Re: NTP synchronized: no

On 09/09/15 22:31, Shaheen Bakhtiar wrote:

On Sep 9, 2015, at 12:17 PM, Shaheen Bakhtiar <shashaness@xxxxxxxxxxx
<mailto:shashaness@xxxxxxxxxxx>> wrote:



On Sep 9, 2015, at 11:00 AM, Rick Stevens <ricks@xxxxxxxxxxxxxx
<mailto:ricks@xxxxxxxxxxxxxx>> wrote:

On 09/09/2015 10:37 AM, Patrick Dupre wrote:
Still the same (always as root)

 journalctl -u chrony -b
-- Logs begin at Fri 2014-05-02 02:14:24 CEST, end at Wed 2015-09-09
19:34:53 CEST. --


after  systemctl restart chronyd

systemctl list-unit-files | grep chrony
chrony-wait.service                         disabled
chronyd.service                             enabled


chronyd.service - NTP client/server
   Loaded: loaded (/usr/lib/systemd/system/chronyd.service; enabled)
   Active: active (running) since Wed 2015-09-09 19:31:53 CEST; 4min
23s ago
  Process: 6933 ExecStartPost=/usr/libexec/chrony-helper
add-dhclient-servers (code=exited, status=0/SUCCESS)
  Process: 6929 ExecStart=/usr/sbin/chronyd $OPTIONS (code=exited,
status=0/SUCCESS)
 Main PID: 6931 (chronyd)
   CGroup: /system.slice/chronyd.service
           └─6931 /usr/sbin/chronyd

Sep 09 19:31:53 Homere chronyd[6931]: chronyd version 1.31.1 starting
Sep 09 19:31:53 Homere chronyd[6931]: Frequency -15.841 +/- 0.025
ppm read from /var/lib/chrony/drift
Sep 09 19:31:53 Homere systemd[1]: Started NTP client/server.

Is there a reason you're starting ntp? You don't need it with chronyd.
Perhaps that's the issue--they're fighting each other. Try stopping and
disabling whatever is starting that "NTP client/server" thing, then
restart chronyd.

You either use ntpd or chronyd, not both. Since they'll both try to camp
out on port 123, there's going to be conflicts if they're both running.

On 09/09/2015 10:04 AM, Patrick Dupre wrote:
On 09/09/2015 08:17 AM, Patrick Dupre wrote:
Hello,

According to the domain administrator, the port is open.
Could it be an issue with the firewall?

iptables -L |grep udp
ACCEPT     udp  --  anywhere             224.0.0.251
         udp dpt:mdns ctstate NEW
ACCEPT     udp  --  anywhere             anywhere
            udp dpt:ipp ctstate NEW
ACCEPT     udp  --  anywhere             anywhere
            udp dpt:ipp ctstate NEW

ntp is on the port 123

In zone internal I checked ntp

It is all I need?

I don't think that's necessary. The firewall rules affect incoming
connections (it's a stateful firewall...if you initiate the connection,
the reply is permitted). I'd suggest looking at the system logs at this
point to see what's going on, e.g.:

journalctl -u chrony -b

Perhaps that'll give you some hints.

journalctl -u chrony -b
-- Logs begin at Fri 2014-05-02 02:14:24 CEST, end at Wed
2015-09-09 19:02:05 CEST. --

Well, that's interesting! Looks like chrony never started! Try, as root,

systemctl start chronyd

Wait for a few minutes, then check journalctl again. If you see data in
the logs then, as root:

systemctl list-unit-files chrony*

See if you get output like this:

UNIT FILE           STATE
chrony-wait.service disabled
chronyd.service     enabled

If you see "chronyd.service disabled", then as root:

systemctl enable chronyd

to make sure it starts next time.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital ricks@xxxxxxxxxxxxxx
<mailto:ricks@xxxxxxxxxxxxxx> -
- AIM/Skype: therps2        ICQ: 226437340           Yahoo: origrps2 -
-                                                                    -
----------------------------------------------------------------------
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx <mailto:users@xxxxxxxxxxxxxxxxxxxxxxx>
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org



--
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital ricks@xxxxxxxxxxxxxx
<mailto:ricks@xxxxxxxxxxxxxx> -
- AIM/Skype: therps2        ICQ: 226437340           Yahoo: origrps2 -
-                                                                    -
-  You know the old saying--any technology sufficiently advanced is  -
-               indistinguishable from a Perl script                 -
-                                 --Programming Perl, 2nd Edition    -
----------------------------------------------------------------------



Interesting….

Just tested this on a somewhat brand new install of FC22 (fully
updated) and I’m getting the same results. I do have port 123 open on
the firewall INBOUND as well as the server (that is, any UDP port can
connect to my machines at port 123), but based on the tcpdump I just
did it looks like chrony is connecting using an unprivileged port,
which most likely means (and I’ve come across a few articles that say
as much) the firewall rule needs to allow incoming UDP port 123 to ANY
port on the server.

I can see why firewall admins would be VERY apprehensive about doing
this, and I’m not in the office so I don’t want to play with my
firewall rules remotely. I’ll be in tomorrow and I’ll test my theory
by opening source port 123 to any port and see if this solves the problem.

OT: If it does, I would have to agree with the few articles I’ve read
out there regarding this. IT is a BAD implementation. It all but
forces one to simply buy a GPS unit or time server and house it on site.

http://superuser.com/questions/141772/what-are-the-iptables-rules-to-permit-ntp
http://superuser.com/questions/762579/why-does-ntp-require-bi-directional-firewall-access-to-udp-port-123

[root@smtp ~]# systemctl status chronyd.service
● chronyd.service - NTP client/server
   Loaded: loaded (/usr/lib/systemd/system/chronyd.service; enabled;
vendor preset: enabled)
   Active: active (running) since Wed 2015-09-09 11:35:34 PDT; 25min ago
  Process: 5722 ExecStartPost=/usr/libexec/chrony-helper update-daemon
(code=exited, status=0/SUCCESS)
  Process: 5718 ExecStart=/usr/sbin/chronyd $OPTIONS (code=exited,
status=0/SUCCESS)
 Main PID: 5720 (chronyd)
   CGroup: /system.slice/chronyd.service
           └─5720 /usr/sbin/chronyd

Sep 09 11:35:34 smtp.inksystemsinc.com
<http://smtp.inksystemsinc.com/> systemd[1]: Starting NTP client/server...
Sep 09 11:35:34 smtp.inksystemsinc.com
<http://smtp.inksystemsinc.com/> chronyd[5720]: chronyd version 2.1.1
starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +DEBUG +ASYNCD...ECHASH)
Sep 09 11:35:34 smtp.inksystemsinc.com
<http://smtp.inksystemsinc.com/> chronyd[5720]: Generated key 1
Sep 09 11:35:34 smtp.inksystemsinc.com
<http://smtp.inksystemsinc.com/> systemd[1]: Started NTP client/server.

[root@smtp ~]# timedatectl
      Local time: Wed 2015-09-09 12:02:28 PDT
  Universal time: Wed 2015-09-09 19:02:28 UTC
        RTC time: Wed 2015-09-09 19:02:34
       Time zone: America/Los_Angeles (PDT, -0700)
     NTP enabled: yes
NTP synchronized: no
 RTC in local TZ: no
      DST active: yes
 Last DST change: DST began at
                  Sun 2015-03-08 01:59:59 PST
                  Sun 2015-03-08 03:00:00 PDT
 Next DST change: DST ends (the clock jumps one hour backwards) at
                  Sun 2015-11-01 01:59:59 PDT
                  Sun 2015-11-01 01:00:00 PST

[root@smtp ~]# chronyc -n sources
210 Number of sources = 8
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^? 208.75.88.4                   0   7     0   10y     +0ns[   +0ns]
+/-    0ns
^? 50.116.38.157                 0   7     0   10y     +0ns[   +0ns]
+/-    0ns
^? 107.170.242.27                0   7     0   10y     +0ns[   +0ns]
+/-    0ns
^? 131.107.13.100                0   7     0   10y     +0ns[   +0ns]
+/-    0ns
^? 2604:8800:100:65::2           0   6     0   10y     +0ns[   +0ns]
+/-    0ns
^? 2a00:1630:66:ea::e82a         0   6     0   10y     +0ns[   +0ns]
+/-    0ns
^? 2600:3c03::f03c:91ff:feae:3952   0   6     0   10y
  +0ns[   +0ns] +/-    0ns
^? 2602:ffa1:200::3              0   6     0   10y     +0ns[   +0ns]
+/-    0ns




[root@smtp ~]# tcpdump port 123
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp2s2f0, link-type EN10MB (Ethernet), capture size
262144 bytes
12:20:35.435351 IP smtp.inksystemsinc.com
<http://smtp.inksystemsinc.com/>.59841 > repos.lax-noc.com.ntp: NTPv4,
Client, length 48
12:20:36.780107 IP smtp.inksystemsinc.com
<http://smtp.inksystemsinc.com/>.58673 > name1.glorb.com.ntp: NTPv4,
Client, length 48
12:20:39.177934 IP smtp.inksystemsinc.com
<http://smtp.inksystemsinc.com/>.48109 > time-b.nist.gov.ntp: NTPv4,
Client, length 48
12:20:42.249166 IP smtp.inksystemsinc.com
<http://smtp.inksystemsinc.com/>.46548 > time-c.nist.gov.ntp: NTPv4,
Client, length 48
12:24:21.798506 IP smtp.inksystemsinc.com
<http://smtp.inksystemsinc.com/>.38782 > clock.trit.net.ntp: NTPv4,
Client, length 48
12:24:21.999909 IP smtp.inksystemsinc.com
<http://smtp.inksystemsinc.com/>.39560 > 131.107.13.100.ntp: NTPv4,
Client, length 48
12:24:23.009871 IP smtp.inksystemsinc.com
<http://smtp.inksystemsinc.com/>.47688 > origin.towfowi.net.ntp:
NTPv4, Client, length 48
12:24:23.211233 IP smtp.inksystemsinc.com
<http://smtp.inksystemsinc.com/>.46101 > deekayen.net.ntp: NTPv4,
Client, length 48
12:24:23.813548 IP smtp.inksystemsinc.com
<http://smtp.inksystemsinc.com/>.43697 > clock.trit.net.ntp: NTPv4,
Client, length 48
12:24:24.019143 IP smtp.inksystemsinc.com
<http://smtp.inksystemsinc.com/>.35847 > 131.107.13.100.ntp: NTPv4,
Client, length 48
12:24:25.044904 IP smtp.inksystemsinc.com
<http://smtp.inksystemsinc.com/>.33086 > origin.towfowi.net.ntp:
NTPv4, Client, length 48
12:24:25.248017 IP smtp.inksystemsinc.com
<http://smtp.inksystemsinc.com/>.52609 > deekayen.net.ntp: NTPv4,
Client, length 48
12:24:25.842556 IP smtp.inksystemsinc.com
<http://smtp.inksystemsinc.com/>.59576 > clock.trit.net.ntp: NTPv4,
Client, length 48
12:24:26.049297 IP smtp.inksystemsinc.com
<http://smtp.inksystemsinc.com/>.43897 > 131.107.13.100.ntp: NTPv4,
Client, length 48
12:24:27.074666 IP smtp.inksystemsinc.com
<http://smtp.inksystemsinc.com/>.45592 > origin.towfowi.net.ntp:
NTPv4, Client, length 48
12:24:27.287149 IP smtp.inksystemsinc.com
<http://smtp.inksystemsinc.com/>.55627 > deekayen.net.ntp: NTPv4,
Client, length 48
12:24:27.863836 IP smtp.inksystemsinc.com
<http://smtp.inksystemsinc.com/>.54775 > clock.trit.net.ntp: NTPv4,
Client, length 48
12:24:28.064734 IP smtp.inksystemsinc.com
<http://smtp.inksystemsinc.com/>.42372 > 131.107.13.100.ntp: NTPv4,
Client, length 48
12:24:29.107981 IP smtp.inksystemsinc.com
<http://smtp.inksystemsinc.com/>.38735 > origin.towfowi.net.ntp:
NTPv4, Client, length 48
12:24:29.309311 IP smtp.inksystemsinc.com
<http://smtp.inksystemsinc.com/>.41803 > deekayen.net.ntp: NTPv4,
Client, length 48
12:24:29.885521 IP smtp.inksystemsinc.com
<http://smtp.inksystemsinc.com/>.46028 > clock.trit.net.ntp: NTPv4,
Client, length 48
12:24:30.086696 IP smtp.inksystemsinc.com
<http://smtp.inksystemsinc.com/>.52997 > 131.107.13.100.ntp: NTPv4,
Client, length 48
12:24:31.134974 IP smtp.inksystemsinc.com
<http://smtp.inksystemsinc.com/>.60018 > origin.towfowi.net.ntp:
NTPv4, Client, length 48
12:24:31.336257 IP smtp.inksystemsinc.com
<http://smtp.inksystemsinc.com/>.58666 > deekayen.net.ntp: NTPv4,
Client, length 48
12:24:31.889111 IP smtp.inksystemsinc.com
<http://smtp.inksystemsinc.com/>.34483 > clock.trit.net.ntp: NTPv4,
Client, length 48
12:24:32.125685 IP smtp.inksystemsinc.com
<http://smtp.inksystemsinc.com/>.50513 > 131.107.13.100.ntp: NTPv4,
Client, length 48
12:24:33.160631 IP smtp.inksystemsinc.com
<http://smtp.inksystemsinc.com/>.59358 > origin.towfowi.net.ntp:
NTPv4, Client, length 48
12:24:33.362719 IP smtp.inksystemsinc.com
<http://smtp.inksystemsinc.com/>.33979 > deekayen.net.ntp: NTPv4,
Client, length 48
12:24:33.889878 IP smtp.inksystemsinc.com
<http://smtp.inksystemsinc.com/>.57796 > clock.trit.net.ntp: NTPv4,
Client, length 48
12:24:34.127055 IP smtp.inksystemsinc.com
<http://smtp.inksystemsinc.com/>.58885 > 131.107.13.100.ntp: NTPv4,
Client, length 48
12:24:35.189193 IP smtp.inksystemsinc.com
<http://smtp.inksystemsinc.com/>.50615 > origin.towfowi.net.ntp:
NTPv4, Client, length 48
12:24:35.391723 IP smtp.inksystemsinc.com
<http://smtp.inksystemsinc.com/>.58513 > deekayen.net.ntp: NTPv4,
Client, length 48
12:24:35.916880 IP smtp.inksystemsinc.com
<http://smtp.inksystemsinc.com/>.52794 > clock.trit.net.ntp: NTPv4,
Client, length 48
12:24:36.151963 IP smtp.inksystemsinc.com
<http://smtp.inksystemsinc.com/>.41172 > 131.107.13.100.ntp: NTPv4,
Client, length 48
12:24:37.219853 IP smtp.inksystemsinc.com
<http://smtp.inksystemsinc.com/>.50053 > origin.towfowi.net.ntp:
NTPv4, Client, length 48
12:24:37.421983 IP smtp.inksystemsinc.com
<http://smtp.inksystemsinc.com/>.54911 > deekayen.net.ntp: NTPv4,
Client, length 48
12:26:44.993577 IP smtp.inksystemsinc.com
<http://smtp.inksystemsinc.com/>.33387 > clock.trit.net.ntp: NTPv4,
Client, length 48
12:26:45.894067 IP smtp.inksystemsinc.com
<http://smtp.inksystemsinc.com/>.37791 > 131.107.13.100.ntp: NTPv4,
Client, length 48
12:26:47.006712 IP smtp.inksystemsinc.com
<http://smtp.inksystemsinc.com/>.43237 > origin.towfowi.net.ntp:
NTPv4, Client, length 48
12:26:47.459310 IP smtp.inksystemsinc.com
<http://smtp.inksystemsinc.com/>.51999 > deekayen.net.ntp: NTPv4,
Client, length 48
12:31:04.623651 IP smtp.inksystemsinc.com
<http://smtp.inksystemsinc.com/>.60481 > clock.trit.net.ntp: NTPv4,
Client, length 48
12:31:05.273877 IP smtp.inksystemsinc.com
<http://smtp.inksystemsinc.com/>.47396 > origin.towfowi.net.ntp:
NTPv4, Client, length 48
12:31:05.474975 IP smtp.inksystemsinc.com
<http://smtp.inksystemsinc.com/>.43965 > deekayen.net.ntp: NTPv4,
Client, length 48
12:31:06.622505 IP smtp.inksystemsinc.com
<http://smtp.inksystemsinc.com/>.60713 > 131.107.13.100.ntp: NTPv4,
Client, length 48



In my case I figured out that this was indeed a firewall issue. In order
to make this work I had to add the following configuration to our Cisco
router to allow it to keep track of outbound UDP connections, and in
turn allow the outside host to come back in on the same port. Basically,
what the below configuration does is add a “stateful firewall-esque”
feature to the Cisco’s (stateless) access lists.

ISIR02#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
ISIR02(config)#ip inspect name ge01_out_fw udp
ISIR02(config)#interface gigabitEthernet 0/1.50
ISIR02(config-subif)#ip inspect ge01_out_fw out
ISIR02(config-subif)#exit
ISIR02(config)#exit
ISIR02#write mem

Here are a couple of links that should help:
http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html#cbac
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i2.html#wp2665953023
https://learningnetwork.cisco.com/thread/13408


Once this was done:

[root@smtp ~]# chronyc -n sources
210 Number of sources = 4
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^+ 66.228.59.187                 2   6    17     6  -1931us[-2492us]
+/-   64ms
^+ 67.18.187.111                 2   6    17     7    +53us[ -511us]
+/-   50ms
^* 129.6.15.29                   1   6    17     6   +642us[  +84us]
+/-   34ms
^- 199.223.248.100               2   6    17     7  +7859us[+7287us]
+/-  156ms
[root@smtp ~]# date
Wed Sep  9 14:30:02 PDT 2015

which was the exact time on my iPhone :)


... and (on my SL7 box) # tcpdump port 123
shows the outgoing probe and the response, for calculation of the transit time:

23:01:55.706587 IP HP_Box.home.ntp > vpn.webersheim.de.ntp: NTPv3, Client, length 48
23:01:55.741872 IP vpn.webersheim.de.ntp > HP_Box.home.ntp: NTPv3, Server, length 48
23:09:18.187249 IP HP_Box.home.ntp > 213.145.129.29.ntp: NTPv3, Client, length 48
23:09:18.323093 IP 213.145.129.29.ntp > HP_Box.home.ntp: NTPv3, Server, length 48
23:12:00.892883 IP HP_Box.home.ntp > srv02.privatcloud.dk.ntp: NTPv3, Client, length 48
23:12:00.912962 IP srv02.privatcloud.dk.ntp > HP_Box.home.ntp: NTPv3, Server, length 48






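An added example, not taken from any message in this thread: a small Python script that reads lines of "tcpdump port 123" output the way the two captures above were read by hand. It groups packets by NTP server, counts client requests against server replies, and reports whether the client sent from source port 123 (ntpd-style) or from ephemeral ports (chronyd-style), which is what decides whether a stateless ACL matching port 123 on both ends will ever pass the replies. The hostnames, addresses and capture lines below are constructed for the example; the line format is tcpdump's default NTP one-liner as shown in the thread, with port 123 printed as "ntp" because -n was not used.

```python
"""Classify NTP traffic in tcpdump output: who asked, who answered, from which ports.

Added example for this thread; the captures below are constructed, not from the thread.
"""
import re
from collections import defaultdict

# tcpdump's default one-liner for NTP, as seen in the thread. Without -n, port 123 prints as "ntp".
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP6? "
    r"(?P<src>\S+)\.(?P<sport>[^\s.:]+) > (?P<dst>\S+)\.(?P<dport>[^\s.:]+): "
    r"NTPv(?P<ver>\d), (?P<mode>Client|Server), length (?P<len>\d+)$"
)


def port_number(token):
    """tcpdump prints well-known ports by service name unless -n is given."""
    if token.isdigit():
        return int(token)
    if token == "ntp":
        return 123
    raise ValueError("unexpected port token %r" % token)


def parse_line(line):
    """Return a dict for an NTP line, or None for lines that are not NTP packets."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"] = port_number(pkt["sport"])
    pkt["dport"] = port_number(pkt["dport"])
    pkt["ver"] = int(pkt["ver"])
    return pkt


def analyze(capture):
    """Per NTP server: requests sent to it, replies seen from it, and the client ports involved."""
    stats = defaultdict(lambda: {"requests": 0, "replies": 0, "client_ports": set()})
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["mode"] == "Client":
            s = stats[pkt["dst"]]
            s["requests"] += 1
            s["client_ports"].add(pkt["sport"])
        else:
            # Server reply: the NTP server is the source, and the reply is addressed to the
            # port the request left from, so that destination port is a client port too.
            s = stats[pkt["src"]]
            s["replies"] += 1
            s["client_ports"].add(pkt["dport"])
    return dict(stats)


def diagnose(stats):
    """Map the counts to (client port style, verdict) per server."""
    out = {}
    for server, s in stats.items():
        if s["client_ports"] == {123}:
            style = "source port 123 (ntpd-style)"
        elif 123 in s["client_ports"]:
            style = "mixed source ports"
        else:
            style = "ephemeral source ports (chronyd-style)"
        if s["requests"] and not s["replies"]:
            verdict = "NO REPLIES: return path blocked or server unreachable"
        elif s["replies"] < s["requests"]:
            verdict = "PARTIAL replies"  # may also be a short capture window; compare over several polls
        else:
            verdict = "OK"
        out[server] = (style, verdict)
    return out


# Constructed captures (placeholder names/addresses). First: chronyd behind a stateless ACL that
# only passes udp/123 -> udp/123, so no replies come back. Second: ntpd sending from port 123,
# replies fine. Third: chronyd after connection tracking was enabled on the edge device.
CHRONYD_BLOCKED = """\
12:20:35.435351 IP client.example.net.59841 > ntp1.example.org.ntp: NTPv4, Client, length 48
12:20:36.780107 IP client.example.net.58673 > ntp2.example.org.ntp: NTPv4, Client, length 48
12:24:21.798506 IP client.example.net.38782 > ntp1.example.org.ntp: NTPv4, Client, length 48
12:24:23.009871 IP client.example.net.47688 > ntp2.example.org.ntp: NTPv4, Client, length 48
"""
NTPD_WORKING = """\
23:01:55.706587 IP hpbox.home.ntp > vpn.example.de.ntp: NTPv3, Client, length 48
23:01:55.741872 IP vpn.example.de.ntp > hpbox.home.ntp: NTPv3, Server, length 48
23:09:18.187249 IP hpbox.home.ntp > 203.0.113.29.ntp: NTPv3, Client, length 48
23:09:18.323093 IP 203.0.113.29.ntp > hpbox.home.ntp: NTPv3, Server, length 48
"""
CHRONYD_FIXED = """\
14:29:01.100000 IP client.example.net.41803 > ntp1.example.org.ntp: NTPv4, Client, length 48
14:29:01.140000 IP ntp1.example.org.ntp > client.example.net.41803: NTPv4, Server, length 48
"""

if __name__ == "__main__":
    for name, cap in (("chronyd, blocked", CHRONYD_BLOCKED), ("ntpd, working", NTPD_WORKING),
                      ("chronyd, fixed", CHRONYD_FIXED)):
        print("== %s" % name)
        for server, (style, verdict) in sorted(diagnose(analyze(cap)).items()):
            print("  %-20s %-42s %s" % (server, style, verdict))
```

Run it as-is to print the verdicts for the three constructed captures, or feed it a real capture saved with "tcpdump port 123 > ntp.txt". A server showing requests but no replies from a chronyd-style client is the signature of the problem in this thread: a stateless rule that permits udp port 123 to port 123 never matches a reply addressed to an ephemeral port, so either the inbound rule has to permit source port 123 to any destination port, or the device needs connection tracking (ip inspect on the Cisco, ctstate on Linux) so the reply is matched to the request that caused it.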


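Another added example, again not from the thread: the 48-byte packets tcpdump labels "NTPv4, Client" and "NTPv3, Server" above, built and parsed in Python, with the client-side offset and round-trip delay computed from the four timestamps as in RFC 5905 section 8. The clock readings T1..T4 are simulated (client clock 0.5 s behind the server, 20 ms each way on the wire, 10 ms server turnaround), so the expected offset of 0.5 s and delay of 40 ms are arithmetic, not measurements. The reply checks (mode 4, origin timestamp equal to our own transmit timestamp, non-zero stratum) are the standard client-side checks against bogus or replayed replies. The UDP ports sit in the transport header, not in these 48 bytes, which is why a reply simply goes back to whatever source port the request left from.

```python
"""Build and parse NTP packets and compute offset/delay from one exchange.

Added example for this thread; all clock readings below are simulated, not captured.
"""
import struct

NTP_DELTA = 2208988800                # seconds from the NTP epoch (1900) to the Unix epoch (1970)
HEADER = "!BBbbIIIQQQQ"               # LI/VN/Mode, stratum, poll, precision, root delay, root disp,
HEADER_LEN = struct.calcsize(HEADER)  # ref id, 4 x 64-bit timestamps = 48 bytes ("length 48" in tcpdump)
MODE_CLIENT, MODE_SERVER = 3, 4


def to_ntp(unix_t):
    """Unix float seconds -> 64-bit NTP timestamp (32.32 fixed point)."""
    secs = int(unix_t)
    frac = int((unix_t - secs) * (1 << 32))
    return ((secs + NTP_DELTA) << 32) | frac


def from_ntp(ts):
    """64-bit NTP timestamp -> Unix float seconds."""
    return (ts >> 32) - NTP_DELTA + (ts & 0xFFFFFFFF) / (1 << 32)


def build_packet(mode, version=4, stratum=0, origin=0, receive=0, transmit=0, ref_id=0):
    """Pack an NTP header: leap indicator 0, poll 6 (64 s), precision -20 (about 1 us)."""
    first = (0 << 6) | (version << 3) | mode
    return struct.pack(HEADER, first, stratum, 6, -20, 0, 0, ref_id, 0, origin, receive, transmit)


def parse_packet(data):
    """Unpack the fixed 48-byte header; any extension fields or MAC after it are ignored."""
    if len(data) < HEADER_LEN:
        raise ValueError("short NTP packet")
    f = struct.unpack(HEADER, data[:HEADER_LEN])
    return {"leap": f[0] >> 6, "version": (f[0] >> 3) & 7, "mode": f[0] & 7, "stratum": f[1],
            "ref_id": f[6], "origin": f[8], "receive": f[9], "transmit": f[10]}


def client_evaluate(request, reply, client_t4):
    """Client side: validate the reply against our request, then compute offset and delay."""
    sent, got = parse_packet(request), parse_packet(reply)
    if got["mode"] != MODE_SERVER:
        raise ValueError("not a server reply (mode %d)" % got["mode"])
    if got["origin"] != sent["transmit"]:
        # The origin timestamp must echo our transmit timestamp; anything else is bogus or replayed.
        raise ValueError("origin timestamp does not match our request")
    if got["stratum"] == 0:
        raise ValueError("stratum 0: kiss-o'-death or unsynchronised server")
    t1 = from_ntp(sent["transmit"])   # client sent the request
    t2 = from_ntp(got["receive"])     # server received it
    t3 = from_ntp(got["transmit"])    # server sent the reply
    t4 = client_t4                    # client received the reply
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def exchange(client_t1, server_t2, server_t3, client_t4, version=4):
    """Simulate one request/reply with the given clock readings; returns (offset, delay)."""
    request = build_packet(MODE_CLIENT, version, transmit=to_ntp(client_t1))
    req = parse_packet(request)
    # Server: copy the client's transmit timestamp into origin, stamp its own receive and transmit.
    reply = build_packet(MODE_SERVER, version, stratum=2, origin=req["transmit"],
                         receive=to_ntp(server_t2), transmit=to_ntp(server_t3))
    return client_evaluate(request, reply, client_t4)


if __name__ == "__main__":
    # Simulated: client clock 0.5 s behind the server, 20 ms one-way delay, 10 ms server turnaround.
    off, dly = exchange(1000.00, 1000.52, 1000.53, 1000.05)
    print("offset %+.6f s, delay %.6f s" % (off, dly))
```

The first byte is what tcpdump decodes into "NTPv4, Client" (0x23: version 4, mode 3) or "NTPv3, Client" (0x1b) for the ntpd box above; chronyc's "Reach 0" and "+0ns" columns in the thread are exactly what you get when the request side of this exchange is seen but no reply ever passes the origin check.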
