- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
10-21-2022 12:12 PM - edited 10-21-2022 12:24 PM
Hi @Pras
- There seems to be NTP communication between the client (FW) and the server, your server-side captures confirm that.
- Reference ID (refid): 32-bit code identifying the particular server or reference clock. So this isn't the issue.
- keyid: Symmetric key ID for the 128-bit MD5 key used to generate and verify the MAC.
The client and server or peer can use different values, but they must map to the same key.
Please try resetting your PSK (use something simple for the testing purpose)
- Have a look at the current NTPv4 RFC 5905 “Network Time Protocol Version 4: Protocol and Algorithms Specification” in order to understand the packets and protocol details.
Looking at the wire you should understand the packet header (section 7.3 in the RFC).
- your "show ntp" output shows the server NTP is being 'rejected'.
admin@W01(active)> show NTP
NTP state:
NTP not synched, using local clock
NTP server: x.x.x.134
status: rejected << here
reachable: no
authentication-type: symmetric key
- NTP will refuse to synch if the time is too far off, due to its methodology, which is to slow or speed the clock and adjust gradually.
I see you mentioned you've manually adjusted your clock to a time closer to actual time for you time zone.
- NTPv4 is an extension of NTPv3 that supports IPv4 and IPv6. It is backward compatible with NTPv3, offers some new features, and time synchronization
is faster and more precise. Security has improved, NTPv4 supports public key cryptography and standard X509 certificates.
So although server side and client side use different NTP version this should not be an issue. But to rule out any possibility
I would align these two.
- Please comment on these two previously proposed steps:
1- Please also use "show counter global filter delta yes packet-filter yes" combined with a pcap filter. (mandatory)
and share the findings (make sure to generate the NTP traffic)
2- If we still have no progress, at this stage I would try and rule out the NTP server. If you have a Cisco at hand
you can easily configure it to act as an NTP server.