04-08-2020 05:21 AM - edited 04-08-2020 05:22 AM
Hello all,
We ran an upgrade on our Panorama to 9.0.7.
For a few days now, I have been receiving this warning:
NTP sync to server SERVER failed, authentication type none
Same message for primary and secondary NTP server.
I switched from internal to external NTP server. Same error.
I already checked:
CLI NTP status command
user@PAN> show ntp
NTP state:
NTP not synched, using local clock
NTP server: 0.pool.ntp.org
status: rejected
reachable: no
authentication-type: none
NTP server: 1.pool.ntp.org
status: rejected
reachable: no
authentication-type: none
Firewall rules
Panorama is allowed to access external NTP servers.
VMware tools options
Time synchronization with host is disabled.
Reboot
I did a reboot, same error.
Known Issues
Checked the known issues https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-release-notes/pan-os-9-0-release-information/kno... I haven't found anything that matches.
Is somebody able to help?
04-08-2020 06:09 AM
Hi @philipp_scherer ,
Sounds familiar. If possible, can you test with NTP server time.google.com and check if that works?
Cheers,
-Kiwi.
04-08-2020 06:17 AM
Hello @kiwi,
thanks for your fast reply.
I tried, same result.
admin@PAN> debug software restart process ntp
Process ntp was restarted by user admin
admin@PAN> show ntp
NTP state:
NTP not synched, using local clock
NTP server: time.google.com
status: rejected
reachable: no
authentication-type: none
NTP server: 1.pool.ntp.org
status: rejected
reachable: no
authentication-type: none
I also verified in the firewall logs. Panorama was allowed to connect to time.google.com.
04-08-2020 06:30 AM
Hi @philipp_scherer ,
Sorry if I didn't mention that in my previous comment. But could you remove the backup NTP? Just try the one 'time.google.com' without the backup.
Either way, I'd reach out to support.
If time.google.com works when you remove the backup NTP then you're likely hitting an existing bug.
If it still doesn't work then further debugging will be required.
Cheers,
-Kiwi.
04-08-2020 06:45 AM - edited 04-08-2020 11:06 AM
Hello @kiwi
thanks for your hint!
I forgot to mention I already tried this with internal and external NTP servers. 😞
Regards,
Philipp
05-17-2020 06:12 AM
I think it is a bug since I have the exact issue. I was using software version 8.1.8 and it was working fine, but after I upgraded to version 9.0.7 I started receiving the following error: "SYSTEM ALERT : medium : NTP sync to server 192.168.103.22 failed, authenticati...". A case is already opened but it has still not been fixed 😞
05-17-2020 09:54 AM
I have also recently upgraded my Panorama server and a pair of HA clusters to version 9.0.7. I have also faced the same issue on each instance.
I was also using the public NTP server "time.google.com".
I tried configuring an internal NTP server as well, but still no luck. Then I just configured the NTP IP address instead of its FQDN. Post commit, NTP status is showing as "synched". I am also suspecting this is a kind of bug. You can give it a try by configuring the NTP IP address and check if it works for you.
Meanwhile I am also raising a support case for this issue.
Mayur
05-18-2020 12:40 AM
Hello,
I got a reply from TAC on this issue. The engineer is saying this is a known issue (PAN-133179) and it is addressed in PAN-OS 9.1.2.
He also confirmed that the workaround for this issue is the same one that I mentioned in my earlier post: use the IP address of the NTP server instead of the FQDN.
Not sure why this was not mentioned in the known issue list/release notes for 9.0.7.
Mayur
05-18-2020 12:58 AM
But in my case I'm already using an IP address, not an FQDN.
05-18-2020 01:12 AM
Are you using a private internal NTP server or a public NTP server? I would suggest trying the internal NTP server IP address.
Today I have also upgraded one more HA cluster to version 9.0.7, and I replaced the public NTP FQDN with the IP address of the internal NTP server, and it is showing synced status.
Mayur
05-18-2020 01:56 AM
Yeah, I'm using an internal NTP server, which was in use on the previous software version 8.1.8 before the upgrade, and it is an IP, not an FQDN:
@PA-5220-Primary(active)> show ntp
NTP state:
NTP not synched, using local clock
NTP server: 10.1.130.12
status: rejected
reachable: yes
authentication-type: none
05-18-2020 05:04 AM
Have you configured any service route for NTP service?
Mayur
05-18-2020 08:00 AM
Hi,
Yeah, I tried with the default and with it vlan, but at the end I'm using the MNGT interface.
05-19-2020 09:12 PM
Is this workaround working for all? We are also planning to upgrade to 9.0.7 and we have public NTP FQDN configured. I want to take all precautions before upgrade.
05-20-2020 12:08 AM
Hi,
My issue was fixed by using the command below to restart the NTP service/process:
debug software restart process ntp
Thanks Hamid Safarzadeh & Michel from Westcon and sure @SutareMayur
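
A triage helper for the `show ntp` outputs pasted in this thread, added here as an example and not part of any post or of Palo Alto Networks' tooling: it parses the per-server fields and separates the two failure shapes seen above (rejected and unreachable versus rejected but reachable). The function names, category labels and the embedded sample (assembled from outputs posted in the thread) are assumptions of this example.

```python
import re

# Constructed sample, assembled from `show ntp` outputs posted in this thread.
SAMPLE = """\
NTP state:
NTP not synched, using local clock
NTP server: time.google.com
status: rejected
reachable: no
authentication-type: none
NTP server: 10.1.130.12
status: rejected
reachable: yes
authentication-type: none
"""

FIELD = re.compile(r"^([A-Za-z][A-Za-z -]*):\s*(.+)$")

# Hypothetical category labels mapped to what posters in the thread reported.
HINTS = {
    "synched": "no action",
    "rejected-unreachable": "check firewall path/service route; try IP instead of FQDN",
    "rejected-reachable": "path is fine; try 'debug software restart process ntp'",
    "unknown": "unrecognised status; inspect manually",
}

def parse_show_ntp(text):
    """Return (state_line, servers) where servers is a list of field dicts."""
    state, servers = None, []
    for line in (raw.strip() for raw in text.splitlines()):
        m = FIELD.match(line)
        if m and m.group(1).lower() == "ntp server":
            servers.append({"server": m.group(2)})
        elif m and servers:
            servers[-1][m.group(1).lower()] = m.group(2)
        elif m is None and line.startswith("NTP ") and line != "NTP state:":
            state = line  # e.g. "NTP not synched, using local clock"
    return state, servers

def triage(server):
    """Classify one server dict into a key of HINTS."""
    status = server.get("status", "").lower()
    if status == "synched":  # assumption: value quoted in the thread for a working server
        return "synched"
    if status != "rejected":
        return "unknown"
    return "rejected-reachable" if server.get("reachable") == "yes" else "rejected-unreachable"

if __name__ == "__main__":
    state, servers = parse_show_ntp(SAMPLE)
    print(state)
    for s in servers:
        print(s["server"], "->", triage(s), "-", HINTS[triage(s)])
```
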