This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Who rated this post

vzamy
L2 Linker

‎10-21-2022 12:12 PM - edited ‎10-21-2022 12:24 PM

Hi @Pras 

- There seems to be NTP communication between the client (FW) and the server, your server-side captures confirm that.
- Reference ID (refid): 32-bit code identifying the particular server or reference clock. So this isn't the issue.
- keyid: Symmetric key ID for the 128-bit MD5 key used to generate and verify the MAC.
The client and server or peer can use different values, but they must map to the same key.
Please try resetting your PSK (use something simple for the testing purpose)
- Have a look at the current NTPv4 RFC 5905 “Network Time Protocol Version 4: Protocol and Algorithms Specification” in order to understand the packets and protocol details.
Looking at the wire you should understand the packet header (section 7.3 in the RFC).


- your "show ntp" output shows the server NTP is being 'rejected'.
admin@W01(active)> show NTP
NTP state:
NTP not synched, using local clock
NTP server: x.x.x.134
status: rejected << here
reachable: no
authentication-type: symmetric key

- NTP will refuse to synch if the time is too far off, due to its methodology, which is to slow or speed the clock and adjust gradually.
I see you mentioned you've manually adjusted your clock to a time closer to actual time for you time zone.

- NTPv4 is an extension of NTPv3 that supports IPv4 and IPv6. It is backward compatible with NTPv3, offers some new features, and time synchronization
is faster and more precise. Security has improved, NTPv4 supports public key cryptography and standard X509 certificates.
So although server side and client side use different NTP version this should not be an issue. But to rule out any possibility
I would align these two.

- Please comment on these two previously proposed steps:
1- Please also use "show counter global filter delta yes packet-filter yes" combined with a pcap filter. (mandatory)
and share the findings (make sure to generate the NTP traffic)
2- If we still have no progress, at this stage I would try and rule out the NTP server. If you have a Cisco at hand
you can easily configure it to act as an NTP server.

0 Likes Likes
(1)
Who rated this post
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks