NTP sync to server 0.pool.ntp.org failed

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

NTP sync to server 0.pool.ntp.org failed

L1 Bithead

Hello all,

 

we run an upgrade on our Panorama to 9.0.7.

Since a few days, I'm receiving this warning:

 

NTP sync to server SERVER failed, authentication type none

 

Same message for primary and secondary NTP server.

I switched from internal to external NTP server.  Same error.

 

I already checked:

 

CLI NTP status command

 

user@PAN> show ntp

NTP state:
    NTP not synched, using local clock
    NTP server: 0.pool.ntp.org
        status: rejected
        reachable: no
        authentication-type: none
    NTP server: 1.pool.ntp.org
        status: rejected
        reachable: no
        authentication-type: none

 

 

Firewall rules

Panorama is allowed to access external NTP servers. 

 

VMware tools options

Time synchronization with host is disabled.

 

Reboot

I did a reboot, same error.

 

Known Issues

Checked the know issues https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-release-notes/pan-os-9-0-release-information/kno...I haven't found anything that matches.

 

 

Is somebody able to help?

15 REPLIES 15

Community Team Member

Hi @philipp_scherer ,

 

Sounds familiar.  If possible, can you test with NTP server time.google.com and check if that works ?

 

Cheers,

-Kiwi.

 

 

 
LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Hello @kiwi,

thanks for your fast reply.

 

I tried, same result.

admin@PAN> debug software restart process ntp

Process ntp was restarted by user admin
admin@PAN> show ntp

NTP state:
    NTP not synched, using local clock
    NTP server: time.google.com
        status: rejected
        reachable: no
        authentication-type: none
    NTP server: 1.pool.ntp.org
        status: rejected
        reachable: no
        authentication-type: none

 

I also verified in the firewall logs. Panorama was allowed to connect to time.google.com. 

 

 

Community Team Member

Hi @philipp_scherer ,

 

Sorry if I didn't mention that in my previous comment.  But could you remove the backup NTP.  Just try the one 'time.google.com' without the backup.

 

Eitherway I'd reach out to support.

If time.google.com works when you remove the backup NTP then you're likely hitting an existing bug.

If it still doesn't work then further debugging will be required.

 

Cheers,

-Kiwi.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Hello @kiwi 

 

thanks for your hint!

I forgot to mention I already tried this with internal and external NTP servers. 😞

 

Regards,

Philipp

 

 

I think it is a bug since i have the exact issue, i was using software version 8.1.8 and it was working fine, but i have upgraded to version 9.0.7 then i start receiving the following error "SYSTEM ALERT : medium : NTP sync to server 192.168.103.22 failed, authenticati...", case already opened but still not been fixed 😞

L6 Presenter

@philipp_scherer,

 

I have also recently upgraded my Panorama Server and a pair of HA clusters to 9.0.7 version. I have also faced same issue on each instance.

I was also using public ntp server "time.google.com".

 

I tried by configuring internal NTP as well but still no luck. Then i just configured NTP IP address instead of it's FQDN. Post commit, NTP status is showing as "synched".  I am also suspecting this as a kind of bug. You can give a try by configuring NTP IP address and check if it  works for you.

 

Meanwhile i am also raising support case for this issue.

 

Mayur

M

Check out my YouTube channel - https://www.youtube.com/@NetworkTalks

Hello,

 

I got reply from TAC on this issue. Engineer is saying this is known issue (PAN-133179) and it is addressed in PAN-OS 9.1.2.

He also confirmed that workaround for this issue is the same that i mentioned in my earlier post. Use IP address of NTP instead of FQDN.

 

Not sure why this was not mentioned in known issue list/release notes for 9.0.7.

 

Mayur

M

Check out my YouTube channel - https://www.youtube.com/@NetworkTalks

But in my case i'm already using IP address not FQDN

@Zakareya,

 

Are you using Private internal NTP or public NTP server? I would suggest to try using internal NTP server IP address.

Today also i have upgraded one more HA cluster to 9.0.7 version and i replaced public NTP FQDN with IP address of internal NTP server, and it is showing synced status.

 

Mayur

M

Check out my YouTube channel - https://www.youtube.com/@NetworkTalks

@SutareMayur 

 

Yeah i'm using Internal NTP server which it was on the previous software version 8.1.8 before the upgrade and it is IP not FQDN,

 

@PA-5220-Primary(active)> show ntp

NTP state:
NTP not synched, using local clock
NTP server: 10.1.130.12
status: rejected
reachable: yes
authentication-type: none

@Zakareya,

 

Have you configured any service route for NTP service? 

 

Mayur

 

M

Check out my YouTube channel - https://www.youtube.com/@NetworkTalks

Hi,

Yeah i tried with the default and with it vlan but at the end i'm using the MNGT Interface

Is this workaround working for all? We are also planning to upgrade to 9.0.7 and we have public NTP FQDN configured. I want to take all precautions before upgrade.

 

 

@SutareMayur 

Hi,

My issue fixed by using the below command to restart the NTP service/process

debug software restart process ntp

Thanks Hamid Safarzadeh & Michel from Westcon and sure @SutareMayur 

  • 22382 Views
  • 15 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!