[ntp:questions] ISP blocked port 123

Brian Inglis Brian.Inglis at SystematicSw.ab.ca
Tue Sep 17 02:48:32 UTC 2013


On 2013-09-16 15:35, Charles Swiger wrote:
> Hi--
>
> On Sep 16, 2013, at 2:28 PM, Bert Gøtterup Petersen <BUP at bang-olufsen.dk> wrote:
>> Well we see different issues in different countries.
>>
>> The problem that I am in the development department, but the individual customer issue happens
>> in the field somewhere fare away and handled by people how understand little about IT...
>>
>> I am looking for a generic 'plan B' which will solve these different issues all at once, not one by one.
>
> Configure a VPN or IPsec tunnelling to someplace without broken network connectivity?
> The NTP port is a well-known standard....

Before installing the full service, you could do some basic checks like nslookup 
pool.ntp.org, then trace{route,rt} pool.ntp.org, then ntpq -p pool.ntp.org, then 
ntpdate -q pool.ntp.org, then ntpd -q with a minimal test ntp.conf (perhaps 
containing only a pool pool.ntp.org statement), finally ntpd -q with your full 
ntp.conf, check you get reasonable exit codes and output, you and should be able 
to get a good idea if there are any issues.

Do not try *ping* as it is normally blocked to dedicated NTP servers and NTP 
packets are about the same size anyway.

Normally arranging port 123 access to the Internet is a customer responsibility 
which they have to resolve with their ISP if there is a problem.
To contact the ISP on the customer's behalf, you need a 24x7 multilingual 
support group, who can get the customer ISP/Telco account and contact info from 
the customer, and follow up with the ISP on their behalf.

Alternatively, you could try to automate this process with whois lookups of the 
traceroute addresses until you find the ISP and contact info, and email them a 
request in their local language, ccing the customer and your company support 
addresses.


More information about the questions mailing list