Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    NTP, leap 11 (Leap not in sync)

    Scheduled Pinned Locked Moved General pfSense Questions
    4 Posts 2 Posters 2.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      jason00
      last edited by

      I am having trouble getting ntp clients to sync to the time provided by pfSense.

      My pfSense version:
      2.4.2-RELEASE-p1 (amd64)
      built on Tue Dec 12 13:45:26 CST 2017
      FreeBSD 11.1-RELEASE-p6

      When another client executes:

      
ntpdate -d 192.168.1.1

      I get the response:

      
 1 Mar 20:26:22 ntpdate[12568]: ntpdate 4.2.8p10@1.3728-o Sat Sep 23 19:02:40 UTC 2017 (1)
transmit(192.168.1.1)
receive(192.168.1.1)
transmit(192.168.1.1)
receive(192.168.1.1)
transmit(192.168.1.1)
receive(192.168.1.1)
transmit(192.168.1.1)
receive(192.168.1.1)
192.168.1.1: Server dropped: Leap not in sync
server 192.168.1.1, port 123
stratum 2, precision -18, leap 11, trust 000
refid [192.168.1.1], delay 0.02580, dispersion 0.00005
transmitted 4, in filter 4
reference time:    de4334bb.d0191bc6  Thu, Mar  1 2018 20:26:03.812
originate timestamp: de4334d3.29bef709  Thu, Mar  1 2018 20:26:27.163
transmit timestamp:  de4334d4.277ce4ed  Thu, Mar  1 2018 20:26:28.154
filter delay:  0.02586  0.02585  0.02580  0.02592 
         0.00000  0.00000  0.00000  0.00000 
filter offset: -0.99131 -0.99141 -0.99145 -0.99145
         0.000000 0.000000 0.000000 0.000000
delay 0.02580, dispersion 0.00005
offset -0.991454

 1 Mar 20:26:28 ntpdate[12568]: no server suitable for synchronization found

      If I go to pfSense dashboard > services > ntp > and just press 'save'… the client will successfully sync to the timeserver, but if I try again in a few minutes I will get the same error message.

      I have 4 time services configured in pfSense:
      0.us.pool.ntp.org
      1.us.pool.ntp.org
      2.us.pool.ntp.org
      3.us.pool.ntp.org

      Going to Status > NTP

      I sometimes get good results, and sometimes bad...

      This...

      
Pool Placeholder	0.us.pool.ntp.o	.POOL.	16	p	-	64	0	0.000	0.000	0.004
Pool Placeholder	1.us.pool.ntp.o	.POOL.	16	p	-	64	0	0.000	0.000	0.004
Pool Placeholder	2.us.pool.ntp.o	.POOL.	16	p	-	64	0	0.000	0.000	0.004
Pool Placeholder	3.us.pool.ntp.o	.POOL.	16	p	-	64	0	0.000	0.000	0.004
Active Peer	204.9.54.119	.CDMA.	1	u	34	64	1	36.595	-162.21	60.446
Candidate	96.244.96.19	192.168.10.254	2	u	32	64	1	59.501	-190.55	80.729
Candidate	74.82.59.149	64.6.144.6	3	u	34	64	1	63.739	-149.25	49.326
Selected	192.92.6.30	.PPS.	1	u	33	64	1	121.787	-218.72	66.634
Selected	129.6.15.29	.NIST.	1	u	31	64	1	63.248	-189.67	77.537
Selected	45.127.112.2	18.26.4.105	2	u	31	64	1	34.611	-184.91	77.094
Outlier	45.56.118.161	152.2.133.53	2	u	28	64	1	45.636	-115.41	49.026
Selected	45.76.244.202	64.250.105.228	2	u	32	64	1	61.349	-118.53	50.625
Selected	128.138.141.172	.NIST.	1	u	30	64	1	51.397	-149.43	47.355
Selected	12.167.151.1	129.6.15.29	2	u	31	64	1	58.865	-71.613	77.698
Selected	104.131.53.252	18.26.4.105	2	u	28	64	1	51.769	-70.326	80.624
Outlier	129.6.15.30	.NIST.	1	u	28	64	1	61.494	-191.75	82.000
Candidate	171.66.97.126	.GPSs.	1	u	29	64	1	66.428	-150.35	52.220
Candidate	72.29.161.5	.GPS.	1	u	24	64	1	66.810	-153.49	50.186
Candidate	198.137.202.56	66.220.9.122	2	u	29	64	1	62.499	-171.84	65.983
Outlier	198.60.22.240	150.143.81.69	2	u	27	64	1	65.793	-103.08	63.338
Outlier	52.6.160.3	130.207.244.240	2	u	33	64	1	46.387	-70.316	82.424

      And then sometimes it looks like this….

