Introduction
This document describes how to understand NTP association status codes on SD-WAN controllers.
Prerequisites
- The NTP service must be allowed (allow-service ntp) on the VPN 0 tunnel interfaces of all controllers. If the service is not allowed, use this procedure to enable it.
config t
vpn 0
!
interface eth1
tunnel-interface
allow-service ntp
!
commit
- All controllers must also have NTP configured. Consult the official documentation to configure NTP via CLI or vManage Template.
- All controllers and all nodes in the overlay must be configured with the same NTP server so that they share the same date and time. A date/time mismatch between nodes can cause issues in control connection establishment.
Components Used
This document is based on these software and hardware versions:
- SD-WAN controllers version 20.9.3
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Background Information
SD-WAN Controllers can be associated to a Network Time Protocol (NTP) server for network clock synchronization. NTP is built on the User Datagram Protocol (UDP) port 13 which provides a connectionless transport method.
In Viptela OS, the show ntp associations command displays a status code for each association. The code changes during the connection process and tells you which stage the synchronization is at, so it can be used to check the NTP status or to troubleshoot potential issues.
Problem
The NTP association status shows different hexadecimal values that help to find the root cause of NTP issues, but these values still need a human-readable interpretation.
Scenario 1: NTP connectivity is successfully established, code is 961a.
vBond1# show ntp associations
LAST
IDX ASSOCID STATUS CONF REACHABILITY AUTH CONDITION EVENT COUNT
-----------------------------------------------------------------------------
1 42171 961a yes yes none sys.peer reachable 1
Scenario 2: NTP connectivity is not established, code is 8023.
vManage# show ntp associations
LAST
IDX ASSOCID STATUS CONF REACHABILITY AUTH CONDITION EVENT COUNT
----------------------------------------------------------------------------
1 14598 8023 yes no none reject mobilize 1
Solution
Code Interpretation
The codes obtained from scenarios 1 and 2 can be translated into human-readable information, one hexadecimal digit at a time.
- Decode the first hex digit:
- Scenario 1: In code 961a, the first hex digit 9 is 10+80: the host is reachable (reach) and configured as a persistent association in ntp.conf (config).
- Scenario 2: In code 8023, the first hex digit 8 is 80 alone: the NTP server is configured but not reachable.
Code | Message | Description
08 | bcst | broadcast association
10 | reach | host reachable
20 | authenb | authentication enabled
40 | auth | authentication ok
80 | config | persistent association
- Decode the second hex digit:
- Scenario 1: In code 961a, the second hex digit 6 means that the peer is the system peer (sel_sys.peer).
- Scenario 2: In code 8023, the second hex digit 0 means that the peer is discarded as not valid (sel_reject).
Code | Message | T | Description
0 | sel_reject | | discarded as not valid (TEST10-TEST13)
1 | sel_falsetick | X | discarded by intersection algorithm
2 | sel_excess | . | discarded by table overflow (not used)
3 | sel_outlyer | - | discarded by the cluster algorithm
4 | sel_candidate | + | included by the combine algorithm
5 | sel_backup | # | backup (more than tos maxclock sources)
6 | sel_sys.peer | * | system peer
7 | sel_pps.peer | o | PPS peer (when the prefer peer is valid)
- Decode the third and fourth hex digits: the third digit is the count of times that the event identified by the fourth digit has occurred, and the fourth digit is the code of the last event.
- Scenario 1: In code 961a, the third and fourth digits 1a mean that the server has become the system peer (sys_peer) once.
- Scenario 2: In code 8023, the third and fourth digits 23 mean that the last event was unreachable (03) and that there have been two attempts to reach the server with no success; together with the first two digits, NTP is configured, not reachable, and discarded as not valid.
Code | Message | Description
01 | mobilize | association mobilized
02 | demobilize | association demobilized
03 | unreachable | server unreachable
04 | reachable | server reachable
05 | restart | association restart
06 | no_reply | no server found (ntpdate mode)
07 | rate_exceeded | rate exceeded (kiss code RATE)
08 | access_denied | access denied (kiss code DENY)
09 | leap_armed | leap armed from server LI code
0a | sys_peer | become system peer
0b | clock_event | see clock status word
0c | bad_auth | authentication failure
0d | popcorn | popcorn spike suppressor
0e | interleave_mode | entering interleave mode
0f | interleave_error | interleave error (recovered)
Note: For further reference about NTP association codes, refer to RFC5905.
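As an added example (not part of the original document), the Python script below automates the three decoding steps above for any 16-bit status word. It goes slightly beyond the digit-by-digit reading in the text by masking bits according to the layout of the ntpq peer status word, so the bcst flag (08), which shares the second hex digit with the 3-bit select field, is decoded correctly. The SAMPLE output and the "healthy" criterion (reachable and currently the system peer) are assumptions made for this example.

```python
# Decoder for the 16-bit STATUS word of "show ntp associations" (added example).
# High byte: flag bits (0x80 config, 0x40 auth, 0x20 authenb, 0x10 reach,
# 0x08 bcst) plus the 3-bit select field in bits 0-2. Low byte: 4-bit event
# counter in the high nibble and the 4-bit code of the last event in the low nibble.
FLAGS = {0x08: "bcst", 0x10: "reach", 0x20: "authenb", 0x40: "auth", 0x80: "config"}
SELECT = ["sel_reject", "sel_falsetick", "sel_excess", "sel_outlyer",
          "sel_candidate", "sel_backup", "sel_sys.peer", "sel_pps.peer"]
EVENTS = {0x1: "mobilize", 0x2: "demobilize", 0x3: "unreachable", 0x4: "reachable",
          0x5: "restart", 0x6: "no_reply", 0x7: "rate_exceeded", 0x8: "access_denied",
          0x9: "leap_armed", 0xA: "sys_peer", 0xB: "clock_event", 0xC: "bad_auth",
          0xD: "popcorn", 0xE: "interleave_mode", 0xF: "interleave_error"}

def decode_peer_status(word):
    """Return the decoded fields of a 4-hex-digit status word such as '961a'."""
    value = int(word, 16)
    if not 0 <= value <= 0xFFFF:
        raise ValueError(f"status word must be 16 bits: {word!r}")
    high, low = value >> 8, value & 0xFF
    select = high & 0x07
    return {
        "flags": [name for bit, name in FLAGS.items() if high & bit],
        "select": SELECT[select],
        "count": low >> 4,
        "event": EVENTS.get(low & 0x0F, "none"),
        # Assumed criterion: a usable source is reachable and is the system peer.
        "healthy": bool(high & 0x10) and select == 6,
    }

def describe(word):
    """One-line human-readable reading of a status word."""
    d = decode_peer_status(word)
    flags = "+".join(d["flags"]) or "no flags"
    return f"{word}: {flags}, {d['select']}, last event {d['event']} x{d['count']}"

def unhealthy_peers(output):
    """Return [(associd, description)] for rows that are not a reachable system peer."""
    bad = []
    for line in output.splitlines():
        cols = line.split()
        if len(cols) > 2 and cols[0].isdigit() and cols[1].isdigit():  # data rows only
            if not decode_peer_status(cols[2])["healthy"]:
                bad.append((cols[1], describe(cols[2])))
    return bad

# Constructed sample that merges the two scenarios shown in the document.
SAMPLE = """IDX ASSOCID STATUS CONF REACHABILITY AUTH CONDITION EVENT COUNT
1 42171 961a yes yes none sys.peer reachable 1
2 14598 8023 yes no none reject mobilize 1
"""
```

Running unhealthy_peers(SAMPLE) flags only association 14598 with the reading "8023: config, sel_reject, last event unreachable x2", which matches the manual decoding of scenario 2.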
Conclusions
- Code 961a from scenario 1 means that:
- The NTP server is reachable and configured in ntp.conf (digit 9).
- It is the system peer (digit 6).
- It has become the system peer once (digits 1 and a).
- Code 8023 from scenario 2 means that:
- The NTP server is configured but not reachable (digit 8).
- The peer is discarded as not valid (digit 0).
- The last event was unreachable and there have been two attempts to reach the server with no success (digits 2 and 3), so NTP is configured, not reachable, and discarded as not valid.
Useful Commands
These commands can be used for NTP troubleshooting in addition to show ntp associations.
- show ntp peer: Display information about the NTP peers with which the Cisco SD-WAN software is synchronizing its clocks.
- tcpdump test: A tcpdump capture is useful to confirm that packets are actually being sent and received between the controllers and the NTP server.