CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: NTP not syncing - Gaia

  1. #1
    Join Date
    2011-10-20
    Posts
    163
    Rep Power
    8

    Angry NTP not syncing - Gaia

    Is it just me, or does someone else have the same problem?

    I configured NTP on Gaia but received this message:

    "Time is set automatically via NTP
    No server has yet to be synchronized"

    I followed many SKs, stopped the ntp service, changed the NTP version to 1,2,3,4.

    Collected a tcpdump and I can see the communication.

    [Attached image: NTP.jpg]

    ntpq> peers
         remote           refid      st t when poll reach   delay   offset  jitter
    ==============================================================================
     xxxxxxxxxxx     10.2.1.248       2 u   55   64  377    0.578  393598.  72.706
    ntpq>

  2. #2
    Join Date
    2006-09-26
    Posts
    3,193
    Rep Power
    16

    Default Re: NTP not syncing - Gaia

    Quote Originally Posted by crosspopz View Post
    Is it just me, or does someone else have the same problem?

    I configured NTP on Gaia but received this message:

    "Time is set automatically via NTP
    No server has yet to be synchronized"

    I followed many SKs, stopped the ntp service, changed the NTP version to 1,2,3,4.

    Collected a tcpdump and I can see the communication.

    [Attached image: NTP.jpg]

    ntpq> peers
         remote           refid      st t when poll reach   delay   offset  jitter
    ==============================================================================
     xxxxxxxxxxx     10.2.1.248       2 u   55   64  377    0.578  393598.  72.706
    ntpq>

    Are you sure your configuration is correct?

    sniffer> show ntp active
    Yes
    sniffer> show ntp current
    192.168.1.1
    sniffer> show ntp servers
    IP Address Type Version
    192.168.1.1 Secondary 4
    192.168.1.2 Primary 4
    sniffer> show clock
    Tue Sep 15 15:13:40 2015 GMT
    sniffer>

  3. #3
    Join Date
    2011-10-20
    Posts
    163
    Rep Power
    8

    Default Re: NTP not syncing - Gaia

    Quote Originally Posted by cciesec2006 View Post
    Are you sure your configuration is correct?

    sniffer> show ntp active
    Yes
    sniffer> show ntp current
    192.168.1.1
    sniffer> show ntp servers
    IP Address Type Version
    192.168.1.1 Secondary 4
    192.168.1.2 Primary 4
    sniffer> show clock
    Tue Sep 15 15:13:40 2015 GMT
    sniffer>
    Yes, I'm sure:

    smartcenter> show ntp active
    Yes
    smartcenter> show ntp current
    No server has yet to be synchronized
    smartcenter> show ntp servers
    IP Address Type Version
    10.2.1.246 Primary 3
    smartcenter> show clock
    Tue Sep 15 12:21:08 2015 BRT
    smartcenter>

  4. #4
    Join Date
    2012-08-16
    Posts
    182
    Rep Power
    8

    Default Re: NTP not syncing - Gaia

    I know you have said you have stopped the service but have you restarted it as of yet?

    service ntpd restart

  5. #5
    Join Date
    2008-07-31
    Location
    Netherlands, Europe
    Posts
    1,146
    Rep Power
    13

    Default Re: NTP not syncing - Gaia

    Using NTP server names by any chance? Not working very well.
    During my investigation on that I also found that making sure you have multiple servers is better and the version can also make it work or fail.

    Just setting NTP off and on again from clish is enough to restart ntpd.
    Regards, Maarten.
    Triple MDS on R77.30, MDS on R80.10, VSX, GAIA.

  6. #6
    Join Date
    2011-10-20
    Posts
    163
    Rep Power
    8

    Default Re: NTP not syncing - Gaia

    Quote Originally Posted by aweldon View Post
    I know you have said you have stopped the service but have you restarted it as of yet?

    service ntpd restart
    Yes, I already did. Didn't work.

  7. #7
    Join Date
    2011-10-20
    Posts
    163
    Rep Power
    8

    Default Re: NTP not syncing - Gaia

    Quote Originally Posted by msjouw View Post
    Using NTP server names by any chance? Not working very well.
    During my investigation on that I also found that making sure you have multiple servers is better and the version can also make it work or fail.

    Just setting NTP off and on again from clish is enough to restart ntpd.
    I tried to use the IP too, but didn't try to use another server, since the customer just told me one single server for that.

    I changed the version to 3, as I checked on tcpdump that the server was sending this version.

  8. #8
    Join Date
    2006-09-26
    Posts
    3,193
    Rep Power
    16

    Default Re: NTP not syncing - Gaia

    Quote Originally Posted by crosspopz View Post
    I tried to use the IP too, but didn't try to use another server, since the customer just told me one single server for that.

    I changed the version to 3, as I checked on tcpdump that the server was sending this version.
    Please try the following:

    in clish mode:
    set ntp active off

    In Expert mode:
    [Expert@lab-p1-mc]# ntpdate -b 4.2.2.2 (or the IP address of the NTP server)
    15 Sep 13:31:02 ntpdate[27604]: step time server 4.2.2.2 offset -0.000007 sec
    [Expert@lab-p1-mc]# ntpdate -b 4.2.2.2
    15 Sep 13:31:03 ntpdate[27607]: step time server 4.2.2.2 offset 0.000030 sec
    [Expert@lab-p1-mc]#
    [Expert@lab-p1-mc]# fwm mds ver
    This is Check Point Multi-Domain Security Management R75.47 - Build 146
    [Expert@lab-p1-mc]#

    As you can see below it works for me.

    I am suspecting there is something blocking between your smartcenter and the NTP server.

    Either that or the time on the SmartCenter is so far off the NTP server that it will NOT sync. In that case, follow my procedure and it will work.
    Last edited by cciesec2006; 2015-09-15 at 13:52.

  9. #9
    Join Date
    2011-10-20
    Posts
    163
    Rep Power
    8

    Default Re: NTP not syncing - Gaia

    Quote Originally Posted by cciesec2006 View Post
    Please try the following:

    in clish mode:
    set ntp active off

    In Expert mode:
    [Expert@lab-p1-mc]# ntpdate -b 4.2.2.2 (or the IP address of the NTP server)
    15 Sep 13:31:02 ntpdate[27604]: step time server 4.2.2.2 offset -0.000007 sec
    [Expert@lab-p1-mc]# ntpdate -b 4.2.2.2
    15 Sep 13:31:03 ntpdate[27607]: step time server 4.2.2.2 offset 0.000030 sec
    [Expert@lab-p1-mc]#
    [Expert@lab-p1-mc]# fwm mds ver
    This is Check Point Multi-Domain Security Management R75.47 - Build 146
    [Expert@lab-p1-mc]#

    As you can see below it works for me.

    I am suspecting there is something blocking between your smartcenter and the NTP server.

    Either that or the time on the SmartCenter is so far off the NTP server that it will NOT sync. In that case, follow my procedure and it will work.

    Using this command worked. But it will not be synced every time, right?

    If I get a problem with my manager, and the time changed, will be changed and not synced.

    [Expert@smartcenter]# date
    Tue Sep 15 15:08:55 BRT 2015
    [Expert@smartcenter]# ntpdate -b 10.2.1.246
    15 Sep 15:15:05 ntpdate[10437]: step time server 10.2.1.246 offset 360.748045 sec
    [Expert@smartcenter]# date
    Tue Sep 15 15:15:07 BRT 2015
    [Expert@smartcenter]#

  10. #10
    Join Date
    2006-09-26
    Posts
    3,193
    Rep Power
    16

    Default Re: NTP not syncing - Gaia

    Quote Originally Posted by crosspopz View Post
    Using this command worked. But it will not be synced every time, right?

    If I get a problem with my manager, and the time changed, will be changed and not synced.

    [Expert@smartcenter]# date
    Tue Sep 15 15:08:55 BRT 2015
    [Expert@smartcenter]# ntpdate -b 10.2.1.246
    15 Sep 15:15:05 ntpdate[10437]: step time server 10.2.1.246 offset 360.748045 sec
    [Expert@smartcenter]# date
    Tue Sep 15 15:15:07 BRT 2015
    [Expert@smartcenter]#
    The work-around is to run a script every 5 minutes and put it in a cron job.

  11. #11
    Join Date
    2011-10-20
    Posts
    163
    Rep Power
    8

    Default Re: NTP not syncing - Gaia

    Quote Originally Posted by cciesec2006 View Post
    The work-around is to run a script every 5 minutes and put it in a cron job.
    Hmmmm, understood, we can do that.

    But even with this, I wanted to understand why this is not working.

    It cannot be blocked because it is on the same network; there is no firewall.

  12. #12
    Join Date
    2006-09-26
    Posts
    3,193
    Rep Power
    16

    Default Re: NTP not syncing - Gaia

    Quote Originally Posted by crosspopz View Post
    Hmmmm, understood, we can do that.

    But even with this, I wanted to understand why this is not working.

    It cannot be blocked because it is on the same network; there is no firewall.

    Run tcpdump on the NTP server and see if the traffic from the SmartCenter gets to the NTP server and whether the NTP server responds back to the SmartCenter.

    When in doubt, tcpdump is your friend.

  13. #13
    Join Date
    2011-10-20
    Posts
    163
    Rep Power
    8

    Default Re: NTP not syncing - Gaia

    Quote Originally Posted by cciesec2006 View Post
    Run tcpdump on the NTP server and see if the traffic from the SmartCenter gets to the NTP server and whether the NTP server responds back to the SmartCenter.

    When in doubt, tcpdump is your friend.

    Yes, I know. I already did, and it is attached to this post.

    The problem is that CP sends the traffic and the server responds.

  14. #14
    Join Date
    2014-09-23
    Location
    Austin, TX
    Posts
    136
    Rep Power
    5

    Default Re: NTP not syncing - Gaia

    Could be that the NTP responses are being rejected because the rootdelay and rootdispersion of the peer are too high. In general this means that the NTP client is rejecting the NTP time response because the time being presented is too far off and/or inaccurate. Is the NTP server replying with stratum 5 time? Stratum 5 is known to be inaccurate so this could be why the mgt is not responding to the NTP time.

  15. #15
    Join Date
    2011-10-20
    Posts
    163
    Rep Power
    8

    Default Re: NTP not syncing - Gaia

    Quote Originally Posted by Cory Webb View Post
    Could be that the NTP responses are being rejected because the rootdelay and rootdispersion of the peer are too high. In general this means that the NTP client is rejecting the NTP time response because the time being presented is too far off and/or inaccurate. Is the NTP server replying with stratum 5 time? Stratum 5 is known to be inaccurate so this could be why the mgt is not responding to the NTP time.

    Look at this right now:

    ntpq> peers
         remote           refid      st t when poll reach   delay   offset  jitter
    ==============================================================================
     xxxxxxxxxxx     10.2.1.248       2 u   61   64  377    0.602  -18356.  63.443

  16. #16
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,650
    Rep Power
    10

    Default Re: NTP not syncing - Gaia

    Quote Originally Posted by crosspopz View Post
    Look at this right now:

    ntpq> peers
         remote           refid      st t when poll reach   delay   offset  jitter
    ==============================================================================
     xxxxxxxxxxx     10.2.1.248       2 u   61   64  377    0.602  -18356.  63.443

    NTP is a magical beast. I'm trying to remember the commands, but I think it's like ntpq, then show associations. Then you use rv (still inside ntpq shell) and the association id. If you see reject it means you're talking NTP but something is unhappy about the remote clock or possibly a local config issue (not your case since ntpdate moved the clock and it started working). I would look up the output from that first command. I think somehow it shows the source clock is very unreliable but I don't know how to read the output to confirm.

    Last time I saw this, moving the clock source from a MS AD server to a real NTP server fixed the issue.

    ntpdate every 5 mins is a hack. It will work but ntpdate doesn't keep track of clock drift so you can end up with big clock jumps which are generally bad.

  17. #17
    Join Date
    2011-10-20
    Posts
    163
    Rep Power
    8

    Default Re: NTP not syncing - Gaia

    Quote Originally Posted by jflemingeds View Post
    NTP is a magical beast. I'm trying to remember the commands, but I think it's like ntpq, then show associations. Then you use rv (still inside ntpq shell) and the association id. If you see reject it means you're talking NTP but something is unhappy about the remote clock or possibly a local config issue (not your case since ntpdate moved the clock and it started working). I would look up the output from that first command. I think somehow it shows the source clock is very unreliable but I don't know how to read the output to confirm.

    Last time I saw this, moving the clock source from a MS AD server to a real NTP server fixed the issue.

    ntpdate every 5 mins is a hack. It will work but ntpdate doesn't keep track of clock drift so you can end up with big clock jumps which are generally bad.

    Thanks for your help.

    And yes, ntpdate is a hack that I'm not sure I want to use.

    Here are the commands that you sent:

    ntpq> associations

    ind assID status  conf reach auth condition  last_event cnt
    ===========================================================
      1 14540  9014   yes   yes  none    reject   reachable  1
    ntpq> rv 14540
    assID=14540 status=9014 reach, conf, 1 event, event_reach,
    srcadr=xxxxxxxxxxxx, srcport=123, dstadr=10.2.0.225, dstport=123,
    leap=00, stratum=2, precision=-6, rootdelay=31.250,
    rootdispersion=10548.981, refid=10.2.1.248, reach=377, unreach=0,
    hmode=3, pmode=4, hpoll=6, ppoll=6, flash=400 peer_dist, keyid=0, ttl=0,
    offset=-19455.231, delay=0.721, dispersion=18.177, jitter=44.107,
    reftime=d9a4033f.ecfab38f Wed, Sep 16 2015 12:03:27.925,
    org=d9a406b9.c8e2201b Wed, Sep 16 2015 12:18:17.784,
    rec=d9a406cd.4f577a42 Wed, Sep 16 2015 12:18:37.309,
    xmt=d9a406cd.4f281965 Wed, Sep 16 2015 12:18:37.309,
    filtdelay= 0.72 0.82 1.03 0.78 0.72 0.84 1.35 1.33,
    filtoffset= -19524. -19507. -19490. -19471. -19455. -19436. -19419. -19401.,
    filtdisp= 15.63 16.59 17.56 18.51 19.50 20.47 21.42 22.39
    ntpq>

    The strange thing is: why is the refid 10.2.1.248 if the real IP configured is 10.2.1.246?
    Last edited by crosspopz; 2015-09-16 at 11:21.
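
Added example, not part of any post in this thread: the `rv` output above reports `condition reject` with `flash=400 peer_dist`, and this Python code recomputes the peer's root distance from the posted fields to show which term trips the distance test. The 1.5 s threshold is an assumption (ntpd's documented default for `tos maxdist`; the value on this Gaia build is not stated in the thread), and the function names are hypothetical.

```python
import re

# rv fields copied from the output posted in this thread (times in milliseconds).
RV_SAMPLE = """\
assID=14540 status=9014 reach, conf, 1 event, event_reach,
srcadr=xxxxxxxxxxxx, srcport=123, dstadr=10.2.0.225, dstport=123,
leap=00, stratum=2, precision=-6, rootdelay=31.250,
rootdispersion=10548.981, refid=10.2.1.248, reach=377, unreach=0,
hmode=3, pmode=4, hpoll=6, ppoll=6, flash=400 peer_dist, keyid=0, ttl=0,
offset=-19455.231, delay=0.721, dispersion=18.177, jitter=44.107,
"""

FLASH_PEER_DIST = 0x0400   # flash bit shown as "peer_dist" in the output above
MAXDIST_MS = 1500.0        # assumed threshold: ntpd's "tos maxdist" default


def parse_rv(text):
    """Parse 'name=value' pairs from ntpq rv output into a dict of strings."""
    return dict(re.findall(r"(\w+)=([^,\s]+)", text))


def root_distance_ms(rv):
    """Lower bound on the peer's root distance, using the RFC 5905 terms.

    The aging term (PHI * seconds since the last update) is left out because
    rv does not print it; it can only make the distance larger.
    """
    def field(name):
        return float(rv[name])
    return ((field("delay") + field("rootdelay")) / 2
            + field("rootdispersion") + field("dispersion") + field("jitter"))


def diagnose(text, maxdist_ms=MAXDIST_MS):
    """Report whether the peer fails the distance test and which term dominates."""
    rv = parse_rv(text)
    dist = root_distance_ms(rv)
    terms = {name: float(rv[name]) for name in
             ("rootdelay", "rootdispersion", "delay", "dispersion", "jitter")}
    return {
        "flash_peer_dist": bool(int(rv["flash"], 16) & FLASH_PEER_DIST),
        "root_distance_ms": round(dist, 4),
        "exceeds_maxdist": dist > maxdist_ms,
        "dominant_term": max(terms, key=terms.get),
    }


if __name__ == "__main__":
    for key, value in diagnose(RV_SAMPLE).items():
        print(f"{key}: {value}")
```

On the posted values the distance comes to about 10.6 s, almost all of it from `rootdispersion`, which is the error the upstream server reports about its own clock.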

  18. #18
    Join Date
    2006-07-28
    Location
    San Francisco, USA
    Posts
    2,494
    Rep Power
    16

    Default Re: NTP not syncing - Gaia

    Quote Originally Posted by crosspopz View Post
    The strange thing is: why is the refid 10.2.1.248 if the real IP configured is 10.2.1.246?
    refid is the source used by the upstream server. So 10.2.1.246 is getting its time from 10.2.1.248.

  19. #19
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,650
    Rep Power
    10

    Default Re: NTP not syncing - Gaia

    Quote Originally Posted by crosspopz View Post
    Thanks for your help.

    And yes, ntpdate is a hack that I'm not sure I want to use.

    Here are the commands that you sent:

    ntpq> associations

    ind assID status  conf reach auth condition  last_event cnt
    ===========================================================
      1 14540  9014   yes   yes  none    reject   reachable  1
    ntpq> rv 14540
    assID=14540 status=9014 reach, conf, 1 event, event_reach,
    srcadr=xxxxxxxxxxxx, srcport=123, dstadr=10.2.0.225, dstport=123,
    leap=00, stratum=2, precision=-6, rootdelay=31.250,
    rootdispersion=10548.981, refid=10.2.1.248, reach=377, unreach=0,
    hmode=3, pmode=4, hpoll=6, ppoll=6, flash=400 peer_dist, keyid=0, ttl=0,
    offset=-19455.231, delay=0.721, dispersion=18.177, jitter=44.107,
    reftime=d9a4033f.ecfab38f Wed, Sep 16 2015 12:03:27.925,
    org=d9a406b9.c8e2201b Wed, Sep 16 2015 12:18:17.784,
    rec=d9a406cd.4f577a42 Wed, Sep 16 2015 12:18:37.309,
    xmt=d9a406cd.4f281965 Wed, Sep 16 2015 12:18:37.309,
    filtdelay= 0.72 0.82 1.03 0.78 0.72 0.84 1.35 1.33,
    filtoffset= -19524. -19507. -19490. -19471. -19455. -19436. -19419. -19401.,
    filtdisp= 15.63 16.59 17.56 18.51 19.50 20.47 21.42 22.39
    ntpq>

    The strange thing is: why is the refid 10.2.1.248 if the real IP configured is 10.2.1.246?

    Yeah so the refid question has been answered, but I think you should take the greater wtf question to an ntpd mailing list or back to checkpoint. I kind of think you'll get a better answer from an ntpd mailing list which you can then address or take back to checkpoint for more info.

    Just wondering... are those IPs MS AD servers? I read somewhere that MS's W32time service is not very good, but this could also be a problem with the kernel needing to be adjusted to move the clock faster.

    NTPD mailing list.

  20. #20
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,494
    Rep Power
    17

    Default Re: NTP not syncing - Gaia

    Quote Originally Posted by jflemingeds View Post
    ntpdate every 5 mins is a hack. It will work but ntpdate doesn't keep track of clock drift so you can end up with big clock jumps which are generally bad.
    That said, if you're doing ntpdate every 5 minutes, you should not see huge clock drifts/jumps.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own
