1 Reply Latest reply: Jul 16, 2011 2:16 AM by Aaron RSS

    ntp asa and pix and a router key mismatch but still ntp synchs




      I have had some odd results using NTP. I tried setting up NTP on an ASA in GNS3 using a Cisco Router as the NTP master. It would not synch or at least would not always synch, but as this is not an actual device couldn't be sure if this was a GNS problem or a problem with my config. So I repeated the experiment on a physical PIX and a router using the same version (8.03 as I had used on the ASA in GNS3), with the router as the NTP master which worked fine with the PIX synching very rapidly.  I then set up authentication for NTP between the PIX and the router, this worked fine.  However, even when I deliberately mismatched the key between the PIX and the router the pix still happily synched to the router, despite the mismatched key. This was still the case after saving the config and rebooting both devices.  So not too sure what is happening in terms of ntp authentication.  Anybody got any ideas.




      Chris M

        • 1. Re: ntp asa and pix and a router key mismatch but still ntp synchs



          I've seen this behavior somewhere I don't remember. After further investigation, configuring NTP authentication does not require all clients to use NTP auth, enables clients to use NTP auth. This means that your router will still respond to NTP unauthenticated request.

          So, the best thing you can do after configuring NTP auth in server and client it's to limit access to the master by using NTP ACLs or even IP ACLs.