NTP listen interface option

vbhavsar
Posts: 3
Joined: 2016/07/27 12:39:13

NTP listen interface option

Post by vbhavsar » 2016/07/27 13:12:11

Hi,

I am using CentOS 6.6, ntpd version 4.2.6p5.
I want to configure ntp in client mode and ntp should open on a specific IP, so I have used "interface listen <ip>" in /etc/ntp.conf.

However, when I configure multiple NTP servers, only specific servers get synced up and the others get stuck in INIT state.

relevant config from ntp.conf:

interface listen 10.61.0.80

server 10.61.0.2
restrict 10.61.0.2 nomodify notrap nopeer noquery

server 10.41.0.1
restrict 10.41.0.1 nomodify notrap nopeer noquery

server 172.17.3.1
restrict 172.17.3.1 nomodify notrap nopeer noquery

ntpd startup logs:

ntpd[18721]: proto: precision = 0.278 usec
ntpd[18720]: ntpd 4.2.6p5@1.2349-o Sat Dec 20 02:53:39 UTC 2014 (1)
ntpd[18721]: 0.0.0.0 c01d 0d kern kernel time sync enabled
ntpd[18721]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123
ntpd[18721]: Listen and drop on 1 v6wildcard :: UDP 123
ntpd[18721]: Listen normally on 2 lo 127.0.0.1 UDP 123
ntpd[18721]: Listen normally on 3 eth0:mgmt-flt 10.61.0.80 UDP 123
ntpd[18721]: Listen normally on 4 lo ::1 UDP 123
ntpd[18721]: peers refreshed
ntpd[18721]: Listening on routing socket on fd #21 for interface updates
ntpd[18721]: 0.0.0.0 c016 06 restart
ntpd[18721]: 0.0.0.0 c012 02 freq_set kernel 0.000 PPM
ntpd[18721]: 0.0.0.0 c011 01 freq_not_set

ntpq -p output:

# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.61.0.2       123.108.225.6    3 u   26   64   17    2.728   -4.166   4.832
 10.41.0.1       .INIT.          16 u    -   64    0    0.000    0.000   0.000
 172.17.3.1      .INIT.          16 u    -   64    0    0.000    0.000   0.000

NTP packets from the servers stuck in INIT state are reaching the client, as seen in tcpdump:

08:02:18.905731 IP 10.61.0.80.ntp > 10.61.0.2.ntp: NTPv4, Client, length 48
08:02:18.909349 IP 10.61.0.2.ntp > 10.61.0.80.ntp: NTPv4, Server, length 48
08:02:19.905566 IP 10.61.0.80.ntp > 10.41.0.1.ntp: NTPv4, Client, length 48
08:02:19.907552 IP 10.41.0.1.ntp > 10.61.0.80.ntp: NTPv4, Server, length 48
08:02:20.905693 IP 10.61.0.80.ntp > 172.17.3.1.ntp: NTPv4, Client, length 48
08:02:20.907657 IP 172.17.3.1.ntp > 10.61.0.80.ntp: NTPv4, Server, length 48
08:03:24.968856 IP 10.61.0.80.ntp > 10.61.0.2.ntp: NTPv4, Client, length 48
08:03:24.968886 IP 10.61.0.80.ntp > 172.17.3.1.ntp: NTPv4, Client, length 48
08:03:24.969646 IP 172.17.3.1.ntp > 10.61.0.80.ntp: NTPv4, Server, length 48
08:03:24.969681 IP 10.61.0.2.ntp > 10.61.0.80.ntp: NTPv4, Server, length 48
08:03:26.906606 IP 10.61.0.80.ntp > 10.41.0.1.ntp: NTPv4, Client, length 48
08:03:26.907007 IP 10.41.0.1.ntp > 10.61.0.80.ntp: NTPv4, Server, length 48
08:04:29.966853 IP 10.61.0.80.ntp > 10.61.0.2.ntp: NTPv4, Client, length 48


Not sure what could be the issue. Why are two servers not getting synced?
Requesting kind help from the experts.
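
A small triage helper for the situation in the post above, added here as an example and not code from any poster or from the ntp project: it cross-checks the reach column of ntpq -p against a tcpdump capture to separate "no reply on the wire" from "reply arrived but ntpd did not accept it". The function names and verdict strings are illustrative, and the sample input is constructed from the output quoted in the post.

```python
import re
from collections import Counter
# Constructed sample input, abridged from the ntpq and tcpdump output in the post.
NTPQ = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.61.0.2       123.108.225.6    3 u   26   64   17    2.728   -4.166   4.832
 10.41.0.1       .INIT.          16 u    -   64    0    0.000    0.000   0.000
 172.17.3.1      .INIT.          16 u    -   64    0    0.000    0.000   0.000
"""
TCPDUMP = """\
08:02:18.905731 IP 10.61.0.80.ntp > 10.61.0.2.ntp: NTPv4, Client, length 48
08:02:18.909349 IP 10.61.0.2.ntp > 10.61.0.80.ntp: NTPv4, Server, length 48
08:02:19.905566 IP 10.61.0.80.ntp > 10.41.0.1.ntp: NTPv4, Client, length 48
08:02:19.907552 IP 10.41.0.1.ntp > 10.61.0.80.ntp: NTPv4, Server, length 48
08:02:20.905693 IP 10.61.0.80.ntp > 172.17.3.1.ntp: NTPv4, Client, length 48
08:02:20.907657 IP 172.17.3.1.ntp > 10.61.0.80.ntp: NTPv4, Server, length 48
"""
PKT = re.compile(r"IP (\S+)\.ntp > (\S+)\.ntp: NTPv\d, (Client|Server),")

def parse_peers(billboard):
    """Map each remote in `ntpq -p` output to its reach register as an int."""
    peers = {}
    for line in billboard.splitlines():
        f = line[1:].split()  # column 0 holds the tally code (*, +, -, space)
        if len(f) == 10 and f[0] != "remote":
            peers[f[0]] = int(f[6], 8)  # ntpq prints reach in octal
    return peers

def count_replies(capture, client):
    """Count mode-Server packets addressed to `client`, keyed by sender."""
    return Counter(m[1] for m in PKT.finditer(capture)
                   if m[3] == "Server" and m[2] == client)

def diagnose(billboard, capture, client):
    """Classify each peer by comparing ntpd's view with what the capture shows."""
    replies = count_replies(capture, client)
    verdicts = {}
    for peer, reach in parse_peers(billboard).items():
        if reach:
            verdicts[peer] = "ok"
        elif replies[peer]:
            verdicts[peer] = "replies on wire, not accepted by ntpd"
        else:
            verdicts[peer] = "no reply captured"
    return verdicts

if __name__ == "__main__":
    print(diagnose(NTPQ, TCPDUMP, "10.61.0.80"))
```

A peer with reach 0 whose replies are visible in a capture taken on the client points at the host itself (local filtering or ntpd's interface and restrict handling) rather than at the network path.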

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: NTP listen interface option

Post by aks » 2016/07/27 17:36:30

Well, the first thing to check is if their clocks are "reasonably" within sync with each other.
Then check UDP/123 and TCP/123 are allowed through firewalls across the entire network path.
Personally I don't use a specific IP address in /etc/ntp.conf, I just pass -I eth0 in the options of /etc/sysconfig/ntpd.
So my /etc/sysconfig/ntpd has:
OPTIONS="-u ntp:ntp -p /var/run/ntpd.pid -c /etc/ntp.conf -l /var/log/ntpd.log -g -I eth0 -U 0"
(you can see the meaning of these arguments in the ntpd man page).

TrevorH
Site Admin
Posts: 33220
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: NTP listen interface option

Post by TrevorH » 2016/07/27 19:21:56

What's the output from iptables-save?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

vbhavsar
Posts: 3
Joined: 2016/07/27 12:39:13

Re: NTP listen interface option

Post by vbhavsar » 2016/07/28 00:04:52

Hi,

Thanks for your response.

One point to add here: this is our local lab setup.
I want to test ntp client behaviour on our CentOS box with multiple ntp servers.
All 3 configured ntp servers are hosted on the same physical server (with multiple NICs).
Can this result in the above-mentioned issue?

I have tested with the "-I <ip>" option in ntpd, but still the same issue.
iptables-save output is given below.

iptables-save
# Generated by iptables-save v1.4.21 on Wed Jul 27 18:42:47 2016
*raw
:PREROUTING ACCEPT [6376492:5994842024]
:OUTPUT ACCEPT [3344356:371139453]
:TRMON_OUTPUT - [0:0]
:TRMON_PREROUTING - [0:0]
-A PREROUTING -j TRMON_PREROUTING
-A OUTPUT -j TRMON_OUTPUT
-A TRMON_OUTPUT -p tcp -m tcp --dport 9088 -j MARK --set-xmark 0xa/0xffffffff
-A TRMON_OUTPUT -p tcp -m tcp --sport 9088 -j MARK --set-xmark 0xa/0xffffffff
-A TRMON_OUTPUT -p tcp -m tcp --dport 9089 -j MARK --set-xmark 0xa/0xffffffff
-A TRMON_OUTPUT -p tcp -m tcp --sport 9089 -j MARK --set-xmark 0xa/0xffffffff
-A TRMON_OUTPUT -p udp -m udp --dport 9089 -j MARK --set-xmark 0xa/0xffffffff
-A TRMON_OUTPUT -p tcp -m tcp --dport 9085 -j MARK --set-xmark 0xa/0xffffffff
-A TRMON_OUTPUT -p tcp -m tcp --sport 9086 -j MARK --set-xmark 0xa/0xffffffff
-A TRMON_OUTPUT -p icmp -j MARK --set-xmark 0xa/0xffffffff
-A TRMON_OUTPUT -p tcp -m tcp --dport 80 -j MARK --set-xmark 0xa/0xffffffff
-A TRMON_OUTPUT -p tcp -m tcp --sport 80 -j MARK --set-xmark 0xa/0xffffffff
-A TRMON_OUTPUT -p sctp -j MARK --set-xmark 0x14/0xffffffff
-A TRMON_PREROUTING -d 10.31.0.80/32 -i eth2 -p udp -m udp --dport 2152 -j MARK --set-xmark 0x32/0xffffffff
COMMIT
# Completed on Wed Jul 27 18:42:47 2016
# Generated by iptables-save v1.4.21 on Wed Jul 27 18:42:47 2016
*filter
:INPUT ACCEPT [3250394:1595933382]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3519886:392305129]
:TRMON_OUTPUT - [0:0]
-A OUTPUT -j TRMON_OUTPUT
-A TRMON_OUTPUT -p udp -m udp --dport 500 -j MARK --set-xmark 0xa/0xffffffff
-A TRMON_OUTPUT -p udp ! -f -m udp --sport 4500 -m u32 --u32 "0x0>>0x16&0x3c@0x8=0x0" -j MARK --set-xmark 0xa/0xffffffff
COMMIT
# Completed on Wed Jul 27 18:42:47 2016
# Generated by iptables-save v1.4.21 on Wed Jul 27 18:42:47 2016
*nat
:PREROUTING ACCEPT [3412818:4539559728]
:INPUT ACCEPT [124222:7490778]
:OUTPUT ACCEPT [13410:1005403]
:POSTROUTING ACCEPT [13410:1005403]
COMMIT
# Completed on Wed Jul 27 18:42:47 2016
# Generated by iptables-save v1.4.21 on Wed Jul 27 18:42:47 2016
*mangle
:PREROUTING ACCEPT [6369012:5990635530]
:INPUT ACCEPT [3069700:1574266852]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3339302:370629265]
:POSTROUTING ACCEPT [3339302:370629265]
:TRMON_POSTROUTING - [0:0]
-A PREROUTING -d 10.41.0.80/32 -p udp -m udp --dport 2152 -j GTPU GTPU action: transport mode :gtp dir :core
-A PREROUTING -d 10.31.0.80/32 -p udp -m udp --dport 2152 -j GTPU GTPU action: transport mode :gtp dir :access
COMMIT
# Completed on Wed Jul 27 18:42:47 2016

vbhavsar
Posts: 3
Joined: 2016/07/27 12:39:13

Re: NTP listen interface option

Post by vbhavsar » 2016/07/28 00:50:24

Another observation:

When I remove "interface listen 10.61.0.80", all 3 configured servers bind successfully.

ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 10.61.0.2       123.108.225.6    3 u   15   64    1    2.095   29.936   0.000
 10.41.0.1       123.108.225.6    3 u   14   64    1    0.542   30.117   0.000
 172.17.3.1      123.108.225.6    3 u   13   64    1    0.971   30.260   0.000

Could it be related to this bug:
http://bugs.ntp.org/show_bug.cgi?id=2637
