ntp reachable but rejected

molybtek · 12-14-2009, 05:47 PM

I have a NTP server running in my local network with access to the internet. the local network is divided into two subnet, the main subnet where the NTP server is running, and a second subnet. Computers on both subnets sync with the same NTP server. Computers on the second subnet are able to sync without any problem, however, computers in the first subnet aren't/

Results from a computer on the second subnet:
ntpq> as

ind assID status conf reach auth condition last_event cnt
===========================================================
1 21580 96f4 yes yes none sys.peer reachable 15
ntpq> rv 21580
assID=21580 status=96f4 reach, conf, sel_sys.peer, 15 events, event_reach,
srcadr=172.23.68.1, srcport=123, dstadr=172.23.24.4, dstport=123,
leap=00, stratum=2, precision=-20, rootdelay=744.110,
rootdispersion=45.410, refid=150.101.254.110, reach=377, unreach=0,
hmode=3, pmode=4, hpoll=10, ppoll=10, flash=00 ok, keyid=0, ttl=0,
offset=-11.957, delay=3.699, dispersion=0.121, jitter=0.266,
reftime=ced14637.b8280503 Tue, Dec 15 2009 9:18:15.719,
org=ced146de.d2201214 Tue, Dec 15 2009 9:21:02.820,
rec=ced146de.d5bed30f Tue, Dec 15 2009 9:21:02.834,
xmt=ced146de.d4c0ce91 Tue, Dec 15 2009 9:21:02.831,
filtdelay= 3.85 4.17 4.49 4.02 6.84 3.88 3.70 4.37,
filtoffset= -12.22 -12.24 -11.77 -11.95 -11.48 -11.93 -11.96 -11.66,
filtdisp= 0.00 0.03 0.06 0.09 0.12 0.15 0.18 0.21

Results from a compuer on the first subnet:
ntpq> as

ind assID status conf reach auth condition last_event cnt
===========================================================
1 24754 9014 yes yes none reject reachable 1
ntpq> rv 24754
assID=24754 status=9014 reach, conf, 1 event, event_reach,
srcadr=172.23.68.1, srcport=123, dstadr=172.23.68.121, dstport=123,
leap=00, stratum=2, precision=-20, rootdelay=713.562,
rootdispersion=74.646, refid=128.250.33.242, reach=001, unreach=1,
hmode=3, pmode=4, hpoll=6, ppoll=6, flash=400 peer_dist, keyid=0, ttl=0,
offset=47.597, delay=0.199, dispersion=937.522, jitter=0.401,
reftime=ced148b7.91cc707e Tue, Dec 15 2009 9:28:55.569,
org=ced1493c.eeca2f8b Tue, Dec 15 2009 9:31:08.932,
rec=ced1493c.e2a15d5d Tue, Dec 15 2009 9:31:08.885,
xmt=ced1493c.e292c36b Tue, Dec 15 2009 9:31:08.885,
filtdelay= 0.20 0.16 0.17 0.21 0.00 0.00 0.00 0.00,
filtoffset= 47.60 47.40 47.22 47.05 0.00 0.00 0.00 0.00,
filtdisp= 0.00 0.03 0.06 0.09 16000.0 16000.0 16000.0 16000.0

The main difference I can see is for the one rejected, it has a flash=400 peer_dist instead of flash=00 ok

Are there anything I could do to fix that? Thanks.

kbp · 12-14-2009, 06:47 PM

You'll need to check the ntp server config - /etc/ntp.conf, you're probably missing a line for one of the subnets

eg.

Code:

restrict 10.0.0.0 mask 255.255.255.0 nomodify notrap

cheers

molybtek · 12-14-2009, 11:45 PM

I even allowed full access from one of the client to test and make sure the server is not rejected due to restriction.

Code:

restrict 172.23.68.121

The full ntp.conf on the server is

Code:

restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

restrict 127.0.0.1
restrict -6 ::1

restrict 172.23.68.0 mask 255.255.255.0 nomodify notrap 
restrict 172.23.68.121

server ntp.tbpl.com.au iburst
server ntp1.cs.mu.OZ.AU iburst
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst

driftfile /var/lib/ntp/drift

keys /etc/ntp/keys

On the client:

Code:

driftfile /var/lib/ntp/ntp.drift

statsdir /var/log/ntpstats/

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

logconfig =syncstatus +allevents +allinfo +allstatus
logfile /var/log/ntpd

server 172.23.68.1 iburst
restrict 172.23.68.1

restrict 127.0.0.1

From the client within the same subnet, I can use ntpdate to sync the clock, but ntpd doesn't - it rejects the reply...

catkin · 12-15-2009, 02:16 AM

Unless there is a danger of NTP requests causing an excessive load on -- or interfering with -- your NTP server you could simply remove the restrict lines from the ntp.conf file.

I tried a variety of simple restricts and could not get any of them to work

so commented them out. This ntp.conf works for me. KISS!

Code:

# Configuration file for ntpd.

# Time sources
server in.pool.ntp.org
server asia.pool.ntp.org
server 127.127.1.0
fudge 127.127.1.0 stratum 10

# Drift file
driftfile /etc/ntp/drift

# Access control
# First deny access to all
#restrict default ignore
# Then open up to LAN without allowing them to change time or be used as time sources
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

kbp · 12-15-2009, 02:50 PM

You only have one subnet listed in your servers config -

Quote:

restrict 172.23.68.0 mask 255.255.255.0 nomodify notrap

.. but you said you had 2 subnets, if you duplicate the line above but change it to the subnet the ntp server is on all should be ok

.. and don't forget to restart ntp

cheers

molybtek · 12-15-2009, 04:19 PM

The subnet listed is actually the one where the server is on, and it is clients within this subnet that is rejecting the ntp.

I've tried adding the other subnet as well, and also removing all the restrict lines, but again, the clients on the same subnet as the server is rejecting, whereas the other subnet syncs without a problem.

The weird thing is ntpdate works but not ntpd.

molybtek · 12-15-2009, 06:04 PM

From the NTP documentation, the flash code of 400 indicates that "The autokey protocol has not verified the server or peer is proventic and has valid public key credentials. See the Authentication Options page."

However, I'm not sure what to do about it... are there a way to turn off authentication off?

molybtek · 12-15-2009, 07:48 PM

OK - I think I've found the problem - the server is running ntpd 4.2.2p1@1.1570-o Sat Nov 10 12:33:50 UTC 2007 (1) (CentOS5)

All the clients in the other subnet are running ntpd: ntpd 4.2.0a@1.1190-r Sun Aug 13 01:49:12 CDT 2006 (1) (CentOS4)

I've found we have a client on the first subnet which I thought aren't syncing is actually able to sync, it is also a CentOS4 machine, whereas all the other machines are also CentOS5, and one Ubuntu 9.10, which is running Ver. 4.2.4p6

So it seems like ntp v4.2.0 are able to sync with 4.2.2, however 4.2.2 or 4.2.4 can't. Now to find out what's changed between these versions...