PfSense NTP Server and Windows - error occurred while synchronizing

  • I can't figure out why synchronizing the Windows PCs with the pfSense NTP Server does not work.
    I always get: "An error occurred while Windows was synchronizing with"

    Services > DHCP Server > LAN > NTP Server 1
    is set to the LAN IP of the pfSense box:

    The rest of the settings are in the attachments.

  • If there is no "Autorule" for ntp.
    You should allow UDP/123 from the desired lan(s) to "This Firewall".

    Unless the windows PC's comes in on the lan interface, ntp might be blocked.


  • The LAN NIC goes to the switch where all PCs are connected.

  • Can you ssh to the firewall ?

    If yes , what's the output of a : ntpq -p

    [2.4.0-BETA][admin@kv-fw]/root: ntpq -p
         remote           refid      st t when poll reach   delay   offset  jitter
     0.pfsense.pool. .POOL.          16 p    -   64    0    0.000    0.000   0.000
    -frodo.luna-lan.   2 u  382  512  377    0.144    3.725   0.589    2 u  372  512  377    5.152   -3.319   0.284   2 u  128  512  377    6.349   -1.051   0.233
    -gohere.hojmark.      2 u   97  512  377    7.529   -2.303   0.103
    *  2 u   54  512  377    7.123   -1.123   0.477
    -Time100.Stupi.S .PPS.            1 u  323  512  377   13.309    0.025   0.926
    -     3 u  226  512  377    6.351   -1.318   0.281
    +  2 u  173  512  377    5.864   -1.232   0.345   2 u  117  512  377    8.639  -10.141   0.930

    Do you have any entries marked with an ***** at the beginning of the line

    Just noticed you can get the same via : Diagnostics->CommandPrompt


  •      remote           refid      st t when poll reach   delay   offset  jitter
     ntps1-0.eecsit. .PPS.            1 u  172  512    1   29.456  -111151   0.087
     ntps1-1.eecsit. .STEP.          16 u  665  256    0    0.000    0.000   0.000
    * .PTB.            1 u   50   64    1   26.354  -111152   0.349

  • This shows that your pfSense ntp daemon is synced against a valid peer , and should be able (willing) to serve requests.

    Do you have any deny's in the firewall log ?


  • LAYER 8 Global Moderator

    Not sure where you see his ntp server is sync'd clearly his ntp running on pfsense is not ready to server time to anyone yet.. his highest reach is 1 vs 377, and look at his offset .. There is no way could serve time to any client as of yet..

  • I changed the servers to:

    And i found the NTP widget.
    If i now look at the only clock from the first IP:
    There is a ~2 Minute difference?

  • @johnpoz:

    Not sure where you see his ntp server is sync'd clearly his ntp running on pfsense is not ready to server time to anyone yet.. his highest reach is 1 vs 377, and look at his offset .. There is no way could serve time to any client as of yet..

    DOOH … I just focused on the selected peer & that it was stratum1 , and  not 16  :-[ :-[
    Forgot to check-out the reachability.

    Nice spotted jp  ;)

    Why don't you add a "pool" on the Services->NTP settings ?


  • I thought it's faster to use servers in my region the a pool.

    I have now:

         remote           refid      st t when poll reach   delay   offset  jitter
    *stratum2-3.NTP.    2 u   12   64    1   42.904  -110830   2.519
    +stratum2-3.NTP.    2 u    9   64    3   28.065  -110835   3.317
    +     2 u   12   64    1   27.423  -110836   3.624
    +   2 u    8   64    3   17.878  -110839   1.081

    Where does the "Is a Pool" checkbox in the screenshot come from?
    I'm on the latest stable version…

    The widget has still 2 minutes difference.
    If the widget is not correct, how do i check if the pfSense time is correct?

  • LAYER 8 Global Moderator

    you have to give it time.. your offset is 110,000 ms or 110 seconds so yeah about two minutes.

    Give ntp time to work.. your best reach is 3.. 377 is what you want to wait for.. ntp will poll every 64 seconds.. Once it has gotten 8 polls in a row your reach will be 377 unless your having issues with talking to the ntp servers.

    It takes time for ntp to adjust the clock.. you could do a ntpdate command to get it close to ntp server of your choice..

    Once the ntp server is in sync it will allow clients to sync to it..

  • I found out what the 2 minutes problem was.
    Something i did not had in my mind.

    I have pfSense running on a Hyper-V Server 2016.
    There is the Integration Service: Time synchronization

    I did use the german NTP server on my Windows 8.1 VM and also had 2 minutes difference.
    So i did wonder and that is what brought the Time synchronization service to my mind.
    After i did disable it in Hyper-V the time in the widget is now correct.
    So pfSense was using the Hyper-V Server time…

    Will now look further into it (the reason i made this thread).

    But I'm thinking about building a Arduino with DCF77 since i live just 5.5 miles away from the station.
    That brings up the question if it would be better to sync the Hyper-V Server with the Arduino and use the integration service with all VMs
    or to sync every single VM with the Arduino.

  • LAYER 8 Global Moderator

    "So pfSense was using the Hyper-V Server time"

    Why would your hyper-v server time be off?  Why would you not sync everything on our network support ntp with ntp?

  • Until today i never looked into it how to set up the NTP stuff in Hyper-V (Powershell/CMD).

    Also Hyper-V can't get the time from a server until the pfSense VM is running.
    Need to look at all that stuff.

    There are many options and i don't know whats best.
    Should the Hyper-V server get the time from a web server or from pfSense (that is getting the time from a web server)?
    Should i use the integration service or not?

