mikear
newbie
Topic Author
Posts: 40
Joined: Wed Mar 23, 2022 8:08 pm
Location: Utrecht, Netherlands

ntp-client status waiting

Mon Jun 06, 2022 5:47 pm

I have an RB3011 (router), a hAP ac lite (bridge) and a cAP (bridge). On the two MikroTik devices configured as bridge the ntp-client is updated correctly; however, on the router the status remains 'waiting'.
All devices have the same RouterOS version (7.2.3) and all three devices work, with the exception of the ntp-client, as expected.
An export of the /system/ntp/client shows:
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=3.pool.ntp.org
The debug logs show the following.
16:35:31 echo: ntp,debug TMP: Start resolving name: 0.nl.pool.ntp.org
16:35:31 echo: ntp,debug TMP: Start resolving name: 1.nl.pool.ntp.org
16:35:31 echo: ntp,debug TMP: Start resolving name: 2.nl.pool.ntp.org
16:35:31 echo: ntp,debug TMP: Start resolving name: 3.nl.pool.ntp.org

16:35:31 echo: ntp,debug TMP: Resolved address: 0.nl.pool.ntp.org -> 162.159.200.1
16:35:31 echo: ntp,debug TMP: Resolved address: 1.nl.pool.ntp.org -> 212.114.109.139
16:35:31 echo: ntp,debug TMP: Resolved address: 2.nl.pool.ntp.org -> 94.198.159.15
16:35:32 echo: ntp,debug TMP: Resolved address: 3.nl.pool.ntp.org -> 40.119.148.38

16:35:32 echo: ntp,debug TMP: Unreachable and iburst enabled. Send burst
16:35:32 echo: ntp,debug TMP: tx dst-ip:162.159.200.1
16:35:32 echo: ntp,debug TMP: Unreachable and iburst enabled. Send burst
16:35:32 echo: ntp,debug TMP: tx dst-ip:212.114.109.139

16:35:33 echo: ntp,debug TMP: tx dst-ip:162.159.200.1
16:35:33 echo: ntp,debug TMP: tx dst-ip:212.114.109.139

16:35:34 echo: ntp,debug TMP: tx dst-ip:162.159.200.1
16:35:34 echo: ntp,debug TMP: tx dst-ip:212.114.109.139

16:35:35 echo: ntp,debug TMP: tx dst-ip:162.159.200.1
16:35:35 echo: ntp,debug TMP: tx dst-ip:212.114.109.139

16:35:36 echo: ntp,debug TMP: tx dst-ip:162.159.200.1
16:35:36 echo: ntp,debug TMP: tx dst-ip:212.114.109.139
16:35:36 echo: ntp,debug TMP: Unreachable and iburst enabled. Send burst
16:35:36 echo: ntp,debug TMP: tx dst-ip:94.198.159.15

16:35:37 echo: ntp,debug TMP: tx dst-ip:162.159.200.1
16:35:37 echo: ntp,debug TMP: tx dst-ip:212.114.109.139
16:35:37 echo: ntp,debug TMP: Unreachable and iburst enabled. Send burst
16:35:37 echo: ntp,debug TMP: tx dst-ip:40.119.148.38

16:35:38 echo: ntp,debug TMP: tx dst-ip:162.159.200.1
16:35:38 echo: ntp,debug TMP: tx dst-ip:212.114.109.139
16:35:38 echo: ntp,debug TMP: tx dst-ip:94.198.159.15

16:35:39 echo: ntp,debug TMP: tx dst-ip:162.159.200.1
16:35:39 echo: ntp,debug TMP: tx dst-ip:212.114.109.139
16:35:39 echo: ntp,debug TMP: tx dst-ip:40.119.148.38

16:35:40 echo: ntp,debug TMP: tx dst-ip:162.159.200.1
16:35:40 echo: ntp,debug TMP: tx dst-ip:212.114.109.139
16:35:40 echo: ntp,debug TMP: tx dst-ip:94.198.159.15

16:35:41 echo: ntp,debug TMP: tx dst-ip:40.119.148.38

16:35:42 echo: ntp,debug TMP: tx dst-ip:94.198.159.15

16:35:43 echo: ntp,debug TMP: tx dst-ip:40.119.148.38

16:35:44 echo: ntp,debug TMP: tx dst-ip:94.198.159.15
Why do I not receive any replies?
 
k6ccc
Forum Guru
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)
Contact:

Re: ntp-client status waiting

Mon Jun 06, 2022 11:31 pm

Are these devices all at the same location - or more important, using the same internet? Recently someone else here on the forum had their ISP blocking NTP traffic.
 
kevinds
Long time Member
Long time Member
Posts: 638
Joined: Wed Jan 14, 2015 8:41 am

Re: ntp-client status waiting

Tue Jun 07, 2022 1:47 am

Try turning the NTP client off (uncheck Enabled), Hit Ok, then go back and turn it back on...

I had this recently on one of mine and that fixed it.
 
mikear
newbie
Topic Author
Posts: 40
Joined: Wed Mar 23, 2022 8:08 pm
Location: Utrecht, Netherlands

Re: ntp-client status waiting

Tue Jun 07, 2022 8:57 am

Try turning the NTP client off (uncheck Enabled), Hit Ok, then go back and turn it back on...

I had this recently on one of mine and that fixed it.
Did not solve it, and neither did rebooting the device...
 
mikear
newbie
Topic Author
Posts: 40
Joined: Wed Mar 23, 2022 8:08 pm
Location: Utrecht, Netherlands

Re: ntp-client status waiting

Tue Jun 07, 2022 9:20 am

Are these devices all at the same location - or more important, using the same internet? Recently someone else here on the forum had their ISP blocking NTP traffic.
Yep, all are at the same locations and using the same internet. The RB3011 is behind the ISP router where the RB3011 is (currently) set as DMZ.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: ntp-client status waiting

Tue Jun 07, 2022 10:45 am

It could be that the ISP blocks packets with source port 123, and thus the router which sends direct untranslated queries won't get replies.
The other two devices are behind NAT, their port number is translated by the NAT, and they get replies.
It is becoming more or less common to block source port 123 to prevent clients from running NTP servers.
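
One way to test the source-port hypothesis above, as an added example that is not part of the thread: send the same SNTP request once from source port 123 and once from an ephemeral port and compare which one is answered. The function names are made up for this sketch; it assumes it runs on a host whose packets reach the ISP without source-port translation, and that nothing else on that host is already bound to UDP 123.

```python
import socket
import struct

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)


def build_request() -> bytes:
    """48-byte SNTP client request: LI=0, VN=4, Mode=3 (client)."""
    return bytes([0x23]) + bytes(47)


def parse_reply(data: bytes):
    """Return (stratum, unix_transmit_time) for a server reply, else None."""
    if len(data) < 48 or data[0] & 0x07 != 4:       # mode 4 = server
        return None
    secs, frac = struct.unpack("!II", data[40:48])  # transmit timestamp field
    return data[1], secs - NTP_EPOCH_OFFSET + frac / 2**32


def probe(server, src_port, dst_port=123, timeout=2.0):
    """Send one request from src_port (0 = OS picks an ephemeral port)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.bind(("", src_port))            # binding to 123 needs root/admin
        s.connect((server, dst_port))     # only accept replies from this server
        try:
            s.send(build_request())
            return parse_reply(s.recv(512))
        except OSError:                   # timeout or ICMP unreachable
            return None


def diagnose(reply_from_123, reply_from_ephemeral) -> str:
    """Interpret the two probe results the way the thread reasons about them."""
    if reply_from_123 and reply_from_ephemeral:
        return "no source-port filter seen"
    if reply_from_ephemeral:
        return "source port 123 filtered upstream"
    if reply_from_123:
        return "only source port 123 answered"
    return "NTP blocked or server down"


if __name__ == "__main__":
    host = "0.pool.ntp.org"  # server name taken from the export in the first post
    print(diagnose(probe(host, 123), probe(host, 0)))
```

A single lost UDP packet looks the same as a filter, so repeat the run a few times before drawing a conclusion.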
 
mikear
newbie
Topic Author
Posts: 40
Joined: Wed Mar 23, 2022 8:08 pm
Location: Utrecht, Netherlands

Re: ntp-client status waiting

Tue Jun 07, 2022 9:19 pm

It could be that the ISP blocks packets with source port 123, and thus the router which sends direct untranslated queries won't get replies.
The other two devices are behind NAT, their port number is translated by the NAT, and they get replies.
It is becoming more or less common to block source port 123 to prevent clients from running NTP servers.
OK, interesting! Would it be possible to NAT the request to the ntp-server from the router internally?
 
pe1chl
Forum Guru
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: ntp-client status waiting

Tue Jun 07, 2022 9:27 pm

Yes. Try that, it should work. When it solves the problem, it is an ISP filter.
Of course you can also (at least with v7) specify the different devices mutually as servers. Then at least you have time sync while you are trying to solve the issue.
 
mikear
newbie
Topic Author
Posts: 40
Joined: Wed Mar 23, 2022 8:08 pm
Location: Utrecht, Netherlands

Re: ntp-client status waiting  [SOLVED]

Wed Jun 08, 2022 6:46 pm

OK, recollecting, my router with RouterOS 7.2 could not update the date/time information from NTP servers. Some tests (ping/traceroute) revealed that the IP addresses of the NTP servers were actually resolved but UDP port 123 was blocked, probably by my ISP. Searching and collating some of the forum posts on NTP led me to the following firewall rule. This solved the problem.
/ip firewall nat
add action=masquerade chain=srcnat comment="NTP NAT masquerade " dst-port=123 protocol=udp to-ports=12300-12390
The ports (12300-12390) can be changed ad lib. It does not matter very much where you put this rule in the NAT-records, but if it does not work out of the box you may need to move it upward. After disabling/enabling the NTP-client, in just a few seconds the time settings are synchronised, of course under the condition that you entered some valid NTP-servers (like 0.pool.ntp.org, ...)

Thanks all for your help!
 
pe1chl
Forum Guru
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: ntp-client status waiting

Wed Jun 08, 2022 8:01 pm

OK, it would be advisable to also include an out-interface matcher, e.g. out-interface-list=WAN (assuming you have that list and your internet interface is in it).
 
klema
just joined
Posts: 1
Joined: Tue May 14, 2019 12:03 pm

Re: ntp-client status waiting

Mon Nov 14, 2022 11:36 am

OK, recollecting, my router with RouterOS 7.2 could not update the date/time information from NTP servers. Some tests (ping/traceroute) revealed that the IP addresses of the NTP servers were actually resolved but UDP port 123 was blocked, probably by my ISP. Searching and collating some of the forum posts on NTP led me to the following firewall rule. This solved the problem.
/ip firewall nat
add action=masquerade chain=srcnat comment="NTP NAT masquerade " dst-port=123 protocol=udp to-ports=12300-12390
The ports (12300-12390) can be changed ad lib. It does not matter very much where you put this rule in the NAT-records, but if it does not work out of the box you may need to move it upward. After disabling/enabling the NTP-client, in just a few seconds the time settings are synchronised, of course under the condition that you entered some valid NTP-servers (like 0.pool.ntp.org, ...)

Thanks all for your help!
Thank you very much, it works
