Ntp client not getting updated with server

 
SOLVED
chindi
Respected Contributor

Hi,

I am using a Linux CentOS server as NTP server.

On the NTP server (10.1.5.40) I have:
[root@centsvr sysconfig]# ntpq -pn
remote refid st t when poll reach delay offset jitter
==============================================================================
*54.251.84.105 223.255.185.2 2 u 1 64 1 66.978 -0.344 24.639
27.114.150.12 81.94.123.16 2 u 1 64 1 71.545 2.147 27.853
27.114.150.10 193.79.237.14 2 u 3 64 1 77.487 25.470 14.456
59.124.196.85 220.130.158.70 2 u - 64 1 133.528 3.622 35.381
127.127.1.0 .LOCL. 10 l 12 64 1 0.000 0.000 0.002

 

[root@centsvr sysconfig]# cat /etc/ntp.conf
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
#restrict default kod nomodify notrap nopeer noquery
#restrict -6 default kod nomodify notrap nopeer noquery

# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
restrict -6 ::1
#restrict default ignore

# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool 
#server 0.centos.pool.ntp.org
#server 1.centos.pool.ntp.org
#server 2.centos.pool.ntp.org

#server 0.in.pool.ntp.org
#server 1.asia.pool.ntp.org
#server 0.asia.pool.ntp.org
#server 0.in.pool.ntp.org burst iburst
#server 1.asia.pool.ntp.org burst iburst
#server 0.asia.pool.ntp.org burst iburst
server 0.asia.pool.ntp.org iburst
server 1.asia.pool.ntp.org iburst
server 2.asia.pool.ntp.org iburst
server 3.asia.pool.ntp.org iburst
#restrict 1.asia.pool.ntp.org notrap noquery
logfile /var/log/ntpd.log
restrict 10.1.1.0 mask 255.255.255.0 nomodify notrap
#broadcast 192.168.1.255 key 42 # broadcast server
#broadcastclient # broadcast client
#broadcast 224.0.1.1 key 42 # multicast server
#multicastclient 224.0.1.1 # multicast client
#manycastserver 239.255.254.254 # manycast server
#manycastclient 239.255.254.254 key 42 # manycast client

# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available.
server 127.127.1.0 # local clock
fudge 127.127.1.0 stratum 10

# Drift file. Put this in a directory which the daemon can write to.
# No symbolic links allowed, either, since the daemon updates the file
# by creating a temporary in the same directory and then rename()'ing
# it to the file.
driftfile /var/lib/ntp/drift

# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys

# Specify the key identifiers which are trusted.
#trustedkey 4 8 42

# Specify the key identifier to use with the ntpdc utility.
#requestkey 8

# Specify the key identifier to use with the ntpq utility.
#controlkey 8

 

=====================================================================

My iptables file on the NTP server is as follows:

[root@centsvr sysconfig]# cat iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 123 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 177 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 6000:6010 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

 

=======================================================================

Whereas on my NTP client machine (HP-UX 11i v2), I am not able to sync it with the server:

root #/etc >xntpdc -l
client LOCAL(1)
client 10.1.5.40

 

root #/etc >/sbin/init.d/xntpd start
27 Aug 16:51:14 ntpdate[7735]: no server suitable for synchronization found

 

The time difference is only 30 seconds.

root #/etc >ntpdate -d 10.1.5.40
transmit(10.1.5.40)
transmit(10.1.5.40)
transmit(10.1.5.40)
transmit(10.1.5.40)
transmit(10.1.5.40)
server 10.1.5.40, port 123
stratum 0, precision 0, leap 00, trust 000
refid [0.0.0.0], delay 0.00000, dispersion 64.00000
transmitted 4, in filter 4
reference time: 00000000.00000000 Thu, Feb 7 2036 11:58:16.000
originate timestamp: 00000000.00000000 Thu, Feb 7 2036 11:58:16.000
transmit timestamp: d5c70b7f.f0561000 Tue, Aug 27 2013 16:56:55.938
filter delay: 0.00000 0.00000 0.00000 0.00000
0.00000 0.00000 0.00000 0.00000
filter offset: 0.000000 0.000000 0.000000 0.000000
0.000000 0.000000 0.000000 0.000000
delay 0.00000, dispersion 64.00000
offset 0.000000

27 Aug 16:56:56 ntpdate[9564]: no server suitable for synchronization found

 

ntpdate 10.1.5.40 is not working here.

 

 

P.S. This thread has been moved from HP-UX > System Administration to HP-UX > networking.
-HP Forum Moderator

Matti_Kurkela
Honored Contributor
Solution

Re: Ntp client not getting updated with server

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 123 -j ACCEPT

Your iptables ruleset on the Linux system accepts only TCP traffic on port 123, but NTP is a UDP-based protocol.

 

In /etc/services, both TCP and UDP are listed for NTP, because IANA used to always register both versions when a request for a new standard port number was submitted to it. However, most modern protocols usually use only one or the other.

 

(With TCP, the network drivers can detect transmission errors and wait for the data to be re-sent, even before the receiving application becomes "aware" that some data has arrived. For many network protocols, this is a good thing. But this can cause unpredictable, variable delays, which is obviously unacceptable when you're transmitting a time signal. That's why NTP uses UDP instead: it allows the NTP endpoints total control of the error correction methods used, so the standard error correction of TCP can be replaced with something that is more appropriate for time signals.)

 

Your NTP server works because of this rule:

-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Since the NTP server sends outgoing traffic to the remote time sources, the incoming traffic from those time sources can easily be identified as "responses" by the iptables state match module, so your NTP server can communicate with the time sources. But when an NTP client queries your server, the query is not part of any established NTP traffic flow nor in any way related to those flows, so this rule won't help the clients.

 

You should fix your iptables rule for port 123 to accept UDP instead:

-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT

 

MK
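The following Python script is an added example for this thread, not code from either poster or from HP. It parses an iptables-save dump and walks the INPUT chain the way the kernel would for a single packet, so you can check before touching the firewall whether a fresh NTP query (UDP/123, state NEW, arriving on a non-loopback interface) would be accepted, or fall through to the final REJECT. The first dump is an abridged copy of the poster's ruleset; the second applies the UDP rule from the answer. Interface name eth0 and the packet fields are constructed for the simulation. The poster's own ntpdate -d trace shows the symptom of a filtered query: four transmits, a "stratum 0" server with refid 0.0.0.0 and zero-filled reference and originate timestamps, meaning no reply was received at all.

```python
"""Simulate how an iptables-save ruleset treats an inbound NTP query.

Added example for this thread (not the poster's or HP's code): it parses an
iptables-save dump, walks the INPUT chain first-match like the kernel does for
one packet, and reports the verdict.
"""
import shlex

# Constructed: the poster's ruleset, abridged to the rules that matter here.
TCP_ONLY_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 123 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 6000:6010 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Constructed: the same ruleset with the port-123 rule changed to UDP, as the answer suggests.
UDP_FIXED_RULES = TCP_ONLY_RULES.replace(
    "-m tcp -p tcp --dport 123", "-m udp -p udp --dport 123")


def parse_dump(text):
    """Return (policies, chains): the default policy per built-in chain and the
    ordered list of parsed rules per chain. Only the match options used in the
    poster's ruleset are modelled."""
    policies, chains = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(":"):                      # chain declaration
            name, policy = line[1:].split()[:2]
            policies[name] = None if policy == "-" else policy
            chains.setdefault(name, [])
        elif line.startswith("-A "):                  # rule appended to a chain
            tok = shlex.split(line)
            rule = {"proto": None, "dports": None, "states": None,
                    "iface": None, "dst": None, "target": None}
            i = 2
            while i < len(tok):
                opt = tok[i]
                if opt in ("-p", "--protocol"):
                    rule["proto"] = tok[i + 1].lower()
                elif opt == "--dport":                # single port or lo:hi range
                    lo, _, hi = tok[i + 1].partition(":")
                    rule["dports"] = (int(lo), int(hi or lo))
                elif opt == "--state":
                    rule["states"] = set(tok[i + 1].split(","))
                elif opt == "-i":
                    rule["iface"] = tok[i + 1]
                elif opt == "-d":
                    rule["dst"] = tok[i + 1]
                elif opt == "-j":
                    rule["target"] = tok[i + 1]
                elif opt == "-m":
                    pass                              # match-extension load, no criterion
                else:
                    i += 1                            # unmodelled option or its value
                    continue
                i += 2                                # handled options consume a value
            chains.setdefault(tok[1], []).append(rule)
    return policies, chains


def matches(rule, pkt):
    """True when every criterion the rule specifies holds for the packet."""
    if rule["proto"] and rule["proto"] != pkt["proto"]:
        return False
    if rule["dports"] and not rule["dports"][0] <= pkt["dport"] <= rule["dports"][1]:
        return False
    if rule["states"] and pkt["state"] not in rule["states"]:
        return False
    if rule["iface"] and rule["iface"] != pkt["iface"]:
        return False
    if rule["dst"] and rule["dst"] != pkt["dst"]:
        return False
    return True


def verdict(policies, chains, pkt, chain="INPUT"):
    """First-match walk of a chain: a user chain that runs off its end returns to
    the caller, a built-in chain falls back to its policy."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        if target == "RETURN":
            break
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target in chains:                          # jump into a user-defined chain
            result = verdict(policies, chains, pkt, target)
            if result != "RETURN":
                return result
    return policies.get(chain) or "RETURN"


def ntp_query_verdict(dump, proto="udp"):
    """Verdict for a fresh NTP query to port 123 arriving on a non-loopback interface
    (constructed packet: interface eth0, destination 10.1.5.40 from the thread)."""
    pkt = {"proto": proto, "dport": 123, "state": "NEW", "iface": "eth0", "dst": "10.1.5.40"}
    return verdict(*parse_dump(dump), pkt)


if __name__ == "__main__":
    for label, dump in (("TCP-only rule", TCP_ONLY_RULES), ("UDP rule", UDP_FIXED_RULES)):
        print(f"{label}: UDP/123 -> {ntp_query_verdict(dump)}, "
              f"TCP/123 -> {ntp_query_verdict(dump, 'tcp')}")
```

Run it as-is to see the poster's ruleset reject UDP/123 while accepting the (useless) TCP/123, and the corrected ruleset do the reverse. Point `TCP_ONLY_RULES` at the output of `iptables-save` on your own server to audit a live ruleset the same way.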
chindi
Respected Contributor

Re: Ntp client not getting updated with server

Hi Matti,

 

You were spot on again :)

 

Thanks