BugZero | Cisco BugID CSCwb37650 - NTP to public servers like time.google.com will no...

Cisco - Defect ID: CSCwb37650

NTP to public servers like time.google.com will not work if domain-lookup is not enabled on ISR 4331

Cisco - Defect ID: CSCwb37650

NTP to public servers like time.google.com will not work if domain-lookup is not enabled on ISR 4331

Last updated on 4/22/2024

Overall: 5.85.8

Severity: 6.46.4

Lifecycle: 5.25.2

Popularity: 4.64.6

What is the BugZero Risk Score?

Vendor details

No defect details.

Overall: 5.85.8

Severity: 6.46.4

Lifecycle: 5.25.2

Popularity: 4.64.6

What is the BugZero Risk Score?

Vendor details

No defect details.

Symptom

-->Branches ntp configuration: ELGIN_SDWAN_RTR0#sh run | inc ntp ntp server vrf 1 time1.google.com ntp server vrf 1 10.17.0.1 ------->On the associations we saw that time1.google.com was being tried as ipv6 ELGIN_SDWAN_RTR0#sh ntp associations detail 2001:4860:4806:: configured, ipv6, insane, invalid, unsynced, stratum 16----> ref ID .INIT., time 00000000.00000000 (18:00:00.000 CDT Thu Dec 31 1899) our mode client, peer mode unspec, our poll intvl 64, peer poll intvl 1024 root delay 0.00 msec, root disp 0.00, reach 0, sync dist 15937.84 delay 0.00 msec, offset 0.0000 msec, dispersion 15937.50, jitter 0.00 msec precision 2**10, version 4 assoc id 60460, assoc name time1.google.com assoc in packets 0, assoc out packets 2, assoc error packets 0 org time E5CB8B9B.63958218 (12:46:51.389 CDT Thu Mar 3 2022) rec time 00000000.00000000 (18:00:00.000 CDT Thu Dec 31 1899) xmt time 00000000.00000000 (18:00:00.000 CDT Thu Dec 31 1899) filtdelay = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 filtoffset = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 filterror = 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 minpoll = 6, maxpoll = 10 10.17.0.1 configured, ipv4, our_primary, sane, valid, stratum 2 ref ID 128.252.19.1 , time E5CB6B93.074A4FF8 (10:30:11.028 CDT Thu Mar 3 2022) our mode client, peer mode server, our poll intvl 256, peer poll intvl 256 root delay 9.64 msec, root disp 131.27, reach 377, sync dist 157.27 delay 5.98 msec, offset -1.1091 msec, dispersion 2.75, jitter 13.27 msec precision 2**18, version 4 assoc id 60455, assoc name 10.17.0.1 assoc in packets 26930, assoc out packets 26931, assoc error packets 0 org time 00000000.00000000 (18:00:00.000 CDT Thu Dec 31 1899) rec time E5CB8B23.640D5C06 (12:44:51.390 CDT Thu Mar 3 2022) xmt time E5CB8B23.640D5C06 (12:44:51.390 CDT Thu Mar 3 2022) filtdelay = 6.98 51.98 5.98 60.98 6.99 6.98 6.98 6.98 filtoffset = -1.67 21.10 -1.10 26.09 -0.78 -0.49 -1.14 -0.80 filterror = 0.98 1.01 1.04 1.07 5.06 5.09 5.12 5.15 minpoll = 6, maxpoll = 10 ------>On the logs it was seen ipv6 errors Mar 3 19:12:50.419: %DMI-5-AUTH_PASSED: R0/0: dmiauthd: User 'vmanage-admin' authenticated successfully from 1.1.1.6:36450 and was authorized for netconf over ssh. External groups: Mar 3 19:12:57.552: %DMI-5-AUTH_PASSED: R0/0: dmiauthd: User 'vmanage-admin' authenticated successfully from 1.1.1.6:36622 and was authorized for netconf over ssh. External groups: Mar 3 19:13:04.151: %SYS-5-CONFIG_P: Configured programmatically by process iosp_vty_100001_dmiauthd_fd_172 from console as NETCONF on vty4294966494 Mar 3 19:13:04.155: %DMI-5-CONFIG_I: R0/0: dmiauthd: Configured from NETCONF/RESTCONF by vmanage-admin, transaction-id 558722 Mar 3 19:13:07.153: %IOSXE-3-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00003375128759883736 %IPSEC-3-REPLAY_ERROR: IPSec SA receives anti-replay error, DP Handle 5, src_addr 10.17.60.6, dest_addr 10.137.1.26, SPI 0x150 Mar 3 19:13:10.389: %NTP-4-V6DISABLED: IPv6 is not running on interface GigabitEthernet0/0/0.1. Cannot send NTP message. ------>According on the following ticket 685290662 and bug CSCuy20654 we applied the WA Access list to prevent ipv6 broadcast to be forwarded Example: IPv6 access list DENY-NTP-IPV6-BROADCAST deny ipv6 any any sequence 10 ! interface Loopback0 description Description ip address x.x.x.x y.y.y.y ipv6 traffic-filter DENY-NTP-IPV6-BROADCAST in end ----->found that even with this, the ntp associations didn't work MEMPHIS-SDWAN-RTR0#sh run | inc ntp ntp server vrf 1 10.17.0.1 ntp server vrf 1 time1.google.com MEMPHIS-SDWAN-RTR0#sh ntp associations address ref clock st when poll reach delay offset disp *~10.17.0.1 128.252.19.1 2 339 1024 377 26.990 -2.411 1.101 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured ----->customer added the following line and NTP associations to time1.google.com # ip domain lookup vrf 1 source-interface Loopback0 ############################################################# -->Datacenter ntp configuration: LISLE-SDWAN-RTR1#show run | inc ntp ntp server vrf 1 time1.google.com ntp server vrf 1 10.17.0.1 ------->with the same configuration ntp associations working fine LISLE-SDWAN-RTR1#show ntp associations detail 216.239.35.0 configured, ipv4, our_primary, sane, valid, stratum 1 ref ID .GOOG., time E5CB8A3A.21793A9B (12:40:58.130 CDT Thu Mar 3 2022) our mode client, peer mode server, our poll intvl 1024, peer poll intvl 1024 root delay 0.00 msec, root disp 0.07, reach 17, sync dist 23.02 delay 25.00 msec, offset -0.9855 msec, dispersion 1.03, jitter 0.97 msec precision 2**20, version 4 assoc id 30167, assoc name time1.google.com assoc in packets 30, assoc out packets 30, assoc error packets 0 org time 00000000.00000000 (18:00:00.000 CDT Thu Dec 31 1899) rec time E5CB8A3A.21793A9E (12:40:58.130 CDT Thu Mar 3 2022) xmt time E5CB8A3A.21793A9E (12:40:58.130 CDT Thu Mar 3 2022) filtdelay = 26.00 25.00 25.00 25.00 25.00 25.00 25.00 26.00 filtoffset = -1.24 -0.98 -1.49 -0.97 -1.30 -0.84 -1.50 -0.82 filterror = 0.97 1.00 1.03 1.06 1.09 1.12 1.15 1.18 minpoll = 6, maxpoll = 10 10.17.0.1 configured, ipv4, sane, valid, stratum 2 ref ID 128.252.19.1 , time E5CB6B93.074A4FF8 (10:30:11.028 CDT Thu Mar 3 2022) our mode client, peer mode server, our poll intvl 1024, peer poll intvl 1024 root delay 9.64 msec, root disp 133.95, reach 377, sync dist 143.79 delay 0.99 msec, offset 2.6926 msec, dispersion 1.09, jitter 1.16 msec precision 2**18, version 4 assoc id 30166, assoc name 10.17.0.1 assoc in packets 77600, assoc out packets 81282, assoc error packets 329 org time 00000000.00000000 (18:00:00.000 CDT Thu Dec 31 1899) rec time E5CB8BD6.1F4BE785 (12:47:50.122 CDT Thu Mar 3 2022) xmt time E5CB8BD6.1F4BE785 (12:47:50.122 CDT Thu Mar 3 2022) filtdelay = 1.98 1.98

