Netgate Discussion Forum

NTP set to time.google.com not working after reboot

  • R
    rpsmith
    last edited by 11 days ago

    NTP set to time.google.com not working after reboot but works fine if I restart the NTP service. I have had this problem for a long time and on all nine firewalls I manage. I finally started putting a lower priority server in the list (us.pool.ntp.org) so I would have a NTP server show up after a reboot but it seems to finally pick up the time.google.com server as time goes on.

    Not a huge problem for me but an annoyance for sure.

    Roy...

    • J
      johnpoz LAYER 8 Global Moderator @rpsmith
      last edited by johnpoz 11 days ago 11 days ago

      @rpsmith only thing I could think of would be dns problem that could delay talking to it right away. Or an issue with interface maybe, are you using a vpn that you route all traffic through?

      Are you putting in the fqdn vs just IP? Are you talking to it via IPv4 or IPv6? There is a setting in the ntp service at bottom where you can set auto, IPv4 or IPv6 for dns resolution.

      If using fqdn, I would try just IPs

      time.google.com.        13786   IN      A       216.239.35.12
      time.google.com.        13786   IN      A       216.239.35.8
      time.google.com.        13786   IN      A       216.239.35.4
      time.google.com.        13786   IN      A       216.239.35.0
      
      time.google.com.        9663    IN      AAAA    2001:4860:4806:4::
      time.google.com.        9663    IN      AAAA    2001:4860:4806:c::
      time.google.com.        9663    IN      AAAA    2001:4860:4806::
      time.google.com.        9663    IN      AAAA    2001:4860:4806:8::
      

      If you're just putting in as single time.google.com - do you have that marked as a pool or just server or pool or peer? NTP does like to have more than 1 ntp source.. I really won't just point at 1 unless it's a ntp server you control and is local.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      • R
        rpsmith
        last edited by 11 days ago

        I actually have these NTP settings:

        time1.google.com - Prefer - Server
        time2.google.com - Prefer - Server
        time3.google.com - Prefer - Server
        time4.google.com - Prefer - Server
        us.pool.ntp.org - Prefer not checked - Pool

        The us.pool.ntp.org is what gets used after a reboot but stopping and restarting the NTP services switches over to a Google server.

        also, IPV6 is disabled.

        Roy...

        • R
          rpsmith
          last edited by 11 days ago

          and the status looks like this:

          Pool Placeholder us.pool.ntp.org .POOL. 16 p - 64 0 0.000 +0.000 0.000
          Unreach/Pending 2001:4860:4806:: .INIT. 16 u - 512 0 0.000 +0.000 0.000
          Unreach/Pending 2001:4860:4806:4:: .INIT. 16 u - 512 0 0.000 +0.000 0.000
          Unreach/Pending 2001:4860:4806:8:: .INIT. 16 u - 512 0 0.000 +0.000 0.000
          Unreach/Pending 2001:4860:4806:c:: .INIT. 16 u - 512 0 0.000 +0.000 0.000
          Active Peer 72.30.35.88 31.60.135.175 2 u 32 128 377 34.383 -0.645 0.074
          Candidate 158.51.99.19 17.253.26.125 3 u 57 128 377 23.598 -0.078 0.052
          Candidate 23.142.248.8 173.162.192.156 2 u 18 128 377 9.630 +0.256 0.226
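
An added example (not from any poster in the thread and not pfSense code): a small parser for the status rows posted above that reports which address family is stuck in `.INIT.` with zero reach while the other family answers. It assumes the columns after the status label follow `ntpq -pn` order; `parse_row` and `diagnose` are hypothetical names.

```python
import ipaddress

# Status rows copied from the post above (flattened pfSense NTP status table).
STATUS = """\
Pool Placeholder us.pool.ntp.org .POOL. 16 p - 64 0 0.000 +0.000 0.000
Unreach/Pending 2001:4860:4806:: .INIT. 16 u - 512 0 0.000 +0.000 0.000
Unreach/Pending 2001:4860:4806:4:: .INIT. 16 u - 512 0 0.000 +0.000 0.000
Unreach/Pending 2001:4860:4806:8:: .INIT. 16 u - 512 0 0.000 +0.000 0.000
Unreach/Pending 2001:4860:4806:c:: .INIT. 16 u - 512 0 0.000 +0.000 0.000
Active Peer 72.30.35.88 31.60.135.175 2 u 32 128 377 34.383 -0.645 0.074
Candidate 158.51.99.19 17.253.26.125 3 u 57 128 377 23.598 -0.078 0.052
Candidate 23.142.248.8 173.162.192.156 2 u 18 128 377 9.630 +0.256 0.226
"""


def parse_row(line):
    """Split one row; the status label may contain spaces, so count from the right."""
    f = line.split()
    if len(f) < 11:
        raise ValueError(f"short row: {line!r}")
    status, server = " ".join(f[:-10]), f[-10]
    # Assumed ntpq column order: refid, stratum, type, when, poll, reach.
    refid, stratum, _type, _when, _poll, reach = f[-9:-3]
    try:
        family = ipaddress.ip_address(server).version
    except ValueError:
        family = None  # hostname placeholder such as the pool entry
    return {"status": status, "server": server, "refid": refid,
            "stratum": int(stratum), "family": family,
            "reach": int(reach, 8)}  # reach is an octal shift register


def diagnose(text):
    """Report peers that never answered and the address families involved."""
    rows = [parse_row(l) for l in text.splitlines() if l.strip()]
    stuck = [r for r in rows
             if r["family"] and r["reach"] == 0 and r["refid"] == ".INIT."]
    ok_families = {r["family"] for r in rows if r["family"] and r["reach"] > 0}
    # A whole family silent while the other answers points at connectivity
    # for that family rather than at the individual NTP servers.
    dead = {r["family"] for r in stuck} - ok_families
    return {"stuck": [r["server"] for r in stuck],
            "working_families": sorted(ok_families),
            "dead_families": sorted(dead)}


if __name__ == "__main__":
    print(diagnose(STATUS))
```
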

          • J
            johnpoz LAYER 8 Global Moderator @rpsmith
            last edited by johnpoz 10 days ago 11 days ago

            @rpsmith so looks like it's trying to talk to time at google via IPv6.. Maybe it's taking a while for your ipv6 to come up on a reboot? Change your ntp server to prefer IPv4. You're currently talking to IPv4 for ntp from that.

            Or ipv6 just isn't working and it finally fails over to IPv4..

            Or use IPv4 address for time google and not the fqdn.

            I don't see AAAA for us.pool.ntp.org - so if you're having an issue with IPv6 - that could be why it jumps to using IPv4 for that. And gets an answer.

            ;; QUESTION SECTION:
            ;us.pool.ntp.org.               IN      AAAA
            
            ;; AUTHORITY SECTION:
            pool.ntp.org.           1300    IN      SOA     c.ntpns.org. hostmaster.pool.ntp.org. 1748189843 5400 5400 1209600 3600
            

            You say it starts working after a while? Check if talking IPv4 or IPv6 to time google when it shows talking to timeX.google.com

            Now coming back to me - believe the only ntp.org that comes back with IPv6 is 2.us.pool.ntp.org or 2.pool.ntp.org etc..

            ;; QUESTION SECTION:
            ;2.us.pool.ntp.org.             IN      AAAA
            
            ;; ANSWER SECTION:
            2.us.pool.ntp.org.      130     IN      AAAA    2600:3c00:e000:318::1
            2.us.pool.ntp.org.      130     IN      AAAA    2600:1702:7400:9ac0::314:5c
            2.us.pool.ntp.org.      130     IN      AAAA    2600:3c00::f03c:91ff:fe96:a6
            2.us.pool.ntp.org.      130     IN      AAAA    2603:c020:0:8369:0:ba11:ba11:ba1
            

            • R
              rpsmith
              last edited by 10 days ago

              If I only use "time.google.com" set as Pool and no other entry I get "No active peers available" after a reboot, but restarting the NTP service it works.

              Roy...

              • R
                rpsmith
                last edited by 10 days ago

                Changing DNS to IPv4 made no difference.

                Roy...

                • R
                  rpsmith
                  last edited by 10 days ago

                  setting it to 216.239.35.12 as a Pool works.

                  Roy...

                  • R
                    rpsmith
                    last edited by 10 days ago

                    Under: | System | Advanced | Networking |
                    I have "Allow IPv6" unchecked.

                    Roy...

                    • R
                      rpsmith
                      last edited by 10 days ago

                      Enabling IPv6 in | System | Advanced | Networking | made no difference.

                      I forward all my DNS requests to my two Pi-Hole servers. I wonder if that could be causing the problem. I'll try 1.1.1.1 and see if that helps.

                      Roy...

                      • R
                        rpsmith
                        last edited by 10 days ago

                        That didn't help!

                        Roy...

                        • R
                          rpsmith
                          last edited by 10 days ago

                          The only configuration I can get to work immediately after a reboot is:

                          216.239.35.12 set to Pool.

                          Roy...

                          • R
                            rpsmith
                            last edited by 10 days ago

                            I guess for now I'm going with this:

                            216.239.35.0 - Server
                            216.239.35.4 - Server
                            216.239.35.8 - Server
                            216.239.35.12 - Server

                            I should be OK as long as Google sticks with those addresses.

                            Roy...

                            • J
                              johnpoz LAYER 8 Global Moderator @rpsmith
                              last edited by 10 days ago

                              @rpsmith said in NTP set to time.google.com not working after reboot:

                              I have "Allow IPv6" unchecked.

                              well that would actively block all IPv6 - even if pfsense had an ipv6 address you're not going anywhere..

                              • R
                                rpsmith
                                last edited by 10 days ago

                                It didn't matter whether it was allowed or not, it still didn't work. Why does pfSense prefer IPv6 by default or does it?

                                Roy...

                                • R
                                  rpsmith
                                  last edited by rpsmith 10 days ago 10 days ago

                                  Got this from Grok3:

                                  "Google supports IPv6, and time.google.com may return an AAAA record like the one above. Google only serves AAAA records to clients with good IPv6 connectivity to optimize performance."

                                  So is there anything pfSense can do to stop google's DNS servers from giving out IPv6 addresses instead of IPv4? My firewall only has IPv4 addresses on the WAN.

                                  Also, why does it resolve properly when I restart the NTP service?

                                  Roy...

                                  • J
                                    johnpoz LAYER 8 Global Moderator @rpsmith
                                    last edited by johnpoz 10 days ago 10 days ago

                                    @rpsmith said in NTP set to time.google.com not working after reboot:

                                    Google only serves AAAA records to clients with good IPv6 connectivity to optimize performance.

                                    that is highly unlikely.. AAAA is returned even over IPv4 - I get answers and I sure am not talking to them via IPv6 when I do my query to 8.8.8.8 for dns, etc..

                                    The services prob drops over to IPv4 then.. I would suggest you prefer IPv4 down near the bottom of the ntp settings page.

                                    All things that have IPv6 try and prefer IPv6 over IPv4 if they have a valid address. I would be really curious do you actually have IPv6? when you allow it via that checkbox.. Try and ping say at

                                    time1.google.com. 3600 IN AAAA 2001:4860:4806::

                                    [24.11-RELEASE][admin@sg4860.home.arpa]/: ping 2001:4860:4806::
                                    PING(56=40+8+8 bytes) 2001:470:1f10:2f6::2 --> 2001:4860:4806::
                                    16 bytes from 2001:4860:4806::, icmp_seq=0 hlim=119 time=8.586 ms
                                    16 bytes from 2001:4860:4806::, icmp_seq=1 hlim=119 time=8.419 ms
                                    16 bytes from 2001:4860:4806::, icmp_seq=2 hlim=119 time=8.737 ms
                                    16 bytes from 2001:4860:4806::, icmp_seq=3 hlim=119 time=9.745 ms
                                    

                                    If you have no IPv6 address, and don't want anything to get an AAAA response almost anything will ask for both A and AAAA when you lookup something, even if it doesn't have an IPv6 address - yeah it's stupid if you ask me, but that is not a pfsense/freebsd thing - that is just a stupid shortcut OSes and applications take..

                                    You can set unbound not to use IPv6 and not to return IPv6 addresses..

                                    settings.jpg

                                    firefox is horrible with doing that. but you can disable it in firefox for example with

                                    firefox.jpg

                                    • R
                                      rpsmith
                                      last edited by 10 days ago

                                      I tried setting the NTP service to IPv4 but that made no difference. Also my WAN interface is set to IP configuration type set to None.

                                      This smells like a BSD or pfSense bug to me but I'm not a programmer.

                                      Roy...

                                      • P
                                        Patch @johnpoz
                                        last edited by Patch 10 days ago 10 days ago

                                        I thought KEA didn’t like domain names in NTP

                                        • R
                                          rpsmith
                                          last edited by rpsmith 10 days ago 10 days ago

                                          I'm not using KEA and it works flawlessly when I restart the NTP service.

                                          Last time I tried switching to KEA it stopped renewing leases and I had to scramble to reset a bunch of firewalls to stop using it. I'm not impressed.

                                          Roy...
