System | CCNA 200-301

NTP Not Synchronizing — Clock Always Wrong

Presenting Symptom

The router's clock shows the wrong time and date, and NTP synchronization fails to correct it.

Network Context

A small branch office with a Cisco 4321 router running IOS XE 16.9 connects to the corporate headquarters via a WAN link. The router is configured as an NTP client to synchronize with an NTP server at HQ (192.168.1.10). The network uses basic routing with OSPF and has no firewall filtering NTP traffic.

Diagnostic Steps

1. Check NTP associations

show ntp associations
  address         ref clock     st  when  poll reach  delay  offset    disp
*~192.168.1.10    .LOCL.          1    -    64    1     0.000  0.000   0.000
 (or similar with a * indicating synchronization)

If no asterisk (*) appears next to the server address, the router is not synchronized. If the server is not listed, the router cannot reach the NTP server.

2. Verify NTP status

show ntp status
Clock is synchronized, stratum 2, reference is 192.168.1.10
actual freq: 2500000.0000 Hz, precision 2**10
reference time: D0C5E6A7.00000000 (12:34:56.000 UTC Mon Jan 1 2024)
clock offset: 0.0000 msec, root delay: 0.00 msec
root dispersion: 0.00 msec, peer dispersion: 0.00 msec

If the output shows 'Clock is unsynchronized', NTP is not working. Check stratum level: if stratum is 16, the router considers itself unsynchronized.

3. Test NTP server reachability

ping 192.168.1.10
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

If ping fails, there is a Layer 3 connectivity issue. If ping succeeds, the problem is likely NTP-specific (e.g., wrong source interface, NTP authentication mismatch, or server not responding to NTP queries).

4. Check NTP source interface

show running-config | include ntp
ntp server 192.168.1.10
ntp source Loopback0

Ensure the NTP source interface is reachable from the server. If the source interface is down or has an incorrect IP address, NTP packets may be sourced from the wrong interface. Also verify that no 'ntp access-group' restriction is blocking the exchange with the server.

Root Cause

The NTP server IP address is reachable, but the router's clock is not synchronizing because the NTP server is configured with NTP authentication, and the router lacks the correct NTP authentication key and trusted key configuration.

Resolution

Configure NTP authentication on the client with the correct key (the key number and key string must match what is configured on the server):

1. Enter global configuration mode: configure terminal
2. Define the NTP authentication key: ntp authentication-key 1 md5 cisco123
3. Specify the trusted key: ntp trusted-key 1
4. Enable NTP authentication: ntp authenticate
5. Reconfigure the NTP server entry to use the key: ntp server 192.168.1.10 key 1
6. Exit and save: end, write memory
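The following is an added example, not part of the original scenario: a small Python audit that reads 'show running-config | include ntp' output and reports which of the authentication pieces from the resolution steps are missing. It assumes, as in this scenario, that the server requires authentication; the function name, sample configs and the key string EXAMPLE-KEY are constructed for illustration.

```python
import re

def audit_ntp_auth(config_text):
    """Return findings for an IOS NTP client that must authenticate to its server."""
    keys, trusted, servers = set(), set(), {}
    authenticate = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := re.match(r"ntp authentication-key (\d+) md5 \S+", line):
            keys.add(int(m.group(1)))          # key ID is defined
        elif m := re.match(r"ntp trusted-key (\d+)", line):
            trusted.add(int(m.group(1)))       # key ID is trusted
        elif line == "ntp authenticate":
            authenticate = True                # authentication is enabled
        elif m := re.match(r"ntp server (\S+)(?:.*?\bkey (\d+))?", line):
            servers[m.group(1)] = int(m.group(2)) if m.group(2) else None

    findings = []
    if not authenticate:
        findings.append("'ntp authenticate' is missing")
    for server, key in servers.items():
        if key is None:
            findings.append(f"server {server} has no key assigned")
            continue
        if key not in keys:
            findings.append(f"key {key} for server {server} is not defined")
        if key not in trusted:
            findings.append(f"key {key} for server {server} is not trusted")
    return findings

# Constructed samples of 'show running-config | include ntp' output.
BEFORE = """ntp server 192.168.1.10
ntp source Loopback0"""
NOT_TRUSTED = """ntp authentication-key 1 md5 EXAMPLE-KEY
ntp authenticate
ntp source Loopback0
ntp server 192.168.1.10 key 1"""
FIXED = NOT_TRUSTED + "\nntp trusted-key 1"

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("not trusted", NOT_TRUSTED), ("fixed", FIXED)):
        print(name, "->", audit_ntp_auth(cfg) or "OK")
```

The audit only checks that the client-side pieces are present and consistent; whether the key string itself matches the server's still has to be confirmed with 'show ntp associations' and 'show ntp status'.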

Verification

Run 'show ntp associations' and 'show ntp status'. Expected output:

- show ntp associations: *~192.168.1.10 (asterisk indicates synchronization)
- show ntp status: 'Clock is synchronized, stratum 2, reference is 192.168.1.10'

Prevention

1. Standardize NTP authentication keys across all devices and store them securely.
2. Use a consistent NTP source interface (e.g., loopback) to avoid dependency on physical interface status.
3. Implement NTP access-groups to restrict which devices can query the router's NTP service, but ensure client-server communication is allowed.

CCNA Exam Relevance

On the CCNA 200-301 exam, NTP troubleshooting appears in multiple-choice and simulation questions. The exam tests understanding of NTP stratum levels, authentication, and the show commands used to verify synchronization. Key facts: NTP uses UDP port 123, and stratum 16 indicates an unsynchronized clock.

Exam Tips

1. Remember that 'show ntp associations' shows the synchronization status with an asterisk (*) next to the synchronized server.
2. NTP authentication requires both the key and the trusted-key configuration; missing either will prevent synchronization.
3. If the clock is not synchronizing, always check reachability first (ping), then NTP status and associations.
