HWTest
Frequent Visitor
Topic Author
Posts: 62
Joined: Tue Apr 17, 2007 7:20 pm

NTP server problems

Sun May 14, 2023 6:14 pm

I have a RB2011 running ROS 7.6
I activated NTP server on the router (just enabled, no broadcast, multicast, manycast), the NTP client was already set up.
Now the problem is, that some devices are working (synchronizing) and some not.
Openmediavault v 3, 5 and 6 are working (debian based) - NTP client is set up through a GUI, I just enabled it and entered the IP of the router.
Meteohub is not working (very old Debian - etchnhalf), NTP client is set up through a GUI, I just enabled it and entered the IP of the router.
I've tried to dig a little deeper in the command line of the Meteohub.
ntpdate works only if I use the -u parameter (unprivileged ports)
ntpd doesn't work
ntpq -pn 192.168.242.254
192.168.242.254: timed out, nothing received
***Request timed out

ntpq> peers
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 192.168.242.254 .INIT.          16 u    -   64    0    0.000    0.000   0.000


Windows 10 (not in a domain) also doesn't work - timeout, but when I switch the address to a Windows DC it syncs successfully.
When I run w32tm /stripchart /computer:192.168.242.254 /dataonly /samples:1 /packetinfo the result looks OK to me?

Tracking 192.168.242.254 [192.168.242.254:123].
Collecting 1 samples.
The current time is 14.05.2023 17:08:28.
17:08:28, +00.1412267s
[NTP Packet]
Leap Indicator: 0(no warning)
Version Number: 1
Mode: 4 (Server)
Stratum: 2 (secondary reference - syncd by (S)NTP)
Poll Interval: 0 (unspecified)
Precision: -19 (1.90735µs per tick)
Root Delay: 0x0000.0306 (+00.0118103s)
Root Dispersion: 0x0000.05D0 (0.0227051s)
ReferenceId: 0x51191C7C (source IP:  81.25.28.124)
Reference Timestamp: 0xE80B7618CA8D79E1 (154265 15:00:40.7912213s - 14.05.2023 17:00:40)
Originate Timestamp: 0xE80B77ECD0CBB2F1 (154265 15:08:28.8156082s - 14.05.2023 17:08:28)
Receive Timestamp: 0xE80B77ECF504B3C3 (154265 15:08:28.9571030s - 14.05.2023 17:08:28)
Transmit Timestamp: 0xE80B77ECF51287C2 (154265 15:08:28.9573140s - 14.05.2023 17:08:28)
[non-NTP Packet]
Destination Timestamp: Roundtrip Delay: 536200 (+00.0005362s)
Local Clock Offset: 141226700 (+00.1412267s)
Any idea what I'm missing or doing wrong?
I thought it will be a simple job and I'm fighting it for several days already and I'm running out of ideas ...
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NTP server problems

Sun May 14, 2023 6:18 pm

Ensure all devices have access to NTP in the input chain; that is usually the problem.
If that is not the issue then it's probably device specific and not an MT issue as it works for some............
 
HWTest
Frequent Visitor
Topic Author
Posts: 62
Joined: Tue Apr 17, 2007 7:20 pm

Re: NTP server problems

Sun May 14, 2023 7:46 pm

There is nothing special in the input chain.
Tomorrow I'll try my old RB532 acting only as a NTP server without any firewall, routing etc.
If the problem persists, then it's clearly device specific :-(
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: NTP server problems

Sun May 14, 2023 8:05 pm

Some devices won't let you mess with what NTP they are using. I have a bunch of cameras that absolutely insist on going to whatever NTP server they have set in their firmware. You can change what NTP server to use (either manually or via a DHCP server option 42), and if you try to redirect it, it will fail and then it will keep trying (every few seconds - forever). I finally just gave up and let them connect to whatever NTP server they want to use...
 
HWTest
Frequent Visitor
Topic Author
Posts: 62
Joined: Tue Apr 17, 2007 7:20 pm

Re: NTP server problems

Sun May 14, 2023 8:29 pm

The only device of that kind, that I have, is a Silverstone DC01 (a small NAS), hard coded 0-3.fedora.pool.ntp.org
On all the other I can manually set the NTP server(s)
I discovered another device, which doesn't work with the MT NTP server - a HPE tape library :-(
 
HWTest
Frequent Visitor
Topic Author
Posts: 62
Joined: Tue Apr 17, 2007 7:20 pm

Re: NTP server problems

Mon May 15, 2023 9:18 pm

I did a lot of testing and I'm even more confused.
I did try some of the problematic devices in a different network and they all synced without any problem (with a domain controller).
I revived the old RB532 ROS 6.32.3, only basic setting - one interface, one IP, installed the NTP package and it didn't sync with RB2011 ...
I uninstalled the NTP package and the RB532 synced successfully with the RB2011 and any external NTP server using the internal SNTP client.
Which IMHO means that the settings on the RB2011 are OK including firewall (the RB532 had to go through the RB2011 to reach external NTP servers).
So it seems to me, it is MT specific ... ?
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: NTP server problems

Mon May 15, 2023 9:30 pm

What does /system/ntp/client/print show?
 
HWTest
Frequent Visitor
Topic Author
Posts: 62
Joined: Tue Apr 17, 2007 7:20 pm

Re: NTP server problems

Mon May 15, 2023 9:51 pm

I forgot to mention in my previous post, that the RB532 with the NTP package installed, successfully synced with the domain controller.


RB532, SNTP client:
enabled: yes
             primary-ntp: 192.168.242.254
           secondary-ntp: 192.168.242.12
        server-dns-names: ntp.wia.cz,0.cz.pool.ntp.org,1.cz.pool.ntp.org,
                          2.cz.pool.ntp.org,3.cz.pool.ntp.org
                    mode: unicast
           poll-interval: 16s
           active-server: 5.1.56.123
    last-bad-packet-from: 192.168.242.3
  last-bad-packet-before: 49m13s470ms
  last-bad-packet-reason: zero-transmit-timestamp
RB2011, NTP client:
enabled: yes
            mode: unicast
         servers: 0.cz.pool.ntp.org,1.cz.pool.ntp.org,2.cz.pool.ntp.org,3.cz.pool.ntp.org,ntp.wia.cz
             vrf: main
      freq-drift: 4.019 PPM
          status: synchronized
   synced-server: 2.cz.pool.ntp.org
  synced-stratum: 1
   system-offset: -0.848 ms
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: NTP server problems

Tue May 16, 2023 10:37 am

Yes it looks OK. But "is synced" is not sufficient, you really need that detail that /system/ntp/client/print provides, e.g. the synced stratum and system offset, and even the synced server.
E.g. when synced stratum is 10 or more, it can still be synchronized but some other clients may refuse to sync to it.
Same when offset is large, or when synced server is the same as the client (loop).

Well, here it works OK.
 
HWTest
Frequent Visitor
Topic Author
Posts: 62
Joined: Tue Apr 17, 2007 7:20 pm

Re: NTP server problems

Tue May 16, 2023 12:25 pm

Maybe I gathered the info in the wrong place?
In Winbox I opened a console and typed in: "system ntp client", pressed enter and then "print" and enter, and I copy/pasted the output of the print command here.
Where can I get the additional information (the synced stratum and system offset, and even the synced server)?
 
HWTest
Frequent Visitor
Topic Author
Posts: 62
Joined: Tue Apr 17, 2007 7:20 pm

Re: NTP server problems

Sun May 21, 2023 7:25 pm

I did a lot of testing and the result is, that MT NTP server does not respond, when the source port is 123.

nmap -sU -p 123 --source-port 124 192.168.242.86
Starting Nmap 7.80 ( https://nmap.org ) at 2023-05-21 18:17 Střední Evropa (letní čas)
Nmap scan report for 192.168.242.86
Host is up (0.0011s latency).

PORT    STATE SERVICE
123/udp open  ntp
MAC Address: 00:0C:42:04:35:CF (Routerboard.com)

Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds

nmap -sU -p 123 --source-port 123 192.168.242.86
Starting Nmap 7.80 ( https://nmap.org ) at 2023-05-21 18:17 Střední Evropa (letní čas)
Nmap scan report for 192.168.242.86
Host is up (0.00s latency).

PORT    STATE         SERVICE
123/udp open|filtered ntp
MAC Address: 00:0C:42:04:35:CF (Routerboard.com)

Nmap done: 1 IP address (1 host up) scanned in 0.44 seconds

ntpdate 192.168.242.86
21 May 18:21:34 ntpdate[10108]: Raised to realtime priority class
21 May 18:21:42 ntpdate[10108]: no server suitable for synchronization found

ntpdate -u 192.168.242.86
21 May 18:21:50 ntpdate[8532]: Raised to realtime priority class
21 May 18:21:56 ntpdate[8532]: step time server 192.168.242.86 offset +0.229603 sec
The query is from the same subnet.
A query to a Linux PC running chrony:
ntpdate 192.168.242.51
21 May 18:51:48 ntpdate[3676]: Raised to realtime priority class
21 May 18:51:54 ntpdate[3676]: step time server 192.168.242.51 offset -0.130858 sec

A nmap with source port 123 to a domain controller shows
PORT    STATE SERVICE
123/udp open  ntp

Can I somehow circumvent this by port mapping or so?
Any other ideas?
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: NTP server problems  [SOLVED]

Sun May 21, 2023 10:42 pm

My testing, performed just now, shows that MT NTP server does normally respond when source port is standard 123. Both on ROS v6.49.7 (with add-on package ntp installed) as well as on v7.9.

So you may want to verify that firewall doesn't filter udp port 123 (in any of chains).

Anecdote: recently I replaced my "core" switch with a newer one (I got one for free, so I can't be picky ... it's a D-link switch). And all NTP packets with source address of 123 were dropped (i.e. ntpdate would fail but "ntpdate -d" or "ntpdate -u" against same servers would work fine; ntp daemon on linux machines would fail to synchronize to any of servers). The switch happened to have a newer firmware installed. So I activated it and after reboot of the switch NTP started to work just fine.
 
HWTest
Frequent Visitor
Topic Author
Posts: 62
Joined: Tue Apr 17, 2007 7:20 pm

Re: NTP server problems

Sun May 21, 2023 10:52 pm

Interesting .. my switch is a D-Link DGS-1100-16V2.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: NTP server problems

Sun May 21, 2023 11:01 pm

Mine says it's DGS-1100-16 (without v2), HW version B2. Firmware, which dropped NTP, was 1.01.018, the one that doesn't interfere is the latest I could find - 1.01.B053
 
HWTest
Frequent Visitor
Topic Author
Posts: 62
Joined: Tue Apr 17, 2007 7:20 pm

Re: NTP server problems

Sun May 21, 2023 11:43 pm

My actual fw version is Ver2.00.003, upgrading to Ver2.00.011 right now ...
 
HWTest
Frequent Visitor
Topic Author
Posts: 62
Joined: Tue Apr 17, 2007 7:20 pm

Re: NTP server problems

Mon May 22, 2023 12:08 am

Good news - the switch is to blame, connected one of the problematic devices directly and it works.
Bad news - the new firmware didn't help and I didn't find any setting of the switch which could cause that.

PS: Thank you very much mkx, I would never suspect the switch
 
HWTest
Frequent Visitor
Topic Author
Posts: 62
Joined: Tue Apr 17, 2007 7:20 pm

Re: NTP server problems

Mon May 22, 2023 12:25 am

Solved.
It was a security feature of the switch protecting against "Blat Attack"
Thank you so so much mkx :-)
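
The pattern the thread arrived at (replies come back for an unprivileged source port but never for source port 123) can be checked with a small probe. This is an added example, not part of any post in the thread: `blat_match` encodes the usual definition of a Blat packet (L4 source port equal to destination port), which is an assumption about how the switch's filter matches, and all function names are hypothetical.

```python
import socket
import struct
import time

NTP_EPOCH_DELTA = 2208988800  # seconds between 1900-01-01 and 1970-01-01

def blat_match(src_port, dst_port):
    """Assumed filter rule: a "Blat" packet has source port == destination port."""
    return src_port == dst_port

def build_request(version=3):
    """48-byte client request: LI=0, VN=version, Mode=3, transmit timestamp = now."""
    now = time.time() + NTP_EPOCH_DELTA
    xmit = (int(now) << 32) | int((now % 1) * 2**32)
    return struct.pack("!B39xQ", (version << 3) | 3, xmit)

def parse_reply(data):
    """Decode the header fields that w32tm /packetinfo prints."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    flags, stratum, _poll, _prec, _rdelay, _rdisp, refid = struct.unpack("!BBbbII4s", data[:16])
    xmit, = struct.unpack("!Q", data[40:48])
    # Stratum >= 2 over IPv4: the reference ID is the upstream server's address.
    ref = socket.inet_ntoa(refid) if stratum >= 2 else refid.rstrip(b"\0").decode("ascii", "replace")
    return {"leap": flags >> 6, "version": (flags >> 3) & 7, "mode": flags & 7,
            "stratum": stratum, "ref_id": ref,
            "transmit_unix": (xmit >> 32) - NTP_EPOCH_DELTA + (xmit & 0xFFFFFFFF) / 2**32}

def probe(server, src_port=0, dst_port=123, timeout=3.0):
    """Send one request from src_port (0 = ephemeral); return the parsed reply or None."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("", src_port))  # src_port=123 needs root and no local ntpd holding the port
        s.settimeout(timeout)
        s.sendto(build_request(), (server, dst_port))
        try:
            data, _ = s.recvfrom(512)
        except OSError:  # timeout, or a reset reported by the OS
            return None
    return parse_reply(data)

if __name__ == "__main__":
    import sys
    for sport in (123, 0):  # ntpd/ntpdate style, then "ntpdate -u" style
        reply = probe(sys.argv[1], sport)
        print(f"source port {sport or 'ephemeral'}: {reply or 'no reply'}")
```

Run it once through the switch and once with the client cabled directly to the server; a reply that is missing only for source port 123 and only through the switch points at a port-equality filter rather than at the NTP server.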
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: NTP server problems

Mon May 22, 2023 9:18 am

It was a security feature of the switch protecting against "Blat Attack"
Where in configuration did you find that? So I can check if something similar is in config for my switch ...
 
HWTest
Frequent Visitor
Topic Author
Posts: 62
Joined: Tue Apr 17, 2007 7:20 pm

Re: NTP server problems

Mon May 22, 2023 6:30 pm

It's in Security/DoS Attack Prevention Settings
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: NTP server problems

Mon May 22, 2023 8:18 pm

Thanks for the pointer. I guess mine has everything disabled, all DoS types have "state" set to "disabled".

It's crazy to pack DoS filters in a GUI driven L2 device. And I hate D-link GUI (I have an older DES-1210 switch with GUI I hated, this one is even worse). Hopefully it's time for second phase of "set and forget".
 
HWTest
Frequent Visitor
Topic Author
Posts: 62
Joined: Tue Apr 17, 2007 7:20 pm

Re: NTP server problems

Mon May 22, 2023 9:48 pm

Hopefully it's time for second phase of "set and forget".
I hope so :-)
 
EternalNet
just joined
Posts: 6
Joined: Sun Jul 02, 2023 2:27 pm
Location: Poland

Re: NTP server problems

Wed Jul 12, 2023 11:13 am

Thanks everyone for replies, I did manage to make it work on my end.

For me it was this:
- I set up the NTP client on the RB device, with 1 pool from ntp.org, then I enabled the NTP server, but Debian would refuse to see it as a proper NTP server.

In the end it looked like the server from that one pool I added was ?offline?/?not_working? so my RB device was 4 days in the past 8.07.2023 vs 12.07.2023 (today), so Debian, which had today's date, was not looking into using "older?" time from my RB NTP server. After I added 2 more pools to the NTP client on the RB device I was able, without any other changes, to sync time on my Debian installation.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: NTP server problems

Wed Jul 12, 2023 11:23 am

[quote=EternalNet post_id=1012590 time=1689149581 user_id=219310]
Thanks everyone for replies, I did manage to make it work on my end.

For me it was this:
- I setup ntp client on rb device, with 1 pool from ntp.org, then i enabled ntp server, but debian would refuse to see it as proper ntp server.

In the end it looked like the server from that one pool I added was ?offline?/?not_working? so my RB device was 4 days in the past 8.07.2023 vs 12.07.2023 (today), so debian that had today date was not looking into using "older?" time from my RB ntp server. After I added 2 pools more to ntp client on RB device I was without any other changes sync time on my debian installation.
[/quote]

SpamGPT TAG: ###RCHCK###
