skymeat

New problem solver

 • 

39 Messages

Wednesday, July 15th, 2015 8:00 AM

NTP Forged Packets?!

My internal ASA and ESX host are pointing to NIST for NTP. The packets I'm receiving are 4 minutes faster than the actual time. I've tried several different NTP servers, and still 4 minutes off. Laptops offsite have the correct time, and it screws up domain authentication. On the ASA it thinks it's getting good time info, and all the VMs are in sync with that no problem. So is Comcast forging the NTP replies to me?

Problem solver

 • 

117 Messages

9 years ago

I would not expect Comcast to be forging NTP packets. It would cost them time and effort they don't want to spend.

 

Have you configured multiple NTP servers on the ASA? Four is a good number. Pick from sources well separated both administratively and by network topology.

 

What do the following commands show? [obscure any proprietary data]

 

show ntp status

 

show ntp associations detail
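An ASA configuration fragment illustrating the four-source advice above. This is an added example, not something posted in this thread: the addresses are RFC 5737 documentation placeholders (substitute NIST or pool addresses), the interface name `outside` is assumed, and the `!` lines are annotation in the style of a saved running-config.

```cisco
! Four sources on different networks run by different organizations.
! 192.0.2.x, 198.51.100.x and 203.0.113.x are documentation placeholders,
! not real NTP servers.
ntp server 192.0.2.10 source outside prefer
ntp server 198.51.100.20 source outside
ntp server 203.0.113.30 source outside
ntp server 192.0.2.40 source outside
!
! With three or more sources that agree, the selection algorithm can
! discard one that sits 4 minutes away instead of following it.
show ntp status
show ntp associations detail
```

In `show ntp associations detail`, compare the `offset` and `delay` reported for each peer: one peer 240 s away from the others points at that path or server, while all four agreeing on a +240 s offset means the local clock, not the sources, is what differs.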

 

New problem solver

 • 

39 Messages

9 years ago

Thing is, everything internal is synced to the ASA, and if I point another internal device (ESX) to NIST then it's the same time. If I tether my laptop and point to the same NTP server then it's correct. So multiple devices inside are getting different NTP data than outside.

New problem solver

 • 

39 Messages

9 years ago

I should add that at work I have a 1000-node network pointing to the same NTP server, and it's correct too.

New problem solver

 • 

39 Messages

9 years ago

It's not the ASA. Any device I point outside gets the same time.

Advocate

 • 

1.4K Messages

9 years ago

Sounds like you need to check the ASA FW and config settings. Cisco tech support could provide assistance to you on this.

 

 

Advocate

 • 

1.4K Messages

9 years ago

Hello again skymeat,

 

The Comcast Gateways do nothing with respect to any NTP facility. This client-server protocol must be set up for connection to an NTP server. I know in the old days, Windows 2K used to use a pseudo-NTP W32Time service, but that was changed in recent MS Windows versions. Definitely sounds like you need to revisit your ASA NIST interconnect.

Gold Problem solver

 • 

610 Messages

9 years ago

What servers are you specifically using? I have always had very good luck with [0-3].pool.ntp.org

New problem solver

 • 

39 Messages

9 years ago

I've tried the Legrand, Boulder, and Redmond ones. They sync with the same time. I swear it's not me.

Gold Problem solver

 • 

610 Messages

9 years ago


@skymeat wrote:
If I tether my laptop and point to the same ntp server then it's correct.

"Tether" to where? Are you saying you tether a laptop to the Comcast gateway and it retrieves the correct time?

New problem solver

 • 

39 Messages

9 years ago

I tried with a DC and the esx server.

Gold Problem solver

 • 

610 Messages

9 years ago

Just for grins, could you possibly try bypassing the ASA & seeing if a direct-connected laptop still retrieves the wrong time? Just to rule the ASA out?

New problem solver

 • 

39 Messages

9 years ago

Laptop tethered to the phone. Also the work network (that I set up), and the other 2 sysadmins are using the same NTP servers. And that's spot on. All those networks are CenturyLink or AT&T.

Gold Problem solver

 • 

610 Messages

9 years ago

Weird. Does a packet trace show anything out of place?

New problem solver

 • 

39 Messages

9 years ago

I took Wireshark captures, and didn't see anything odd, except they were both about the same, no anomaly. I'll take some tomorrow and save them, and share. Something's going on.
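When comparing the captures, the fields worth reading out of each reply are the leap indicator, stratum, reference id and the four timestamps, because the offset the client computes comes only from those timestamps. The following is an added example, not code from this thread: a small Python decoder for the 48-byte NTP header that computes the RFC 5905 offset and delay and flags a reply that should not be trusted. The packet it decodes is constructed by hand (a stratum-1 reply whose clock runs 240 s ahead, matching the symptom described above); the `NIST` reference id and the timestamps are assumptions, not values from a real capture.

```python
import socket
import struct

NTP_EPOCH_OFFSET = 2208988800          # seconds from 1900-01-01 to 1970-01-01
NTP_PACKET_FMT = "!BBbbII4sIIIIIIII"  # 48-byte header layout from RFC 5905
TWO32 = 2 ** 32


def unix_to_ntp(t):
    """Unix float time -> NTP (seconds, 32-bit fraction)."""
    secs = int(t)
    return secs + NTP_EPOCH_OFFSET, int(round((t - secs) * TWO32))


def ntp_to_unix(secs, frac):
    """NTP (seconds, fraction) -> Unix float time."""
    return secs - NTP_EPOCH_OFFSET + frac / TWO32


def build_request(t1):
    """Client request (LI=0, VN=4, mode=3) carrying only our transmit time t1."""
    secs, frac = unix_to_ntp(t1)
    return struct.pack(NTP_PACKET_FMT, (4 << 3) | 3, 0, 0, 0, 0, 0,
                       b"\0\0\0\0", 0, 0, 0, 0, 0, 0, secs, frac)


def parse_reply(data):
    """Decode the fixed header of an NTP packet into named fields."""
    if len(data) < 48:
        raise ValueError("NTP packet too short: %d bytes" % len(data))
    (lvm, stratum, poll, precision, root_delay, root_disp, ref_id,
     ref_s, ref_f, org_s, org_f, rec_s, rec_f, xmt_s, xmt_f) = \
        struct.unpack(NTP_PACKET_FMT, data[:48])
    # Stratum 0/1 carry a 4-char ASCII reference id; stratum >= 2 carries
    # the IPv4 address of the upstream server.
    if stratum <= 1:
        ref = ref_id.decode("ascii", "replace").rstrip("\0")
    else:
        ref = socket.inet_ntoa(ref_id)
    return {
        "leap": lvm >> 6, "version": (lvm >> 3) & 7, "mode": lvm & 7,
        "stratum": stratum, "poll": poll, "precision": precision,
        "root_delay": root_delay / 65536.0,      # 16.16 fixed point, seconds
        "root_dispersion": root_disp / 65536.0,
        "ref_id": ref,
        "ref_ts": ntp_to_unix(ref_s, ref_f),
        "orig_ts": ntp_to_unix(org_s, org_f),    # our t1, echoed back
        "recv_ts": ntp_to_unix(rec_s, rec_f),    # t2, on the server's clock
        "xmt_ts": ntp_to_unix(xmt_s, xmt_f),     # t3, on the server's clock
    }


def clock_offset(t1, t2, t3, t4):
    """RFC 5905 clock offset and round-trip delay from the four timestamps."""
    return ((t2 - t1) + (t3 - t4)) / 2.0, (t4 - t1) - (t3 - t2)


def check_reply(reply, t1, t4, max_offset=1.0):
    """List reasons not to trust a reply; an empty list means it looks sane."""
    problems = []
    if reply["mode"] != 4:
        problems.append("mode %d is not a server reply" % reply["mode"])
    if reply["leap"] == 3:
        problems.append("server says its clock is unsynchronized (LI=3)")
    if reply["stratum"] == 0:
        problems.append("stratum 0 (kiss-o'-death), ref_id=%r" % reply["ref_id"])
    elif reply["stratum"] > 15:
        problems.append("invalid stratum %d" % reply["stratum"])
    if abs(reply["orig_ts"] - t1) > 1e-6:
        problems.append("originate timestamp does not echo our t1 (stale or spoofed)")
    offset, delay = clock_offset(t1, reply["recv_ts"], reply["xmt_ts"], t4)
    if delay < 0:
        problems.append("negative round-trip delay %.3f s" % delay)
    if abs(offset) > max_offset:
        problems.append("offset %+.3f s exceeds %.1f s" % (offset, max_offset))
    return problems


def constructed_reply(t1, server_skew=240.0):
    """Hand-built stratum-1 reply from a server running server_skew seconds
    ahead of the client; returns (packet bytes, t4 = client receive time).
    Quarter-second fractions keep every timestamp exact in binary, and the
    "NIST" reference id is assumed rather than taken from a real capture."""
    t2, t3, t4 = t1 + server_skew + 0.25, t1 + server_skew + 0.5, t1 + 0.75
    fields = [(4 << 3) | 4, 1, 6, -20, 0, 1, b"NIST"]
    for ts in (t1 + server_skew - 16.0, t1, t2, t3):   # ref, orig, recv, xmt
        fields.extend(unix_to_ntp(ts))
    return struct.pack(NTP_PACKET_FMT, *fields), t4


if __name__ == "__main__":
    T1 = 1436947200.0  # 2015-07-15 08:00:00 UTC, picked to match the thread's date
    packet, t4 = constructed_reply(T1)
    reply = parse_reply(packet)
    offset, delay = clock_offset(T1, reply["recv_ts"], reply["xmt_ts"], t4)
    print("stratum=%d ref=%s leap=%d" % (reply["stratum"], reply["ref_id"], reply["leap"]))
    print("offset=%+.3f s delay=%.3f s" % (offset, delay))  # offset=+240.000 s delay=0.500 s
    for problem in check_reply(reply, T1, t4):
        print("WARNING:", problem)
```

To apply this to the two captures, feed `parse_reply` the UDP payload of a reply seen inside the ASA and of one seen from the tethered laptop and compare `xmt_ts` against the capture timestamp of each frame: a clean stratum-1 reply whose transmit timestamp is 240 s ahead of the capture clock on one path and not the other means the reply on that path carries a different time, which is something a rewritten packet or a different upstream would produce but a local clock fault would not.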

Problem solver

 • 

117 Messages

9 years ago

What do the following ASA commands show? [obscure any proprietary data]

 

show ntp status

 

show ntp associations detail