PfSense NTP Server and Windows - error occurred while synchronizing

MrGlasspoole

I can't figure out why synchronizing the Windows PCs with the pfSense NTP Server does not work.
I always get: "An error occurred while Windows was synchronizing with 10.1.0.1"

Services > DHCP Server > LAN > NTP Server 1
is set to the LAN IP of the pfSense box: 10.1.0.1

The rest of the settings are in the attachments.

bingo600

If there is no "Autorule" for ntp.
You should allow UDP/123 from the desired lan(s) to "This Firewall".

Unless the windows PC's comes in on the lan interface, ntp might be blocked.

/Bingo

MrGlasspoole

The LAN NIC goes to the switch where all PCs are connected.

bingo600

Can you ssh to the firewall ?

If yes , what's the output of a : ntpq -p

[2.4.0-BETA][admin@kv-fw]/root: ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 0.pfsense.pool. .POOL.          16 p    -   64    0    0.000    0.000   0.000
-frodo.luna-lan. 194.58.204.148   2 u  382  512  377    0.144    3.725   0.589
-ns2.eushells.co 80.71.132.103    2 u  372  512  377    5.152   -3.319   0.284
+ntp10.icmp.dk   212.243.86.159   2 u  128  512  377    6.349   -1.051   0.233
-gohere.hojmark. 87.60.144.8      2 u   97  512  377    7.529   -2.303   0.103
*92.246.24.225   217.198.219.102  2 u   54  512  377    7.123   -1.123   0.477
-Time100.Stupi.S .PPS.            1 u  323  512  377   13.309    0.025   0.926
-78.156.100.202  5.186.56.205     3 u  226  512  377    6.351   -1.318   0.281
+78.156.103.10   217.198.219.102  2 u  173  512  377    5.864   -1.232   0.345
-mail.skytech.dk 89.184.128.202   2 u  117  512  377    8.639  -10.141   0.930

Do you have any entries marked with an ***** at the beginning of the line

Just noticed you can get the same via : Diagnostics->CommandPrompt

/Bingo

MrGlasspoole

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 ntps1-0.eecsit. .PPS.            1 u  172  512    1   29.456  -111151   0.087
 ntps1-1.eecsit. .STEP.          16 u  665  256    0    0.000    0.000   0.000
*ptbtime1.ptb.de .PTB.            1 u   50   64    1   26.354  -111152   0.349

bingo600

This shows that your pfSense ntp daemon is synced against a valid peer , and should be able (willing) to serve requests.

Do you have any deny's in the firewall log ?

/Bingo

johnpoz

Not sure where you see his ntp server is sync'd clearly his ntp running on pfsense is not ready to server time to anyone yet.. his highest reach is 1 vs 377, and look at his offset .. There is no way could serve time to any client as of yet..

MrGlasspoole

I changed the servers to:
192.53.103.108 192.53.103.104 192.53.103.103 130.149.17.21 130.149.17.8

And i found the NTP widget.
If i now look at the only clock from the first IP: https://uhr.ptb.de/
There is a ~2 Minute difference?

w0w

https://forum.pfsense.org/index.php?topic=131756.msg725349#msg725349
https://forum.pfsense.org/index.php?topic=122951.msg692268#msg692268
What pfSense version do you have?

bingo600

@johnpoz:

Not sure where you see his ntp server is sync'd clearly his ntp running on pfsense is not ready to server time to anyone yet.. his highest reach is 1 vs 377, and look at his offset .. There is no way could serve time to any client as of yet..

DOOH … I just focused on the selected peer & that it was stratum1 , and  not 16  :-[ :-[
Forgot to check-out the reachability.

Nice spotted jp  ;)

@OP
Why don't you add a "pool" on the Services->NTP settings ?

/Bingo

MrGlasspoole

I thought it's faster to use servers in my region the a pool.