    By the way - the PCs in my LAN now have no problems anymore getting the time from pfSense after i did disable the integration service.

    After one hour it looks like this:

         remote           refid      st t when poll reach   delay   offset  jitter
     public.streikt. .STEP.          16 u  81m  512    0    0.000    0.000   0.000
     gromit.nocabal. .STEP.          16 u  72m  512    0    0.000    0.000   0.000
     tic.rueckblen.d .STEP.          16 u    -  512    0    0.000    0.000   0.000      .STEP.          16 u  90m  512    0    0.000    0.000   0.000
  • LAYER 8 Global Moderator

    and your reach is 0.. means your not talking to any of those!

    There is no way ntp on pfsense would serve time to any client with those readings.  All your servers are in step and the reach is zero.

    That last server is serving time..

    $ ntpdate -d
     2 Jul 11:54:38 ntpdate[7232]: ntpdate 4.2.8p10@1.3728-o Mar 23 13:48:34 (UTC+01:00) 2017  (1)
    host found :
    Looking for host and service ntp reversed to
     2 Jul 11:54:38 ntpdate[7232]: Raised to realtime priority class
    server, port 123
    stratum 2, precision -22, leap 00, trust 000
    refid [], delay 0.15166, dispersion 0.00063
    transmitted 4, in filter 4
    reference time:    dd03a2be.bb61c891  Sun, Jul  2 2017 11:50:06.731
    originate timestamp: dd03a3d5.138163e5  Sun, Jul  2 2017 11:54:45.076
    transmit timestamp:  dd03a3d5.02d7873b  Sun, Jul  2 2017 11:54:45.011
    filter delay:  0.15239  0.15166  0.15329  0.15511
             0.00000  0.00000  0.00000  0.00000
    filter offset: 0.001107 0.000330 0.001335 0.000314
             0.000000 0.000000 0.000000 0.000000
    delay 0.15166, dispersion 0.00063
    offset 0.000330

    Why can you not reach it is the question.

  • I attache the firewall log. = Cable Modem = pfSense WAN
    fe80::e4d9:8b94:b93b:1994 = Workstation PC

  • Suggestion :  (Don't kill me now JP)  ;)

    I wonder if it has something to do with the .STEP. shown

    .STEP. – step time change, the offset is less than the panic threshold (1000ms) but greater than the step threshold (125ms).

    But i agree that it's funny if that should have influence on the reachability , but seems like it's the same in the Cisco url above.

    Could you try to set the time as root ?

    Please be as accurate as possible on the second when hitting enter.
    Then maybe then restart the ntpd service to see if it will sync up.  Status->Services  –> ntpd restart (The circle arrow)

    Or even better, but requires you ssh into the pfSense as admin , and select a Shell  - 8

    1: Stop ntpd , as it blocks for ntpdate by using the same socket/port
    Status->Services  –> ntpd stop (The circle w. square in it)

    2: ssh admin@ <pfsense-addr>, the select 8 , to get a root console.

    3: Update the clock (via ntpdate) from a valid ntp server : ntpdate
    Mine showed (rember i was already in sync):

    2 Jul 19:50:41 ntpdate[1781]: adjust time server offset 0.000006 sec

    Now your pfSense clock should be set to a valid time

    4: Start the ntp service
    Status->Services  –> ntpd start

    Check the peers , to see if they act normal  (not stratum 16 , and not 0 in reachability , and some delays/offset displayed)


    PS: Re: The - Is a Pool selection  - I run 2.4.0-Beta</pfsense-addr>

  • Ok, i did it and the output was:

    adjust time server offset 0.198890 sec

    Now i have:

         remote           refid      st t when poll reach   delay   offset  jitter
    *public.streikt.    2 u  131   64  336   15.988    0.523   1.434
    +gromit.nocabal.    2 u   53   64  377   15.015   -0.507   1.673
    +kronos.mailus.d    2 u   55   64  377   17.553   -2.039   1.018   2 u   16   64  377   15.972   -0.889   2.194
  • LAYER 8 Global Moderator

    This is much better, and now pfsense should be able to sync clients.  But you are having issue with your current selected server, the * is the server you are using the + are ones that would be used if it went down, your reach is not 377 so you are having issues talking to it.

    The reach value is a odd octal based counter that reflects how many answers if you have gotten out of the last 8, with 377 meaning your last 8 queries have all been answered.  Off the top can't tell what 336 means would have to look it up - but for sure atleast 1 of the last 8 has not been answered.. You can look up how the reach counter works..

    Buffer     Octal    Decimal
    --------    -----    -------
    11111110     376       254
    11111101     375       253
    11111011     373       251
    11110111     367       247
    11101111     357       239
    11011111     337       223
    10111111     277       191
    01111111     177       127
    11111111     377       255

    Ok looks like you have missed these packets with 336 value

  • Not the main topic but i don't want to open a new thread.

    I did build a DCF77 radio receiver for a view bucks with a Arduino.
    It is now connected to the motherboards serial port of my Hyper-V 2016 server.

    I did install the Meinberg Driver and there NTP package on the Hyper-V 2016 server.
    On the other windows PCs I use the NTP package.

    I have in pfSense now + Prefer.

    Is there something in Services > NTP > ACLs i need to set if i don't want do use pfSense as timeserver?
    Does "Service - Disable all except ntpq and ntpdc queries (noserve)" disable the timeserver?

    Some images in the attachment if somebody want to see it.