Troubleshooting NTP

This topic is to discuss the following lesson:

Due to high root dispersion , NTP clock and local clock have a time difference . Please suggest how to troubleshoot root dispersion .

Hello Sumit

Root dispersion is a rough estimate of of how much the local time has drifted away from some reference time. This reference time is often referred to as the root source. Root dispersion occurs when there is some malfunction in the time source. A disruption in service or a bad network connection can cause a steady increase in root dispersion. For Cisco IOS devices, any root dispersion in excess of one second will cause an NTP association to fail.

Root dispersion is also included in NTP updates so that NTP clients receiving them can choose to use them, or ignore them in favour of another NTP server.

In any case, root dispersion is not something that you can deal with directly from the local device. If you are experiencing problems with root dispersion, the best thing to do is to choose another time source. If the time source you are using is administrated by you, then you should troubleshoot that time source and verify that it is functioning correctly.

Root dispersion will also be seen in special cases where Cisco IOS devices are attempting to gain NTP information from Windows Active Directory. This is further detailed in the following Cisco documentation:

I hope this has been helpful!



I’m a bit confused about some NTP issues on my GNS3 lab.

on R1 ( NTP MASTER ):

ntp authentication-key 1 md5 <xxxxx> 7
ntp authenticate
ntp trsusted-key 1
ntp master 1

on R2:

clock set 00:00:00 01 jun 1996
ntp server X.X.X.X

I’m expecting on R2 nothing happen but it syncronize the clock with the master…
I saw with “debug ntp packets” comand.

How can It be possible?

Thank you

Hello Giovanni

One of the most common misconceptions of NTP authentication is the direction of authentication. By configuring authentication on the NTP master, what you have done is to configure R1 to synchronize only to systems providing the authentication key 1 in their NTP packets. In other words, R1 will synchronize (as a client) to any NTP server that has the configured authentication key. This configuration does not affect R2 synchronizing with R1, but affects R1 synchronizing with some other source.

If you configure authentication on R2 and not on R1, then you will see that synchronization will not occur, which is the scenario you are trying to reproduce here. To get authentication to function between these two devices, you will have to configure authentication on both devices.

I hope this has been helpful!


1 Like