9

I tried everything and googled a lot! But I can't make NTP work on my server. This post is my last hope! I have installed ntp on a Debian server with this configuration (/etc/ntp.conf):

driftfile /var/lib/ntp/ntp.drift

statdir /var/log/ntpstats/

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

server 0.it.pool.ntp.org iburst
server 1.it.pool.ntp.org iburst
server 2.it.pool.ntp.org iburst
server 3.it.pool.ntp.org iburst

restrict -4 default nomodify nopeer noquery notrap
restrict -6 default nomodify nopeer noquery notrap

# Restrict eth0 ip
restrict 192.168.1.1
restrict 127.0.0.1 noserve nomodify
restrict ::1

Now when I try:

ntpq -pn
127.0.0.1: timed out, nothing received
***Request timed out

When I try:

ntpdate -q
9 Mar 18:08:01 ntpdate[27896]: no servers can be used, exiting

But with:

ntpdate -d 0.it.pool.ntp.org

I receive incoming packets and the time offset is set. This leads me to think the ntp.conf configuration is wrong.

Any clues why this is happening?

Test
  • What file are you showing? Is that `/etc/ntp.conf`? Are you sure about those NTP servers? Try Debian's, my (working) ntp.conf [is here](http://pastebin.com/k08Ww9x8). – terdon Mar 09 '14 at 17:17
  • Yes, it's ntp.conf. I'll try with debian's servers. Thanks – Test Mar 09 '14 at 17:27
  • Nope, always same errors. – Test Mar 09 '14 at 17:30
  • Assuming you restarted ntpd after making these changes, is that correct? `service ntpd restart`. – slm Mar 09 '14 at 19:30
  • What is your firewall configuration? Are you sure that there isn't a firewall in between that's blocking NTP? – Gilles 'SO- stop being evil' Mar 09 '14 at 20:17
  • @slm Of course, but the error persists. – Test Mar 09 '14 at 21:12
  • @Gilles I'm not sure how I can check if something is blocking NTP, or if something is already using port 123. – Test Mar 09 '14 at 21:13
  • OK, I checked the firewall and added: `iptables -A OUTPUT -p udp --dport 123 -j ACCEPT` and `iptables -A INPUT -p udp --sport 123 -j ACCEPT` – Test Mar 09 '14 at 21:53
  • @BojanVidanovic `sudo lsof -i:123` and `sudo iptables -L` – Braiam Mar 09 '14 at 22:25
  • @BojanVidanovic check syslog & daemon log, see if you're getting any errors from ntpd. – derobert Mar 10 '14 at 21:55
  • Also, your restrict lines are weird... Look at http://support.ntp.org/bin/view/Support/AccessRestrictions – derobert Mar 10 '14 at 21:58
  • @derobert No errors in log files, that's the beauty. – Test Mar 10 '14 at 22:15
  • @derobert Actually in daemon.log there is the line: peers refreshed. No errors, seems like it's working, but I get the error with ntpq -pn. – Test Mar 10 '14 at 22:18
  • I'm in the same boat. One server will only return the timeout error with ntpq -p; manually running ntpdate -s succeeds though. Other servers (all running Ubuntu Server 13.10) have no issue--and all debugging steps I've found on this thread and others leave me without an explanation or obvious problem – STW Jul 31 '14 at 04:15

5 Answers

3

If none of the NTP servers you're trying seem to be responding, it's likely that a firewall is blocking either outgoing requests or incoming responses.

NTP uses UDP port 123. You can check whether outgoing requests are being blocked by running traceroute on that port. Depending on your implementation of traceroute, this may be something like traceroute -p 123 0.it.pool.ntp.org (Debian includes several implementations of traceroute, check traceroute --help or man traceroute on your system). If incoming requests are blocked but outgoing requests get through, I don't think you can diagnose where they are blocked without access to a machine outside your network (if you have access to such a machine, run traceroute -p 123 your.ip.address). Note that if you have a private IP address, being able to use NTP requires the cooperation of your network administrator (specifically, NTP support in the NAT appliance).

If you've set up a firewall on your machine, make sure it's letting NTP through. The simple way is to allow all traffic on UDP port 123:

iptables -A INPUT -p udp --sport 123 --dport 123 -j ACCEPT
iptables -A OUTPUT -p udp --sport 123 --dport 123 -j ACCEPT

(You may want to add -d/-s directives to restrict to a particular IP address or set of IP addresses. Note that if you do that, you'll need to update these rules if the NTP servers in the pool you're using change IP addresses.)

If NTP traffic is blocked somewhere between your machine and the Internet, contact your network administrator. It's likely that there is a relay machine that you can use as your NTP server.

Gilles 'SO- stop being evil'
  • External NTP traffic is likely being blocked by your hosting provider /ISP. This is a heavy handed approach to prevent DDOS. Ask your ISP what internal ntp servers you can connect to. – dfc Mar 10 '14 at 19:04
  • @dfc In my experience, corporate firewalls block NTP as part of blocking all UDP or as a natural consequence of NAT, but ISPs don't (except the ones who NAT). But indeed, if your ISP blocks incoming NTP, they *should* provide an NTP server on their network. – Gilles 'SO- stop being evil' Mar 10 '14 at 19:09
  • I had already added these rules to iptables, but still the same error. Strangely, with ntpdate -d 0.it.pool.ntp.org it works. So I believe it's ntp.conf. – Test Mar 10 '14 at 21:53
  • @Gilles is "your experience" taking into consideration the recent wave of DDoS attacks that use ntp? A year ago I would agree with your comment. However after the recent waves of attacks egress ntp filtering is a lot more common than you think. – dfc Mar 10 '14 at 23:28
  • @BojanVidanovic It does not make any sense that it works with ntpdate and not with ntp. When it works with ntpdate you should make a note of the IP address that returned an answer and try putting that into ntp.conf. The DNS response for a pool.ntp.org address will vary depending on how many servers the pool monitor thinks are currently healthy, in addition to some pseudo-randomization in the DNS daemon. – dfc Mar 10 '14 at 23:31
  • @Gilles add this to the experience pile: https://askubuntu.com/questions/429306/ntpdate-no-server-suitable-for-synchronization-found – dfc Mar 10 '14 at 23:34
2

As far as I can tell your question is "Why does ntpq -pn not function as I expect it to?"

Change this line:

restrict 127.0.0.1 noserve nomodify

back to what it was originally:

restrict 127.0.0.1

now ntpq -pn will work.

FYI: ::1 is the IPv6 version of 127.0.0.1

Updated config:

driftfile /var/lib/ntp/ntp.drift

statdir /var/log/ntpstats/

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

server 0.it.pool.ntp.org iburst
server 1.it.pool.ntp.org iburst
server 2.it.pool.ntp.org iburst
server 3.it.pool.ntp.org iburst

restrict -4 default nomodify nopeer noquery notrap
restrict -6 default nomodify nopeer noquery notrap

# Restrict eth0 ip
restrict 192.168.1.1
restrict 127.0.0.1
restrict ::1
dfc
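As an added example that is not part of this answer or of the ntp project, here is a small Python model of ntpd's restrict list, following the semantics documented on the AccessRestrictions page linked in the question's comments: it parses the restrict lines, picks the most specific matching entry for a source address and reports whether a packet of a given NTP mode would be accepted. The restrict lines are the ones from the question; the source addresses 127.0.0.1, 192.168.1.1, ::1 and 203.0.113.9 are test inputs. It shows which flag blocks what: noserve denies time service from loopback but not a read-only ntpq query, noquery on the default entry is what blocks ntpq from everywhere else, and the default entry still serves time to any Internet client, which is worth knowing before opening UDP/123 in the firewall.

```python
"""Check which ntpd 'restrict' entry applies to a client and what it blocks.

Added example, not code from the original post or from the ntp project: a
model of ntpd's restrict list, following the semantics in ntpd's docs.  The
most specific matching entry wins, and the flags mean:
  ignore    drop every packet
  noserve   deny time-service packets (modes 1-5) but still answer ntpq/ntpdc
  noquery   deny ntpq/ntpdc control queries (modes 6 and 7)
  nomodify  deny control queries that would change daemon state
  notrap    deny the mode-6 trap service
Anything no flag forbids is allowed.
"""
import ipaddress

TIME_MODES = {1, 2, 3, 4, 5}      # symmetric, client/server, broadcast
CONTROL_MODES = {6, 7}            # ntpq (mode 6) and ntpdc (mode 7)
KNOWN_FLAGS = {"ignore", "noserve", "noquery", "nomodify", "notrap",
               "nopeer", "kod", "limited"}


def parse_restrict_lines(conf_text):
    """Return [(network, flags)] for every restrict line in an ntp.conf."""
    entries = []
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        tokens = tokens[1:]
        family = tokens.pop(0) if tokens[0] in ("-4", "-6") else None
        if not tokens or tokens[0] == "source":
            continue                              # 'restrict source' not modelled
        target = tokens.pop(0)
        mask = None
        if len(tokens) >= 2 and tokens[0] == "mask":
            mask = tokens[1]
            tokens = tokens[2:]
        flags = {t for t in tokens if t in KNOWN_FLAGS}
        if target == "default":
            nets = [ipaddress.ip_network(n) for n, fam in
                    (("0.0.0.0/0", "-4"), ("::/0", "-6")) if family in (None, fam)]
        elif mask:
            nets = [ipaddress.ip_network("%s/%s" % (target, mask), strict=False)]
        else:
            nets = [ipaddress.ip_network(target)]  # single host (/32 or /128)
        entries.extend((net, flags) for net in nets)
    return entries


def flags_for(entries, source):
    """Flags of the most specific entry matching source (longest prefix wins)."""
    addr = ipaddress.ip_address(source)
    best = None
    for net, flags in entries:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, flags)
    return best[1] if best else set()


def is_allowed(entries, source, mode, modifies=False):
    """Would ntpd accept a packet of this NTP mode from this source address?"""
    flags = flags_for(entries, source)
    if "ignore" in flags:
        return False
    if mode in TIME_MODES:
        return "noserve" not in flags
    if mode in CONTROL_MODES:
        return "noquery" not in flags and not (modifies and "nomodify" in flags)
    return False


# The restrict lines from the configuration in the question above.
OP_RESTRICT = """
restrict -4 default nomodify nopeer noquery notrap
restrict -6 default nomodify nopeer noquery notrap
restrict 192.168.1.1
restrict 127.0.0.1 noserve nomodify
restrict ::1
"""


def check_op_config():
    """What each kind of client may do against the question's restrict lines."""
    acl = parse_restrict_lines(OP_RESTRICT)
    return {
        "ntpq -pn from 127.0.0.1 (mode 6, read-only)": is_allowed(acl, "127.0.0.1", 6),
        "ntpq write from 127.0.0.1 (mode 6, modify)": is_allowed(acl, "127.0.0.1", 6, True),
        "ntpdate against 127.0.0.1 (mode 3)": is_allowed(acl, "127.0.0.1", 3),
        "ntpq -p from the LAN host 192.168.1.1": is_allowed(acl, "192.168.1.1", 6),
        "ntpq -p from the Internet (203.0.113.9)": is_allowed(acl, "203.0.113.9", 6),
        "time request from the Internet (mode 3)": is_allowed(acl, "203.0.113.9", 3),
        "ntpq -pn over IPv6 loopback ::1": is_allowed(acl, "::1", 6),
    }


if __name__ == "__main__":
    for what, ok in check_op_config().items():
        print("%-48s %s" % (what, "allowed" if ok else "denied"))
```

Run it against any ntp.conf by passing the file's text to parse_restrict_lines; a mode-6 query from 127.0.0.1 coming back "denied" means a noquery or ignore flag reaches the loopback entry, which is the only way the restrict list itself can produce the ntpq timeout in the question.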
1

Your issue appears to be in the selection of those 2 servers in these 2 lines of your config file:

server ntp1.inrim.it iburst
server ntp2.inrim.it iburst

When I try to query either of them I get your error as well:

$ sudo ntpq -p ntp1.inrim.it
ntp1.inrim.it: timed out, nothing received
***Request timed out

$ sudo ntpq -p ntp2.inrim.it
ntp2.inrim.it: timed out, nothing received
***Request timed out

I'd try selecting some different servers for starters.

Those servers?

When I googled their names I came across this page titled: Come configurare il vostro NTP. There was another server mentioned there that didn't work either:

$ sudo ntpq -p host2.miaditta.it 
host2.miaditta.it: timed out, nothing received
***Request timed out

These servers would seem to be the issue.

Encryption?

If you look further down that URL above that I mentioned, they discuss using encryption, you might need to enable this to access those NTP servers.

Debugging tips

I was able to successfully connect to both of your iburst servers using this command:

$ ntpdate -d <server>
Example
$ ntpdate -d ntp1.inrim.it
 9 Mar 21:01:37 ntpdate[20739]: ntpdate [email protected] Tue Apr  2 17:47:01 UTC 2013 (1)
Looking for host ntp1.inrim.it and service ntp
host found : ntp1.inrim.it
transmit(193.204.114.232)
receive(193.204.114.232)
...
server 193.204.114.232, port 123
stratum 1, precision -22, leap 00, trust 000
refid [CTD], delay 0.19319, dispersion 0.00084
transmitted 4, in filter 4
reference time:    d6c78d79.f0206119  Sun, Mar  9 2014 21:01:45.937
originate timestamp: d6c78d7e.55ab5b4b  Sun, Mar  9 2014 21:01:50.334
transmit timestamp:  d6c78d77.7e9b8296  Sun, Mar  9 2014 21:01:43.494
filter delay:  0.19460  0.19710  0.19453  0.19319 
         0.00000  0.00000  0.00000  0.00000 
filter offset: 6.755368 6.757349 6.755239 6.756265
         0.000000 0.000000 0.000000 0.000000
delay 0.19319, dispersion 0.00084
offset 6.756265

 9 Mar 21:01:43 ntpdate[20739]: step time server 193.204.114.232 offset 6.756265 sec

So it would seem your issue is actually something wrong with your ntp.conf file. Please confirm this is the case and we can continue debugging further.

slm
  • Yes, I won't use those servers, but I added debian.pool.ntp.org and I still get: timed out. Or it.pool.ntp.org, which works, gives me the same error. At this point I think something is blocking NTP. – Test Mar 09 '14 at 21:17
  • If I try: ntpdate 0.debian.pool.ntp.org, it works. – Test Mar 09 '14 at 21:55
  • Yes, with: ntpdate -d ntp1.inrim.it I see the same results as yours. Then probably it's ntp.conf. – Test Mar 10 '14 at 21:42
  • @BojanVidanovic - yes yes, the issue is likely your `ntp.conf` then. So this is good progress. I'd take out most of the lines except for the server ones to debug this further. – slm Mar 10 '14 at 21:47
  • I updated my question with current configuration. – Test Mar 10 '14 at 21:48
  • @BojanVidanovic - I just dropped the above file you posted into my Fedora 19 system and it worked fine. Did you start the service? `service ntpd restart`? – slm Mar 10 '14 at 21:53
  • Yep, I do that all the time. Just for me it's: service ntp restart (not ntpd). That's really strange, I even added rules to iptables.. – Test Mar 10 '14 at 21:58
  • @BojanVidanovic - does the `/var/log/syslog` show anything about it? You might want to enable verbose messaging in `/etc/ntp.conf` for more info. – slm Mar 10 '14 at 22:09
  • Just checked, no NTP-related errors. Now I'll try enabling verbose messaging. – Test Mar 10 '14 at 22:11
  • The switches to `ntpd`, adding `-d` options will add more, and `-D level` will enable INFO, TRACE, DEBUG, etc. – slm Mar 10 '14 at 22:12
  • When I run ntpq -pn, in the daemon.log file I get: peers refreshed. – Test Mar 10 '14 at 22:22
  • Might be helpful to go through this checklist: http://www.eecis.udel.edu/~mills/ntp/html/debug.html – slm Mar 10 '14 at 23:16
  • @slm The command `ntpq -p ntp1.inrim.it` does not do what you think it does. That command asks the server for a list of its configured peers/timesources. It does not ask the remote server for the time. You can have a "perfectly functioning" public time server that serves time to clients but does not respond to remote peer requests. It is also known as noquery in the restrict line. – dfc Mar 10 '14 at 23:38
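The timestamps and the offset/delay figures in the ntpdate -d output above can be checked by hand. The following is an added example, not code from this answer or from the ntp project: it decodes the hex NTP timestamps printed above into UTC, builds the 48-byte mode-3 request that ntpdate and ntpd send, and parses a mode-4 reply with the checks a client must make (mode, stratum-0 kiss-o'-death, originate timestamp echoing our own transmit timestamp) before applying the RFC 5905 offset and delay formulas. The server reply is constructed in the script, as are the T2 and T4 timestamps that ntpdate does not print; they are chosen so the exchange reproduces the printed offset of 6.756265 s and delay of 0.19319 s. The reference time above decodes to 2014-03-10 01:01:45 UTC, so the 21:01:45 in the output is local time at UTC-4.

```python
"""Decode what ntpdate -d prints and check an NTP reply the way a client must.

Added example, not code from the original post or the ntp project.  It parses
the 64-bit NTP timestamps printed above (e.g. d6c78d79.f0206119), builds the
48-byte mode-3 request that ntpdate/ntpd send to UDP/123, parses a mode-4 reply
and applies the RFC 5905 offset/delay formulas.  The reply bytes are constructed
here (no network) from the stratum, refid and timestamps in the output above.
"""
import struct
from datetime import datetime, timezone

NTP_EPOCH_OFFSET = 2208988800        # seconds from 1900-01-01 to 1970-01-01
HEADER = "!BBBbII4s8I"               # 48-byte NTPv4 header (RFC 5905, fig. 8)
MODE_CLIENT, MODE_SERVER = 3, 4

def ntp_hex_to_unix(ts):
    """'d6c78d79.f0206119' as printed by ntpdate -d -> float Unix seconds."""
    secs, frac = ts.split(".")
    return int(secs, 16) - NTP_EPOCH_OFFSET + int(frac, 16) / 2**32

def ntp_hex_to_utc(ts):
    return datetime.fromtimestamp(ntp_hex_to_unix(ts), tz=timezone.utc)

def unix_to_ntp64(t):
    """float Unix seconds -> (seconds, fraction) 32-bit wire fields."""
    return (int(t) + NTP_EPOCH_OFFSET) & 0xFFFFFFFF, int((t - int(t)) * 2**32) & 0xFFFFFFFF

def ntp64_to_unix(secs, frac):
    return secs - NTP_EPOCH_OFFSET + frac / 2**32

def build_client_request(t1):
    """Mode-3 request: LI=0, VN=4, mode=3; only the transmit timestamp (T1) is set."""
    xmt_s, xmt_f = unix_to_ntp64(t1)
    return struct.pack(HEADER, (4 << 3) | MODE_CLIENT, 0, 0, 0, 0, 0, b"\0\0\0\0",
                       0, 0, 0, 0, 0, 0, xmt_s, xmt_f)

def build_server_reply(request, t2, t3, stratum=1, refid=b"CTD\0"):
    """Mode-4 reply as a server builds it: org <- client's xmt, rec=T2, xmt=T3.
    A constructed stand-in for the real server so the example needs no network."""
    f = struct.unpack(HEADER, request)
    rec_s, rec_f = unix_to_ntp64(t2)
    xmt_s, xmt_f = unix_to_ntp64(t3)
    ref_s, ref_f = unix_to_ntp64(t2 - 4.4)      # last clock update (constructed)
    return struct.pack(HEADER, (4 << 3) | MODE_SERVER, stratum, 6, -22, 0, 0, refid,
                       ref_s, ref_f, f[13], f[14], rec_s, rec_f, xmt_s, xmt_f)

def parse_reply(reply, t1_sent, t4):
    """Validate a mode-4 reply against the request we sent; return offset/delay.
    Raises ValueError for anything a client must not use as time."""
    if len(reply) != 48:
        raise ValueError("bad length %d" % len(reply))
    f = struct.unpack(HEADER, reply)
    if f[0] & 0x7 != MODE_SERVER:
        raise ValueError("not a server reply (mode %d)" % (f[0] & 0x7))
    if f[1] == 0:       # Kiss-o'-Death: refid is an ASCII code such as b'RATE'
        raise ValueError("kiss-o'-death %r" % f[6])
    if (f[9], f[10]) != unix_to_ntp64(t1_sent):
        # The originate field must echo our T1; otherwise this is a replay or a
        # spoofed reply.  Without authentication this echo is the only thing
        # tying a reply to our request.
        raise ValueError("originate timestamp does not match our request")
    t2 = ntp64_to_unix(f[11], f[12])
    t3 = ntp64_to_unix(f[13], f[14])
    return {"stratum": f[1], "refid": f[6],
            "offset": ((t2 - t1_sent) + (t3 - t4)) / 2,     # RFC 5905 theta
            "delay": (t4 - t1_sent) - (t3 - t2)}            # RFC 5905 delta

# T1 (client transmit) and T3 (server transmit) as printed by ntpdate -d above.
# T2 and T4 are not printed; they are constructed to reproduce the printed
# offset 6.756265 s and delay 0.19319 s (the client clock is 6.76 s behind, so
# in client time the reply "arrives" before the server stamped it).
T1 = ntp_hex_to_unix("d6c78d77.7e9b8296")
T3 = ntp_hex_to_unix("d6c78d7e.55ab5b4b")
T2 = T1 + (0.19319 + 2 * 6.756265) / 2
T4 = T3 + (0.19319 - 2 * 6.756265) / 2

def demo_exchange():
    """One honest round plus two replies a client must reject: (good, rejected)."""
    request = build_client_request(T1)
    good = parse_reply(build_server_reply(request, T2, T3), T1, T4)
    bogus = {"spoofed": build_server_reply(build_client_request(T1 - 1.0), T2, T3),
             "kod": build_server_reply(request, T2, T3, stratum=0, refid=b"RATE")}
    rejected = {}
    for name, reply in bogus.items():
        try:
            parse_reply(reply, T1, T4)
            rejected[name] = False
        except ValueError:
            rejected[name] = True
    return good, rejected

if __name__ == "__main__":
    print("reference time:", ntp_hex_to_utc("d6c78d79.f0206119"))
    good, rejected = demo_exchange()
    print("offset %.6f delay %.5f stratum %d refid %r" %
          (good["offset"], good["delay"], good["stratum"], good["refid"]))
    print("rejected:", rejected)
```

On the wire, ntpd (and ntpdate without -u) sends this request from UDP source port 123 to the server's port 123, and the reply travels the same pair of ports back; a stateful firewall rule that admits replies to an outbound request passes it without accepting every inbound packet whose source port merely happens to be 123. Note also that a mode-6 ntpq -p query is a different packet from this mode-3 exchange, which is why a server can answer ntpdate and still time out for ntpq.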
0

In my case, the loopback interface was disabled on the system. After enabling it, the problem was solved. See the /etc/network/interfaces file.

lehab
0

From what I see, you have configured an NTP SERVER but you are pointing that to a POOL:

server 0.pool.ntp.org

Try:

pool 0.pool.ntp.org

instead or use "server" with a dedicated server, not a pool.

Stephen Rauch