Unable to connect to pool.ntp.org

Reply
L3 Networker

Unable to connect to pool.ntp.org

Hi

I have a problem with the NTP sync. When i make a "show ntp"

 

NTP state:
NTP not synched, using local clock
NTP server: asia.pool.ntp.org
status: rejected
reachable: no
authentication-type: none
NTP server: pool.ntp.org
status: rejected
reachable: no
authentication-type: none

 

But my mgmt interface is alow via policy rule to use ntp. I am able to ping the ntp host and a traceroute runs good.

So I search a bit you erros.. only found in sysdagent.log TIME: Unable to connect to asia.pool.ntp.org for ntpdate

I test it with "debug software restart process ntp"

 

Any Ideas?

 

L7 Applicator

@clonesheep 

 

you may need to change the service route for NTP.

 

Device/Setup/Services/Service Route Configuration/NTP.

 

you will need to set this to the same interface that matches your policy.

L3 Networker

But at the moment I have "Use Management Interface for all" and this will run. So I get PA Updates and Virusupdates and so on. For my MGT there is the default GW the eth2 and this I see in the Monitor Log.

 

But no NTP :(

L7 Applicator

sorry i did not fully understand your setup.

 

L3 Networker

Okay look:

MGT IP 10.0.8.1

eth 1/1 public IP

eth 1/2 10.0.8.2 my trust network

 

defualt virtual router route 0.0.0.0 to eth 1/1.

So my Mgmt Rule Src 10.0.8.1 trust zone goes to untrust destiantion any. This is how PA Updates work fine.

L7 Applicator

what appliance is this on. or is it a VM.

L3 Networker

Its a PA220

L7 Applicator

Works for me but I do have my DNS currently set to 8.8.8.8 as palo docs state that the dns must have a reverse lookup for the ntp server.

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cld0CAC

 

admin@PA-3020(active)> show ntp

 

NTP state:

    NTP synched to asia.pool.ntp.org

    NTP server: asia.pool.ntp.org

        status: synched

        reachable: yes

        authentication-type: none

L7 Applicator

Hmmmmmm.... not sure about previous link as set dns to internal and still works ok.

 

it does take about 5 mins to be succesful though.....

L0 Member

I just encountered what i think is a bug and will report it through the PAN-OS folks.  We were setting up connection for NGFW to the Cortex Data Lake.  It wouldn't get the CDL cert.  we flipped the HA pair and went through same process and it worked.  after looking the through the Device/Setup configs, the ONLY difference was that the one that just worked had 0.pool.ntp.org set in its secondary NTP server setting.  We added 0.pool.ntp.org as a secondary then it grabbed.  So then we just took pool.ntp.org right out of both configs, moved 0.pool.ntp.org to the primary.  Again no issues.  I think it might be in how we are grabbing those IPs when they resolve, or its taking too long for the main pool to grab the IPs its wants to provide.    Earlier above, there was a comment about using a stable time server, which by changing out pool.ntp.org for basically any legit time server, you were probably resolved.  If you have any problems with NTP, first thing i would check would be that you aren't using the generic pool.ntp.org.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!