Unable to connect to pool.ntp.org

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

Unable to connect to pool.ntp.org

L3 Networker


I have a problem with the NTP sync. When i make a "show ntp"


NTP state:
NTP not synched, using local clock
NTP server: asia.pool.ntp.org
status: rejected
reachable: no
authentication-type: none
NTP server: pool.ntp.org
status: rejected
reachable: no
authentication-type: none


But my mgmt interface is alow via policy rule to use ntp. I am able to ping the ntp host and a traceroute runs good.

So I search a bit you erros.. only found in sysdagent.log TIME: Unable to connect to asia.pool.ntp.org for ntpdate

I test it with "debug software restart process ntp"


Any Ideas?



L7 Applicator



you may need to change the service route for NTP.


Device/Setup/Services/Service Route Configuration/NTP.


you will need to set this to the same interface that matches your policy.

But at the moment I have "Use Management Interface for all" and this will run. So I get PA Updates and Virusupdates and so on. For my MGT there is the default GW the eth2 and this I see in the Monitor Log.


But no NTP 😞

sorry i did not fully understand your setup.


Okay look:


eth 1/1 public IP

eth 1/2 my trust network


defualt virtual router route to eth 1/1.

So my Mgmt Rule Src trust zone goes to untrust destiantion any. This is how PA Updates work fine.

what appliance is this on. or is it a VM.

Its a PA220

Works for me but I do have my DNS currently set to as palo docs state that the dns must have a reverse lookup for the ntp server.




admin@PA-3020(active)> show ntp


NTP state:

    NTP synched to asia.pool.ntp.org

    NTP server: asia.pool.ntp.org

        status: synched

        reachable: yes

        authentication-type: none

Hmmmmmm.... not sure about previous link as set dns to internal and still works ok.


it does take about 5 mins to be succesful though.....

L0 Member

I just encountered what i think is a bug and will report it through the PAN-OS folks.  We were setting up connection for NGFW to the Cortex Data Lake.  It wouldn't get the CDL cert.  we flipped the HA pair and went through same process and it worked.  after looking the through the Device/Setup configs, the ONLY difference was that the one that just worked had 0.pool.ntp.org set in its secondary NTP server setting.  We added 0.pool.ntp.org as a secondary then it grabbed.  So then we just took pool.ntp.org right out of both configs, moved 0.pool.ntp.org to the primary.  Again no issues.  I think it might be in how we are grabbing those IPs when they resolve, or its taking too long for the main pool to grab the IPs its wants to provide.    Earlier above, there was a comment about using a stable time server, which by changing out pool.ntp.org for basically any legit time server, you were probably resolved.  If you have any problems with NTP, first thing i would check would be that you aren't using the generic pool.ntp.org.

This is correct - i couldnt get NTP to sync on my PA220 when using "pool.ntp.org" - had to change the NTP server address to 0.pool.ntp.org

  • 10 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!