SNTP Client Issues - Does not update

RouterOS Beginner Basics
1

Hello there,

Another noob question; the SNTP client on my router doesn’t appear to be updating correctly, regardless of what NTP server I specify.

[admin@obr1] > /system ntp client print     
  enabled: yes
  mode: unicast
  primary-ntp: 130.102.128.23
  secondary-ntp: 203.171.85.237
  poll-interval: 16s
  active-server: 130.102.128.23

I notice that in /ip firewall connection tracking that the router is sending out UDP packets on port 123 to the active SNTP server address.
Could it be something in my firewall configuration is blocking SNTP?

[admin@obr1] > /ip firewall filter print detail
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; accept established connection packets
     chain=input action=accept connection-state=established 

 1   ;;; accept related connection packets
     chain=input action=accept connection-state=related 

 2   ;;; drop invalid packets
     chain=input action=drop connection-state=invalid 

 3   ;;; allow access to router from known network
     chain=input action=accept src-address-list=safe 

 4   ;;; detect and drop port scan connections
     chain=input action=drop protocol=tcp psd=21,3s,3,1 

 5   ;;; suppress DoS attack
     chain=input action=tarpit protocol=tcp src-address-list=black_list 
     connection-limit=3,32 

 6   ;;; detect DoS attack
     chain=input action=add-src-to-address-list protocol=tcp 
     address-list=black_list address-list-timeout=1d connection-limit=10,32 

 7   ;;; jump to chain ICMP
     chain=input action=jump jump-target=ICMP protocol=icmp 

 8   ;;; allow broadcast traffic
     chain=input action=accept dst-address-type=broadcast 

 9 X ;;; allow all bit-torrent connections
     chain=forward action=accept p2p=bit-torrent 

10   chain=input action=log log-prefix="Filter:" 

11   ;;; drop everything else
     chain=input action=drop 

12 X ;;; 0:0 and limit for 5pac/s
     chain=ICMP action=accept protocol=icmp icmp-options=0:0-255 limit=5,5 

13 X ;;; 3:3 and limit for 5pac/s
     chain=ICMP action=accept protocol=icmp icmp-options=3:3 limit=5,5 

14 X ;;; 3:4 and limit for 5pac/s
     chain=ICMP action=accept protocol=icmp icmp-options=3:4 limit=5,5 

15 X ;;; 8:0 and limit for 5pac/s
     chain=ICMP action=accept protocol=icmp icmp-options=8:0-255 limit=5,5 

16 X ;;; 11:0 and limit for 5pac/s
     chain=ICMP action=accept protocol=icmp icmp-options=11:0-255 limit=5,5 

17   ;;; drop invalid ICMP
     chain=ICMP action=drop protocol=icmp 

18   ;;; accept localhost
     chain=services action=accept src-address=127.0.0.1 dst-address=127.0.0.1

Thanks for reading.

2

First of all update routeros to RouterOs 6.15
Have you reboot the router so no do that
Disable firewall rules and look than if it works
If that not helps try with another ntp server

3

Success! :smiley:

Because I couldn’t get any external NTP servers to work, I enabled the w32time service on my Windows 2008 server, and pointed the SNTP client on my routers to it, and bob’s your uncle! I now have SNTP on both my routers.

Still haven’t figured out the root cause of this issue (probably firewall), but this is good enough for me.

4

OK thanks for let me know Goodluck

5

I too am having the same problem, the ntp client will not sync with the configured ntp servers. I tried disabling all firewall rules as well, but no-go. I have included my ntp client config as well as all firewall rules. Via Torch I am able to see incoming ntp packets on my WAN port but can’t see any (in or out) on the bridge interface. Any help in resolving this matter is appreciated. BTW, I am running RouterOS 6.15. The firewall config came from http://wiki.mikrotik.com/wiki/Basic_universal_firewall_script

[admin@router] > /system ntp client print
        enabled: yes
    primary-ntp: 64.6.144.6
  secondary-ntp: 204.2.134.164
           mode: unicast
  poll-interval: 16s
  active-server: 64.6.144.6




[admin@router] > /ip firewall filter print detail
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; default configuration
     chain=input action=accept protocol=icmp

 1   ;;; default configuration
     chain=input action=accept connection-state=established

 2   ;;; default configuration
     chain=input action=accept connection-state=related

 3   ;;; default configuration
     chain=input action=drop in-interface=ether1-gateway

 4   ;;; default configuration
     chain=forward action=accept connection-state=established

 5   ;;; default configuration
     chain=forward action=accept connection-state=related

 6   ;;; default configuration
     chain=forward action=drop connection-state=invalid

 7   ;;; Add Syn Flood IP to the list
     chain=input action=add-src-to-address-list tcp-flags=syn protocol=tcp address-list=Syn_Flooder
     address-list-timeout=30m connection-limit=30,32