      
Pool Placeholder	0.us.pool.ntp.o	.POOL.	16	p	-	64	0	0.000	0.000	0.004
Pool Placeholder	1.us.pool.ntp.o	.POOL.	16	p	-	64	0	0.000	0.000	0.004
Pool Placeholder	2.us.pool.ntp.o	.POOL.	16	p	-	64	0	0.000	0.000	0.004
Pool Placeholder	3.us.pool.ntp.o	.POOL.	16	p	-	64	0	0.000	0.000	0.004
Unreach/Pending	204.9.54.119	.CDMA.	1	u	74	64	1	46.983	-106.63	0.004
Unreach/Pending	96.244.96.19	192.168.10.254	2	u	78	64	1	85.603	-115.70	0.004
Unreach/Pending	74.82.59.149	64.6.144.6	3	u	75	64	1	74.621	-115.02	0.004
Unreach/Pending	192.92.6.30	.PPS.	1	u	74	64	1	87.845	-124.99	0.004
Unreach/Pending	129.6.15.29	.NIST.	1	u	78	64	1	75.204	-108.38	0.004
Unreach/Pending	45.127.112.2	35.73.197.144	2	u	74	64	1	37.517	-108.14	0.004
Unreach/Pending	45.56.118.161	128.227.205.3	2	u	41	64	1	46.148	-111.77	13.790
Unreach/Pending	45.76.244.202	128.138.141.172	2	u	76	64	1	71.580	-112.84	0.004
Unreach/Pending	128.138.141.172	.NIST.	1	u	77	64	1	49.563	-116.63	0.004
Unreach/Pending	12.167.151.1	129.6.15.29	2	u	75	64	1	72.482	-109.31	0.004
Unreach/Pending	104.131.53.252	173.162.192.156	2	u	41	64	1	54.919	-131.42	16.409
Unreach/Pending	129.6.15.30	.NIST.	1	u	78	64	1	74.280	-108.21	0.004
Unreach/Pending	171.66.97.126	.GPSs.	1	u	74	64	1	65.748	-121.27	0.004
Unreach/Pending	72.29.161.5	.GPS.	1	u	37	64	1	66.148	-138.20	22.031
Unreach/Pending	198.137.202.56	66.220.9.122	2	u	76	64	1	65.255	-116.92	0.004
Unreach/Pending	198.60.22.240	150.143.81.69	2	u	40	64	1	68.234	-140.74	20.050
Unreach/Pending	52.6.160.3	130.207.244.240	2	u	75	64	1	57.044	-113.48	0.004

      The NTP system log doesn't seem to show anything interesting:

      
Mar 1 19:38:43	ntpd	30258	ntpd 4.2.8p10@1.3728-o Sun Oct 8 22:12:06 UTC 2017 (1): Starting
Mar 1 19:38:43	ntpd	30258	Command line: /usr/local/sbin/ntpd -g -c /var/etc/ntpd.conf -p /var/run/ntpd.pid
Mar 1 19:38:43	ntpd	30399	proto: precision = 4.000 usec (-18)
Mar 1 19:38:43	ntpd	30399	leapsecond file ('/var/db/leap-seconds'): good hash signature
Mar 1 19:38:43	ntpd	30399	leapsecond file ('/var/db/leap-seconds'): loaded, expire=2018-12-28T00:00:00Z last=2017-01-01T00:00:00Z ofs=37
Mar 1 19:38:43	ntpd	30399	Listen normally on 1 vtnet0 192.168.1.1:123
Mar 1 19:38:43	ntpd	30399	Listen normally on 2 lo0 [::1]:123
Mar 1 19:38:43	ntpd	30399	Listen normally on 3 lo0 127.0.0.1:123
Mar 1 19:38:43	ntpd	30399	Listening on routing socket on fd #24 for interface updates
Mar 1 19:38:45	ntpd	30399	Soliciting pool server 204.9.54.119
Mar 1 19:38:45	ntpd	30399	Soliciting pool server 96.244.96.19
Mar 1 19:38:46	ntpd	30399	Soliciting pool server 74.82.59.149
Mar 1 19:38:46	ntpd	30399	Soliciting pool server 45.79.111.114
Mar 1 19:38:46	ntpd	30399	Soliciting pool server 192.92.6.30
Mar 1 19:38:47	ntpd	30399	Soliciting pool server 129.6.15.29
Mar 1 19:38:47	ntpd	30399	Soliciting pool server 45.127.112.2
Mar 1 19:38:47	ntpd	30399	Soliciting pool server 45.56.118.161
Mar 1 19:38:47	ntpd	30399	Soliciting pool server 45.76.244.202
Mar 1 19:38:48	ntpd	30399	Soliciting pool server 12.167.151.1
Mar 1 19:38:48	ntpd	30399	Soliciting pool server 128.138.141.172
Mar 1 19:38:48	ntpd	30399	Soliciting pool server 104.131.53.252
Mar 1 19:38:49	ntpd	30399	Soliciting pool server 72.29.161.5
Mar 1 19:38:49	ntpd	30399	Soliciting pool server 171.66.97.126
Mar 1 19:38:49	ntpd	30399	Soliciting pool server 129.6.15.30
Mar 1 19:38:50	ntpd	30399	Soliciting pool server 198.137.202.56
Mar 1 19:38:50	ntpd	30399	Soliciting pool server 2604:880:50:6f::ffff:53
Mar 1 19:38:50	ntpd	30399	Soliciting pool server 198.60.22.240
Mar 1 19:56:19	ntpd	30399	Soliciting pool server 52.6.160.3

      Anyone have any ideas?

      Edit:
      I should mention, pfSense is running in a VM under proxmox. I think this NTP problem started when I upgraded to pfSense 2.4.2… I think I may have had 2.3.X prior?....

      1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator
        last edited by

        Well ntp is clearly not talking to pool servers.. None of your status is good.  From that you have never talked to any ntp server you have setup… NTP server will show reach of 377 when you can talk to them without issue and they have gotten multiple updates from them, etc..  Looks like the highest reach you have ever gotten is 1..

        You need to figure out why pfsense is not talking to the pool servers.

        Do you have something upstream of pfsense blocking ntp?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        1 Reply Last reply Reply Quote 0
        • J
          jason00
          last edited by

          Thanks for the hint…
          I ran "ntpdate -d 0.us.pool.ntp.org" from the pfSense shell, and it appears to execute succesfully.
          I am unable to copy/paste the output but it receives the time with .8 sec offset, stratum 1 server, precision -18, leap 00, trust 000

          1 Reply Last reply Reply Quote 0
          • johnpozJ
            johnpoz LAYER 8 Global Moderator
            last edited by

            Well clearly from your output pfsense ntpd which is not ntpdate is not able to talk outbound.. Did you mess with outbound nat?  Do you have any floating rules..

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.