CCNA 200-301

NTP Authentication Key Mismatch — Peers Not Syncing

Presenting Symptom

NTP peers show 'NTP is not syncing' and the clock remains unsynchronized despite correct NTP server configuration.

Network Context

A small branch office with a Cisco 4321 router (IOS XE 16.9) acting as NTP client to a core router (NTP server) at headquarters. The branch router's NTP configuration includes authentication keys, but the server's key ID or key string does not match. The network uses NTP version 4.

Diagnostic Steps

1. Check NTP association status

    show ntp associations
      address         ref clock     st  when  poll reach  delay  offset  disp
    *~192.168.1.1    .INIT.          16   -    64    0     0.0    0.0   16000.
    ~192.168.1.1    .INIT.          16   -    64    0     0.0    0.0   16000.

The asterisk indicates the peer selected for synchronization. If the ref clock shows .INIT. and reach is 0, the peer is not reachable or authentication is failing. Normal output would show a stratum number (e.g., 4) and non-zero reach.

2. Verify NTP synchronization status

    show ntp status
    Clock is unsynchronized, stratum 16, no reference clock
    nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**19
    reference time is 0.0.0.0 (00:00:00.000 UTC Mon Jan 1 1900)
    clock offset is 0.0000 msec, root delay is 0.00 msec
    root dispersion is 0.00 msec, peer dispersion is 0.00 msec
    loopfilter state is 'CTRL' (Normal), drift is 0.000000000 s/s
    system poll interval is 64, last update was 0 sec ago.

If the clock is unsynchronized and the stratum is 16, the router is not syncing. This confirms the problem but does not pinpoint the cause.

3. Check the NTP authentication key configuration

    show ntp authentication-keys
    Key    Type    Value
    1      MD5     $1$abc123$xyz (encrypted)
    2      MD5     $1$def456$uvw (encrypted)

Verify that the key ID and key string match between client and server. If the server uses key 1 with a different key string, authentication will fail. Also check that the key is marked as trusted.

4. Verify NTP trusted keys

    show running-config | include ntp trusted-key
    ntp trusted-key 1

The ntp trusted-key command must list the key ID used for authentication. If it is missing, the client will not accept packets authenticated with that key.

5. Enable NTP debugging to see authentication failures

    debug ntp authentication
    NTP: authentication failed for packet from 192.168.1.1
    NTP: authentication failed for packet from 192.168.1.1

This debug output directly indicates authentication failure. If you see 'authentication failed', the key mismatch is confirmed.

Root Cause

The NTP client and server have mismatched authentication keys. Either the key ID or the key string used to compute the MD5 authenticator differs between the two devices. Additionally, the client may not have the key configured as trusted, causing the client to reject the server's packets.
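As an added illustration (not from this scenario page and not Cisco's implementation), the following Python models the RFC 5905 symmetric-key authenticator that NTPv4 appends to each packet, then checks it the way a receiving router must. Running it shows each failure mode described above: a key ID the receiver does not have, a key ID that is not trusted, and a key string that differs on the two sides. The key strings and key IDs are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constructed key tables (key ID -> key string); not values from any real device.
CLIENT_KEYS = {1: b"cisco123"}
SERVER_KEYS_MATCH = {1: b"cisco123"}          # same ID, same string
SERVER_KEYS_WRONG_STRING = {1: b"cisco321"}   # same ID, different string
SERVER_KEYS_WRONG_ID = {2: b"cisco123"}       # same string under a different ID

def build_ntp_packet(version=4, mode=3):
    """Minimal 48-byte NTPv4 client request: LI=0, VN=4, mode=3, other fields zero."""
    li_vn_mode = (0 << 6) | (version << 3) | mode
    return struct.pack("!BBBb11I", li_vn_mode, 0, 0, 0, *([0] * 11))

def add_authenticator(packet, key_id, keys):
    """Append the RFC 5905 symmetric-key MAC: key ID (4 bytes) + MD5(key || packet)."""
    digest = hashlib.md5(keys[key_id] + packet).digest()
    return packet + struct.pack("!I", key_id) + digest

def verify_authenticator(message, keys, trusted_ids):
    """Check an authenticated NTP message as a receiver does.

    Returns (accepted, reason). The reasons map onto the failure modes in this
    scenario: unknown key ID, key not trusted, or key string mismatch.
    """
    if len(message) != 48 + 4 + 16:
        return False, "no authenticator present"
    packet, key_id_raw, mac = message[:48], message[48:52], message[52:]
    key_id = struct.unpack("!I", key_id_raw)[0]
    if key_id not in keys:
        return False, f"key {key_id} not configured"
    if key_id not in trusted_ids:
        return False, f"key {key_id} not trusted"
    expected = hashlib.md5(keys[key_id] + packet).digest()
    if not hmac.compare_digest(expected, mac):
        return False, f"key {key_id} string mismatch"
    return True, "ok"

if __name__ == "__main__":
    msg = add_authenticator(build_ntp_packet(), 1, CLIENT_KEYS)
    print(verify_authenticator(msg, SERVER_KEYS_MATCH, {1}))         # (True, 'ok')
    print(verify_authenticator(msg, SERVER_KEYS_WRONG_STRING, {1}))  # (False, 'key 1 string mismatch')
    print(verify_authenticator(msg, SERVER_KEYS_WRONG_ID, {2}))      # (False, 'key 1 not configured')
    print(verify_authenticator(msg, SERVER_KEYS_MATCH, set()))       # (False, 'key 1 not trusted')
```

Only the first case is accepted; the other three are exactly the conditions that make IOS log 'authentication failed' in the debug output above.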

Resolution

1. On the client, configure the correct key string matching the server:

    configure terminal
    ntp authentication-key 1 md5 cisco123

2. Ensure the key is trusted:

    ntp trusted-key 1

3. Enable NTP authentication:

    ntp authenticate

4. Point to the correct server (if not already):

    ntp server 192.168.1.1 key 1

Verification

1. Run 'show ntp associations' and look for an asterisk (*) next to the server with a valid stratum (e.g., 4) and non-zero reach.
2. Run 'show ntp status' and verify 'Clock is synchronized, stratum 3' (or the appropriate stratum).
3. Run 'show clock' to confirm the time is correct.

Prevention

1. Use a consistent key management process to ensure NTP keys are identical on all devices.
2. Document and standardize NTP key IDs and strings across the network.
3. Use NTP authentication only when necessary; if not required, disable it to avoid misconfiguration.

CCNA Exam Relevance

On the CCNA 200-301 exam, NTP authentication appears in troubleshooting scenarios, often as a drag-and-drop or multiple-choice question. The exam tests the candidate's ability to identify why NTP peers are not syncing and to configure authentication correctly. Key facts: NTP authentication uses MD5 keys, the key must be trusted, and both sides must match.

Exam Tips

1. Remember that 'ntp authenticate' must be enabled globally for authentication to work.
2. The 'show ntp associations' output shows .INIT. when authentication fails.
3. Always check that the key ID and key string match exactly between client and server.

Commands Used in This Scenario

    show ntp associations
    show ntp status
    show ntp authentication-keys
    show running-config | include ntp trusted-key
    show clock
    debug ntp authentication
    ntp authentication-key 1 md5 cisco123
    ntp trusted-key 1
    ntp authenticate
    ntp server 192.168.1.1 key 1
