snowmizer
Wireless router and NTP access

I have a Cisco E4200 Wireless router set up on our network to temporarily allow guest access. I configured the router for NTP and specified the NTP servers that I want the router to poll. Now when I look at our firewall I see traffic from the guest network from the router to multiple NTP servers over port 123.

If I specified the NTP servers to be used why would there be additional requests from my router to additional NTP servers?

Thanks.
Soulja
What leads you to believe it's sending additional requests? Is it trying to contact IPs or DNS names you didn't specify?
snowmizer (ASKER)
Yep. I see traffic in my firewall logs with my router as the source and various NTP servers as the destination. All traffic is on udp port 123.
Are the NTP servers you put in there using round-robin DNS?
I can't tell that because the NTP servers I am using are public NTP servers. How could round-robin DNS affect which NTP servers my router is accessing? Are you thinking that DNS is returning multiple NTP servers because of round-robin DNS? I've got the actual IP address configured in my NTP settings on my router so would round-robin DNS still play a role in this case?

Thanks.
Round-robin DNS would definitely produce the results you see. If you have a hostname that resolves to 5 IPs, then you will hit different servers instead of just the same one over and over.

However! If you have the IP addresses in your settings, then round-robin DNS becomes a non-issue.

What do the log excerpts look like? Paste if possible.
Sample logs (changes have been made to protect sensitive data):

Sep 08 2011 12:46:17 DevName : %ASA-4-106023: Deny udp src Guests_Network:192.168.x.x/34205 dst outinterface173.201.38.85/123 by access-group "Guests_Network_ACL" [0x0, 0x0]
Sep 08 2011 12:46:12 DevName : %ASA-4-106023: Deny udp src Guests_Network:192.168.x.x/34204 dst outinterface209.114.111.1/123 by access-group "Guests_Network_ACL" [0x0, 0x0]
Sep 08 2011 12:45:36 DevName : %ASA-4-106023: Deny udp src Guests_Network:192.168.x.x/34203 dst outinterface169.229.70.95/123 by access-group "Guests_Network_ACL" [0x0, 0x0]
Sep 08 2011 12:45:31 DevName : %ASA-4-106023: Deny udp src Guests_Network:192.168.x.x/34202 dst outinterface199.249.223.123/123 by access-group "Guests_Network_ACL" [0x0, 0x0]
Sep 08 2011 12:45:26 DevName : %ASA-4-106023: Deny udp src Guests_Network:192.168.x.x/34201 dst outinterface173.201.38.85/123 by access-group "Guests_Network_ACL" [0x0, 0x0]
Sep 08 2011 12:44:50 DevName : %ASA-4-106023: Deny udp src Guests_Network:192.168.x.x/34200 dst outinterface199.249.223.123/123 by access-group "Guests_Network_ACL" [0x0, 0x0]
Sep 08 2011 12:44:45 DevName : %ASA-4-106023: Deny udp src Guests_Network:192.168.x.x/34199 dst outinterface24.149.253.214/123 by access-group "Guests_Network_ACL" [0x0, 0x0]
Sep 08 2011 12:44:40 DevName : %ASA-4-106023: Deny udp src Guests_Network:192.168.x.x/34198 dst outinterface69.167.160.102/123 by access-group "Guests_Network_ACL" [0x0, 0x0]
Sep 08 2011 12:43:20 DevName : %ASA-4-106023: Deny udp src Guests_Network:192.168.x.x/34194 dst outinterface24.149.253.214/123 by access-group "Guests_Network_ACL" [0x0, 0x0]
Sep 08 2011 12:43:15 DevName : %ASA-4-106023: Deny udp src Guests_Network:192.168.x.x/34193 dst outinterface69.167.160.102/123 by access-group "Guests_Network_ACL" [0x0, 0x0]
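A small parser for the ASA deny lines above, added here as an example that is not part of the original thread: it pulls the destination IP out of each %ASA-4-106023 UDP/123 deny and counts the destinations that are not in the configured NTP server list, which is exactly the comparison the asker is making by eye. The sample lines and the configured server IP are constructed (documentation-range addresses), and the log format is assumed to match the thread's excerpts, including the missing space between "outinterface" and the IP.

```python
import re
from collections import Counter

# Constructed sample lines in the same shape as the thread's ASA log excerpts.
SAMPLE_LOGS = """\
Sep 08 2011 12:46:17 DevName : %ASA-4-106023: Deny udp src Guests_Network:192.168.50.10/34205 dst outinterface198.51.100.7/123 by access-group "Guests_Network_ACL" [0x0, 0x0]
Sep 08 2011 12:46:12 DevName : %ASA-4-106023: Deny udp src Guests_Network:192.168.50.10/34204 dst outinterface203.0.113.9/123 by access-group "Guests_Network_ACL" [0x0, 0x0]
Sep 08 2011 12:45:36 DevName : %ASA-4-106023: Deny udp src Guests_Network:192.168.50.10/34203 dst outinterface198.51.100.7/123 by access-group "Guests_Network_ACL" [0x0, 0x0]
Sep 08 2011 12:45:31 DevName : %ASA-4-106023: Deny tcp src Guests_Network:192.168.50.10/34202 dst outinterface192.0.2.1/80 by access-group "Guests_Network_ACL" [0x0, 0x0]
""".splitlines()

# Constructed: the one NTP server IP "configured" on the router for this example.
CONFIGURED_NTP = ["192.0.2.123"]

# %ASA-4-106023 as it appears in the thread: "src <if>:<ip>/<port> dst <if><ip>/<port>".
# The destination interface and IP are run together, so match them as one token.
DENY_RE = re.compile(
    r'%ASA-4-106023: Deny (?P<proto>\w+) src (?P<src_if>[^:]+):(?P<src_ip>[\w.]+)/(?P<src_port>\d+) '
    r'dst (?P<dst_token>\S+)/(?P<dst_port>\d+) by access-group "(?P<acl>[^"]+)"'
)
# Dotted quad at the end of the "outinterface<ip>" token.
IP_AT_END_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})$")


def parse_ntp_denies(lines):
    """Return (src_ip, dst_ip) for every denied UDP flow to port 123."""
    pairs = []
    for line in lines:
        m = DENY_RE.search(line)
        if not m or m["proto"] != "udp" or m["dst_port"] != "123":
            continue  # not an NTP deny (other protocol/port, or not a 106023 line)
        ip = IP_AT_END_RE.search(m["dst_token"])
        if ip:
            pairs.append((m["src_ip"], ip.group(1)))
    return pairs


def unexpected_ntp_peers(lines, configured):
    """Count denied NTP destinations that are not in the configured server set."""
    configured = set(configured)
    return Counter(dst for _, dst in parse_ntp_denies(lines) if dst not in configured)


if __name__ == "__main__":
    for dst, n in unexpected_ntp_peers(SAMPLE_LOGS, CONFIGURED_NTP).most_common():
        print(f"{dst}\t{n} denied NTP request(s), not in configured list")
```

Feeding the real ASA export through `unexpected_ntp_peers` gives the list of servers the router is actually polling, which is the set a narrow outbound rule would have to allow if the router ignores the configured IPs.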
If it's trying to hit those IP addresses then there still must be a setting enabled in addition to your server.
Can you post a screenshot of where you are configuring this on the router? I do know that many SOHO routers only allow NTP through their WAN ports. The servers you configured are on the LAN or WAN?
Hummm...I may have to pull the router and look at the config again. Is it possible for it to just use its own "default NTP" servers?
They are public NTP servers on the Internet...so WAN. I don't have access to the router currently because it's not plugged in. We only plug it in when we need it.
ASKER CERTIFIED SOLUTION
Soulja
That's kind of where I was at... once you enable NTP it will try to go out and access the list it has no matter if you put in IP addresses or not. If I look for the addresses I put in the config I don't see any traffic from the router to my NTP IPs. So basically it's pointless to put in an IP in this case. :)

I had just set the firewall rules to allow only traffic from this router to this particular IP over ntp but may have to rethink that.

Thanks.
Yeah, you may just need to allow from that router to one or two of the NTP servers it's trying to hit.
Thanks for all of the help. We decided how we were going to handle NTP from this router and have moved on.