NTP sync to server 0.pool.ntp.org failed

L1 Bithead


Hello all,

 

We ran an upgrade on our Panorama to 9.0.7.

For a few days now, I have been receiving this warning:

 

NTP sync to server SERVER failed, authentication type none

 

Same message for primary and secondary NTP server.

I switched from internal to external NTP server.  Same error.

 

I already checked:

 

CLI NTP status command

 

user@PAN> show ntp

NTP state:
    NTP not synched, using local clock
    NTP server: 0.pool.ntp.org
        status: rejected
        reachable: no
        authentication-type: none
    NTP server: 1.pool.ntp.org
        status: rejected
        reachable: no
        authentication-type: none

 

 

Firewall rules

Panorama is allowed to access external NTP servers. 

 

VMware tools options

Time synchronization with host is disabled.

 

Reboot

I did a reboot, same error.

 

Known Issues

Checked the known issues https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-release-notes/pan-os-9-0-release-information/kno... I haven't found anything that matches.

 

 

Is somebody able to help?

Community Team Member

Re: NTP sync to server 0.pool.ntp.org failed

Hi @philipp.scherer ,

 

Sounds familiar. If possible, can you test with NTP server time.google.com and check if that works?

 

Cheers,

-Kiwi.

 

 

 
L1 Bithead

Re: NTP sync to server 0.pool.ntp.org failed

Hello @kiwi,

thanks for your fast reply.

 

I tried, same result.

admin@PAN> debug software restart process ntp

Process ntp was restarted by user admin
admin@PAN> show ntp

NTP state:
    NTP not synched, using local clock
    NTP server: time.google.com
        status: rejected
        reachable: no
        authentication-type: none
    NTP server: 1.pool.ntp.org
        status: rejected
        reachable: no
        authentication-type: none

 

I also verified in the firewall logs. Panorama was allowed to connect to time.google.com. 

 

 

Community Team Member

Re: NTP sync to server 0.pool.ntp.org failed

Hi @philipp.scherer ,

 

Sorry if I didn't mention that in my previous comment, but could you remove the backup NTP? Just try the one 'time.google.com' without the backup.

 

Either way, I'd reach out to support.

If time.google.com works when you remove the backup NTP then you're likely hitting an existing bug.

If it still doesn't work then further debugging will be required.

 

Cheers,

-Kiwi.

L1 Bithead

Re: NTP sync to server 0.pool.ntp.org failed

Hello @kiwi 

 

thanks for your hint!

I forgot to mention I already tried this with internal and external NTP servers.

 

Regards,

Philipp

 

 

L1 Bithead

Re: NTP sync to server 0.pool.ntp.org failed

I think it is a bug, since I have the exact issue. I was using software version 8.1.8 and it was working fine, but I upgraded to version 9.0.7 and then started receiving the following error: "SYSTEM ALERT : medium : NTP sync to server 192.168.103.22 failed, authenticati...". A case is already opened, but it has still not been fixed.

L5 Sessionator

Re: NTP sync to server 0.pool.ntp.org failed

@philipp.scherer,

 

I have also recently upgraded my Panorama server and a pair of HA clusters to version 9.0.7. I have faced the same issue on each instance.

I was also using the public NTP server "time.google.com".

 

I tried configuring an internal NTP server as well, but still no luck. Then I just configured the NTP IP address instead of its FQDN. Post commit, the NTP status is showing as "synched". I also suspect this is some kind of bug. You can give it a try by configuring the NTP IP address and check if it works for you.

 

Meanwhile, I am also raising a support case for this issue.

 

Mayur



Mayur Sutare
L5 Sessionator

Re: NTP sync to server 0.pool.ntp.org failed

Hello,

 

I got a reply from TAC on this issue. The engineer says this is a known issue (PAN-133179) and it is addressed in PAN-OS 9.1.2.

He also confirmed that the workaround for this issue is the same one that I mentioned in my earlier post: use the IP address of the NTP server instead of the FQDN.

 

Not sure why this was not mentioned in known issue list/release notes for 9.0.7.

 

Mayur



Mayur Sutare
L1 Bithead

Re: NTP sync to server 0.pool.ntp.org failed

But in my case I'm already using an IP address, not an FQDN.

L5 Sessionator

Re: NTP sync to server 0.pool.ntp.org failed

@Zakareya,

 

Are you using a private internal NTP server or a public NTP server? I would suggest trying the internal NTP server's IP address.

Today I also upgraded one more HA cluster to version 9.0.7 and replaced the public NTP FQDN with the IP address of the internal NTP server, and it is showing synced status.

 

Mayur



Mayur Sutare
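
Added example, not part of the thread and not Palo Alto Networks code: a Python triage of the `show ntp` output posted above. It lists the failing servers and marks whether each is configured by FQDN (a candidate for the IP-address workaround reported for PAN-133179) or already by IP address. The function names and the "fqdn"/"ip" labels are assumptions of this example.

```python
import ipaddress
import re

# `show ntp` output as posted in this thread.
SAMPLE = """\
NTP state:
    NTP not synched, using local clock
    NTP server: 0.pool.ntp.org
        status: rejected
        reachable: no
        authentication-type: none
    NTP server: 1.pool.ntp.org
        status: rejected
        reachable: no
        authentication-type: none
"""

def parse_show_ntp(text):
    """Return (not_synched, servers); each server is a dict of its fields."""
    servers = []
    for line in (raw.strip() for raw in text.splitlines()):
        m = re.match(r"NTP server:\s*(\S+)$", line)
        if m:
            servers.append({"server": m.group(1)})
        elif servers and ":" in line:
            key, _, value = line.partition(":")
            servers[-1][key.strip()] = value.strip()
    return "NTP not synched" in text, servers

def is_ip(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def triage(text):
    """List failing servers and whether the FQDN-to-IP workaround applies."""
    not_synched, servers = parse_show_ntp(text)
    failing = []
    for s in servers:
        if s.get("reachable") == "no" or s.get("status") == "rejected":
            # Hypothetical labels: "fqdn" = try the IP workaround,
            # "ip" = workaround already in place, escalate to support.
            failing.append((s["server"], "ip" if is_ip(s["server"]) else "fqdn"))
    return not_synched, failing

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A device left on its local clock produces log timestamps that drift from the rest of the estate, so a check like this can run after each upgrade, before the logs are relied on for correlation.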