[ntp:questions] Problem syncing NTP behind NAT

Ken Link klink at numberzero.org
Fri Apr 6 02:38:36 UTC 2012


Hello,

I'm trying to sync two NTP clients behind the same NAT to an Internet
NTP server. Both machines behind the NAT have the same NTP
configuration file and are running v4.2.6p4 on Windows XP. The NTP
server outside the NAT is running v4.2.6p3 on Ubuntu 10.04 LTS. The
problem I'm having is that one of the machines behind the NAT is able
to sync to the external server, while the other isn't.

This is what I'm seeing: I'll start NTP on one of the machines behind
the NAT (let's call it machine A). Via wireshark on machine A and
tcpdump on the external server I can see the NTP v4 client request
leave the NAT and arrive at the external server. The NTP debug log on
the external server shows it got the request ("receive: at 5 [local
IP]<-[machine A's IP] mode 3 len 48") and immediately sends a response
as expected ("transmit: at 5 [local IP]->[machine A's IP] mode 4 len
48"). Machine A sees the server response and thanks to iburst quickly
syncs to the machine, all good.

Now I stop NTP on machine A and start NTP on machine B. The client
request goes out the NAT, and I see the request coming into the
external server with tcpdump. But, NTP on the external server doesn't
respond. In fact, the debug from NTP doesn't even have a "receive"
line for the request. Machine B never sees a response and continues to
retry, but gets stuck and keeps the external server in the init state,
never syncing.

The order I start/stop NTP doesn't make a difference. With both
machines running NTP it doesn't make a difference. The external server
will always respond to machine A, and never respond to machine B.
Tcpdump captures from both scenarios reveal very few differences
between the NTP client requests. What could be the problem? It
shouldn't have anything to do with port forwarding, since these are
outgoing requests. I don't have access to the router but I can
guarantee neither machine A or machine B have any unique routing rules
in the network.

Thanks in advance!

Ken
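The exchange described above (a 48-byte mode 3 client request answered by a 48-byte mode 4 server reply, which is what the "mode 3 len 48" / "mode 4 len 48" debug lines refer to) as an added example in Python. This is not code from the original post or from the ntp project; it packs and unpacks the RFC 5905 header, reproduces ntpd's "mode N len M" summary, diffs two captured requests field by field so the two clients' packets can be compared the way the post attempts by eye, and computes offset and delay from the four timestamps. The timestamps, the stratum-2 reply and the "GPS" reference ID are constructed values, not anything from the post.

```python
"""NTPv4 packet construction, parsing and capture comparison (RFC 5905 layout).

Added example, not code from the original post or from the ntp project.
All timestamps and the "captured" requests used below are constructed inline.
"""
import struct
import time

NTP_EPOCH_OFFSET = 2208988800             # seconds from 1900-01-01 to the Unix epoch
HEADER_FMT = "!BBbbII4sQQQQ"              # flags, stratum, poll, precision, rootdelay,
                                          # rootdisp, refid, ref/orig/recv/xmit stamps
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 48 bytes: the "len 48" in ntpd's debug lines


def to_ntp_ts(unix_seconds):
    """Unix float seconds -> 64-bit NTP stamp (32-bit seconds since 1900 | 32-bit fraction)."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32)) & 0xFFFFFFFF
    return ((whole + NTP_EPOCH_OFFSET) << 32) | frac


def from_ntp_ts(ntp_ts):
    """64-bit NTP stamp -> Unix float seconds; an all-zero field stays 0.0 (unset)."""
    if ntp_ts == 0:
        return 0.0
    return (ntp_ts >> 32) - NTP_EPOCH_OFFSET + (ntp_ts & 0xFFFFFFFF) / float(1 << 32)


def build_packet(mode, transmit_unix, stratum=0, poll=6, precision=-20,
                 refid=b"\0\0\0\0", reference=0, origin=0, receive=0):
    """Pack one 48-byte NTPv4 header with LI=0, VN=4 and root delay/dispersion 0.
    reference/origin/receive are raw 64-bit NTP stamps (0 = unset); transmit is Unix."""
    li_vn_mode = (0 << 6) | (4 << 3) | (mode & 7)
    return struct.pack(HEADER_FMT, li_vn_mode, stratum, poll, precision, 0, 0,
                       refid, reference, origin, receive, to_ntp_ts(transmit_unix))


def build_client_request(transmit_unix=None):
    """Mode 3 request as a client sends it: only the transmit stamp (T1) is filled in."""
    return build_packet(3, time.time() if transmit_unix is None else transmit_unix)


def build_server_reply(request, receive_unix, transmit_unix, stratum=2, refid=b"GPS\0"):
    """Mode 4 reply: echoes the client's transmit stamp as origin (T1), sets receive (T2)
    and transmit (T3). The default stratum and refid are made-up example values."""
    req = parse_packet(request)
    return build_packet(4, transmit_unix, stratum=stratum, refid=refid,
                        reference=to_ntp_ts(receive_unix), origin=req["transmit_raw"],
                        receive=to_ntp_ts(receive_unix))


def parse_packet(data):
    """Decode the header of a captured UDP payload into a dict of named fields."""
    if len(data) < HEADER_LEN:
        raise ValueError("short NTP packet: %d bytes" % len(data))
    f = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    return {
        "li": f[0] >> 6, "vn": (f[0] >> 3) & 7, "mode": f[0] & 7,
        "stratum": f[1], "poll": f[2], "precision": f[3],
        "root_delay": f[4] / 65536.0, "root_dispersion": f[5] / 65536.0,
        "refid": f[6],
        "reference": from_ntp_ts(f[7]), "origin": from_ntp_ts(f[8]),
        "receive": from_ntp_ts(f[9]), "transmit": from_ntp_ts(f[10]),
        "transmit_raw": f[10], "length": len(data),
    }


def summarize(data):
    """The 'mode N len M' form ntpd prints in its receive:/transmit: debug lines."""
    p = parse_packet(data)
    return "mode %d len %d" % (p["mode"], p["length"])


def diff_packets(a, b, ignore=("transmit", "transmit_raw")):
    """Header fields that differ between two captured packets. The transmit stamp is
    ignored by default because every request carries a fresh T1."""
    pa, pb = parse_packet(a), parse_packet(b)
    return {k: (pa[k], pb[k]) for k in pa if k not in ignore and pa[k] != pb[k]}


def offset_and_delay(t1, t2, t3, t4):
    """RFC 5905 clock offset and round-trip delay from the four exchange timestamps."""
    return ((t2 - t1) + (t3 - t4)) / 2.0, (t4 - t1) - (t3 - t2)


if __name__ == "__main__":
    t1 = 1333672716.000                    # constructed client transmit time (T1)
    req = build_client_request(t1)
    reply = build_server_reply(req, t1 + 0.010, t1 + 0.012)   # constructed T2, T3
    t4 = t1 + 0.030                        # constructed client receive time (T4)
    r = parse_packet(reply)
    print(summarize(req), "->", summarize(reply))
    print("offset %.6f s, delay %.6f s" % offset_and_delay(
        r["origin"], r["receive"], r["transmit"], t4))
    # A second "captured" request that differs only in its version number.
    other = bytes([(3 << 3) | 3]) + req[1:]
    print("differences:", diff_packets(req, other))
```

To use this on the real captures, export the UDP payload of one request from machine A and one from machine B (Wireshark: right-click the NTP layer, Export Packet Bytes) and pass the two byte strings to diff_packets; anything other than the transmit stamp showing up in the result is a header-level difference between the two clients. If the result is empty, the header is not what distinguishes them and the difference lies in the IP/UDP layers the NAT rewrites (addresses, source port) or on the server side rather than in the NTP payload.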

