Occasional Advisor

2910al-48G can not get time from W2K3 NTP server

I have a 2910al-48G with W.14.38 fw installed. The switch has the IP address 192.168.201.1.
In accordance with the W.14.15 release notes,
I configured the SNTP client on the 2910al:

timesync sntp
sntp unicast
sntp 60
sntp authentication
sntp server priority 2 192.168.111.251 3 key-id 55

sw1-2910-48(config)# sh sntp

SNTP Configuration

SNTP Authentication : Enabled
Time Sync Mode: Sntp
SNTP Mode : Unicast
Poll Interval (sec) [720] : 60


Priority SNTP Server Address Version Key-id
-------- --------------------------------------- ------- ----------
2 192.168.111.251 3 55

sw1-2910-48(config)# sh sntp auth

SNTP Authentication Information

SNTP Authentication : Enabled

Key-ID Auth Mode Trusted
---------- ---------- --------
55 MD5 Yes


But in the Windows 2003 log I got an error:

149611 10:58:08.6360942s - Logging warning: NtpServer encountered an error while validating the computer account for client 192.168.201.1:38375. NtpServer cannot provide secure (signed) time to the client and will ignore the request. The error was: User with specified name does not exist. (0x80070525)

I tried to remove authentication altogether:


sw1-2910-48(config)# no sntp auth
sw1-2910-48(config)# no sntp server priority 2 192.168.111.251 3 key-id 55

sw1-2910-48(config)# sh sntp auth

SNTP Authentication Information

SNTP Authentication : Disabled

Key-ID Auth Mode Trusted
---------- ---------- --------
55 MD5 Yes

sw1-2910-48(config)# sh sntp

SNTP Configuration

SNTP Authentication : Disabled
Time Sync Mode: Sntp
SNTP Mode : Unicast
Poll Interval (sec) [720] : 60


Priority SNTP Server Address Version Key-id
-------- --------------------------------------- ------- ----------
2 192.168.111.251 3 0

But in logs of W2K3 ntp server I see:

149611 11:09:08.4877664s - ListeningThread -- response heard from 192.168.201.1:45538
149611 11:09:08.4877664s - Warning: this request expects an authenticated response, but did not provide the client ID. Sounds like we're responding to a server response, which is
incorrect behavior. However, this can also be caused by other applications broadcasting NTP packets, using an unrecognized authentication mechanism.
========================================

At first glance, it looks like 2910al authentication is still ON, since W2K3 acquires its request as authenticated, but searching the Internet for 0x80070525 gives a little information. The Windows 2003 server is a valid NTP server. Domain workstations are syncing successfully, and it gets time from a reliable Internet source.

Does anyone have successful experience in coupling a 2910al SNTP client and a W2K3 NTP server?

Thanks in advance, Alexey.


P.S. This thread has been moved from Switches, Hubs, Modems (Legacy ITRC forum) to ProCurve / ProVision-Based . -HP Forum Moderator

7 REPLIES 7
Trusted Contributor

Re: 2910al-48G can not get time from W2K3 NTP server

Hi Alexey

You might want to try W.14.49

The following was fixed in W.14.39, and it looks like this is what you are experiencing:

SNTP Authentication (PR_0000048588) - With SNTP authentication disabled, the
switch sends extra, unnecessary authentication information in the SNTP request packet.

Download from
http://h10144.www1.hp.com/customercare/support/software/summarypages/w-j9145-c.htm

I suspect with W.14.49 it will work.

Tore
Occasional Advisor

Re: 2910al-48G can not get time from W2K3 NTP server

W.14.49 does the deal in non-authorized mode.
It gets the absolute time from NTP server, so user should count on and set appropriate timezone manually.

In the 2910al MCG Procurve Switches (W.14.03) at page 7-16, different timezones are specified with no description of when each starts and ends ("south-hemisphere", for example - ???, afaik, there are many timezones to the south of the equator :) ). In the next releases it should be clarified.

Also, in MCG there is no description for "user-defined" timezone. What are the rules?

My tftp server on network was temporarily disabled from outside access. It was really tough work to upgrade the fw on switches.

1. Upgrade over Hyperterm in TCP/IP Winsock mode is NOT working. After issuing
sw1-2910-48# copy xmodem flash primary
The Primary OS Image will be deleted, continue [y/n]?

pressing 'y' and 'Enter' and uploading fw by Xmodem, I always got 'Remote transfer abort'
and AFTER that I got the messages on terminal:

Press 'Enter' and start XMODEM on your host...
User timeout, must hit enter before starting XMODEM transfer.

2. Upgrade from USB is not working. I said 'OK, let's try some other way'. I downloaded and browsed the '2910al USB Flash Drives.pdf' note. It seemed it would be no problem. But..

I got a Transcend JF V60 1Gb flash drive (it was a real problem to find a flash drive smaller than 1G), formatted it as FAT from the WinXP cmd prompt (format e:) under the guidance of 2910al MCG page A-20. I placed the firmware W_14_90.swi on the flash drive and put it in the USB connector of the 2910al. The Aux port LED blinked orange one time, and the flash drive LED lit.

'dir usb' command gives 'Error accessing USB device' message

I also tried 2Gb noname flash, which perfectly works under Windows XP, and got error message also.

And I even tried an Apacer 8Gb flash drive (ironically, with an engraved HP logo); it also won't work. In the last case the aux port blinks orange 1 time, then blinks green four times and goes dark, and the flash drive LED became RED, but 'dir usb' was followed by the 'Error accessing USB drive' message.

'copy usb flash .swi' also gave no result.


For one 2910al-48G I did upgrade by Xmodem on direct connection in Hyperterm on COM1. 8Mb image in 115200 baud requires 40 minutes to transfer. Time consuming, yeah. For second 2910al-48G I used switch-to-switch tftp upgrade, that works.

The question on switch-to-switch upgrade:
Does the upgrade procedure check that the firmware matches the switch hardware? It is quite easy to mistype the address of a remote switch and upgrade the current switch with the wrong firmware.

Sincerely, Alexey




Occasional Advisor

Re: 2910al-48G can not get time from W2K3 NTP server

p.s. Even after upgrading to W.14.49 2910al cannot synchronize in secured mode. Windows 2003 NTP server still returns 0x80070525 error - No such user (in domain?).

Trusted Contributor

Re: 2910al-48G can not get time from W2K3 NTP server

Hi

I'm glad it works without authentication now.

The reason why the authentication fails on the W2K3 server is that the server is expecting a Computer ID that is a member of the domain/workstation.

I do not believe W2K3 has the option for MD5 key authentication for SNTP/NTP.

I would look for a Linux based server. (or a cisco router with ntp server)

Have a look here:
http://www.streetdirectory.com/travel_guide/125535/computers/securing_a_ntp_time_server_installation.html

It seems like most NTP server software use MD5 keys for authentication, except for windows server.

Probably as windows server is more meant to "serve" windows clients. And thus its easier for them to simply use the existing authentication mechanisms.

Timezones:
They refer to standard time zone parameters. For example, GMT+1 would translate into +60 (time timezone 60). Basically it sets the timezone in minutes.
For overview look at:
http://www.all-acronyms.com/special/time_zone_acronyms_and_abbreviations

Also I believe the manual states:
"For example, the time zone setting for Berlin, Germany is +60 (zone +1, or 60
minutes), and the time zone setting for Vancouver, Canada is -480 (zone -8, or
-480 minutes)."

In my view it is well explained.

Quote:
"Also, in MCG there is no description for "user-defined" timezone. What are the rules?"

Here I think you are confusing it with the daylight savings command:
time daylight-time-rule < none | alaska | continental-us-and-canada |
middle-europe-and-portugal | southern-hemisphere | western-europe |
user-defined>

This is explained in more detail from page 600:
A sixth option named "User defined" allows you to customize the DST configuration
by entering the beginning month and date plus the ending month and
date for the time change. The menu interface screen looks like this (all month/date
entries are at their default values):

Hope this helps
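
Added example, not part of the original posts: a Python check for whether a captured SNTP request carries the standard NTP symmetric-key trailer (4-byte key ID plus 16-byte MD5 digest over key and header, as in RFC 5905), which is what the discussion of key-id 55 and of the W.14.39 fix turns on. The key value and both sample packets are constructed here; that the switch uses this exact MAC layout is an assumption.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48       # fixed NTP/SNTP header
MD5_MAC_LEN = 4 + 16      # key ID + MD5 digest


def build_request(version=3, key_id=None, key=b""):
    """Build a minimal SNTP client request; append an MD5 MAC if key_id is set.

    Timestamps are left at zero, which is enough to study the framing.
    """
    first = (0 << 6) | (version << 3) | 3   # LI=0, version, mode 3 (client)
    header = struct.pack("!B", first) + bytes(NTP_HEADER_LEN - 1)
    if key_id is None:
        return header
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def inspect(packet, keys):
    """Classify a captured request and verify its MAC against known keys."""
    if len(packet) < NTP_HEADER_LEN:
        raise ValueError("shorter than an NTP header")
    info = {"version": (packet[0] >> 3) & 0x7, "mode": packet[0] & 0x7,
            "trailer": "none", "key_id": None, "mac_valid": None}
    trailer = packet[NTP_HEADER_LEN:]
    if not trailer:
        return info                      # plain 48-byte request
    if len(trailer) != MD5_MAC_LEN:
        info["trailer"] = "unknown"      # extension field or other auth scheme
        return info
    key_id = struct.unpack("!I", trailer[:4])[0]
    info.update(trailer="md5-mac", key_id=key_id)
    key = keys.get(key_id)
    if key is not None:                  # mac_valid stays None for unknown keys
        expected = hashlib.md5(key + packet[:NTP_HEADER_LEN]).digest()
        info["mac_valid"] = hmac.compare_digest(expected, trailer[4:])
    return info


# Constructed samples: key-id 55 as in the thread, with a made-up secret.
KEYS = {55: b"example-secret"}
SIGNED = build_request(key_id=55, key=KEYS[55])
PLAIN = build_request()
```

Run against a request captured from a switch with authentication disabled, anything other than `trailer == "none"` is the kind of extra authentication information the W.14.39 release note describes.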
Trusted Contributor
Solution

Re: 2910al-48G can not get time from W2K3 NTP server

Forgot your USB issue

Indeed the switches are "picky" about the USB drives that they can read.

Usually small 256 and 512 drives work. I've also seen some 1Gb drives work as well.

If your tftp is temporarily down, I would recommend just using tftpd32.

http://jounin.net/

Quote:
"The question on switch-to-switch upgrade:
Does the upgrade procedure check that the firmware matches the switch hardware? It is quite easy to mistype the address of a remote switch and upgrade the current switch with the wrong firmware."


Yes it does; from the switch's perspective it's no different if the image is on a switch tftp server or on another tftp server.

It will always check the image and refuse if it's the wrong one.

Tore
Occasional Advisor

Re: 2910al-48G can not get time from W2K3 NTP server

Hello Tore,

Thank you very much for the detailed answer.

For W2K3 NTP server. I tried to find additional sources of information, and it seems that authenticating algorithms may be changed over applied policies (SHA1 and MD5 available), but production domain is not a good place for such experiments.

Windows NTP server may work with pool of Internet time servers, while my Cisco PIX515E may access only single time server referenced by outside IP address, not a DNS name. But in this case it may be installed as independent NTP server, with W2K3 as source and MD5 secured time on the output. A bit weird configuration, but useful under some circumstances.

Anyway, the 2910al and 2610 now work with unsigned time, so I consider this problem solved.

USB flash drive access. I am concerned about this issue, since I intended to use flash drives for remote updates of 2910al switches in locations with non-IT personnel; some of these locations are accessible only by low-speed dial-up connections, not suitable for uploading big files due to frequent link interruptions. Well, I will try to find small-volume flash drives and check their compatibility with the 2910al.

Daylight savings. I missed Appendix F: "Daylight savings time on Procurve Switches" :) in the 2910al manual. "daylight" is not present in the index, and there are no references to Appendix F in the "time zone" pages. Thank you for the hint, it clarifies almost everything.

I reinstalled tftp server. Now it is tftpd32. Works perfect, thanks
Occasional Visitor

Re: 2910al-48G can not get time from W2K3 NTP server

We are also having the same problem, where a 2910 switch is not able to sync with the NTP server. As per the HP TAC team's advice I have upgraded the switch IOS from W.14.38 to W.15.08.0012 and it started working fine.

Switch2910# sh flash
Image Size(Bytes) Date Version
----- ---------- -------- -------
Primary Image : 8482560 11/05/09 W.14.38
Secondary Image : 8482560 11/05/09 W.14.38
Boot Rom Version: W.14.04
Default Boot : Primary

 

Switch2910# sh time
Thu Jan 10 11:04:06 1990


Switch2910# sh sntp statistics
SNTP Statistics

Received Packets : 0
Sent Packets : 0
Dropped Packets : 0

SNTP Server Address Auth Failed Pkts
--------------------------------------- ----------------
10.10.10.1 0
10.10.10.2  0

====================================

 

Upgraded the IOS via USB

 

Switch2910# copy usb flash W_15_08_0012.swi secondary
The Secondary OS Image will be deleted, continue [y/n]?  y

 

 

Switch2910# sh flash
Image Size (bytes) Date Version
----------------- ------------ -------- --------------
Primary Image : 8482560 11/05/09 W.14.38
Secondary Image : 9395197 07/20/12 W.15.08.0012

 

Switch2910# sh time
Thu Jun 19 13:04:06 2014


Switch2910# sh sntp statistics 
SNTP Statistics

Received Packets : 1
Sent Packets : 1
Dropped Packets : 0

SNTP Server Address Auth Failed Pkts
--------------------------------------- ---------------- 
10.10.10.1 0 
10.10.10.2  0