SOLVED: all NTP servers are unreachable after upgrade from 2.1.5 to 2.2.2
-
Hello,
after upgrading our pfSense firewalls from version 2.1.5 to version 2.2.2 the NTP server on the
firewall started not to answer ntpdate requests. The reason was, that all the ntp servers, configured
on the firewall were always unreachable after the upgrade.The firewalls have CARP addresses for LAN and WAN. Only these two CARP addresses were listened to
by the firewalls' ntp server.Solution:
the ntp server was configured to listen also to the WAN interface.
Servers behind the firewall could not access the ntp server on the firewalls. The second
change was to listen to the LAN interface.It seems, that now NTP does not work with CARP interfaces or something must be additionally
configured comparing to the version 2.1.5.After that, not all the local servers requests were answered:
testserver1:~ # ntpdate -d 10.20.20.101 22 Apr 12:14:04 ntpdate[22131]: ntpdate 4.2.0a@1.1190-r Wed Jan 26 17:34:57 UTC 2005 (1) Looking for host 10.20.20.101 and service ntp host found : pf1.netmedia.de transmit(10.20.20.101) transmit(10.20.20.101) transmit(10.20.20.101) receive(10.20.20.101) transmit(10.20.20.101) transmit(10.20.20.101) 10.20.20.101: Server dropped: strata too high server 10.20.20.101, port 123 stratum 16, precision -6, leap 11, trust 000 refid [10.20.20.101], delay 0.04271, dispersion 56.00000 transmitted 4, in filter 4 reference time: 00000000.00000000 Thu, Feb 7 2036 7:28:16.000 originate timestamp: d8e1f2ee.c48f7553 Wed, Apr 22 2015 12:14:06.767 transmit timestamp: d8e1f2ee.c4f3dc05 Wed, Apr 22 2015 12:14:06.769 filter delay: 0.00000 0.00000 0.04271 0.00000 0.00000 0.00000 0.00000 0.00000 filter offset: 0.000000 0.000000 -0.00073 0.000000 0.000000 0.000000 0.000000 0.000000 delay 0.04271, dispersion 56.00000 offset -0.000739 22 Apr 12:14:07 ntpdate[22131]: no server suitable for synchronization found
This problem was solved by unchecking the check box "Access restrictions: Enable Kiss-o'-death packets"
Thank you, the pfSense Team for the great job!
Best regards
yarick123 -
At the end I have excluded all CARP interfaces from the NTP-configuration. It seems to be the best solution. Otherwise the ntpd on the Standup firewall was not started while it was inactive.
-
Hmmm… IMHO the CARP interfaces/IPs should be used for what they've been designed. Not for random other services.
-
IMHO the CARP interfaces/IPs should be used for what they've been designed.
Agree. It was just an upgrade issue - in 2.1.5 worked, in 2.2.2 without tuning - not. In any case I would not qualify this as an error in pfSense :)