Involved Products and Versions
All models and versions
Networking
An AR router is directly connected to an S series switch. The S series switch functions as the NTP server, and the AR router functions as the NTP client.
Fault Symptom
The AR router cannot synchronize its clock with the S series switch that functions as the NTP server, but other devices that function as NTP clients can.
Cause Analysis
A check of the configurations shows that they are correct. The packet information shows that the length of the Authentication Code in the authentication packet sent from the AR router is different from the length that the S series switch expects. As a result, the AR router fails to be authenticated.
Troubleshooting Procedure
1. Log in to the S series switch, and run the display current-configuration command in any view to check NTP configurations.
<Switch> display current-configuration | include ntp
ntp-service ipv6 server disable
ntp-service authentication enable
ntp-service authentication-keyid 10 authentication-mode hmac-sha256 cipher %^%#H)^t@$UR`'1@W&)ENpU4x!\RJ'SDT:}ajfBbE(\K%^%#
ntp-service reliable authentication-keyid 10
ntp-service refclock-master 12
2. Log in to the AR router, and run the display current-configuration command in any view to check NTP configurations.
<AR> display current-configuration | include ntp
ntp-service authentication enable
ntp-service authentication-keyid 10 authentication-mode hmac-sha256 cipher %^%#ChUBUgXk=H^q[BBNtt\7.94AO]UUM51ar!/!PWE=%^%#
ntp-service reliable authentication-keyid 10
ntp-service unicast-server 172.22.24.33 authentication-keyid 10
3. The result shows that the configurations are correct. Because the passwords are displayed in cipher text, reconfigure the password on both the S series switch and the AR router to ensure that the NTP server and the NTP client use the same password. For example, run the following command on the S series switch (and run the same command on the AR router):
<Switch> system-view
[Switch] ntp-service authentication-keyid 10 authentication-mode hmac-sha256 cipher Hello123
4. Set up an environment in the lab that is the same as that on the live network and reproduce the problem. Analysis of the packet information obtained on the switch shows that, when the server authenticates the synchronization packet from the client, the length of the Authentication Code in the packet is incorrect. That is, the length of the Authentication Code calculated using the hmac-sha256 algorithm is 36, but the packet sent from the AR router carries 20 bytes. The authentication fails because the lengths are different.
5. Install a patch on the AR router so that the length of the Authentication Code it sends is the same as that used by the S series switch. The problem is resolved.
Conclusions and Suggestions
When an S series switch is connected to other devices and a fault persists although the configurations are correct, you can reproduce the problem in the lab and obtain the interaction packet information for further analysis.
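The length comparison from step 4 can be run against captured NTP payloads with a short script. The following is an added example, not Huawei tooling or code from this case. It assumes that the authentication data follows the 48-byte NTP header directly (no extension fields) and consists of a 4-byte key ID plus the digest, so hmac-sha256 gives 36 bytes; the function names and the sample packets are constructed for illustration.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48   # fixed NTP header size (RFC 5905)
KEY_ID_LEN = 4        # key identifier that precedes the digest
# Assumption: the authentication data is key ID + digest, with no extension fields.
EXPECTED_LEN = {"hmac-sha256": KEY_ID_LEN + hashlib.sha256().digest_size}  # 36


def inspect_ntp_auth(payload, mode="hmac-sha256"):
    """Report key ID and authentication-data length of one NTP UDP payload."""
    if len(payload) < NTP_HEADER_LEN:
        raise ValueError("payload is shorter than the NTP header")
    trailer = payload[NTP_HEADER_LEN:]
    if len(trailer) < KEY_ID_LEN:
        key_id = None  # unauthenticated or malformed packet
    else:
        key_id = struct.unpack("!I", trailer[:KEY_ID_LEN])[0]
    expected = EXPECTED_LEN[mode]
    return {"key_id": key_id, "auth_len": len(trailer),
            "expected_len": expected, "length_ok": len(trailer) == expected}


def build_sample(key_id, digest_len):
    """Constructed sample packet; the digest only has a realistic size."""
    header = bytes([0x23]) + bytes(NTP_HEADER_LEN - 1)  # LI=0, VN=4, mode=3 (client)
    digest = hmac.new(b"Hello123", header, hashlib.sha256).digest()[:digest_len]
    return header + struct.pack("!I", key_id) + digest


# Constructed payloads that reproduce the two lengths reported in step 4.
SAMPLES = {
    "other NTP client (constructed)": build_sample(10, 32),
    "AR router (constructed)": build_sample(10, 16),
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        r = inspect_ntp_auth(payload)
        verdict = "ok" if r["length_ok"] else "LENGTH MISMATCH"
        print(f"{name}: key {r['key_id']}, {r['auth_len']} bytes "
              f"(expected {r['expected_len']}) -> {verdict}")
```

A length mismatch with a matching key ID points to an interoperability defect in how the authentication data is built rather than to a wrong password.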