NTP synchronized: no

John Pilkington J.Pilk at tesco.net
Thu Sep 10 10:27:06 UTC 2015


On 10/09/15 00:01, Shaheen Bakhtiar wrote:
>
>> On Sep 9, 2015, at 3:47 PM, John Pilkington <J.Pilk at tesco.net> wrote:
>>
>> On 09/09/15 23:43, Ed Greshko wrote:
>>> On 09/10/15 06:18, John Pilkington wrote:
>>>> ... and (on my SL7 box) # tcpdump port 123
>>>> shows the outgoing probe and the response, for calculation of the transit time:
>>>>
>>>> 23:01:55.706587 IP HP_Box.home.ntp > vpn.webersheim.de.ntp: NTPv3, Client, length 48
>>>> 23:01:55.741872 IP vpn.webersheim.de.ntp > HP_Box.home.ntp: NTPv3, Server, length 48
>>>> 23:09:18.187249 IP HP_Box.home.ntp > 213.145.129.29.ntp: NTPv3, Client, length 48
>>>> 23:09:18.323093 IP 213.145.129.29.ntp > HP_Box.home.ntp: NTPv3, Server, length 48
>>>> 23:12:00.892883 IP HP_Box.home.ntp > srv02.privatcloud.dk.ntp: NTPv3, Client, length 48
>>>> 23:12:00.912962 IP srv02.privatcloud.dk.ntp > HP_Box.home.ntp: NTPv3, Server, length 48
>>>
>>> Nice to know....  Yet you really should consider trimming.  Otherwise you'll start to prove top-posters right.  :-) :-)
>>>
>> Yes: I wanted to show the contrast with the non-working log above, but should have trimmed the rest.
>>
>
> Top posting is the only way to go :P But that’s for a late night drunken argument on IRC :P
>
> For now I can validate that yes, indeed simply opening port 123 on the firewall was not enough (in fact, it’s not needed at all; I’ve subsequently removed it from iptables, and will do so from the ACL when I get back to the office). It looks like there has to be a stateful inspection of the packet going out, so that the NTP pool can respond to the client back on the same port, through the firewall. This most likely works for home and small business users as their routers are stateful. But it has to be set up for corporate routers, in my case with the commands I mentioned (and re-attached to the bottom of this email :)
>
> You can clearly see that the NTP pool is sending back a packet from port 123 (ntp) back to the same un-privileged port it received the packet from.
>
> The only reason to open port 123 inbound would be to act as a ntp server to other clients.
>
> [root@www tripwire]# systemctl restart chronyd
> [root@www tripwire]# tcpdump port 123
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on enp14s0, link-type EN10MB (Ethernet), capture size 262144 bytes
> 15:49:11.146312 IP 66-96-98-9.ccup.irmt.uplogon.net.ntp > www.inksystemsinc.com.50032: NTPv4, Server, length 48
> 15:49:11.282909 IP www.inksystemsinc.com.33805 > palpatine.steven-mcdonald.id.au.ntp: NTPv4, Client, length 48
> 15:49:11.295301 IP palpatine.steven-mcdonald.id.au.ntp > www.inksystemsinc.com.33805: NTPv4, Server, length 48
> 15:49:12.154596 IP www.inksystemsinc.com.37921 > cheri.shyou.org.ntp: NTPv4, Client, length 48
> 15:49:12.199266 IP cheri.shyou.org.ntp > www.inksystemsinc.com.37921: NTPv4, Server, length 48
> 15:49:12.355839 IP www.inksystemsinc.com.36254 > 23.99.222.162.ntp: NTPv4, Client, length 48
> 15:49:12.405257 IP 23.99.222.162.ntp > www.inksystemsinc.com.36254: NTPv3, Server, length 48
> 15:49:13.165008 IP www.inksystemsinc.com.45016 > 66-96-98-9.ccup.irmt.uplogon.net.ntp: NTPv4, Client, length 48
> 15:49:13.233225 IP 66-96-98-9.ccup.irmt.uplogon.net.ntp > www.inksystemsinc.com.45016: NTPv4, Server, length 48
> 15:49:13.366453 IP www.inksystemsinc.com.37220 > palpatine.steven-mcdonald.id.au.ntp: NTPv4, Client, length 48
> 15:49:13.378228 IP palpatine.steven-mcdonald.id.au.ntp > www.inksystemsinc.com.37220: NTPv4, Server, length 48
> 15:49:14.204110 IP www.inksystemsinc.com.44675 > cheri.shyou.org.ntp: NTPv4, Client, length 48
> 15:49:14.249188 IP cheri.shyou.org.ntp > www.inksystemsinc.com.44675: NTPv4, Server, length 48
> 15:49:14.432249 IP www.inksystemsinc.com.54356 > 23.99.222.162.ntp: NTPv4, Client, length 48
> 15:49:14.481175 IP 23.99.222.162.ntp > www.inksystemsinc.com.54356: NTPv3, Server, length 48
> 15:49:15.241817 IP www.inksystemsinc.com.50570 > 66-96-98-9.ccup.irmt.uplogon.net.ntp: NTPv4, Client, length 48
> 15:49:15.310147 IP 66-96-98-9.ccup.irmt.uplogon.net.ntp > www.inksystemsinc.com.50570: NTPv4, Server, length 48
> 15:49:15.445005 IP www.inksystemsinc.com.50433 > palpatine.steven-mcdonald.id.au.ntp: NTPv4, Client, length 48
> 15:49:15.457139 IP palpatine.steven-mcdonald.id.au.ntp > www.inksystemsinc.com.50433: NTPv4, Server, length 48
> 15:49:16.285339 IP www.inksystemsinc.com.60738 > cheri.shyou.org.ntp: NTPv4, Client, length 48
> 15:49:16.330519 IP cheri.shyou.org.ntp > www.inksystemsinc.com.60738: NTPv4, Server, length 48
> 15:49:16.489066 IP www.inksystemsinc.com.38469 > 23.99.222.162.ntp: NTPv4, Client, length 48
> 15:49:16.537935 IP 23.99.222.162.ntp > www.inksystemsinc.com.38469: NTPv3, Server, length 48
> 15:49:17.348502 IP www.inksystemsinc.com.51116 > 66-96-98-9.ccup.irmt.uplogon.net.ntp: NTPv4, Client, length 48
> 15:49:17.418904 IP 66-96-98-9.ccup.irmt.uplogon.net.ntp > www.inksystemsinc.com.51116: NTPv4, Server, length 48
> 15:49:17.549840 IP www.inksystemsinc.com.59677 > palpatine.steven-mcdonald.id.au.ntp: NTPv4, Client, length 48
> 15:49:17.561896 IP palpatine.steven-mcdonald.id.au.ntp > www.inksystemsinc.com.59677: NTPv4, Server, length 48
>
> ROUTER CONFIG:
>
> ISIR02#configure terminal
> Enter configuration commands, one per line.  End with CNTL/Z.
> ISIR02(config)#ip inspect name ge01_out_fw udp
> ISIR02(config)#interface gigabitEthernet 0/1.50
> ISIR02(config-subif)#ip inspect ge01_out_fw out
> ISIR02(config-subif)#exit
> ISIR02(config)#exit
> ISIR02#write mem
>

I would comment here that calling the ntp pool once a second looks like 
overkill.  If it doesn't settle down soon maybe it should be investigated.
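The two observations in the thread, that every reply comes from the server's port 123 back to whichever ephemeral port the client chose (so the reply is the return half of a client-initiated UDP flow, which is what the stateful `ip inspect` rule tracks), and that the client is polling the pool about once a second, can both be checked mechanically against a `tcpdump port 123` capture. The script below is an added example, not code from either poster: it parses tcpdump's NTP summary lines, pairs each `Server` packet with the `Client` request it answers using the same lookup a stateful firewall performs, reports replies that have no matching request in the capture (the only packets a static inbound `permit udp any eq 123` would have been admitting), and measures the polling cadence. The sample capture is constructed in the same format as the one quoted above; the hostnames in it are placeholders, not the hosts from the original capture.

```python
"""Check a 'tcpdump port 123' capture for client-initiated NTP flows and polling
cadence.  Added example, not code from the original posts."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float      # seconds since midnight, from the tcpdump timestamp
    shost: str
    sport: str     # tcpdump prints "ntp" for port 123, a number for ephemeral ports
    dhost: str
    dport: str
    role: str      # "Client" or "Server", as printed by tcpdump's NTP decoder


def parse_tcpdump(text):
    """Parse lines of the form
    HH:MM:SS.ffffff IP src.port > dst.port: NTPv4, Client, length 48
    Non-matching lines (tcpdump's banner, blank lines) are skipped."""
    pkts = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 9 or t[1] != "IP":
            continue
        h, m, s = t[0].split(":")
        ts = int(h) * 3600 + int(m) * 60 + float(s)
        shost, sport = t[2].rsplit(".", 1)
        dhost, dport = t[4].rstrip(":").rsplit(".", 1)
        pkts.append(Packet(ts, shost, sport, dhost, dport, t[6].rstrip(",")))
    return pkts


def match_flows(pkts):
    """Pair each Server reply with the Client request it answers: same server,
    same client host, same ephemeral client port.  This is the lookup a stateful
    firewall does before letting the reply back in.  Returns
    (matched, orphans): matched is a list of (server, client_port, rtt_seconds);
    orphans are replies with no preceding request in the capture."""
    pending = {}   # (client_host, client_port, server_host) -> request timestamp
    matched, orphans = [], []
    for p in pkts:
        if p.role == "Client" and p.dport == "ntp":
            pending[(p.shost, p.sport, p.dhost)] = p.ts
        elif p.role == "Server":
            key = (p.dhost, p.dport, p.shost)
            if p.sport == "ntp" and key in pending:
                matched.append((p.shost, p.dport, p.ts - pending.pop(key)))
            else:
                orphans.append(p)
    return matched, orphans


def poll_intervals(pkts):
    """Seconds between consecutive Client requests, per server and overall."""
    per_server, overall = defaultdict(list), []
    for p in pkts:
        if p.role == "Client":
            per_server[p.dhost].append(p.ts)
            overall.append(p.ts)
    gaps = lambda ts: [b - a for a, b in zip(ts, ts[1:])]
    return {srv: gaps(ts) for srv, ts in per_server.items()}, gaps(overall)


# Constructed sample in tcpdump's format; placeholder hostnames, not the
# hosts in the thread's capture.  The first reply has no request in the
# capture, as in the quoted output (capture started after chronyd restarted).
SAMPLE = """\
15:49:11.146312 IP pool-a.example.net.ntp > client.example.com.50032: NTPv4, Server, length 48
15:49:11.282909 IP client.example.com.33805 > pool-b.example.net.ntp: NTPv4, Client, length 48
15:49:11.295301 IP pool-b.example.net.ntp > client.example.com.33805: NTPv4, Server, length 48
15:49:12.154596 IP client.example.com.37921 > pool-c.example.net.ntp: NTPv4, Client, length 48
15:49:12.199266 IP pool-c.example.net.ntp > client.example.com.37921: NTPv4, Server, length 48
15:49:13.165008 IP client.example.com.45016 > pool-a.example.net.ntp: NTPv4, Client, length 48
15:49:13.233225 IP pool-a.example.net.ntp > client.example.com.45016: NTPv4, Server, length 48
15:49:13.366453 IP client.example.com.37220 > pool-b.example.net.ntp: NTPv4, Client, length 48
15:49:13.378228 IP pool-b.example.net.ntp > client.example.com.37220: NTPv4, Server, length 48
15:49:14.204110 IP client.example.com.44675 > pool-c.example.net.ntp: NTPv4, Client, length 48
15:49:14.249188 IP pool-c.example.net.ntp > client.example.com.44675: NTPv4, Server, length 48
15:49:15.241817 IP client.example.com.50570 > pool-a.example.net.ntp: NTPv4, Client, length 48
15:49:15.310147 IP pool-a.example.net.ntp > client.example.com.50570: NTPv4, Server, length 48
15:49:15.445005 IP client.example.com.50433 > pool-b.example.net.ntp: NTPv4, Client, length 48
15:49:15.457139 IP pool-b.example.net.ntp > client.example.com.50433: NTPv4, Server, length 48
"""

if __name__ == "__main__":
    pkts = parse_tcpdump(SAMPLE)
    matched, orphans = match_flows(pkts)
    per_server, overall = poll_intervals(pkts)
    for srv, port, rtt in matched:
        print(f"{srv:22s} reply to ephemeral port {port}: rtt {rtt * 1000:.1f} ms")
    for p in orphans:
        print(f"unmatched reply from {p.shost} to port {p.dport}")
    for srv, gaps in per_server.items():
        print(f"{srv:22s} poll gaps: {[round(g, 2) for g in gaps]}")
    print(f"overall mean gap between requests: {sum(overall) / len(overall):.2f} s")
```

Run it against a real capture with `tcpdump -n port 123 > cap.txt` and `parse_tcpdump(open("cap.txt").read())`; with `-n` the hosts come out as addresses instead of names, which the `rsplit(".", 1)` split handles the same way. Every matched reply has a source port of `ntp` and a destination port the client picked, which is why an inbound rule for port 123 never helps a pure client: nothing arrives at the client's port 123. Per-server gaps of a couple of seconds, as in the constructed sample and the quoted capture, are chrony's initial burst after a restart; if they never lengthen towards the usual minute-plus polling interval, that is the behaviour worth investigating.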