 8   ;;; Drop to syn flood list
     chain=input action=drop src-address-list=Syn_Flooder

 9   ;;; Port Scanner Detect
     chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 address-list=Port_Scanner
     address-list-timeout=1w

10   ;;; Drop to port scan list
     chain=input action=drop src-address-list=Port_Scanner

11   ;;; Jump for icmp input flow
     chain=input action=jump jump-target=ICMP protocol=icmp

12   ;;; Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SU>
RT ADDRESS LIST
     chain=input action=drop protocol=tcp src-address-list=!support dst-port=8291

13   ;;; Jump for icmp forward flow
     chain=forward action=jump jump-target=ICMP protocol=icmp

14   ;;; Drop to bogon list
     chain=forward action=drop dst-address-list=bogons

15   ;;; Add Spammers to the list for 3 hours
     chain=forward action=add-src-to-address-list protocol=tcp address-list=spammers address-list-timeout=3h
     dst-port=25,587 connection-limit=30,32 limit=30/1m,0

16   ;;; Avoid spammers action
     chain=forward action=drop protocol=tcp src-address-list=spammers dst-port=25,587

17   ;;; Accept DNS - UDP
     chain=input action=accept protocol=udp port=53

18   ;;; Accept DNS - TCP
     chain=input action=accept protocol=tcp port=53

19   ;;; Accept to established connections
     chain=input action=accept connection-state=established

20   ;;; Accept to related connections
     chain=input action=accept connection-state=related

21   ;;; Full access to SUPPORT address list
     chain=input action=accept src-address-list=support

22   ;;; Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED
     chain=input action=drop

23   ;;; Echo request - Avoiding Ping Flood
     chain=ICMP action=accept protocol=icmp icmp-options=8:0 limit=1,5

24   ;;; Echo reply
     chain=ICMP action=accept protocol=icmp icmp-options=0:0

25   ;;; Time Exceeded
     chain=ICMP action=accept protocol=icmp icmp-options=11:0

26   ;;; Destination unreachable
     chain=ICMP action=accept protocol=icmp icmp-options=3:0-1

27   ;;; PMTUD
     chain=ICMP action=accept protocol=icmp icmp-options=3:4

28   ;;; Drop to the other ICMPs
     chain=ICMP action=drop protocol=icmp

29   ;;; Jump for icmp output
     chain=output action=jump jump-target=ICMP protocol=icmp
6

Hello all,
I have been having this issue discuseed above when i connected to a new ISP. I discovered that all the places i installed mikrotik as hotspot, the time does not synch with ntp servers. Could it be that they blocked port 123 which ntp client uses.

Is there any workaround incase, they refused to unblock the port 123 (UDP/TCP), what other method will someone use assuming that, there is no computer to be used to setup as ntp server to synch the mikrotik ntp client.

Thanks as your help will be appreciated in this area.

7

you either make tunnel through the firewall.

you can ask ISP to provide local NTP server for time sync.

8

Here in Belgium my iSP block also the port 123
What is the solution to this issue?

9

RB493G FW 3.07 ROS 5.25.

I am fairly new to MT and I have a hard time getting the SNTP client to work. I have tried to search the forum, but have not found the solution to my problem so far. After reboot the date/time starts in jan 1970 and the sntp client setting does not correct this. BTW I’m also puzzled about the active server (I thought that should have been the primary or secondary stratum server ip address…

[admin@M45] > /system clock print
time: 06:29:15
date: jan/02/1970
time-zone-name: Europe/Oslo
gmt-offset: +01:00

[admin@M45] > /system ntp client print
enabled: yes
mode: unicast
primary-ntp: 192.36.143.151
secondary-ntp: 129.240.64.3
dynamic-servers: 1.2.3.1
poll-interval: 16s
active-server: 1.2.3.1

10

dynamic server has a priority. you can configure your router to not to use ntp server address from dynamic configuration.

11

Sorry, but how do I remove this stetting for dynamic servers? (Is it controlled by IP UPNP?)

[admin@M45] > /ip upnp print
enabled: no
allow-disable-external-interface: yes
show-dummy-rule: yes

12

This ip addresses to ntp server, can you connect to that ??
If you have isp telia, you can’t connect to stupi.se, ask Peter Löthberg (http://sv.wikipedia.org/wiki/Peter_Löthberg) why.

My suggestion to use sp.se ntp servers instead.
http://www.sp.se/sv/index/services/time_sync/ntp/Sidor/default.aspx






13

Funny thing when I got back and checked status: It works.

