NTP Access Group Blocking Legitimate NTP Server
Presenting Symptom
The router's clock is not synchronizing with the configured NTP server, and 'show ntp status' shows the clock is unsynchronized.
Network Context
A small branch office router (Cisco ISR 4331, IOS XE 16.9) is configured to obtain NTP time from a central NTP server at 192.168.1.10. The router has an NTP access group configured to restrict NTP associations to a specific ACL. The network is otherwise functional, and the router can reach the NTP server via ping.
Diagnostic Steps
Check NTP status and associations
show ntp status
Clock is unsynchronized, stratum 16, no reference clock
If the clock is unsynchronized, NTP is not working. Normal output would show synchronized, stratum <15, and a reference clock.
Check NTP associations
show ntp associations
No associations, or address 192.168.1.10 is not listed as a sys.peer
If the NTP server is not listed or is not selected as sys.peer, the router is not receiving NTP updates. Normal output would show the server with a sys.peer flag.
Verify NTP access group configuration
show running-config | include ntp access-group
ntp access-group serve-only 10
This shows an NTP access group is configured. The ACL '10' may be blocking the NTP server. Check the ACL contents.
Check the ACL used by the NTP access group
show access-lists 10
Standard IP access list 10
    10 deny   192.168.1.10
    20 permit any
The ACL denies the NTP server (192.168.1.10) and permits all others. This is the root cause: the NTP access group is blocking the legitimate NTP server.
Root Cause
The NTP access group 'serve-only' is applied with ACL 10, which explicitly denies the NTP server's IP address (192.168.1.10). This prevents the router from accepting NTP packets from that server, causing the clock to remain unsynchronized.
Resolution
Verification
1. show ntp status
   Expected: Clock is synchronized, stratum 2 (or appropriate), reference clock 192.168.1.10
2. show ntp associations
   Expected: 192.168.1.10 configured, sys.peer, reachable, synced
Prevention
1. Always verify that NTP access group ACLs permit the intended NTP servers before applying.
2. Use named ACLs for clarity and review ACL entries regularly.
3. Test NTP synchronization after any ACL changes to ensure connectivity.
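As an added example (not from the original page and not a Cisco tool), a small Python checker for prevention step 1: it parses IOS-style 'ntp server', 'ntp access-group' and standard 'access-list' lines and reports which access type each configured server is granted, following Cisco's documented scan order (peer, serve, serve-only, query-only) in which a permit match grants that type, an explicit deny drops the packet, and only 'peer' allows the router to synchronize to that source. The configuration snippet is constructed to match this scenario.

```python
import ipaddress
# Constructed IOS-style snippet reproducing this page's scenario (not a capture from the device).
BROKEN_CONFIG = """\
ntp server 192.168.1.10
ntp access-group serve-only 10
access-list 10 deny 192.168.1.10
access-list 10 permit any
"""
# Cisco scans NTP access groups least- to most-restrictive: a permit match grants that type,
# an explicit deny drops the packet, a non-match moves on. Only 'peer' allows synchronizing.
ACCESS_ORDER = ("peer", "serve", "serve-only", "query-only")

def parse_config(text):
    """Collect ntp servers, access groups {type: acl} and standard ACL entries {acl: [ace]}."""
    servers, groups, acls = [], {}, {}
    for p in (line.split() for line in text.splitlines()):
        if p[:2] == ["ntp", "server"]:
            servers.append(p[2])
        elif p[:2] == ["ntp", "access-group"]:
            groups[p[2]] = p[3]
        elif p[:1] == ["access-list"]:  # access-list <n> permit|deny any|host <ip>|<ip> [wildcard]
            acls.setdefault(p[1], []).append(p[2:])
    return servers, groups, acls

def acl_action(entries, ip):
    """First matching entry wins; None means no match (implicit deny, scan continues)."""
    addr = int(ipaddress.IPv4Address(ip))
    for action, *src in entries:
        if src[0] == "any":
            return action
        base, wildcard = (src[1], "0.0.0.0") if src[0] == "host" else (src[0], (src + ["0.0.0.0"])[1])
        care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))  # wildcard 1-bits are don't-care
        if addr & care == int(ipaddress.IPv4Address(base)) & care:
            return action
    return None

def check_ntp_access(config):
    """Map each configured NTP server to the access type it is granted, or 'denied'."""
    servers, groups, acls = parse_config(config)
    report = {}
    for server in servers:
        verdict = "denied" if groups else "peer"  # no access groups configured: unrestricted
        for access_type in (t for t in ACCESS_ORDER if t in groups):
            action = acl_action(acls.get(groups[access_type], []), server)
            if action == "permit":
                verdict = access_type
            if action:  # permit grants this type; an explicit deny drops the packet
                break
        report[server] = verdict
    return report
```

Running check_ntp_access(BROKEN_CONFIG) reports the server as denied; a config that merely permits the server under serve-only is reported as serve-only, which still does not let the router synchronize, so the checker also catches a fix that stops short of a 'peer' access group.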
CCNA Exam Relevance
On the CCNA 200-301 exam, this scenario may appear as a troubleshooting question where you must identify why NTP is not synchronizing. The exam tests understanding of NTP access groups and ACLs. Key fact: NTP access groups filter NTP packets based on ACLs; a misconfigured ACL can block legitimate servers.
Exam Tips
Remember that 'ntp access-group' can use keywords like 'serve', 'serve-only', 'query-only', and 'peer' — each controls different NTP operations.
The exam may present a 'show ntp associations' output showing the server is 'configured' but not 'sys.peer' — this indicates a reachability or authentication issue.
Know that 'clear ntp association *' resets all NTP associations and forces the router to re-poll servers.
Commands Used in This Scenario
show access-lists
Displays all configured access control lists (ACLs) on the device, including their entries and match counters, used to verify ACL configuration and traffic filtering.
show ntp associations
Displays the status of NTP associations configured on the device, used to verify NTP synchronization and identify time sources.
show ntp status
Displays the current NTP synchronization status, including clock stratum, reference clock, and synchronization state, used to verify NTP operation and clock accuracy.