Netgate Discussion Forum

    SOLVED: all NTP servers are unreachable after upgrade from 2.1.5 to 2.2.2

    Problems Installing or Upgrading pfSense Software
      yarick123

      Hello,

      after upgrading our pfSense firewalls from version 2.1.5 to version 2.2.2, the NTP server on the
      firewall stopped answering ntpdate requests. The reason was that all the NTP servers configured
      on the firewall were always unreachable after the upgrade.

      The firewalls have CARP addresses for LAN and WAN. Only these two CARP addresses were listened to
      by the firewalls' ntp server.

      Solution:

      The NTP server was configured to listen also to the WAN interface.
      Servers behind the firewall could not access the NTP server on the firewalls. The second
      change was to listen to the LAN interface.

      It seems that NTP now does not work with CARP interfaces, or something must be additionally
      configured compared to version 2.1.5.

      After that, not all the local servers' requests were answered:

      
      testserver1:~ # ntpdate -d 10.20.20.101
      22 Apr 12:14:04 ntpdate[22131]: ntpdate 4.2.0a@1.1190-r Wed Jan 26 17:34:57 UTC 2005 (1)
      Looking for host 10.20.20.101 and service ntp
      host found : pf1.netmedia.de
      transmit(10.20.20.101)
      transmit(10.20.20.101)
      transmit(10.20.20.101)
      receive(10.20.20.101)
      transmit(10.20.20.101)
      transmit(10.20.20.101)
      10.20.20.101: Server dropped: strata too high
      server 10.20.20.101, port 123
      stratum 16, precision -6, leap 11, trust 000
      refid [10.20.20.101], delay 0.04271, dispersion 56.00000
      transmitted 4, in filter 4
      reference time:    00000000.00000000  Thu, Feb  7 2036  7:28:16.000
      originate timestamp: d8e1f2ee.c48f7553  Wed, Apr 22 2015 12:14:06.767
      transmit timestamp:  d8e1f2ee.c4f3dc05  Wed, Apr 22 2015 12:14:06.769
      filter delay:  0.00000  0.00000  0.04271  0.00000
               0.00000  0.00000  0.00000  0.00000
      filter offset: 0.000000 0.000000 -0.00073 0.000000
               0.000000 0.000000 0.000000 0.000000
      delay 0.04271, dispersion 56.00000
      offset -0.000739
      
      22 Apr 12:14:07 ntpdate[22131]: no server suitable for synchronization found
      
      

      This problem was solved by unchecking the check box "Access restrictions: Enable Kiss-o'-death packets".

      Thank you, pfSense Team, for the great job!

      Best regards
      yarick123

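As an added example (not part of the original post, and not pfSense or ntpdate code): a small Python parser for the `ntpdate -d` output quoted above that lists why the client rejected the server's reply. The function names are hypothetical, and the sample is a trimmed excerpt of the output in the post.

```python
import re

# Excerpt of the `ntpdate -d` output quoted in the post above (trimmed).
SAMPLE = """\
transmit(10.20.20.101)
transmit(10.20.20.101)
transmit(10.20.20.101)
receive(10.20.20.101)
transmit(10.20.20.101)
transmit(10.20.20.101)
10.20.20.101: Server dropped: strata too high
stratum 16, precision -6, leap 11, trust 000
transmitted 4, in filter 4
reference time:    00000000.00000000  Thu, Feb  7 2036  7:28:16.000
"""

STATUS_RE = re.compile(r"stratum (\d+), precision -?\d+, leap ([01]{2}), trust \d+")
SENT_RE = re.compile(r"transmitted (\d+), in filter \d+")
REFTIME_RE = re.compile(r"reference time:\s+([0-9a-f]{8})\.([0-9a-f]{8})")


def parse_ntpdate_debug(output):
    """Extract the fields that decide whether ntpdate accepts a server."""
    status, sent = STATUS_RE.search(output), SENT_RE.search(output)
    if not (status and sent):
        raise ValueError("not ntpdate -d output for a single server")
    reftime = REFTIME_RE.search(output)
    return {
        "stratum": int(status.group(1)),
        "leap": int(status.group(2), 2),  # ntpdate prints the 2-bit leap field in binary
        "sent": int(sent.group(1)),
        "replies": len(re.findall(r"^\s*receive\(", output, re.M)),
        "reftime_zero": bool(reftime) and int("".join(reftime.groups()), 16) == 0,
    }


def diagnose(info):
    """Return reasons the reply is unusable, in the order checked."""
    reasons = []
    if info["replies"] < info["sent"]:
        reasons.append(f"only {info['replies']} of {info['sent']} requests answered")
    if info["stratum"] >= 16:
        reasons.append("stratum 16: server reports itself unsynchronized")
    if info["leap"] == 3:
        reasons.append("leap 11: alarm condition, server clock not synchronized")
    if info["reftime_zero"]:
        reasons.append("reference time is zero: no reference timestamp from the server")
    return reasons
```

Calling `diagnose(parse_ntpdate_debug(SAMPLE))` on the excerpt returns all four reasons.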
        yarick123

        In the end I excluded all CARP interfaces from the NTP configuration. It seems to be the best solution. Otherwise the ntpd on the standby firewall was not started while it was inactive.

          doktornotor

          Hmmm… IMHO the CARP interfaces/IPs should be used for what they've been designed. Not for random other services.

            yarick123

            > IMHO the CARP interfaces/IPs should be used for what they've been designed.

            Agreed. It was just an upgrade issue: in 2.1.5 it worked, in 2.2.2 without tuning it did not. In any case I would not qualify this as an error in pfSense :)