[admin@M45] > /system ntp client print
enabled: yes
mode: unicast
primary-ntp: 192.36.143.151
secondary-ntp: 129.240.64.3
poll-interval: 15m
active-server: 129.240.64.3
last-update-from: 129.240.64.3
last-update-before: 12m57s140ms
last-adjustment: 4ms49us
last-bad-packet-from: 184.105.139.126
ast-bad-packet-before: 13m4s80ms
last-bad-packet-reason: bad-packet-length

Active server indicates primary-ntp ip is not accessible so I may have to change that as proposed.

PS The one thing I did do was to set the date/time manually before I left.

Thanks for inputs!

14

Not so funny any more :frowning:

I got back home after the weekend to find my RB has reverted back to old sins and lost ntp contact:

[admin@M45] > /system ntp client print
enabled: yes
mode: unicast
primary-ntp: 192.36.143.151
secondary-ntp: 129.240.64.3
dynamic-servers: 1.2.3.1
poll-interval: 16s
active-server: 1.2.3.1

I used the sytemt shut down from webfig and then powered it back on. No joy. Got the same ntp client print, but now the clock had lost the date/time and was back to 1970… Well it did not look like the ntp setting would correct it self, tried to disable/enable apply, no change. Tried then to set the clock manually (after about one hour), but so far no change…

The main question remains, how to ensure that my RB493G use the set primary or secondary ntp server ip?

15

Disable Use Peer NTP in DHCP client.

16

Thank you. Right to the point!

17

Hello,

For those who still have problems to get sntp or ntp synchronizing, and have been searching all day to resolve this
silly problem, use this code.
It is not highly sophisticated, but it does the job.
Adapt for your time zone, by substracting or adding in human phrasing in english.

You can disable ntp/sntp and just schedule this script.

greetings,
Richard

# This script copyright by Richard Kloostra
# You can use, modify, delete free of any charge
# Please submit modifications back to me. richard@riklsat.com
# last modified,  Dec 12 2014 , v1.0
# Applies to ROS 6.23 / RB1100
# CREDITS
# Credit to www.timeapi.org
############
# Variables
############
:local newgmtmonstring ("newgmtmonstring"."txt")  
:local gmtmonurl "http://www.timeapi.org/gmt/now?format=\\b"
:local mon

:local newgmtdaystring ("newgmtdaystring"."txt")  
:local gmtdayurl "http://www.timeapi.org/gmt/now?format=\\d"
:local day

:local newgmtyearstring ("newgmtyearstring"."txt")  
:local gmtyearurl "http://www.timeapi.org/gmt/now?format=\\Y"
:local year

:local datestring

:local newgmttimestring ("newgmttimestring"."txt") 
:local gmttimeurl "http://www.timeapi.org/gmt/two+hours+ago?\\H:\\M:\\S"
:local gmttime

:local newgmtoffset ("newgmtoffset"."txt")

############
# Script
############
/tool fetch mode=http url=$gmtmonurl dst-path=$newgmtmonstring
:set mon [/file get ($newgmtmonstring) contents]
:log info ($mon)
	
/tool fetch mode=http url=$gmtdayurl dst-path=$newgmtdaystring
:set day [/file get ($newgmtdaystring) contents]
:log info ($day)

/tool fetch mode=http url=$gmtyearurl dst-path=$newgmtyearstring
:set year [/file get ($newgmtyearstring) contents]
:log info ($year)

/tool fetch mode=http url=$gmttimeurl dst-path=$newgmttimestring
:set gmttime [/file get ($newgmttimestring) contents]
:log info ($gmttime)

/system clock set date="$mon/$day/$year" time="$gmttime";
18

Thank you very much! This solved my problem.

19

got also a problem in syncing.
time does not update automatically
the used ip addresses are for
0.at.pool.ntp.org
1.at.pool.ntp.org

[spippan@RP-AT-Hivemind] > sys clo pr # manually set today....
                  time: 14:55:06
                  date: feb/24/2017
  time-zone-autodetect: no
        time-zone-name: Europe/Vienna
            gmt-offset: +01:00
            dst-active: no
[spippan@RP-AT-Hivemind] > sys ntp cl pr
          enabled: yes
             mode: unicast
      primary-ntp: 78.41.115.242
    secondary-ntp: 86.59.80.170
  dynamic-servers: 
           status: started
[spippan@RP-AT-Hivemind] > sys reso pri
             uptime: 7h29m6s
            version: 6.38.1 (stable)
         build-time: Jan/13/2017 05:51:35
   factory-software: 6.36.4
        free-memory: 1766.0MiB
       total-memory: 1956.2MiB
                cpu: tilegx
          cpu-count: 9
      cpu-frequency: 1200MHz
           cpu-load: 0%
     free-hdd-space: 78.7MiB
    total-hdd-space: 128.0MiB
  architecture-name: tile
         board-name: CCR1009-7G-1C-1S+
           platform: MikroTik