[ntp:questions] ntpd not responding on localhost

Richard B. Gilbert rgilbert88 at comcast.net
Sat Feb 9 03:35:46 UTC 2008


Nick Bright wrote:
> I've installed and configured NTP on a RHEL 3 machine, and configured it 
> to query the US pool servers.
> 
> Unfortunately, because the firewall administrator this machine is behind 
> hasn't yet set up the firewall rules the time can't sync. At least I 
> assume that he hasn't done it, because the time isn't syncing.
> 
> ntpq> pe
>       remote     refid      st t when poll reach   delay   offset  jitter
> ========================================================================
>   217.160.254.116 0.0.0.0   16 u    -  128    0    0.000    0.000 4000.00
>   75.144.70.35    0.0.0.0   16 u    -  128    0    0.000    0.000 4000.00
>   72.232.254.202  0.0.0.0   16 u    -  128    0    0.000    0.000 4000.00
>   208.75.88.4     0.0.0.0   16 u    -  128    0    0.000    0.000 4000.00
> 
> However, if I execute "ntpdate -u localhost" it replies with:
> 
> ntpdate[8246]: no server suitable for synchronization found
> 
> I did verify that I can sync with an external source, though:
> 
> ntpdate -u 217.160.254.116
>   8 Feb 19:04:00 ntpdate[8247]: adjust time server 217.160.254.116 offset -0.302278 sec
> 
> So my questions are:
> 
> If the NTPD isn't synchronized with external servers, will it simply 
> ignore clients?
> 
> If it doesn't ignore clients, why would my ntpdate command run on the 
> local machine not be able to query the server? It can't be the firewall, 
> because iptables is completely disabled.
> 
> Thanks,

Assuming that you waited at least 30 minutes before printing that ntpq 
"banner", the servers you have configured are unreachable.

As I recall, ntpdate -u uses a "non-privileged port" whereas ntpdate and 
ntpd both normally use port 123.  This suggests that the firewall is 
passing ports 1025 and above and not port 123.  If ntpdate without the 
"-u" does not work, it would tend to confirm this hypothesis.

Get your firewall straightened out.  AFAIK there is no good reason to 
block port 123.
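
Added example, not part of the original thread: a small Python reader for the ntpq peer billboard quoted above. It decodes the octal "reach" column into the last eight poll results and reports which servers never answered. The function names are hypothetical, and the ten-column layout shown in the post is assumed.

```python
# Peer billboard copied from the quoted post (ntpq> pe).
SAMPLE = """\
     remote     refid      st t when poll reach   delay   offset  jitter
========================================================================
  217.160.254.116 0.0.0.0   16 u    -  128    0    0.000    0.000 4000.00
  75.144.70.35    0.0.0.0   16 u    -  128    0    0.000    0.000 4000.00
  72.232.254.202  0.0.0.0   16 u    -  128    0    0.000    0.000 4000.00
  208.75.88.4     0.0.0.0   16 u    -  128    0    0.000    0.000 4000.00
"""

# Tally codes that cannot start a host name. 'x' and 'o' are also tally
# codes, but are ambiguous once leading whitespace is lost, so they are
# not split off here.
TALLY = "*+-#."

def parse_peers(text):
    """Return one dict per peer row; header and ruler lines are skipped."""
    peers = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 10 or f[0] == "remote":
            continue
        tally = f[0][0] if f[0][0] in TALLY else " "
        reach = int(f[6], 8)          # reach is printed in octal
        peers.append({
            "remote": f[0][1:] if tally != " " else f[0],
            "tally": tally,
            "stratum": int(f[2]),
            "poll": int(f[5]),
            "reach": reach,
            "history": format(reach, "08b"),  # rightmost bit = latest poll
        })
    return peers

def diagnose(peer):
    """Classify a peer from its 8-bit reachability register."""
    if peer["reach"] == 0:
        return "unreachable"          # no reply to any of the last 8 polls
    return "ok" if peer["reach"] == 0o377 else "intermittent"

def summary(text):
    """Return (state per remote, seconds covered by 8 polls, all_down)."""
    peers = parse_peers(text)
    states = {p["remote"]: diagnose(p) for p in peers}
    window = 8 * max(p["poll"] for p in peers)  # at the current poll interval
    return states, window, all(s == "unreachable" for s in states.values())

if __name__ == "__main__":
    print(summary(SAMPLE))
```
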





