topic Re: How do I debug NTP not working? in General Topics

How do I debug NTP not working?

ddaniels — Wed, 30 Oct 2013 18:08:44 GMT

(active)> (active)> show ntp

NTP state:
NTP synched to LOCAL
NTP server secondaryNtpIp connected: False
NTP server primaryNtpIp connected: False

I tried debug software restart ntp, waited a while and got the same results. The time's off my system clock by less than a minute.

Re: How do I debug NTP not working?

Retired Member — Wed, 30 Oct 2013 18:36:47 GMT

Hi,

seems it is not connecting to your NTP Local.

if it is not mandatory for you use pool.ntp.org and try again.

Do you have service route configured ? Do you use management interface or other for Ntp ?

Also check

https://live.paloaltonetworks.com/docs/DOC-3684

Re: How do I debug NTP not working?

ddaniels — Wed, 30 Oct 2013 18:55:46 GMT

Hi,

I'm using the management interface, the routing is working and I'm specifying internal IP's that I've verified are working for other things.

Thanks.

Re: How do I debug NTP not working?

ddaniels — Wed, 30 Oct 2013 19:07:10 GMT

For the systems I'm working on right now. The active PA in the HA group is marked as synchronized, the passive PA still isn't, though the passive PA's time matches my local systems time. I can see that by issuing:

show clock

Re: How do I debug NTP not working?

ddaniels — Fri, 15 Nov 2013 05:29:33 GMT

I don't know why, but I fixed this issue by referencing a slightly more stable clock, and switching to only reference that clock.

When in HA mode and having auto-updates, it's important to have updates apply at the same time so both systems should be synchronized to a high stability, low latency, low jitter to access clock.

Re: How do I debug NTP not working?

mikand — Sun, 01 Dec 2013 17:10:44 GMT

How much did the box who didnt like to sync to NTP differ from realtime? If im not incorrect the NTP process usually refuse to sync the time if it differes more than 2 hours or something like that. To fix this you must first manually set the clock somewhat close to realtime and then start the NTP process (or make sure that ntpdate is being used during boot to set the clock "hard" before the ntpd client starts).

Re: How do I debug NTP not working?

ddaniels — Wed, 15 Jan 2014 17:53:11 GMT

I don't recall exactly now. If there was a difference it was less than a few seconds with a low jitter and a low reach (time servers were local, their were local stratum 4, low jitter, low reach, the source clocks sources during testing were low jitter, low reach, stratum 3).

http://doc.ntp.org/4.1.2/miscopt.htm says the tinker panic is 1000 s.

For authentication related issues http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/Clock-Skew.html says "the default value for maximum clock skew is 300 seconds, or five minutes".

Additionally many machines won't synchronize if the stratum is higher than 9. There's also considerations like jitter and reach.

Manually adjusting time on an ntp server can cause all it's clients to see high jitter and should be avoided. There's mechanisms in place by ntp to skew time in the right direction if allowed (see things like ntp reference above).

Re: How do I debug NTP not working?

mikand — Tue, 21 Jan 2014 08:37:20 GMT

Setting the time manually was on the box running the ntp client (in case my previous post was confusing