02-25-2019 05:05 AM
Hi
I have a problem with the NTP sync. When I run "show ntp":
NTP state:
NTP not synched, using local clock
NTP server: asia.pool.ntp.org
status: rejected
reachable: no
authentication-type: none
NTP server: pool.ntp.org
status: rejected
reachable: no
authentication-type: none
But my mgmt interface is allowed via policy rule to use NTP. I am able to ping the NTP host and a traceroute runs fine.
So I searched a bit for errors. I only found this in sysdagent.log: TIME: Unable to connect to asia.pool.ntp.org for ntpdate
I tested it with "debug software restart process ntp"
Any ideas?
02-25-2019 06:02 AM
You may need to change the service route for NTP.
Device/Setup/Services/Service Route Configuration/NTP.
You will need to set this to the same interface that matches your policy.
02-25-2019 07:34 AM
But at the moment I have "Use Management Interface for all" and this will run. So I get PA updates and virus updates and so on. For my MGT the default GW is the eth2, and this I see in the Monitor Log.
But no NTP 😞
02-25-2019 07:44 AM
Sorry, I did not fully understand your setup.
02-25-2019 07:51 AM
Okay look:
MGT IP 10.0.8.1
eth 1/1 public IP
eth 1/2 10.0.8.2 my trust network
Default virtual router route 0.0.0.0 to eth 1/1.
So my mgmt rule: src 10.0.8.1, trust zone, goes to untrust, destination any. This is how PA updates work fine.
02-25-2019 07:56 AM
What appliance is this on? Or is it a VM?
02-25-2019 09:57 AM
Works for me, but I do have my DNS currently set to 8.8.8.8, as the Palo docs state that the DNS must have a reverse lookup for the NTP server.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cld0CAC
admin@PA-3020(active)> show ntp
NTP state:
NTP synched to asia.pool.ntp.org
NTP server: asia.pool.ntp.org
status: synched
reachable: yes
authentication-type: none
02-25-2019 11:16 AM
Hmmmmmm.... not sure about the previous link, as I set DNS to internal and it still works OK.
It does take about 5 mins to be successful though.....
10-09-2020 09:58 PM
I just encountered what I think is a bug and will report it through the PAN-OS folks. We were setting up the connection for the NGFW to the Cortex Data Lake. It wouldn't get the CDL cert. We flipped the HA pair and went through the same process and it worked. After looking through the Device/Setup configs, the ONLY difference was that the one that just worked had 0.pool.ntp.org set in its secondary NTP server setting. We added 0.pool.ntp.org as a secondary, then it grabbed. So then we just took pool.ntp.org right out of both configs and moved 0.pool.ntp.org to the primary. Again no issues. I think it might be in how we are grabbing those IPs when they resolve, or it's taking too long for the main pool to grab the IPs it wants to provide. Earlier above, there was a comment about using a stable time server, which by changing out pool.ntp.org for basically any legit time server, you were probably resolved. If you have any problems with NTP, the first thing I would check would be that you aren't using the generic pool.ntp.org.
01-19-2021 12:36 PM
This is correct - I couldn't get NTP to sync on my PA220 when using "pool.ntp.org" - had to change the NTP server address to 0.pool.ntp.org
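Added example, not part of the original posts: a Python check that parses the "show ntp" output quoted in this thread and reports an unsynchronised clock and rejected or unreachable servers. The function names are hypothetical, and also flagging "authentication-type: none" is an assumption about what a reviewer would want surfaced, since unauthenticated NTP replies cannot be verified by the firewall.

```python
import re

# Constructed sample input: the two "show ntp" outputs quoted in the thread.
NOT_SYNCED = """\
NTP state:
NTP not synched, using local clock
NTP server: asia.pool.ntp.org
status: rejected
reachable: no
authentication-type: none
NTP server: pool.ntp.org
status: rejected
reachable: no
authentication-type: none
"""
SYNCED = """\
NTP state:
NTP synched to asia.pool.ntp.org
NTP server: asia.pool.ntp.org
status: synched
reachable: yes
authentication-type: none
"""

def parse_show_ntp(text):
    """Return (synced_to, servers); servers holds one dict per 'NTP server:' block."""
    synced_to, servers = None, []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"NTP synched to (\S+)", line)
        if m:
            synced_to = m.group(1)
        elif line.startswith("NTP server:"):
            servers.append({"server": line.split(":", 1)[1].strip()})
        elif ":" in line and servers:  # attribute line of the current server
            key, value = line.split(":", 1)
            servers[-1][key.strip()] = value.strip()
    return synced_to, servers

def findings(text):
    """List problems: no sync, rejected/unreachable servers, missing authentication."""
    synced_to, servers = parse_show_ntp(text)
    out = [] if synced_to else ["clock not synchronised (using local clock)"]
    for s in servers:
        if s.get("reachable") != "yes" or s.get("status") == "rejected":
            out.append(f"{s['server']}: status={s.get('status')} reachable={s.get('reachable')}")
        if s.get("authentication-type") == "none":
            out.append(f"{s['server']}: NTP authentication not configured")
    return out
```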