New Member
Posts: 19
Registered: 2 weeks ago

Re: Need help fix ntp error


BranoB wrote:

You are using Norton ConnectSafe DNS filtering services (199.85.126.30 & 199.85.127.30)

  1. You have this incorrectly configured for LAN forwarding since your 2nd DNS server is 8.8.8.8, allowing bypass of the filter ... remove the Google server and add the secondary Norton server
  2. You have ConnectSafe configured for the router itself, which may be causing your NTP resolution issues ... remove both Norton servers and use Google DNS.

EDIT: None of the Norton servers is pingable, which worries me; your LAN may be using the single 8.8.8.8 Google server you have configured and the router is timing out.

https://dns.norton.com/faq.html

I updated DNS forwarding to use Google DNS, still the same issue.

Established Member
Posts: 1,787
Registered: ‎08-06-2015
Kudos: 732
Solutions: 106

Re: Need help fix ntp error


tongyu wrote:

<WAN ip>.123 > 96.114.156.232.123: NTPv4, length 48
<WAN ip>.65267 > 17.253.14.253.123: NTPv3, length 48
17.253.14.253.123 > <WAN ip>.65267: NTPv3, length 48

The three lines above, extracted from the posted output:

  • The first two lines show outbound NTP requests while the third shows an NTP response.
  • The first line is from your router itself and the second line is from an internal host on your LAN.
  • The third line is the response to your internal host.

You want to see a line similar to the third, but to your router. If you don't see those then it is possible your provider is blocking the outbound queries based on the source port.

Once you correct the DNS configuration and restart NTP you should see four servers listed. Then when you run the tcpdump you'll want to watch for NTP packets with both source and destination ports of 123 (the fifth octet after the IP in the tcpdump output) in both directions for all four NTP servers. If you see repeated outbound queries from your router but do not see any responses then your ISP indeed would appear to be blocking NTP based on source port.
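To make that check concrete, here is an added example (my own code, not from the thread or from EdgeOS) that parses tcpdump lines of the form quoted above, labels each packet as a router request (source port 123, ntpd acting as a server) or a NAT'd LAN client request (ephemeral source port) and the matching responses, and lists the servers the router queried 123-to-123 without ever getting a 123-to-123 reply. The WAN address 203.0.113.5 and the capture lines are constructed stand-ins for the `<WAN ip>` output in the post.

```python
import re

# Constructed sample in tcpdump's "host.port > host.port: NTPvN, length N" form;
# 203.0.113.5 is a stand-in for the router's WAN address (shown as <WAN ip> in the thread).
ROUTER_WAN = "203.0.113.5"
SAMPLE_CAPTURE = """\
203.0.113.5.123 > 96.114.156.232.123: NTPv4, length 48
203.0.113.5.65267 > 17.253.14.253.123: NTPv3, length 48
17.253.14.253.123 > 203.0.113.5.65267: NTPv3, length 48
203.0.113.5.123 > 96.114.156.232.123: NTPv4, length 48
203.0.113.5.123 > 68.87.34.71.123: NTPv4, length 48
68.87.34.71.123 > 203.0.113.5.123: NTPv4, length 48
"""

LINE_RE = re.compile(
    r"^(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"NTPv(?P<ver>\d), length (?P<length>\d+)$"
)

def parse_line(line):
    """Split one tcpdump NTP line into endpoints and ports; None if it is not an NTP line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"], pkt["dport"] = int(pkt["sport"]), int(pkt["dport"])
    return pkt

def classify(pkt, router_ip):
    """Label a packet by direction and by the NTP role its source port implies."""
    if pkt["src"] == router_ip and pkt["dport"] == 123:
        # ntpd on the router sends from 123; a NAT'd LAN client shows an ephemeral port
        return "router-request" if pkt["sport"] == 123 else "lan-request"
    if pkt["dst"] == router_ip and pkt["sport"] == 123:
        return "router-response" if pkt["dport"] == 123 else "lan-response"
    return "other"

def unanswered_router_queries(capture, router_ip):
    """Map each server the router queried 123->123 with no 123->123 reply to its query count."""
    sent, answered = {}, set()
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        kind = classify(pkt, router_ip)
        if kind == "router-request":
            sent[pkt["dst"]] = sent.get(pkt["dst"], 0) + 1
        elif kind == "router-response":
            answered.add(pkt["src"])
    return {srv: n for srv, n in sent.items() if srv not in answered}
```

Feed it the output of `tcpdump -n -i eth0 udp port 123` after restarting NTP; a server that keeps appearing in the result while LAN clients get their replies is the pattern the post above describes.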

 

 

Senior Member
Posts: 3,411
Registered: ‎05-15-2014
Kudos: 1174
Solutions: 239

Re: Need help fix ntp error

[ Edited ]

tongyu wrote:

BranoB wrote:

You are using Norton ConnectSafe DNS filtering services (199.85.126.30 & 199.85.127.30)

  1. You have this incorrectly configured for LAN forwarding since your 2nd DNS server is 8.8.8.8, allowing bypass of the filter ... remove the Google server and add the secondary Norton server
  2. You have ConnectSafe configured for the router itself, which may be causing your NTP resolution issues ... remove both Norton servers and use Google DNS.

EDIT: None of the Norton servers is pingable, which worries me; your LAN may be using the single 8.8.8.8 Google server you have configured and the router is timing out.

https://dns.norton.com/faq.html

I updated DNS forwarding to use Google DNS, still the same issue.

The router is using the system DNS servers, not the forwarding servers. If you want the router to use the forwarding servers then set the system DNS server to 172.0.0.1

New Member
Posts: 19
Registered: 2 weeks ago

Re: Need help fix ntp error

I changed the system DNS to 127.0.0.1, still not working. I also tried removing the statically assigned system DNS server and using the ISP DNS servers from DHCP, still the same issue. I don't think it's DNS resolution related at this point.

Is it possible to change the default NTP source port to something other than 123, to test whether this is causing the issue?

Established Member
Posts: 1,787
Registered: ‎08-06-2015
Kudos: 732
Solutions: 106

Re: Need help fix ntp error

[ Edited ]

After changing the DNS settings and restarting NTP, have you confirmed first that you do see four servers listed? That needs to be addressed first, then you can move to the next step.

There appear to be multiple issues, so you need to approach them one by one.

No, you can't change the source port that is used - that is part of the standard for how an NTP server should behave, so there is no such option. There is a thread about attempting to use NAT to address this but it does not appear there was success - but at this point that would only add significant confusion and we haven't confirmed the issues yet.

 

 

New Member
Posts: 19
Registered: 2 weeks ago

Re: Need help fix ntp error

After restarting the NTP service, only one NTP server is listed, so that's quite strange; however, I am able to ping all 4 default NTP servers by name, and the names resolve successfully.

New Member
Posts: 19
Registered: 2 weeks ago

Re: Need help fix ntp error

If Win/Linux can perform NTP sync with higher UDP ports, I think the issue is with EdgeOS.

The network packets from the external NTP server are the same whether they were initiated from Win/Linux or EdgeOS; the only difference is the outbound network packets. It looks like EdgeOS is using UDP port 123 for the NTP client, and that's causing the ISP to block it, while Win/Linux NTP clients are using a higher UDP port that's not subject to the ISP blocking.

Senior Member
Posts: 4,785
Registered: ‎03-24-2016
Kudos: 1305
Solutions: 554

Re: Need help fix ntp error

Did you already try the suggestion in post #3 link?

New Member
Posts: 19
Registered: 2 weeks ago

Re: Need help fix ntp error


16again wrote:

Did you already try the suggestion in post #3 link?

Yes I did, still not working with the NAT rule added; here is the output:

admin@ubnt:~$ show nat statistics
rule  count       type  IN        OUT       description
----  ----------  ----  --------  --------  -----------
5001  1           MASQ  -         eth0      NTP_ChangeSourcePort
5010  32071       MASQ  -         eth0      masquerade for WAN
admin@ubnt:~$ ntpq -p 0.pool.ntp.org
0.pool.ntp.org: timed out, nothing received
***Request timed out
admin@ubnt:~$ show nat statistics
rule  count       type  IN        OUT       description
----  ----------  ----  --------  --------  -----------
5001  4           MASQ  -         eth0      NTP_ChangeSourcePort
5010  32099       MASQ  -         eth0      masquerade for WAN

Established Member
Posts: 1,787
Registered: ‎08-06-2015
Kudos: 732
Solutions: 106

Re: Need help fix ntp error


tongyu wrote:

If Win/Linux can perform NTP sync with higher UDP ports, I think the issue is with EdgeOS.

The network packets from the external NTP server are the same whether they were initiated from Win/Linux or EdgeOS; the only difference is the outbound network packets. It looks like EdgeOS is using UDP port 123 for the NTP client, and that's causing the ISP to block it, while Win/Linux NTP clients are using a higher UDP port that's not subject to the ISP blocking.

No, you are missing the difference. There is no "problem", and the reference NTPd that is part of EdgeOS is behaving exactly as it should and as documented in the standards, including the various RFCs for the various versions.

If you have a device acting as an NTP client it will use a higher port for the source. If you have a device acting as an NTP server it will use 123 for the source port - that is how NTP servers identify active associations. I have many platforms and all that use an NTP server behave the same. Windows (clients and servers) do not act as NTP servers, regardless of whether they serve time to others.

Your ISP, if it is indeed blocking based on the source port, is where the problem would be. They are breaking internet standard RFCs by doing so, which may be their intent.

If you simply restart NTP rather than rebooting your router, do you see all four servers listed or do you still see only one or two? If the latter, there is something else wrong with your router that needs to be corrected. If NTPd is unable to resolve hostnames even if you can do so manually then that indicates there may be other problems.

 

Established Member
Posts: 1,787
Registered: ‎08-06-2015
Kudos: 732
Solutions: 106

Re: Need help fix ntp error


tongyu wrote:

Yes I did, still not working with the NAT rule added; here is the output:

admin@ubnt:~$ show nat statistics
rule  count       type  IN        OUT       description
----  ----------  ----  --------  --------  -----------
5001  1           MASQ  -         eth0      NTP_ChangeSourcePort
5010  32071       MASQ  -         eth0      masquerade for WAN
admin@ubnt:~$ ntpq -p 0.pool.ntp.org
0.pool.ntp.org: timed out, nothing received
***Request timed out
admin@ubnt:~$ show nat statistics
rule  count       type  IN        OUT       description
----  ----------  ----  --------  --------  -----------
5001  4           MASQ  -         eth0      NTP_ChangeSourcePort
5010  32099       MASQ  -         eth0      masquerade for WAN

Note that 'ntpq' does not use the same method of communication that ntpd would use and is not a good test for NTPd connectivity.

Many NTP servers in fact will themselves not respond to mode 6 queries (those used by ntpq) intentionally. For instance the default configuration on EdgeOS includes the 'noquery' option for any hosts other than localhost. This is a standard best practice as mode 6 queries can be used in DoS amplification attacks.

ntpq would not use 123 as the source port and so would not be affected by any SNAT rules.

 

 

New Member
Posts: 19
Registered: 2 weeks ago

Re: Need help fix ntp error

After restarting NTP, only 2 of the 4 NTP servers are listed:

admin@ubnt:~$ show ntp
     remote           local      st poll reach  delay   offset    disp
=======================================================================
=68.87.34.71     73.199.76.194   16   64    0 0.00000  0.000000 3.99217
=96.114.156.232  73.199.76.194   16   64    0 0.00000  0.000000 3.99217
admin@tong-ubnt:~$

New Member
Posts: 19
Registered: 2 weeks ago

Re: Need help fix ntp error


waterside wrote:

tongyu wrote:

If Win/Linux can perform NTP sync with higher UDP ports, I think the issue is with EdgeOS.

The network packets from the external NTP server are the same whether they were initiated from Win/Linux or EdgeOS; the only difference is the outbound network packets. It looks like EdgeOS is using UDP port 123 for the NTP client, and that's causing the ISP to block it, while Win/Linux NTP clients are using a higher UDP port that's not subject to the ISP blocking.

No, you are missing the difference. There is no "problem", and the reference NTPd that is part of EdgeOS is behaving exactly as it should and as documented in the standards, including the various RFCs for the various versions.

If you have a device acting as an NTP client it will use a higher port for the source. If you have a device acting as an NTP server it will use 123 for the source port - that is how NTP servers identify active associations. I have many platforms and all that use an NTP server behave the same. Windows (clients and servers) do not act as NTP servers, regardless of whether they serve time to others.

Your ISP, if it is indeed blocking based on the source port, is where the problem would be. They are breaking internet standard RFCs by doing so, which may be their intent.

If you simply restart NTP rather than rebooting your router, do you see all four servers listed or do you still see only one or two? If the latter, there is something else wrong with your router that needs to be corrected. If NTPd is unable to resolve hostnames even if you can do so manually then that indicates there may be other problems.

 


ntp never worked on this router before, but my previous asus router, as well as the cisco switch never had any problem with external ntp sync.  I can hardly believe this is caused by ISP blocking.

Established Member
Posts: 1,787
Registered: ‎08-06-2015
Kudos: 732
Solutions: 106

Re: Need help fix ntp error

I would wonder if it is an ISP issue (hence the reason I repeatedly noted this needs to be confirmed).

If your NTP is still having trouble resolving hostnames after you've corrected the 'system name-server' entries (and committed) and confirmed you're able to resolve those names on the router manually, there is something else wrong.

What version of EdgeOS are you running?

What does your /etc/ntp.conf look like (it should be short so you can cut-n-paste)?

Similar for your /etc/hosts?

 

New Member
Posts: 19
Registered: 2 weeks ago

Re: Need help fix ntp error

EdgeOS version: 1.9.7+hotfix4

 

ntp.conf

# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help

# This configuration file is automatically generated by the Vyatta
# configuration subsystem.  Please do not manually edit it.
#
# The first section of this file consists of static parameters
# that can not be changed via the Vyatta configuration subsystem.
#

driftfile /var/lib/ntp/ntp.drift

# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1

#
# The remainder of this file is for parameters that are set up via
# the Vyatta configuration subsystem.
#

server 0.ubnt.pool.ntp.org iburst
server 1.ubnt.pool.ntp.org iburst
server 2.ubnt.pool.ntp.org iburst
server 3.ubnt.pool.ntp.org iburst

/etc/hosts

127.0.0.1 localhost

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

127.0.1.1        ubnt       #vyatta entry
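The 'noquery' best practice mentioned earlier in the thread (mode 6 queries being usable for DoS amplification) can be turned into a quick audit of a file like the ntp.conf posted above. This is an added example of my own, not EdgeOS or Vyatta code: it parses the restrict lines and reports any default entry that would still answer ntpq-style mode 6 queries, or any non-loopback host entry that lacks noquery. The sample configuration is constructed from the posted file with the IPv6 default line deliberately weakened so the audit has a finding to show.

```python
import shlex

# Flags a 'restrict default' line needs so ntpd only serves time (no control queries).
REQUIRED_DEFAULT_FLAGS = {"kod", "notrap", "nomodify", "nopeer", "noquery"}
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed ntp.conf text modelled on the EdgeOS file posted above, with the IPv6
# default line deliberately weakened (no 'noquery') so the audit has something to report.
SAMPLE_CONF = """\
driftfile /var/lib/ntp/ntp.drift
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer
restrict 127.0.0.1
restrict ::1
server 0.ubnt.pool.ntp.org iburst
"""

def parse_restricts(conf_text):
    """Return (family, address, flags) for every 'restrict' line, comments stripped."""
    entries = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("restrict"):
            continue
        toks = shlex.split(line)[1:]
        family = toks.pop(0) if toks and toks[0] in ("-4", "-6") else "any"
        address = toks.pop(0) if toks else "default"
        if toks[:1] == ["mask"]:      # drop 'mask <netmask>' so it is not read as a flag
            del toks[:2]
        entries.append((family, address, set(toks)))
    return entries

def audit_mode6_exposure(conf_text):
    """List restrict lines that would still let remote hosts issue ntpq (mode 6) queries."""
    findings, defaults_seen = [], set()
    for family, address, flags in parse_restricts(conf_text):
        if address == "default":
            defaults_seen.add(family)
            missing = REQUIRED_DEFAULT_FLAGS - flags
            if missing:
                findings.append(f"restrict {family} default lacks {sorted(missing)}")
        elif address not in LOOPBACK and "noquery" not in flags:
            findings.append(f"restrict {address} allows mode 6 queries from that host/net")
    for fam in ("-4", "-6"):
        if fam not in defaults_seen and "any" not in defaults_seen:
            findings.append(f"no 'restrict {fam} default' line: all hosts unrestricted")
    return findings
```

Run against the file as actually posted (both default lines carrying noquery) the audit returns an empty list, which is the expected state for an EdgeOS router exposed to the WAN.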

 