I have now:
0.de.pool.ntp.org 1.de.pool.ntp.org 2.de.pool.ntp.org 3.de.pool.ntp.org

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*stratum2-3.NTP. 129.70.130.70    2 u   12   64    1   42.904  -110830   2.519
+stratum2-3.NTP. 129.70.130.71    2 u    9   64    3   28.065  -110835   3.317
+213.251.52.43   195.66.241.3     2 u   12   64    1   27.423  -110836   3.624
+213.95.200.107  213.95.151.123   2 u    8   64    3   17.878  -110839   1.081

Where does the "Is a Pool" checkbox in the screenshot come from?
I'm on the latest stable version…

The widget has still 2 minutes difference.
If the widget is not correct, how do i check if the pfSense time is correct?

johnpoz

you have to give it time.. your offset is 110,000 ms or 110 seconds so yeah about two minutes.

Give ntp time to work.. your best reach is 3.. 377 is what you want to wait for.. ntp will poll every 64 seconds.. Once it has gotten 8 polls in a row your reach will be 377 unless your having issues with talking to the ntp servers.

It takes time for ntp to adjust the clock.. you could do a ntpdate command to get it close to ntp server of your choice..

Once the ntp server is in sync it will allow clients to sync to it..

MrGlasspoole

I found out what the 2 minutes problem was.
Something i did not had in my mind.

I have pfSense running on a Hyper-V Server 2016.
There is the Integration Service: Time synchronization

I did use the german NTP server on my Windows 8.1 VM and also had 2 minutes difference.
So i did wonder and that is what brought the Time synchronization service to my mind.
After i did disable it in Hyper-V the time in the widget is now correct.
So pfSense was using the Hyper-V Server time…

Will now look further into it (the reason i made this thread).

But I'm thinking about building a Arduino with DCF77 since i live just 5.5 miles away from the station.
That brings up the question if it would be better to sync the Hyper-V Server with the Arduino and use the integration service with all VMs
or to sync every single VM with the Arduino.

johnpoz

"So pfSense was using the Hyper-V Server time"

Why would your hyper-v server time be off?  Why would you not sync everything on our network support ntp with ntp?

MrGlasspoole

Until today i never looked into it how to set up the NTP stuff in Hyper-V (Powershell/CMD).

Also Hyper-V can't get the time from a server until the pfSense VM is running.
Need to look at all that stuff.

There are many options and i don't know whats best.
Should the Hyper-V server get the time from a web server or from pfSense (that is getting the time from a web server)?
Should i use the integration service or not?

By the way - the PCs in my LAN now have no problems anymore getting the time from pfSense after i did disable the integration service.

After one hour it looks like this:

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 public.streikt. .STEP.          16 u  81m  512    0    0.000    0.000   0.000
 gromit.nocabal. .STEP.          16 u  72m  512    0    0.000    0.000   0.000
 tic.rueckblen.d .STEP.          16 u    -  512    0    0.000    0.000   0.000
 maggo.info      .STEP.          16 u  90m  512    0    0.000    0.000   0.000

johnpoz

and your reach is 0.. means your not talking to any of those!

There is no way ntp on pfsense would serve time to any client with those readings.  All your servers are in step and the reach is zero.

That last server is serving time..

$ ntpdate -d maggo.info
 2 Jul 11:54:38 ntpdate[7232]: ntpdate 4.2.8p10@1.3728-o Mar 23 13:48:34 (UTC+01:00) 2017  (1)
host found : maggo.info
Looking for host maggo.info and service ntp
78.46.253.198 reversed to maggo.info
 2 Jul 11:54:38 ntpdate[7232]: Raised to realtime priority class
transmit(78.46.253.198)
receive(78.46.253.198)
transmit(78.46.253.198)
receive(78.46.253.198)
transmit(78.46.253.198)
receive(78.46.253.198)
transmit(78.46.253.198)
receive(78.46.253.198)
server 78.46.253.198, port 123
stratum 2, precision -22, leap 00, trust 000
refid [78.46.253.198], delay 0.15166, dispersion 0.00063
transmitted 4, in filter 4
reference time:    dd03a2be.bb61c891  Sun, Jul  2 2017 11:50:06.731
originate timestamp: dd03a3d5.138163e5  Sun, Jul  2 2017 11:54:45.076
transmit timestamp:  dd03a3d5.02d7873b  Sun, Jul  2 2017 11:54:45.011
filter delay:  0.15239  0.15166  0.15329  0.15511
         0.00000  0.00000  0.00000  0.00000
filter offset: 0.001107 0.000330 0.001335 0.000314
         0.000000 0.000000 0.000000 0.000000
delay 0.15166, dispersion 0.00063
offset 0.000330

