SOLVED: all NTP servers are unreachable after upgrade from 2.1.5 to 2.2.2

  • Hello,

    after upgrading our pfSense firewalls from version 2.1.5 to version 2.2.2, the NTP server on the
    firewall stopped answering ntpdate requests. The reason was that all the NTP servers configured
    on the firewall were always unreachable after the upgrade.

    The firewalls have CARP addresses for LAN and WAN. Only these two CARP addresses were listened to
    by the firewalls' ntp server.


    the ntp server was configured to listen also to the WAN interface.
    Servers behind the firewall could not access the ntp server on the firewalls. The second
    change was to listen to the LAN interface.

    It seems that NTP now does not work with CARP interfaces, or something must be additionally
    configured compared to version 2.1.5.

    After that, not all the local servers' requests were answered:

    testserver1:~ # ntpdate -d
    22 Apr 12:14:04 ntpdate[22131]: ntpdate 4.2.0a@1.1190-r Wed Jan 26 17:34:57 UTC 2005 (1)
    Looking for host and service ntp
    host found :
    transmit( Server dropped: strata too high
    server, port 123
    stratum 16, precision -6, leap 11, trust 000
    refid [], delay 0.04271, dispersion 56.00000
    transmitted 4, in filter 4
    reference time:    00000000.00000000  Thu, Feb  7 2036  7:28:16.000
    originate timestamp: d8e1f2ee.c48f7553  Wed, Apr 22 2015 12:14:06.767
    transmit timestamp:  d8e1f2ee.c4f3dc05  Wed, Apr 22 2015 12:14:06.769
    filter delay:  0.00000  0.00000  0.04271  0.00000
             0.00000  0.00000  0.00000  0.00000
    filter offset: 0.000000 0.000000 -0.00073 0.000000
             0.000000 0.000000 0.000000 0.000000
    delay 0.04271, dispersion 56.00000
    offset -0.000739
    22 Apr 12:14:07 ntpdate[22131]: no server suitable for synchronization found

    This problem was solved by unchecking the check box "Access restrictions: Enable Kiss-o'-death packets"

    Thank you, pfSense Team, for the great job!

    Best regards
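
The stratum, leap and refid values that `ntpdate -d` prints in the post above come from the fixed NTP header. The following added example (not part of the original thread) decodes that header per RFC 5905 and separates an unsynchronized server from a kiss-o'-death reply; the function names and the sample packets are constructed for illustration.

```python
import struct

# Kiss codes from RFC 5905 that tell a client to stop or slow down.
KISS_CODES = {"DENY": "access denied", "RSTR": "access restricted", "RATE": "rate exceeded"}

def parse_ntp_header(pkt: bytes) -> dict:
    """Decode the first 16 bytes of the 48-byte NTP header (RFC 5905, section 7.3)."""
    if len(pkt) < 48:
        raise ValueError("NTP packet shorter than 48 bytes")
    flags, stratum, _poll, precision, _rdelay, _rdisp, refid = struct.unpack(
        "!BBbbII4s", pkt[:16])
    return {
        "leap": flags >> 6,              # 3 (binary 11) = clock not synchronized
        "version": (flags >> 3) & 0x7,
        "mode": flags & 0x7,             # 4 = server reply
        "stratum": stratum,
        "precision": precision,          # signed log2 seconds
        "refid": refid,
    }

def classify(pkt: bytes) -> str:
    """Say whether a client could synchronize to the server that sent this reply."""
    h = parse_ntp_header(pkt)
    if h["mode"] != 4:
        return "not a server reply"
    if h["stratum"] == 0:
        # With stratum 0 the refid field carries a 4-character ASCII kiss code.
        code = h["refid"].decode("ascii", "replace").rstrip("\x00")
        if code in KISS_CODES:
            return f"kiss-o'-death {code}: {KISS_CODES[code]}"
        return "unsynchronized (stratum 0, no kiss code)"
    if h["leap"] == 3 or h["stratum"] >= 16:
        return "unsynchronized"
    return f"usable, stratum {h['stratum']}"

def build_reply(leap: int, stratum: int, refid: bytes = b"\x00" * 4) -> bytes:
    """Constructed sample: an NTPv4 mode-4 reply with zeroed timestamps."""
    first = (leap << 6) | (4 << 3) | 4
    return struct.pack("!BBbbII4s", first, stratum, 6, -6, 0, 0, refid) + b"\x00" * 32

if __name__ == "__main__":
    samples = {
        "leap 11, empty refid": build_reply(3, 0),
        "rate-limited client": build_reply(3, 0, b"RATE"),
        "healthy server": build_reply(0, 2, bytes([192, 0, 2, 1])),
    }
    for name, pkt in samples.items():
        print(f"{name}: {classify(pkt)}")
```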

  • In the end I have excluded all CARP interfaces from the NTP configuration. It seems to be the best solution. Otherwise the ntpd on the standby firewall was not started while it was inactive.

  • Hmmm… IMHO the CARP interfaces/IPs should be used for what they've been designed. Not for random other services.

  • IMHO the CARP interfaces/IPs should be used for what they've been designed.

    Agreed. It was just an upgrade issue: it worked in 2.1.5, but not in 2.2.2 without tuning. In any case, I would not qualify this as an error in pfSense :)
