PfSense NTP Server and Windows - error occurred while synchronizing
-
I can't figure out why synchronizing the Windows PCs with the pfSense NTP Server does not work.
I always get: "An error occurred while Windows was synchronizing with 10.1.0.1"
Services > DHCP Server > LAN > NTP Server 1 is set to the LAN IP of the pfSense box: 10.1.0.1
The rest of the settings are in the attachments.
-
If there is no "Autorule" for ntp, you should allow UDP/123 from the desired lan(s) to "This Firewall".
Unless the windows PCs come in on the lan interface, ntp might be blocked.
/Bingo
-
The LAN NIC goes to the switch where all PCs are connected.
-
Can you ssh to the firewall ?
If yes , what's the output of a : ntpq -p
[2.4.0-BETA][admin@kv-fw]/root: ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 0.pfsense.pool. .POOL.          16 p    -   64    0    0.000    0.000   0.000
-frodo.luna-lan. 194.58.204.148   2 u  382  512  377    0.144    3.725   0.589
-ns2.eushells.co 80.71.132.103    2 u  372  512  377    5.152   -3.319   0.284
+ntp10.icmp.dk   212.243.86.159   2 u  128  512  377    6.349   -1.051   0.233
-gohere.hojmark. 87.60.144.8      2 u   97  512  377    7.529   -2.303   0.103
*92.246.24.225   217.198.219.102  2 u   54  512  377    7.123   -1.123   0.477
-Time100.Stupi.S .PPS.            1 u  323  512  377   13.309    0.025   0.926
-78.156.100.202  5.186.56.205     3 u  226  512  377    6.351   -1.318   0.281
+78.156.103.10   217.198.219.102  2 u  173  512  377    5.864   -1.232   0.345
-mail.skytech.dk 89.184.128.202   2 u  117  512  377    8.639  -10.141   0.930
Do you have any entries marked with an * at the beginning of the line?
Just noticed you can get the same via : Diagnostics->CommandPrompt
/Bingo
-
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 ntps1-0.eecsit. .PPS.            1 u  172  512    1   29.456  -111151   0.087
 ntps1-1.eecsit. .STEP.          16 u  665  256    0    0.000    0.000   0.000
*ptbtime1.ptb.de .PTB.            1 u   50   64    1   26.354  -111152   0.349
-
This shows that your pfSense ntp daemon is synced against a valid peer , and should be able (willing) to serve requests.
Do you have any deny's in the firewall log ?
/Bingo
-
Not sure where you see his ntp server is sync'd, clearly his ntp running on pfsense is not ready to serve time to anyone yet.. his highest reach is 1 vs 377, and look at his offset .. There is no way it could serve time to any client as of yet..
-
I changed the servers to:
192.53.103.108 192.53.103.104 192.53.103.103 130.149.17.21 130.149.17.8
And i found the NTP widget.
If i now look at the only clock from the first IP: https://uhr.ptb.de/
There is a ~2 Minute difference?
-
https://forum.pfsense.org/index.php?topic=131756.msg725349#msg725349
https://forum.pfsense.org/index.php?topic=122951.msg692268#msg692268
What pfSense version do you have?
-
Not sure where you see his ntp server is sync'd, clearly his ntp running on pfsense is not ready to serve time to anyone yet.. his highest reach is 1 vs 377, and look at his offset .. There is no way it could serve time to any client as of yet..
DOOH … I just focused on the selected peer & that it was stratum1 , and not 16 :-[ :-[
Forgot to check-out the reachability.
Nice spotted jp ;)
@OP
Why don't you add a "pool" on the Services->NTP settings ?
/Bingo
-
I thought it's faster to use servers in my region than a pool.
I have now:
0.de.pool.ntp.org 1.de.pool.ntp.org 2.de.pool.ntp.org 3.de.pool.ntp.org
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*stratum2-3.NTP. 129.70.130.70    2 u   12   64    1   42.904  -110830   2.519
+stratum2-3.NTP. 129.70.130.71    2 u    9   64    3   28.065  -110835   3.317
+213.251.52.43   195.66.241.3     2 u   12   64    1   27.423  -110836   3.624
+213.95.200.107  213.95.151.123   2 u    8   64    3   17.878  -110839   1.081
Where does the "Is a Pool" checkbox in the screenshot come from?
I'm on the latest stable version…
The widget has still 2 minutes difference.
If the widget is not correct, how do i check if the pfSense time is correct?
-
you have to give it time.. your offset is 110,000 ms or 110 seconds so yeah about two minutes.
Give ntp time to work.. your best reach is 3.. 377 is what you want to wait for.. ntp will poll every 64 seconds.. Once it has gotten 8 polls in a row your reach will be 377 unless you're having issues with talking to the ntp servers.
It takes time for ntp to adjust the clock.. you could do a ntpdate command to get it close to ntp server of your choice..
Once the ntp server is in sync it will allow clients to sync to it..
-
I found out what the 2 minutes problem was.
Something i did not have in my mind.
I have pfSense running on a Hyper-V Server 2016.
There is the Integration Service: Time synchronization
I did use the german NTP server on my Windows 8.1 VM and also had 2 minutes difference.
So i did wonder and that is what brought the Time synchronization service to my mind.
After i did disable it in Hyper-V the time in the widget is now correct.
So pfSense was using the Hyper-V Server time…
Will now look further into it (the reason i made this thread).
But I'm thinking about building an Arduino with DCF77 since i live just 5.5 miles away from the station.
That brings up the question if it would be better to sync the Hyper-V Server with the Arduino and use the integration service with all VMs
or to sync every single VM with the Arduino.
-
"So pfSense was using the Hyper-V Server time"
Why would your hyper-v server time be off? Why would you not sync everything on your network that supports ntp with ntp?
-
Until today i never looked into it how to set up the NTP stuff in Hyper-V (Powershell/CMD).
Also Hyper-V can't get the time from a server until the pfSense VM is running.
Need to look at all that stuff.
There are many options and i don't know whats best.
Should the Hyper-V server get the time from a web server or from pfSense (that is getting the time from a web server)?
Should i use the integration service or not?
By the way - the PCs in my LAN now have no problems anymore getting the time from pfSense after i did disable the integration service.
After one hour it looks like this:
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 public.streikt. .STEP.          16 u  81m  512    0    0.000    0.000   0.000
 gromit.nocabal. .STEP.          16 u  72m  512    0    0.000    0.000   0.000
 tic.rueckblen.d .STEP.          16 u    -  512    0    0.000    0.000   0.000
 maggo.info      .STEP.          16 u  90m  512    0    0.000    0.000   0.000
-
and your reach is 0.. means you're not talking to any of those!
There is no way ntp on pfsense would serve time to any client with those readings. All your servers are in step and the reach is zero.
That last server is serving time..
$ ntpdate -d maggo.info
 2 Jul 11:54:38 ntpdate[7232]: ntpdate 4.2.8p10@1.3728-o Mar 23 13:48:34 (UTC+01:00) 2017 (1)
host found : maggo.info
Looking for host maggo.info and service ntp
78.46.253.198 reversed to maggo.info
 2 Jul 11:54:38 ntpdate[7232]: Raised to realtime priority class
transmit(78.46.253.198)
receive(78.46.253.198)
transmit(78.46.253.198)
receive(78.46.253.198)
transmit(78.46.253.198)
receive(78.46.253.198)
transmit(78.46.253.198)
receive(78.46.253.198)
server 78.46.253.198, port 123
stratum 2, precision -22, leap 00, trust 000
refid [78.46.253.198], delay 0.15166, dispersion 0.00063
transmitted 4, in filter 4
reference time:      dd03a2be.bb61c891  Sun, Jul 2 2017 11:50:06.731
originate timestamp: dd03a3d5.138163e5  Sun, Jul 2 2017 11:54:45.076
transmit timestamp:  dd03a3d5.02d7873b  Sun, Jul 2 2017 11:54:45.011
filter delay:  0.15239  0.15166  0.15329  0.15511
               0.00000  0.00000  0.00000  0.00000
filter offset: 0.001107 0.000330 0.001335 0.000314
               0.000000 0.000000 0.000000 0.000000
delay 0.15166, dispersion 0.00063
offset 0.000330
Why can you not reach it is the question.
-
I attach the firewall log.
192.168.0.1 = Cable Modem
192.168.0.2 = pfSense WAN
fe80::e4d9:8b94:b93b:1994 = Workstation PC
-
Suggestion : (Don't kill me now JP) ;)
I wonder if it has something to do with the .STEP. shown
.STEP. – step time change, the offset is less than the panic threshold (1000ms) but greater than the step threshold (125ms).
https://rednectar.net/2014/06/17/why-configuring-ntp-demands-patience/
https://learningnetwork.cisco.com/message/406862#406862
But i agree that it's funny if that should have influence on the reachability , but seems like it's the same in the Cisco url above.
Could you try to set the time as root ?
https://www.cyberciti.biz/faq/howto-set-date-and-time-timezone-in-freebsd/
Please be as accurate as possible on the second when hitting enter.
Then maybe restart the ntpd service to see if it will sync up. Status->Services –> ntpd restart (The circle arrow)
Or even better, but requires you ssh into the pfSense as admin , and select a Shell - 8
1: Stop ntpd , as it blocks for ntpdate by using the same socket/port
Status->Services –> ntpd stop (The circle w. square in it)
2: ssh admin@<pfsense-addr>, then select 8 , to get a root console.
3: Update the clock (via ntpdate) from a valid ntp server : ntpdate maggo.info
Mine showed (remember i was already in sync):
2 Jul 19:50:41 ntpdate[1781]: adjust time server 78.46.253.198 offset 0.000006 sec
Now your pfSense clock should be set to a valid time
4: Start the ntp service
Status->Services –> ntpd start
Check the peers , to see if they act normal (not stratum 16 , and not 0 in reachability , and some delays/offset displayed)
/Bingo
PS: Re: The - Is a Pool selection - I run 2.4.0-Beta
-
Ok, i did it and the output was:
adjust time server 78.46.253.198 offset 0.198890 sec
Now i have:
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*public.streikt. 131.188.3.221    2 u  131   64  336   15.988    0.523   1.434
+gromit.nocabal. 131.188.3.220    2 u   53   64  377   15.015   -0.507   1.673
+kronos.mailus.d 131.188.3.223    2 u   55   64  377   17.553   -2.039   1.018
-maggo.info      192.53.103.103   2 u   16   64  377   15.972   -0.889   2.194
-
This is much better, and now pfsense should be able to sync clients. But you are having issues with your current selected server, the * is the server you are using the + are ones that would be used if it went down, your reach is not 377 so you are having issues talking to it.
The reach value is an odd octal based counter that reflects how many answers you have gotten out of the last 8, with 377 meaning your last 8 queries have all been answered. Off the top can't tell what 336 means would have to look it up - but for sure at least 1 of the last 8 has not been answered.. You can look up how the reach counter works..
Buffer   Octal Decimal
-------- ----- -------
11111110 376   254
11111101 375   253
11111011 373   251
11110111 367   247
11101111 357   239
11011111 337   223
10111111 277   191
01111111 177   127
11111111 377   255
Ok looks like you have missed these packets with 336 value
11011110
-
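Added example, not part of any post in this thread: a short Python script that decodes the reach column of `ntpq -p` output the way the table above does and lists which of the last eight polls went unanswered. The sample rows are constructed from peer lines quoted in different listings earlier in the thread, and the function names are this example's own.

```python
# Added example: decode the reach column of `ntpq -p` output.
# SAMPLE is constructed from peer lines quoted in this thread.
SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*public.streikt. 131.188.3.221    2 u  131   64  336   15.988    0.523   1.434
+gromit.nocabal. 131.188.3.220    2 u   53   64  377   15.015   -0.507   1.673
 tic.rueckblen.d .STEP.          16 u    -  512    0    0.000    0.000   0.000
*ptbtime1.ptb.de .PTB.            1 u   50   64    1   26.354  -111152   0.349
"""


def decode_reach(octal_text):
    """Return (bits, missed_ages); age 0 is the most recent poll."""
    value = int(octal_text, 8)       # 8-bit shift register printed in octal
    bits = format(value, "08b")      # leftmost bit is the oldest poll
    missed = [age for age in range(8) if not (value >> age) & 1]
    return bits, missed


def parse_peers(text):
    """Parse ntpq -p rows; column 0 is the tally code (* + - or blank)."""
    peers = []
    for line in text.splitlines():
        fields = line[1:].split()
        if len(fields) != 10 or fields[0] == "remote":
            continue                 # skip header, separator and blank lines
        bits, missed = decode_reach(fields[6])
        peers.append({
            "tally": line[0], "remote": fields[0], "stratum": int(fields[2]),
            "reach": fields[6], "bits": bits, "missed": missed,
            "offset_ms": float(fields[8]),
        })
    return peers


def report(peers):
    """One summary line per peer: answered polls and which ones were missed."""
    lines = []
    for p in peers:
        answered = 8 - len(p["missed"])
        lines.append(f'{p["tally"]}{p["remote"]:<16} reach {p["reach"]:>3} = {p["bits"]} '
                     f'answered {answered}/8, missed ages {p["missed"]}, '
                     f'stratum {p["stratum"]}, offset {p["offset_ms"]} ms')
    return lines


if __name__ == "__main__":
    print("\n".join(report(parse_peers(SAMPLE))))
```

For reach 336 this reports ages 0 and 5 as missed, that is the newest poll and the one five polls before it.
-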
Not the main topic but i don't want to open a new thread.
I did build a DCF77 radio receiver for a few bucks with an Arduino.
It is now connected to the motherboards serial port of my Hyper-V 2016 server.
I did install the Meinberg Driver and their NTP package on the Hyper-V 2016 server.
On the other windows PCs I use the NTP package.
I have in pfSense now 10.1.0.2 + Prefer.
Is there something in Services > NTP > ACLs i need to set if i don't want to use pfSense as timeserver?
Does "Service - Disable all except ntpq and ntpdc queries (noserve)" disable the timeserver?
Some images in the attachment if somebody want to see it.