Why can you not reach it is the question.

MrGlasspoole

I attache the firewall log.

192.168.0.1 = Cable Modem
192.168.0.2 = pfSense WAN
fe80::e4d9:8b94:b93b:1994 = Workstation PC

bingo600

Suggestion :  (Don't kill me now JP)  ;)

I wonder if it has something to do with the .STEP. shown

.STEP. – step time change, the offset is less than the panic threshold (1000ms) but greater than the step threshold (125ms).

https://rednectar.net/2014/06/17/why-configuring-ntp-demands-patience/
https://learningnetwork.cisco.com/message/406862#406862

But i agree that it's funny if that should have influence on the reachability , but seems like it's the same in the Cisco url above.

Could you try to set the time as root ?
https://www.cyberciti.biz/faq/howto-set-date-and-time-timezone-in-freebsd/

Please be as accurate as possible on the second when hitting enter.
Then maybe then restart the ntpd service to see if it will sync up.  Status->Services  –> ntpd restart (The circle arrow)

Or even better, but requires you ssh into the pfSense as admin , and select a Shell  - 8

1: Stop ntpd , as it blocks for ntpdate by using the same socket/port
Status->Services  –> ntpd stop (The circle w. square in it)

2: ssh admin@ <pfsense-addr>, the select 8 , to get a root console.

3: Update the clock (via ntpdate) from a valid ntp server : ntpdate maggo.info
Mine showed (rember i was already in sync):

2 Jul 19:50:41 ntpdate[1781]: adjust time server 78.46.253.198 offset 0.000006 sec

Now your pfSense clock should be set to a valid time

4: Start the ntp service
Status->Services  –> ntpd start

Check the peers , to see if they act normal  (not stratum 16 , and not 0 in reachability , and some delays/offset displayed)

/Bingo

PS: Re: The - Is a Pool selection  - I run 2.4.0-Beta</pfsense-addr>

MrGlasspoole

Ok, i did it and the output was:

adjust time server 78.46.253.198 offset 0.198890 sec

Now i have:

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*public.streikt. 131.188.3.221    2 u  131   64  336   15.988    0.523   1.434
+gromit.nocabal. 131.188.3.220    2 u   53   64  377   15.015   -0.507   1.673
+kronos.mailus.d 131.188.3.223    2 u   55   64  377   17.553   -2.039   1.018
-maggo.info      192.53.103.103   2 u   16   64  377   15.972   -0.889   2.194

johnpoz

This is much better, and now pfsense should be able to sync clients.  But you are having issue with your current selected server, the * is the server you are using the + are ones that would be used if it went down, your reach is not 377 so you are having issues talking to it.

The reach value is a odd octal based counter that reflects how many answers if you have gotten out of the last 8, with 377 meaning your last 8 queries have all been answered.  Off the top can't tell what 336 means would have to look it up - but for sure atleast 1 of the last 8 has not been answered.. You can look up how the reach counter works..

Buffer     Octal    Decimal
--------    -----    -------
11111110     376       254
11111101     375       253
11111011     373       251
11110111     367       247
11101111     357       239
11011111     337       223
10111111     277       191
01111111     177       127
11111111     377       255

Ok looks like you have missed these packets with 336 value
11011110