Forum Discussion

WeaverJK's avatar
Icon for Nimbostratus rankNimbostratus
Oct 11, 2016

NTP Authentication

Has anyone been successful in having NTP Authentication (as specified in SOL14120) function correctly?


If you say "yes," have you validated that the ntp synchronization breaks when you edit the /etc/ntp/keys file by providing an invalid key and then restarting the ntpd daemon?


We now have our ntp Server configured correctly such that some network devices are known to be authenticating properly with the ntp server and are therefore receiving time from the server. Those clients with invalid passwords are not receiving authentication (as expected).


Currently, the F5s are exhibiting a different behavior. The F5s are running BIG-iP v12.1.1 HF1. The F5s are configured per SOL14120, with a single NTP server and single and very simple key. The F5s are not receiving time from the server. A tcpdump shows that the F5 is in client mode and is requesting time. There's no indication of authentication in use. There is no response from the ntp server, which has been configured to ignore requests if they do not include proper authentication.


Unlike other network devices, the F5's NTP documentation (SOL14120) does not include any direction to use an "authentication" or "enable auth" statement in the configuration.


If we modify the NTP Server with an exclusion statement, telling the ntp server that the IP of the F5 is not required to use authentication, then the F5 receives time from the server and all is well.


We are looking to ensure that ntp authentication is required and functioning properly.


Can you provide any input, suggestions, help?


tmsh modify /sys ntp servers replace-all-with { } echo -e "1\tM\tPassWord\tMD5 Key" >> /etc/ntp/keys (or echo "1 M Password" >> /etc/ntp/keys) (or simply using vi) tmsh save /sys config partitions all


tmsh edit /sys ntp all-properties


Attempted various versions of the following:


include "server key 1 iburst trustedkey 1"


Of course, there are routes which enable the subnets to communicate with one another. As stated, without the requirement for authentication, the F5 receives time from the NTP server just fine.




1 Reply

  • Problem Solved. The issue was that the F5 had previously been configured with ntp servers. tmsh modify /sys ntp servers replace-all-with { }


    When the /etc/ntp.conf file was reviewed, we found the following entries: server iburst and, because of following SOL14120: server key 1 iburst


    The NTPD grabbed and used the first such entry, which was NOT using a key for authentication. As such, the F5 unit was continually attempting to communicate to the ntp server without using authentication.


    Solution: "tmsh modify /sys ntp servers none" followed by "tmsh save /sys config partitions all"