Troubleshoot NTP synchronization & update configuration on Cyber Vision Center

Available Languages

Download Options

  • PDF     (80.0 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (127.3 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (124.6 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:July 11, 2023
Document ID:220588

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to validate NTP configuration, change & troubleshoot the NTP service. Its applicable for Cyber Vision Center 2.x, 3.x, 4.x software trains.

    Steps to Validate NTP server peering

    ntpq -c peer <peer device IP>

    With peering, the center gets its time off a peer device like a router or a Gateway in the network.

    NTP client association

    The NTP association shows the status of the client associations to each NTP server.

    ntpq -c associations <device where the time is synchronized>

    Sample output:

    ramkris2_0-1689099712749

    Example: Issue showing failure with name resolution

    ***Can't find host peer

server (local      remote           refid      st t when poll reach   delay   offset  jitter

===========================================================================================
localhost.lo *LOCAL(0)        .LOCL.          10 l    -   64  377    0.000    0.000   0.000

    Check the current date

    cv-admin@Center:~$ date

Tue Jul 11 18:01:05 UTC 2023

    Check NTP daemon status

    systemctl status ntp

    ramkris2_1-1689099712752

    Change NTP configuration

    sbs-timeconf -h to learn about the commands to tune NTP on the center.
sbs-timeconf -s with IP or hostname.

    After the changes, restart the ntp service with the following command:

    ramkris2_2-1689099712752

    Validate NTP configuration

    cat /data/etc/ntp.conf

    NTP mode 6 Vulnerability

    There are two options to resolve this.

    Option #1: Use of Access Lists

    1. Create rc.local file under /data/etc with this rule (only on eth0 if the deployment has a single interface implementation or in eth1 for dual interface). Sample rules below:

    iptables -I FORWARD -i eth0 -o brntpd -p udp -m udp --dport 123 -j DROP

iptables -I FORWARD -i eth0 -o brntpd -p udp -m udp -s X.X.X.X -d 169.254.0.10 --dport 123 -j ACCEPT

    On the command above, X.X.X.X is the IP address of your authorized NTP server. If you have multiple NTP servers, you can add Accept rules for each authorized NTP server used in the solution.

    1.  Reboot your center

    Option #2: From the ntp.conf file

       1. On the /data/etc/ntp.conf file add these two lines to the existing config

    
restrict default kod nomodify notrap nopeer noquery

restrict -6 default kod nomodify notrap nopeer noquery

    2- Restart the ntp service using the command “systemctl restart ntp”

    Both options can be combined for better NTP security as well.

    Revision History

    Revision Publish Date Comments
    1.0
    19-Jul-2023
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Ram Krishnamoorthy
      TAC

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products