[ntp:questions] My ntpd stopped working

Steve Kostecke kostecke at ntp.org
Mon Sep 17 20:41:47 UTC 2007


On 2007-09-17, rasmus <rasmusaa at gmail.com> wrote:
> On 17 Sep., 16:43, Steve Kostecke <koste... at ntp.org> wrote:
>
>> As a test I added your server to one of my ntpds. Your server has
>> remained in .INIT. for an extended period of time and shows no signs of
>> being reachable.

It turns out that I do see occasional NTP packets ... here's an example:

     remote           refid     st t when poll reach   delay ...
=============================================================...
 3404ds2-brh.0.f 87.106.95.189   3 u 105m 1024  100  127.535 ...

The 'reach' and the 'when' (time since last poll) columns are the
important ones.

The reach column displays the polls from right to left like this:

1
3
7
17
37
77
177
377

A reach of 100 indicates that the last 6 polls were missed.
6 polls @ 1024 sec = 6144 sec = 102.4 min
This corresponds to the time in the when column.

>> | 123/udp open|filtered ntp
>
> I got this as well when running my own tests. Running them from the
> inside, though, made me wonder about their strict validity. I have
> applied for a free ssh account on the net to be able to test from the
> outside but no response so far. I'll try another one.

>> Are you sure that your firewall is not blocking port 123/UDP?

It appears to me that you do have a firewall problem. It may be yours
or it may be your ISP's.

If your ntpd is to be able to receive polls from others (e.g. pool
clients, the ) you must have port 123/UDP _totally_ open (both incoming
and outgoing).

>> If you need to port forward 123/UDP to a machine behind your firewall,
>> are you sure that this is actually happening?
>
> If I enable debug out on my ntpd I get a lot of connections from all
> over the net. So I think that part is OK.
>
>> Is it possible that connections to your port 123/UDP are going to a
>> locked down ntpd on your firewall?
>
> If by 'locked down' you mean some 'restrict' line in the conf file,

No. Let me rephrase that. "Is it possible that connections on port
123/UDP are not being forwarded to the ntpd you intend to use as a public
time server?"

> then I have removed all of those. My ntp.conf is as originally posted
> with all restrict lines commented out.

I saw that file and can tell you that those restrictions could not have
blocked time service.

>> Does 'ntpdc -c monlist 90.184.3.208' show anything? You ought to see my
>> IP address in there...
>
> I get no response:
>
> 90.184.3.208: timed out, nothing received
> ***Request timed out
>
> If I use my internal interface address I get a bunch (snipped list):
>
> firewall ~ # ntpdc -c monlist 192.168.1.2
> remote address          port local address      count m ver code avgint  lstint
>===============================================================================
> 192.168.1.2            44069 192.168.1.2           21 7 2      0

This is looking more and more like a misconfigured firewall.

> This mirrors my own testing, where I get responses if I use my
> internal (192.168.1.2/127.0.0.1) interfaces but not the external one
> (the one on the outside of the DSL modem). I have not been able to
> determine where the responses get lost, though :(

firewall

>> Are you sure that ntpd is not using another configuration file?
>
> There is no -c on the command line so I gather that /etc/ntp.conf
> should be used by default.

Depending on your OS the default location for ntp.conf may, or may not,
be /etc/ntp.conf

> Also, the reason I wrote in with the 'puzzled' comment is that the
> pool seems, from time to time and seldomly, to have connection to my
> server. And that is at times I am definitely not touching the firewall/
> network. Indeed, not touching the box at all. mmm, I am wondering
> whether this phenomenon could be due to a lot of dropped packets? I'll
> go reduce my pool bandwidth and see what happens.

This sounds as though your firewall is opening port 123/UDP in response
to polls sent to remote time servers from your ntpd.

-- 
Steve Kostecke <kostecke at ntp.org>
NTP Public Services Project - http://support.ntp.org/
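
Added example (not part of the original post and not NTP project code): the reach arithmetic from the message above, decoded from the ntpq peer line it quotes. It assumes reach is an 8-bit shift register printed in octal with the newest poll in the lowest bit, and that the poll interval stayed at the displayed value; the function names are made up for this illustration.

```python
def shift(reg: int, replied: bool) -> int:
    """Advance the 8-bit reach register by one poll; bit 0 is the newest poll."""
    return ((reg << 1) | int(replied)) & 0xFF

def history(replies) -> list:
    """Octal reach values shown after each poll, starting from an empty register."""
    reg, shown = 0, []
    for replied in replies:
        reg = shift(reg, replied)
        shown.append(format(reg, "o"))
    return shown

def missed_since_last_reply(reach_octal: str):
    """Count of most-recent polls that got no reply (None if all 8 were missed)."""
    reg = int(reach_octal, 8) & 0xFF
    if reg == 0:
        return None
    return (reg & -reg).bit_length() - 1   # number of trailing zero bits

_UNITS = {"m": 60, "h": 3600, "d": 86400}  # ntpq suffixes; no suffix means seconds

def when_seconds(when: str):
    """Convert the 'when' column to seconds ('-' means nothing received yet)."""
    if when == "-":
        return None
    if when[-1] in _UNITS:
        return int(when[:-1]) * _UNITS[when[-1]]
    return int(when)

def assess(peer_line: str) -> dict:
    """Compare the silence implied by 'reach' and 'poll' with the 'when' column."""
    # Column 0 is the tally code; the remaining fields are whitespace separated.
    fields = peer_line[1:].split()
    when, poll, reach = fields[4], int(fields[5]), fields[6]
    missed = missed_since_last_reply(reach)
    age = when_seconds(when)
    # Rough check (assumes a constant poll interval): 'when' should fall
    # between `missed` and `missed + 1` poll intervals.
    consistent = (missed is not None and age is not None
                  and missed * poll <= age < (missed + 1) * poll)
    return {"reach": reach, "missed": missed, "when_s": age,
            "silent_for_s": None if missed is None else missed * poll,
            "consistent": consistent}

# Peer line as quoted in the message (the columns it elides are left out).
SAMPLE = " 3404ds2-brh.0.f 87.106.95.189   3 u 105m 1024  100  127.535"

if __name__ == "__main__":
    print(history([True] * 8))   # eight answered polls in a row
    print(assess(SAMPLE))
```

A healthy, reachable server settles at 377; a value that keeps sliding back toward 0 between isolated replies is the pattern discussed in this thread.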
