VMware Cloud Community
adammcc81
Enthusiast

vCenter Appliance NTP Following 6.7.0.42100 Patch Build 1505668

Following the latest patch, I can no longer utilize NTP servers for time through appliance management.  I can put them on the host and use host option on the appliance, but I cannot directly connect to any of the pool.ntp.org sites.

Thanks in advance,

Adam

17 Replies
a_p_
Leadership

I've installed this build just two days ago at a customer, and everything works perfectly.

Does the URL resolve to its IP address from the vCSA's command line?

André

adammcc81
Enthusiast

I have two other vcenter servers on the same update, and they work as well.  Just this one stopped working.  I can ping them from anywhere on the network and they resolve to the correct ip.  I'm using 0.north-america.pool.ntp.org, 1.north-america.pool.ntp.org.

adammcc81
Enthusiast

They work from the esxi host as well.

a_p_
Leadership

Can you ping the URLs from the vCSA's command line, i.e. do the URLs resolve correctly to any IP addresses?

André

nirmalgnair
VMware Employee

Hi @adammcc81,

Could you please try setting the NTP servers through the CLI?

SSH to the VCSA and try the following command:

com.vmware.appliance.ntp.set --servers 0.north-america.pool.ntp.org, 1.north-america.pool.ntp.org

pastedImage_0.png

Regards,

Nirmal Nair

adammcc81
Enthusiast

nirmalgnair,

It gives me the following error: com.vmware.applmgmt.err_ntp

ntp on vsca.jpg

adammcc81
Enthusiast

a.p.,

Yes, I can ping the NTP server from the VCSA command line.

NathanosBlightc
Commander

Please check the result of the following command in the VCSA shell; maybe you can find out what's happening to the time request packets from your VCSA to the NTP server:

tcpdump udp port 123 and dst pool.ntp.org

Please mark my comment as the Correct Answer if this solution resolved your problem
adammcc81
Enthusiast

NathanosBlightcaller,

This is what happens when I try to set it from the appliance gui with the tcpdump open.

tcpdump2.jpg

NathanosBlightc
Commander

So it seems you are just sending NTP requests and there is no reply for time synchronization. Please check any firewall between your VCSA server and the internet connection. I think you set everything up well, but you couldn't receive any reply, or somehow your NTP requests didn't get as far as the NTP server (for any possible reason).

Please mark my comment as the Correct Answer if this solution resolved your problem
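
Added example (not part of any post in this thread): a single SNTP query that separates the cases discussed above, since ping and DNS resolution do not exercise UDP port 123 and a capture filtered on `dst` shows only outbound packets. The function names and the sample packet are constructed for illustration, and it assumes a Python 3 interpreter is available on the machine being tested.

```python
import socket
import struct

NTP_DELTA = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)

def build_request() -> bytes:
    return bytes([0x23]) + bytes(47)  # LI=0, VN=4, Mode=3 (client), rest zero

def parse_reply(data: bytes) -> dict:
    if len(data) < 48:
        raise ValueError("short NTP packet")
    flags, stratum = data[0], data[1]
    if flags & 0x07 != 4:  # mode 4 = server
        raise ValueError("not a server reply")
    sec, frac = struct.unpack("!II", data[40:48])  # transmit timestamp
    # Stratum 0 marks a Kiss-o'-Death packet; the reference ID holds an ASCII code.
    kiss = data[12:16].decode("ascii", "replace") if stratum == 0 else None
    return {"leap": flags >> 6, "stratum": stratum, "kiss": kiss,
            "unix_time": sec - NTP_DELTA + frac / 2**32}

def classify(reply: dict) -> str:
    if reply["kiss"]:
        return "kiss-o'-death " + reply["kiss"]
    if reply["leap"] == 3:  # leap indicator 3 = clock not synchronized
        return "server unsynchronized"
    return "ok"

def probe(server: str, timeout: float = 3.0) -> str:
    # Send one request over UDP/123 and report what, if anything, comes back.
    try:
        addr = socket.getaddrinfo(server, 123, socket.AF_INET, socket.SOCK_DGRAM)[0][4]
    except socket.gaierror:
        return "dns failure"
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_request(), addr)
            data, _ = sock.recvfrom(512)
            return classify(parse_reply(data))
        except socket.timeout:
            return "no reply"  # request sent, nothing returned before the timeout
        except (OSError, ValueError) as exc:
            return f"error: {exc}"

# Constructed sample reply (not captured traffic): LI=0, VN=4, Mode=4, stratum 2.
SAMPLE_REPLY = bytes([0x24, 2]) + bytes(38) + struct.pack("!II", 1600000000 + NTP_DELTA, 1 << 31)

if __name__ == "__main__":
    print(classify(parse_reply(SAMPLE_REPLY)), probe("0.north-america.pool.ntp.org"))
```

A result of `no reply` for external servers alongside `ok` for an internal source points at the UDP/123 path rather than at name resolution, which the probe reports separately as `dns failure`.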
adammcc81
Enthusiast

NathanosBlightcaller,

I have whitelisted them on my firewall.  They work on my host within the same firewall.  They work on my other two vcenter applications on different networks.  They worked on this vcenter before I updated it.  Something is wrong within the vcenter, but I just can't pinpoint it.  I'm out of attempts at this point, and will just have this appliance pull from the host until the next update hopefully repairs the issue.  Thank you for your help and time everyone.

Adam

a_p_
Leadership

Out of curiosity, are you able to sync time from an internal time source (e.g. a DC) through the UI, and/or using the mentioned tcpdump command?


André

adammcc81
Enthusiast

a.p.,

It was able to sync with my local domain controller.  That leads me to believe it's a VCSA firewall issue.  It will not work with any outside ntp server.  I've just tried multiple.  The host will work with all of them.  I can also ping all of them from the VCSA SSH command line and any desktop on the network.

a_p_
Leadership

Please don't get me wrong, I'm not trying to do finger pointing. I'm indeed curious to find out what's going on.

I'm not aware of a default vCSA firewall rule that blocks outgoing traffic on Port 123 (UDP). Assuming that you didn't create one yourself, please double-check your network firewall rules again.

Aside from this, why are you syncing the vCSA with an external time server instead of the DCs?

André

adammcc81
Enthusiast

My primary DC is a VM on this machine. My other DC is a physical host.  I like the host pulling time from the internet. I get your scepticism, but the only change from working to not working was the patch to my vcsa.  If it was a port 123 or firewall issue, the host would not work with the same time servers.  I looked at it before the patch the same morning and it was working, and then noticed the error almost immediately following the patch.  My other vcsa is through the same model of router with the same updates and whitelists, and it works.

NathanosBlightc
Commander

Regardless of what you did for setting up your network assets' time, I strongly suggest that you DO NOT set an outside NTP server directly for any local components. Just set the external NTP server as the time source of a router, or a firewall, or even a DMZ DC and so on that has access to the internet, and then set that device as the local time source for any other internal nodes.

Please mark my comment as the Correct Answer if this solution resolved your problem
HFMudd
Enthusiast

I've got the exact same problem... was this figured out?
