...
When an NTP ACL is configured for "peer", "serve", "serve-only", or "query-only" and a deny ACE is matched, the other NTP options are not checked. For example:

    ntp server 10.45.9.7 use-vrf management
    ntp server 10.45.11.252 use-vrf management
    ntp source-interface mgmt0
    ntp authenticate
    ntp authentication-key 1 md5 qegjcetygxcj 7
    ntp trusted-key 1
    ntp logging
    ntp access-group peer TelstraNTPServers
    ntp access-group serve-only MTENTPClients   <==============*
    ntp master 3

The problem is on the marked line above: no matter what, the access list never matches:

    IP access list 1400
            10 remark CACTI-snmp
            20 permit udp 10.45.12.16/32 any
    IP access list MTENTPClients
            10 permit ip 10.1.120.2/32 10.38.129.9/32   <=================*
    IP access list TelstraNTPServers
            10 permit ip 10.45.11.252/32 10.45.7.133/32 log
            20 permit ip 127.127.1.0/32 any

10.1.120.2 is the client in the network that is allowed to sync its time with this N9K:

    AC2016-GDH3-NP-CORE01-ISD-MTE(config-acl)# sh ip inter b vrf ISD_NP
    IP Interface Status for VRF "ISD_NP"(3)
    Interface            IP Address      Interface Status
    Vlan1000             10.38.128.1     protocol-up/link-up/admin-up
    Vlan1010             10.38.129.1     protocol-up/link-up/admin-up
    Vlan1012             10.38.129.9     protocol-up/link-up/admin-up
    Vlan1020             10.38.130.1     protocol-up/link-up/admin-up
    Vlan1022             10.38.130.9     protocol-up/link-up/admin-up
    Vlan1030             10.38.131.1     protocol-down/link-down/admin-up
    Vlan1032             10.38.131.9     protocol-down/link-down/admin-up
    Vlan1081             10.38.128.65    protocol-up/link-up/admin-up
    Vlan1082             10.38.128.69    protocol-up/link-up/admin-up
    Vlan1111             1.1.1.1         protocol-down/link-down/admin-up

A packet capture was performed and confirmed that the above configuration does not work.
However, once an extra line is added to the access list TelstraNTPServers, the time can be synced:

    IP access list 1400
            10 remark CACTI-snmp
            20 permit udp 10.45.12.16/32 any
    IP access list MTENTPClients
            10 permit ip 10.1.120.2/32 10.38.129.9/32   <=================*
    IP access list TelstraNTPServers
            10 permit ip 10.45.11.252/32 10.45.7.133/32 log
            20 permit ip 127.127.1.0/32 any
            30 permit ip 10.1.120.2/32 10.38.129.9/32   <=================*
Multiple NTP ACLs configured.
The issue is fixed with the introduction of the keyword 'match-all' in 7.0(3)I6:

    9396-D# sh ver | I bin
      NXOS image file is: bootflash:///nxos.7.0.3.I7.2.bin
    9396-D(config)# ntp access-group ?
      match-all   Scan ACLs present in all ntp access groups
      peer        Access-group peer
      query-only  Access-group query-only
      serve       Access-group serve
      serve-only  Access-group serve-only
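To make the evaluation order concrete, here is an added Python model of the behaviour this record describes (constructed for this page, not Cisco code): the ACLs and access groups above are encoded as data, and the three cases are compared: the original configuration, the workaround of adding the client flow to TelstraNTPServers, and the match-all keyword. The order in which the access groups are consulted (peer before serve-only) is an assumption of the model.

```python
import ipaddress

# Constructed model of the ACLs in the bug record: each ACE is (source prefix, destination prefix).
# "any" is written as 0.0.0.0/0. The implicit deny at the end of every NX-OS ACL is modelled
# by acl_permits() returning False when no permit ACE matches.
ACLS = {
    "TelstraNTPServers": [("10.45.11.252/32", "10.45.7.133/32"), ("127.127.1.0/32", "0.0.0.0/0")],
    "MTENTPClients": [("10.1.120.2/32", "10.38.129.9/32")],
}

# The workaround from the record: the client's flow is appended to the peer ACL as sequence 30.
WORKAROUND_ACLS = {
    "TelstraNTPServers": ACLS["TelstraNTPServers"] + [("10.1.120.2/32", "10.38.129.9/32")],
    "MTENTPClients": ACLS["MTENTPClients"],
}

# ntp access-group <type> <acl>, as configured on the switch. Consulting peer before
# serve-only is an assumption of this model, not something the record states.
ACCESS_GROUPS = [("peer", "TelstraNTPServers"), ("serve-only", "MTENTPClients")]


def acl_permits(acl, src, dst):
    """True if an explicit permit ACE matches src->dst; otherwise the implicit deny applies."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src_ip in ipaddress.ip_network(s) and dst_ip in ipaddress.ip_network(d)
               for s, d in acl)


def ntp_request_allowed(acls, src, dst, match_all=False):
    """Return the access-group type that admits the NTP packet, or None if it is dropped.

    match_all=False models the behaviour described in the bug: the first access group
    whose ACL hits a deny ends the lookup, so later groups are never consulted.
    match_all=True models 'ntp access-group match-all': every group is scanned and the
    packet is admitted if any of them permits it.
    """
    for group_type, acl_name in ACCESS_GROUPS:
        if acl_permits(acls[acl_name], src, dst):
            return group_type
        if not match_all:
            return None  # deny ACE matched; the remaining access groups are not checked
    return None


if __name__ == "__main__":
    client = ("10.1.120.2", "10.38.129.9")  # the client flow from the record
    print("bug       :", ntp_request_allowed(ACLS, *client))                   # None
    print("workaround:", ntp_request_allowed(WORKAROUND_ACLS, *client))        # peer
    print("match-all :", ntp_request_allowed(ACLS, *client, match_all=True))   # serve-only
```

Note that the workaround admits the client through the peer group, which is broader than the serve-only access originally intended, whereas match-all keeps the client in its intended group.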