6.42.1, hap ac, time sync not working

I tried “IP, Cloud, Update Time”; the result is “Error: request timed out”, no time sync.
I tried “System, SNTP Client”: no errors, but the time does not sync.
About half a year ago time sync worked without issues.

Please help fix it.

/system ntp client print
           enabled: yes
       primary-ntp: 0.0.0.0
     secondary-ntp: 0.0.0.0
  server-dns-names: ntp4.stratum2.ru
              mode: unicast



/log print
17:20:57 ntp,debug Wait for 0 seconds before restarting
17:20:57 ntp,debug Wait for 16 seconds before sending next message
17:21:13 ntp,debug,packet sending to 88.147.254.230 NTP packet (48 bytes)
17:21:13 ntp,debug,packet     VN=4
17:21:13 ntp,debug,packet     Mode=3 (Client)
17:21:13 ntp,debug,packet    TransmitTimestamp=de9c3ee9c41cf787
17:21:13 ntp,debug Wait for 16 seconds before sending next message
17:21:29 ntp,debug Wait for 16 seconds before sending next message
17:21:45 ntp,debug,packet sending to 2001:470:784d:fffd::a NTP packet (48 bytes)
17:21:45 ntp,debug,packet     VN=4
17:21:45 ntp,debug,packet     Mode=3 (Client)
17:21:45 ntp,debug,packet    TransmitTimestamp=de9c3f09c49e3433
17:21:45 ntp,debug Wait for 16 seconds before sending next message

PS: After 10 minutes “IP, Cloud, Update Time” synced the time, but to an incorrect value (about 5 seconds more than the correct time). So I disabled “IP, Cloud, Update Time” because I need the correct time.

Try to use one of NTP servers … you can specify all of them:

ru.pool.ntp.org
1.ru.pool.ntp.org
2.ru.pool.ntp.org
pl.pool.ntp.org
1.pl.pool.ntp.org
2.pl.pool.ntp.org

EDIT:

Why is the NTP client not enabled?

/system ntp client print
enabled: no

Changing the NTP server has no effect, for example: ru.pool.ntp.org

18:48:05 system,info SNTP client configuration changed by admin
18:48:21 ntp,debug Wait for 16 seconds before sending next message
18:48:37 ntp,debug,packet sending to 80.93.50.95 NTP packet (48 bytes)
18:48:37 ntp,debug,packet     VN=4
18:48:37 ntp,debug,packet     Mode=3 (Client)
18:48:37 ntp,debug,packet    TransmitTimestamp=de9c5365da0ab713
18:48:37 ntp,debug Wait for 16 seconds before sending next message
18:48:53 ntp,debug Wait for 16 seconds before sending next message
18:49:09 ntp,debug,packet sending to 185.22.60.71 NTP packet (48 bytes)
18:49:09 ntp,debug,packet     VN=4
18:49:09 ntp,debug,packet     Mode=3 (Client)
18:49:09 ntp,debug,packet    TransmitTimestamp=de9c5385db2c83ec
18:49:09 ntp,debug Wait for 16 seconds before sending next message
18:49:25 ntp,debug Wait for 16 seconds before sending next message



Why is the NTP client not enabled?

It was disabled when I dumped the info for the forum. It was enabled all the other time.

Can you post the output of /ip firewall export (if your public IP addresses appear there, replace them with some meaningful strings)?
Something in input or output chains may prevent the ntp protocol from getting through.

This sounds like it might be a poorly configured upstream ISP that filters NTP packets for “DDoS protection”.



/ip firewall export
# may/09/2018 00:40:23 by RouterOS 6.42.1
# software id = E3K5-4B0P
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 702205750151
/ip firewall filter
add action=accept chain=input comment="Allow IGMP" protocol=igmp
add action=accept chain=input comment="IPTV UDP incoming" dst-port=1234 in-interface=ether1 protocol=udp
add action=accept chain=forward comment="IPTV UDP forwarding" dst-port=1234 in-interface=ether1 protocol=udp
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=accept chain=input comment=OpenVPN dst-port=1194 in-interface=pppoe-out1 protocol=tcp
add action=drop chain=input in-interface=pppoe-out1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=pppoe-out1
add action=dst-nat chain=dstnat dst-port=10622 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.11.6 to-ports=22
add action=dst-nat chain=dstnat dst-port=10680 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.11.6 to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-port=3389 protocol=tcp to-addresses=192.168.11.11 to-ports=3389
# sstp-out1 not ready
add action=masquerade chain=srcnat out-interface=sstp-out1

OK, nothing in the input chain blocks NTP packets, so I assume @R1CH is right. You can confirm that by running /tool torch on pppoe-out1 and watching src-address=0.0.0.0/0 dst-address=0.0.0.0/0 ip-protocol=udp port=123. After changing the NTP server settings, you should see packets being sent to port 123. If they only go in one direction, the ISP must be filtering them. Don’t worry about swapped source and destination addresses. If there are no such packets at all, the only other explanation that comes to my mind would be a DNS issue.
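The one-direction check can also be made from the ntp debug log posted earlier in the thread. The following is an added example, not code from any participant: it counts client requests per server, counts server replies, and decodes TransmitTimestamp to show the clock the router put in each request. It assumes a reply would be logged in the same field layout with Mode=4; the thread shows no reply lines, so that part of the format is an assumption.

```python
import re
from collections import Counter
from datetime import datetime, timezone

NTP_UNIX_DELTA = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01

# Constructed sample, using the line format of the log posted in the thread.
SAMPLE_LOG = """\
17:21:13 ntp,debug,packet sending to 88.147.254.230 NTP packet (48 bytes)
17:21:13 ntp,debug,packet     VN=4
17:21:13 ntp,debug,packet     Mode=3 (Client)
17:21:13 ntp,debug,packet    TransmitTimestamp=de9c3ee9c41cf787
17:21:13 ntp,debug Wait for 16 seconds before sending next message
17:21:45 ntp,debug,packet sending to 2001:470:784d:fffd::a NTP packet (48 bytes)
17:21:45 ntp,debug,packet     Mode=3 (Client)
17:21:45 ntp,debug,packet    TransmitTimestamp=de9c3f09c49e3433
"""

SEND_RE = re.compile(r"ntp,debug,packet sending to (\S+) NTP packet")
FIELD_RE = re.compile(r"ntp,debug,packet\s+(Mode|TransmitTimestamp)=(\w+)")

def ntp_to_utc(hex_ts):
    """Decode a 64-bit NTP timestamp: 32-bit seconds since 1900 + 32-bit fraction."""
    seconds = int(hex_ts[:8], 16) - NTP_UNIX_DELTA
    fraction = int(hex_ts[8:], 16) / 2**32
    return datetime.fromtimestamp(seconds + fraction, tz=timezone.utc)

def summarize(log_text):
    """Return (requests per server, server replies seen, router clock per request)."""
    requests, replies, clocks, mode = Counter(), 0, [], None
    for line in log_text.splitlines():
        if m := SEND_RE.search(line):
            requests[m.group(1)] += 1
        elif m := FIELD_RE.search(line):
            key, value = m.groups()
            if key == "Mode":
                mode = int(value)      # 3 = client request, 4 = server reply (RFC 5905)
                if mode == 4:          # assumed layout for a logged reply
                    replies += 1
            elif mode == 3:            # timestamp belongs to the router's own request
                clocks.append(ntp_to_utc(value))
    return dict(requests), replies, clocks

if __name__ == "__main__":
    requests, replies, clocks = summarize(SAMPLE_LOG)
    print("requests:", requests, "| server replies:", replies)
    for clock in clocks:
        print("router clock in request (UTC):", clock.isoformat())
```

Requests to several servers with zero replies match the Tx-only pattern described for torch, and the decoded timestamps show what time the router believed it was when it asked.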

I changed the NTP server to time.nist.gov and can sync time with it on Linux and Windows PCs behind the router, but not on the router.

If I try to sync time from a PC behind the router, packets are Tx and Rx, but from the router only Tx.
Very strange.

The router synced the time from time.nist.gov after an hour, so possibly it is an ISP problem.
Thanks all for help.

/ip cloud set update-time=no
/system ntp client set enabled=yes server-dns-names=0.ru.pool.ntp.org,ru.pool.ntp.org

Unfortunately *.pool.ntp.org servers are not working on my router now.

SNTP client doesn’t work on HAP AC. Even on the default config. I can see the replying packet (to UDP dport 123) on Torch but it never hits the input chain. Without the correct time on the router, SSL dependent services will fail to work (DNS over HTTPS, SSL…). I have to set the time manually after reboot. Even ip cloud timesync doesn’t work. This is very irritating.