Conditions

NTP configuration associated to public servers like time.google.com

Workaround

Configure ACL to prevent ipv6 broadcast and configure "ip domain-lookup on vrf"

Further Problem Description

NTP will not form associations, will depend on the case if ACL to prevent IPV6 broadcast will be enough or if ip domain lookup will be needed too MEMPHIS-SDWAN-RTR0#sh run | inc ntp ntp server vrf 1 10.17.0.1 ntp server vrf 1 time1.google.com MEMPHIS-SDWAN-RTR0#sh ntp associations address ref clock st when poll reach delay offset disp *~10.17.0.1 128.252.19.1 2 339 1024 377 26.990 -2.411 1.101 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

Original Vendor Announcement

9.65Defect ID: CSCwd45843
Auth Step latency for policy evaluation due to Garbage Collection activity.
9.65Defect ID: CSCwa92734
CUBE DTMF interworking fails from rtp-nte to OOB SIP methods
9.65Defect ID: CSCwj45822
Cisco ASA and FTD Software Remote Access VPN Brute Force Denial of Service Vulnerability
9.65Defect ID: CSCvo03458
PKI "revocation check crl none" does not fallback if CRL not reachable
9.65Defect ID: CSCvq05584
Cisco IOS and IOS XE Software Tcl Arbitrary Code Execution Vulnerability

Ready to prevent the next vendor outage?

Get a demo

OPERATIONAL DEFECT DATABASE

Cisco - Defect ID: CSCwb37650

NTP to public servers like time.google.com will not work if domain-lookup is not enabled on ISR 4331

Cisco - Defect ID: CSCwb37650

NTP to public servers like time.google.com will not work if domain-lookup is not enabled on ISR 4331

Last updated on 4/22/2024

Vendor details

Vendor details

Description

Symptom

Conditions

Workaround

Further Problem Description

Links

Top Cisco defects by risk score

Ready to prevent the next vendor outage?