>> > To check NTP authentication try the command show ntp associations [detail]
>> >
>> > Regards,
>> >
>> >
>> > On Fri, Sep 3, 2010 at 6:06 PM, Combatant 101 <combatant101_at_gmail.com> wrote:
>> >
>> > > Perfect!
>> > >
>> > > It worked! I didn't realise you needed to specify the key as trusted to the
>> > > NTP master!
>> > >
>> > > How do I verify that authentication is working? Show ntp status does not
>> > > indicate if authentication is enabled or not (without doing debug commands)
>> > >
>> > > Thanks
>> > >
>> > > Sunny
>> > >
>> > > From: Juan Pablo Corrales [mailto:jp.corrales_at_gmail.com]
>> > > Sent: 03 September 2010 15:08
>> > > To: Combatant 101
>> > > Subject: Re: NTP HELP!!! Authentication breaking NTP!!
>> > >
>> > >
>> > >
>> > > Hi Sunny,
>> > >
>> > > Try to add the following to R1:
>> > >
>> > > ntp authenticate
>> > > ntp trusted-key 1
>> > >
>> > > That should do it.
>> > >
>> > > Regards,
>> > >
>> > > Juan
>> > >
>> > > On Fri, Sep 3, 2010 at 7:00 AM, Combatant 101 <combatant101_at_gmail.com> wrote:
>> > >
>> > > Hi Guys,
>> > >
>> > > If I set up NTP between R1 and R2 it works fine (verified by show ntp status)
>> > >
>> > > R1 is NTP MASTER 2
>> > > R2 is NTP SERVER R1
>> > >
>> > > However, when I then introduce authentication, it no longer works!!!! Even
>> > > after a reload!! ANY IDEAS???
>> > >
>> > > Note: Key is identical at both ends!
>> > >
>> > > R1
>> > >
>> > > ntp authentication-key 1 md5 143442061C113E39702C62 7
>> > > ntp master 2
>> > >
>> > > R2
>> > >
>> > > ntp authentication-key 1 md5 0528560231595A1B4D0146 7
>> > > ntp authenticate
>> > > ntp trusted-key 1
>> > > ntp server 10.0.9.1 key 1
>> > >
>> > > show ntp status
>> > >
>> > > Clock is unsynchronized, stratum 16, no reference clock
>> > > nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
>> > > reference time is D02B7567.BC07AC6A (13:23:51.734 UTC Fri Sep 3 2010)
>> > > clock offset is -107.2163 msec, root delay is 76.55 msec
>> > > root dispersion is 109.88 msec, peer dispersion is 2.40 msec
>> > >
>> > > DEBUG on R2
>> > >
>> > > .Sep 3 13:55:00.604: NTP: xmit packet to 10.0.9.1:
>> > > .Sep 3 13:55:00.604: leap 3, mode 3, version 3, stratum 0, ppoll 64
>> > > .Sep 3 13:55:00.604: rtdel 1399 (76.553), rtdsp 1C22 (109.894), refid 0A000901 (10.0.9.1)
>> > > .Sep 3 13:55:00.604: ref D02B7567.BC07AC6A (13:23:51.734 UTC Fri Sep 3 2010)
>> > > .Sep 3 13:55:00.604: org D02B7C74.0D4E85E9 (13:53:56.051 UTC Fri Sep 3 2010)
>> > > .Sep 3 13:55:00.604: rec D02B7C74.AED654A1 (13:53:56.682 UTC Fri Sep 3 2010)
>> > > .Sep 3 13:55:00.604: xmt D02B7CB4.9AD24C22 (13:55:00.604 UTC Fri Sep 3 2010)
>> > > .Sep 3 13:55:00.604: Authentication key 1
>> > > .Sep 3 13:55:00.684: NTP: rcv packet from 10.0.9.1 to 10.0.5.1 on Vlan1:
>> > > .Sep 3 13:55:00.684: leap 0, mode 4, version 3, stratum 2, ppoll 64
>> > > .Sep 3 13:55:00.684: rtdel 0000 (0.000), rtdsp 0019 (0.381), refid 7F7F0101 (127.127.1.1)
>> > > .Sep 3 13:55:00.684: ref D02B7CAB.EEB6365A (13:54:51.932 UTC Fri Sep 3 2010)
>> > > .Sep 3 13:55:00.684: org D02B7CB4.9AD24C22 (13:55:00.604 UTC Fri Sep 3 2010)
>> > > .Sep 3 13:55:00.684: rec D02B7CB4.0889592E (13:55:00.033 UTC Fri Sep 3 2010)
>> > > .Sep 3 13:55:00.684: xmt D02B7CB4.08AC6A53 (13:55:00.033 UTC Fri Sep 3 2010)
>> > > .Sep 3 13:55:00.684: inp D02B7CB4.AF3DD50F (13:55:00.684 UTC Fri Sep 3 2010)
>> > > .Sep 3 13:55:00.684: Authentication key 0
>> > >
>> > > DEBUG on R1
>> > >
>> > > Sep 3 13:53:56.049: NTP message received from 10.0.5.1 on interface 'Vlan1' (10.0.9.1).
>> > > Sep 3 13:53:56.049: NTP Core(DEBUG): ntp_receive: message received
>> > > Sep 3 13:53:56.049: NTP Core(DEBUG): ntp_receive: peer is 0x00000000, next action is 3.
>> > > Sep 3 13:53:56.049: NTP Core(DEBUG): ntp_receive: doing fast answer to client.
>> > > Sep 3 13:53:56.049: NTP message sent to 10.0.5.1, from interface 'Vlan1' (10.0.9.1).
>> > > carrylift_computrad#
>> > > carrylift_computrad#
>> > > Sep 3 13:55:00.029: NTP message received from 10.0.5.1 on interface 'Vlan1' (10.0.9.1).
>> > > Sep 3 13:55:00.033: NTP Core(DEBUG): ntp_receive: message received
>> > > Sep 3 13:55:00.033: NTP Core(DEBUG): ntp_receive: peer is 0x00000000, next action is 3.
>> > > Sep 3 13:55:00.033: NTP Core(DEBUG): ntp_receive: doing fast answer to client.
>> > > Sep 3 13:55:00.033: NTP message sent to 10.0.5.1, from interface 'Vlan1' (10.0.9.1).
>> > >
>> > > Thanks
>> > >
>> > > Sunny
>> > >
>> > > Blogs and organic groups at http://www.ccie.net
>> > >
>> > >
>> _______________________________________________________________________
>> > > Subscription information may be found at:
>> > > http://www.groupstudy.com/list/CCIELab.html
>> >
>> >
>> > --
>> > KJ
>> >
>> >
>>
>>

Received on Mon Nov 15 2010 - 16:10:50 ART
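
An added example, not part of the thread and not Cisco tooling: a small parser for the packet debug format quoted above that pairs each client request with the server reply and flags replies that come back with key 0 after a request sent with a non-zero key, which is the asymmetry visible in the R2 debug. Reading key 0 as "reply not authenticated" is an assumption consistent with the fix reported in the thread; the function names are hypothetical.

```python
import re

# R2 debug lines quoted in the thread, trimmed to the fields this check reads.
SAMPLE_DEBUG = """\
.Sep 3 13:55:00.604: NTP: xmit packet to 10.0.9.1:
.Sep 3 13:55:00.604: leap 3, mode 3, version 3, stratum 0, ppoll 64
.Sep 3 13:55:00.604: Authentication key 1
.Sep 3 13:55:00.684: NTP: rcv packet from 10.0.9.1 to 10.0.5.1 on Vlan1:
.Sep 3 13:55:00.684: leap 0, mode 4, version 3, stratum 2, ppoll 64
.Sep 3 13:55:00.684: Authentication key 0
"""

XMIT = re.compile(r"NTP: xmit packet to ([\d.]+)")
RCV = re.compile(r"NTP: rcv packet from ([\d.]+)")
MODE = re.compile(r"\bmode (\d+)")
KEY = re.compile(r"Authentication key (\d+)")

def parse_packets(text):
    """Return one dict per packet: direction, peer, NTP mode, key id."""
    packets = []
    for line in text.splitlines():
        if (m := XMIT.search(line)):
            packets.append({"dir": "xmit", "peer": m.group(1), "mode": None, "key": None})
        elif (m := RCV.search(line)):
            packets.append({"dir": "rcv", "peer": m.group(1), "mode": None, "key": None})
        elif packets:  # detail line belonging to the most recent packet header
            if (m := MODE.search(line)):
                packets[-1]["mode"] = int(m.group(1))
            if (m := KEY.search(line)):
                packets[-1]["key"] = int(m.group(1))
    return packets

def unauthenticated_replies(text):
    """List (peer, key_sent, key_received) for server replies lacking a key."""
    sent = {}      # peer -> key id on our most recent client request (mode 3)
    findings = []
    for p in parse_packets(text):
        if p["dir"] == "xmit" and p["mode"] == 3:
            sent[p["peer"]] = p["key"]
        elif p["dir"] == "rcv" and p["mode"] == 4:   # mode 4 = server reply
            asked = sent.get(p["peer"])
            if asked and p["key"] in (0, None):
                findings.append((p["peer"], asked, p["key"]))
    return findings

if __name__ == "__main__":
    print(unauthenticated_replies(SAMPLE_DEBUG))
```

The input must be unwrapped debug output, one log entry per line, as a terminal capture with sufficient width would give.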
