Forum Discussion
NTP not sync'ing - what interface is used?
Hi all,
I'm currently going through a complete reconfigure of our internal loadbalancers and at the moment I'm stuck on getting NTP working.
Configuring of the internal/external/HA VLANs and assigning all self/float IP's etc is complete, Config sync and failover all work fine.
I've got a list of public NTP servers configured but they all sit at the state of INIT.
This is what I'm getting on all of the servers:
ind assID status  conf reach auth condition  last_event cnt
===========================================================
  1 12174  8000   yes   yes  none    reject
Running ntpq -c "rv 12172" gives:
[root@LB1:Active:In Sync] config ntpq -c "rv 12174"
assID=12174 status=8000 unreach, conf, no events,
srcadr=ntppub.le.ac.uk, srcport=123, dstadr=192.168.74.1, dstport=123,
leap=11, stratum=16, precision=-20, rootdelay=0.000,
rootdispersion=0.000, refid=INIT, reach=000, unreach=37, hmode=3,
pmode=0, hpoll=10, ppoll=10, flash=00 ok, keyid=0, ttl=0, offset=0.000,
delay=0.000, dispersion=15937.500, jitter=0.000,
reftime=00000000.00000000 Thu, Feb 7 2036 6:28:16.000,
org=00000000.00000000 Thu, Feb 7 2036 6:28:16.000,
rec=00000000.00000000 Thu, Feb 7 2036 6:28:16.000,
xmt=d6af521e.ab559847 Wed, Feb 19 2014 15:54:06.669,
filtdelay= 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00,
filtoffset= 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00,
filtdisp= 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0
The firewall all seems to be clear of any blocks on the IP addresses that have been configured, so what else could be the likely cause of something like this?
Thanks in advance for any advice.
Anthony
14 Replies
- Mui_64918
Cirrus
NTP is thru mgmt port, do you have a route to the destination NTP server? You can check with ntpdate serverip to validate if you are able to get to it.
- Anthony
Nimbostratus
I've just run that after stopping ntpd and got the following:
[root@LB1:Active:In Sync] config ntpdate ntppub.le.ac.uk
19 Feb 16:52:54 ntpdate[19738]: no server suitable for synchronization found
Apart from it not working - does this give you any ideas?
Thanks Ant
- Mui_64918
Cirrus
Do you have DNS set up? Try with the IP address to check. If that doesn't work then probably UDP 123 is not allowed on your firewall. Try a dump to capture the communication in the background.
tcpdump -s0 -i 0.0 host x.x.x.x &
ntpdate x.x.x.x
- Night_67217
Historic F5 Account
Hi Anthony,
It depends on how the system has a route to the NTP servers. Most people would configure that via their management network, so then the NTP would be reachable via eth0 on the F5. The first step would be for you to ping one of those servers and see if you've got L3 connectivity to them. If that's ok, then the next step would be for you to take a tcpdump on port 123 and see if the F5 is egressing any traffic to those addresses. Again, if you've got routing via management, then the syntax is:
tcpdump -nni eth0 port 123 -w /var/tmp/ntp.pcap
If you have your routing through the selfIPs, then the syntax is:
tcpdump -nni 0.0 port 123 -w /var/tmp/ntp.pcap
I hope this proves somewhat useful.
- Anthony
Nimbostratus
Using the IP address it returns the exact same output as using the DNS entry.
I think I got the entry right:
[root@LB1:Active:In Sync] config tcpdump -s0 -i 0.0 host ntppub.le.ac.uk &
[1] 19900
[root@LB1:Active:In Sync] config tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
[root@LB1:Active:In Sync] config ntpdate ntppub.le.ac.uk
17:12:15.127766 IP 192.168.74.1.ntp > ntppub.le.ac.uk.ntp: NTPv4, Client, length 48 out slot1/tmm0 lis=
17:12:16.127683 IP 192.168.74.1.ntp > ntppub.le.ac.uk.ntp: NTPv4, Client, length 48 out slot1/tmm0 lis=
17:12:17.127722 IP 192.168.74.1.ntp > ntppub.le.ac.uk.ntp: NTPv4, Client, length 48 out slot1/tmm0 lis=
17:12:18.127730 IP 192.168.74.1.ntp > ntppub.le.ac.uk.ntp: NTPv4, Client, length 48 out slot1/tmm0 lis=
19 Feb 17:12:19 ntpdate[19913]: no server suitable for synchronization found
Using the IP address of the NTP server again yields the same results.
- Anthony
Nimbostratus
Night - I'm not able to ping this address that I've been using so far.
- Mui_64918
Cirrus
I missed the interface. tcpdump -s0 -i eth0 port 123 would show the traffic from the mgmt interface. You can also use ntpq peers, that will tell you if it was able to resolve the name and if it was able to reach.
- Mui_64918
Cirrus
Looks like the traffic is leaving LTM but no response from the server. Check if the response is hitting your firewall and if it's dropping.
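Added example, not part of any reply in this thread: a Python sketch that reads the ntpq "rv" variables and the tcpdump lines quoted above and separates "nothing leaves the box" from "requests leave but no reply comes back", the distinction the replies above arrive at. The sample input is constructed from the thread's output; the function names and result labels are assumptions of this example.

```python
import re

# Constructed sample input, copied in shape from the output quoted in this thread.
RV = """assID=12174 status=8000 unreach, conf, no events,
srcadr=ntppub.le.ac.uk, srcport=123, dstadr=192.168.74.1, dstport=123,
leap=11, stratum=16, refid=INIT, reach=000, unreach=37, hmode=3,"""
DUMP = """17:12:15.127766 IP 192.168.74.1.ntp > ntppub.le.ac.uk.ntp: NTPv4, Client, length 48
17:12:16.127683 IP 192.168.74.1.ntp > ntppub.le.ac.uk.ntp: NTPv4, Client, length 48"""

# tcpdump prints the port as "ntp", or as "123" when run with -n.
PKT = re.compile(r"IP (\S+)\.(?:ntp|123) > (\S+)\.(?:ntp|123): NTPv\d, (\w+)")

def parse_rv(text):
    """Return the name=value variables of an `ntpq -c "rv <assID>"` reply."""
    return dict(re.findall(r"(\w+)=([^,\s]+)", text))

def polls_answered(reach):
    """reach is an 8-bit shift register printed in octal: one bit per recent
    poll, set when a reply was accepted. 000 = none of the last eight."""
    return bin(int(reach, 8)).count("1")

def count_modes(dump, local):
    """Count client requests sent from `local` and server replies sent to it."""
    sent = recv = 0
    for src, dst, mode in PKT.findall(dump):
        if src == local and mode == "Client":
            sent += 1
        elif dst == local and mode == "Server":
            recv += 1
    return sent, recv

def diagnose(rv_text, dump):
    rv = parse_rv(rv_text)
    # dstadr in the rv output is the local address ntpd sends from.
    sent, recv = count_modes(dump, rv["dstadr"])
    if polls_answered(rv["reach"]) > 0:
        return "reachable"          # at least one recent poll was answered
    if sent == 0:
        return "no-egress"          # wrong capture interface or no route
    if recv == 0:
        return "no-reply"           # look at the return path for UDP 123
    return "replies-rejected"       # replies on the wire, none accepted by ntpd

if __name__ == "__main__":
    print(diagnose(RV, DUMP))
```
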
- Anthony
Nimbostratus
Interesting. I think all the firewall rules have been configured going out, so it might be that work is required on the inbound traffic instead.
Our network guys have confirmed that traffic is going out ok, but I don't think in all of our conversations we've even considered traffic coming in. I think because this is working on another set of F5s (on a different network) it was assumed to be allowed.
I will take this up with them in the morning and report back my findings!
Thanks all for the assistance so far.
- Anthony
Nimbostratus
Bit of an update. With some playing around with various rules we have been able to get the management IP to ping an external NTP server.
So next thing I'd like to do is configure the traffic to go from the External VLAN. I can find a few articles suggesting that this is possible, but I can't find an example of how to do it and what needs configuring. If someone has knowledge they could share on this it would be extremely helpful!
Thanks Ant
