NTP Sync has stopped.

jrey · Jul 22, 2023, 12:41 PM

Just noticed time is drifting away and that the NTP Sync to pools has stopped working.
I've gone back in the logs as far as I can (July 12) and haven't seen a sync. I suspect this is related to 23.05 upgrade that was applied or the 23.05.1 upgrade that was also applied. it was working without issue on prior versions.

I've changed the pools to try a couple of others, restarted the service and eventually just rebooted. All providing the same result.
I can ping all the IP addresses returned by the pools.
Not sure what else I can try.

🔒 Log in to view

Never shows any actual time servers and which ones are active.
🔒 Log in to view

Looking at the year graph looks like is stopped around July 1st (23.05.1 install around then as I recall)
🔒 Log in to view

ntplog.txt

NollipfSense · Jul 22, 2023, 1:02 PM

@jrey said in NTP Sync has stopped.:

I've changed the pools to try a couple of others, restarted the service and eventually just rebooted.

Here's mine and I have used these three for the longest time and never had an issue I have noticed. I like to use time.apple.com because most of my devices are Apple's. In the pass, I have used time.google.com also.

🔒 Log in to view

jrey · Jul 22, 2023, 1:06 PM

@NollipfSense Thanks for the reply I've tried a few different ones as part of testing - and until recently have never had an issue. Now the system never gets to finding candidates or setting an active one. The logs don't really show anything I can see as to why. Clearly see the "when it stopped" in the graph provided. Which correlates in time to the upgrade being applied.

johnpoz · Jul 22, 2023, 1:29 PM

@jrey did you validate the ntp pool fqdn your using even resolves?

;; QUESTION SECTION:
;0.ca.pool.ntp.org.             IN      A

;; ANSWER SECTION:
0.ca.pool.ntp.org.      3600    IN      A       162.159.200.1
0.ca.pool.ntp.org.      3600    IN      A       142.4.192.253
0.ca.pool.ntp.org.      3600    IN      A       216.197.156.83
0.ca.pool.ntp.org.      3600    IN      A       209.115.181.107

Can pfsense resolve them to Ips?

🔒 Log in to view

or any other fqdn that your trying to use for ntp?

jrey · Jul 22, 2023, 2:15 PM

@johnpoz Yes, as above "I can ping all the IP addresses returned by the pools." and as is the nature of the pools, you likely get different responses which each subsequent uncached DNS query.
However those IP addresses can be pinged as well..

Nothing has really changed in my configuration and clearly it has stopped around the time I applied the last system update.
But not a DNS issue for sure.

No FW rules have even been changed since it worked last. The log file I originally attached in the first message has IP address, all check.

🔒 Log in to view

I setup a packet trace to check for 123 outbound on the Wan. I don't have an old log file, but I'm pretty sure it use to log the finding and changing of the active.
Meanwhile
The packet trace lead to a WTH moment.
The requests are coming from an IP that I don't use in my network. (10.10.
ifconfig, it is bound to localhost.
Wait localhost, why that? (I don't even listen on localhost.)

🔒 Log in to view

But what I did, was select (WAN, LAN, localhost) on the above screen, then clear WAN, localhost) and NTP almost immediately started working again.
Not sure why, but I pulled an old config and localhost has never been selected.
Seems something in the update made the system think it was, and the system was listening to itself, even though I couldn't see this in the dialog as only LAN appeared selected.

🔒 Log in to view