Forum Discussion

swo0sh_gt_13163's avatar
swo0sh_gt_13163
Icon for Altostratus rankAltostratus
Apr 22, 2015

NTP time difference between Active / Standby appliance

Hello Folks,

It has been quite sometime when I post a question on DevCentral. So here we go, I have 2 F5 A/S appliances. Both are pointing to 2 NTP servers as 10.13.1.11 and 10.13.1.12. NTP traffic is passing through other than Management Interface so far.

What has been observed is, Active appliance is showing correct time as per the NTP server, however the standby appliance is showing 3 minutes of difference compare to the Active appliance. Even you sync the time manually, it slowly experience delay, and time difference start getting increased between both of the appliances.

Following is the result of the NTPQ -PN from Active and standby.

[root@Company_F5-3900U1:Active:In Sync] config  ntpq -np
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 10.13.1.12      10.13.1.11       2 u   19   64  377    2.077  -43725.  11.051
 10.13.1.11      .LOCL.           1 u   59   64


[root@Company_F5-3900U2:Standby:In Sync] config  ntpq -pn
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 10.13.1.12      10.13.1.11       2 u   18   64  377    1.947  -222609  33.485
 10.13.1.11      .LOCL.           1 u   21   64  377    1.953  -222588  28.426

If you see the Offset value on Standby appliance, that justifies the fact why there is a time difference between Active and Standby unit. The NTP servers are reachable via a DMZ interface i.e. 1.1. Both of the appliances have same configured of interfaces along with the media settings.

Following is the interface property of both of the appliances, which is exactly same.

   root@(Company_F5-3900U2)(cfg-sync In Sync)(Standby)(/Common)(tmos) list net interface 1.1
net interface 1.1 {
    if-index 80
    mac-address 00:01:d7:e6:6d:44
    media-active 1000T-FD
    media-max 1000T-FD
    mtu 1800
}

Any help?

Darshan

management
ntp
  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Apr 22, 2015

    i think i do not see asterisk (*) prefix to remote field.

    e.g.

    [root@ve11c:Active:In Sync] config  ntpq -np
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.168.11.168  192.168.11.220   2 u  415 1024  377  185.643   -0.214   1.483

    sol10240: Verifying NTP peer server communications

    https://support.f5.com/kb/en-us/solutions/public/10000/200/sol10240.html
  • swo0sh_gt_13163's avatar
    swo0sh_gt_13163
    Icon for Altostratus rankAltostratus
    Apr 22, 2015

    Hello Nitass,

     

    What if F5 is not taking/seeing it as a preferred NTP server? How can I have the * sign to the preferred server?

     

    Thank you, Darshan

     

  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Apr 22, 2015

    What if F5 is not taking/seeing it as a preferred NTP server?

     

    i think bigip has received response (because refid is not .INIT.). sol10240 states peer does not meet requirement. can you try another ntp server e.g. public ntp server?

     

  • swo0sh_gt_13163's avatar
    swo0sh_gt_13163
    Icon for Altostratus rankAltostratus
    Apr 23, 2015

    Couldn't get it. How can I check the requirement of an NTP to configure with F5? I doubt I can use a public NTP server, as F5 doesn't have internet access.

     

    Is there a way to justify the fact that defined NTP servers are not meeting the requirement?

     

  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Apr 23, 2015

    How can I check the requirement of an NTP to configure with F5?

     

    it is ntpd's requirement (not f5's requirement).

     

  • What_Lies_Bene1's avatar
    What_Lies_Bene1
    Icon for Cirrostratus rankCirrostratus
    Apr 23, 2015

    That's a huge offset, probably enough to 'throw' ntpd. Can I suggest:

     

    • a) Remove 10.13.1.12 as its simply a slave/client of .11.

       

    • b) Manually change the date/time so its a bit closer to that of .11 so the offset isn't so large

       

    • c) The jitter also seems very high too, is the network path to .11 stable? Is the firewall its passing through under high load?

       

  • swo0sh_gt_13163's avatar
    swo0sh_gt_13163
    Icon for Altostratus rankAltostratus
    Apr 23, 2015

    @What Lies Beneath

     

    a) I can remove, not an issue. b) I did that in past with the same customer, again the offset and jitter got increased a lot. c) The link looks stable, and Firewall isn't much occupied while transmitting DMZ to LAN traffic.

     

    The fact is, primary appliance doesn't seem to have offset value. Which is passing through the same link as Secondary.

     

  • What_Lies_Bene1's avatar
    What_Lies_Bene1
    Icon for Cirrostratus rankCirrostratus
    Apr 23, 2015

    OK, you post the output of the following please:

     

    ntpq ntpq> as

     

    Record the association ID

     

    ntpq> rv ass_ID

     

    Cheers

     

  • swo0sh_gt_13163's avatar
    swo0sh_gt_13163
    Icon for Altostratus rankAltostratus
    Apr 24, 2015

    It is NTP I believe. How can I confirm if the destination is actually SNTP and not NTP? Any idea?

     

    • nitass's avatar
      nitass
      Icon for Employee rankEmployee
      Apr 24, 2015
      no idea yet. i think packet cannot tell. Brief Overview of NTP and SNTP Operation https://community.extremenetworks.com/extreme/topics/brief_overview_of_ntp_and_sntp_operation