topic Re: Unable to connect to pool.ntp.org in General Topics

Unable to connect to pool.ntp.org

clonesheep — Mon, 25 Feb 2019 13:05:56 GMT

I have a problem with the NTP sync. When i make a "show ntp"

NTP state:
NTP not synched, using local clock
NTP server: asia.pool.ntp.org
status: rejected
reachable: no
authentication-type: none
NTP server: pool.ntp.org
status: rejected
reachable: no
authentication-type: none

But my mgmt interface is alow via policy rule to use ntp. I am able to ping the ntp host and a traceroute runs good.

So I search a bit you erros.. only found in sysdagent.log TIME: Unable to connect to asia.pool.ntp.org for ntpdate

I test it with "debug software restart process ntp"

Any Ideas?

Re: Unable to connect to pool.ntp.org

Mick_Ball — Mon, 25 Feb 2019 14:02:52 GMT

@clonesheep

you may need to change the service route for NTP.

Device/Setup/Services/Service Route Configuration/NTP.

you will need to set this to the same interface that matches your policy.

Re: Unable to connect to pool.ntp.org

clonesheep — Mon, 25 Feb 2019 15:34:49 GMT

But at the moment I have "Use Management Interface for all" and this will run. So I get PA Updates and Virusupdates and so on. For my MGT there is the default GW the eth2 and this I see in the Monitor Log.

But no NTP 😞

Re: Unable to connect to pool.ntp.org

Mick_Ball — Mon, 25 Feb 2019 15:44:13 GMT

sorry i did not fully understand your setup.

Re: Unable to connect to pool.ntp.org

clonesheep — Mon, 25 Feb 2019 15:51:25 GMT

Okay look:

MGT IP 10.0.8.1

eth 1/1 public IP

eth 1/2 10.0.8.2 my trust network

defualt virtual router route 0.0.0.0 to eth 1/1.

So my Mgmt Rule Src 10.0.8.1 trust zone goes to untrust destiantion any. This is how PA Updates work fine.

Re: Unable to connect to pool.ntp.org

Mick_Ball — Mon, 25 Feb 2019 15:56:00 GMT

what appliance is this on. or is it a VM.

Re: Unable to connect to pool.ntp.org

clonesheep — Mon, 25 Feb 2019 16:00:41 GMT

Its a PA220

Re: Unable to connect to pool.ntp.org

Mick_Ball — Mon, 25 Feb 2019 17:57:47 GMT

Works for me but I do have my DNS currently set to 8.8.8.8 as palo docs state that the dns must have a reverse lookup for the ntp server.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cld0CAC

admin@PA-3020(active)> show ntp

NTP state:

NTP synched to asia.pool.ntp.org

NTP server: asia.pool.ntp.org

status: synched

reachable: yes

authentication-type: none

Re: Unable to connect to pool.ntp.org

Mick_Ball — Mon, 25 Feb 2019 19:16:30 GMT

Hmmmmmm.... not sure about previous link as set dns to internal and still works ok.

it does take about 5 mins to be succesful though.....

Re: Unable to connect to pool.ntp.org

dbilinski — Sat, 10 Oct 2020 04:58:22 GMT

I just encountered what i think is a bug and will report it through the PAN-OS folks. We were setting up connection for NGFW to the Cortex Data Lake. It wouldn't get the CDL cert. we flipped the HA pair and went through same process and it worked. after looking the through the Device/Setup configs, the ONLY difference was that the one that just worked had 0.pool.ntp.org set in its secondary NTP server setting. We added 0.pool.ntp.org as a secondary then it grabbed. So then we just took pool.ntp.org right out of both configs, moved 0.pool.ntp.org to the primary. Again no issues. I think it might be in how we are grabbing those IPs when they resolve, or its taking too long for the main pool to grab the IPs its wants to provide. Earlier above, there was a comment about using a stable time server, which by changing out pool.ntp.org for basically any legit time server, you were probably resolved. If you have any problems with NTP, first thing i would check would be that you aren't using the generic pool.ntp.org.

Re: Unable to connect to pool.ntp.org

HarshadSowani — Tue, 19 Jan 2021 20:36:40 GMT

This is correct - i couldnt get NTP to sync on my PA220 when using "pool.ntp.org" - had to change the NTP server address to 0.pool.ntp.org