GlennL10
Contributor

Help needed with NTP

Hi all,

We have a couple of vSphere ESXi 4.1 hosts in our environment, set to sync with pool.ntp.org.

However, the time on the ESXi hosts has drifted out to being 14 minutes ahead of the Windows Domain Controllers.

When a virtual machine is rebooted, it comes back up with its time 14 minutes ahead; however, the virtual machines are not set to sync their time with the hosts, they are set to sync via the Domain Controllers (which are virtual).

I have tried following this article, but don't get any output from the command other than sh:ntpq: not found.

http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&externalId=1036357

I've looked in Server log /var/log/messages location and there's nothing in there about NTP.

Can anyone offer any advice on how to get this sorted?

0 Kudos
17 Replies
Alceryes
Enthusiast

Do you have port 123 UDP open both ways?

GlennL10
Contributor

Thanks for the reply.

Yes the relevant ports are open both ways.

0 Kudos
Alceryes
Enthusiast

So your virtual DC is syncing time correctly but your VM host is not? Do you have the NTP port forwarded to your virtual DC? Try pointing your VM host to your virtual DC for time sync and see what happens.

0 Kudos
GlennL10
Contributor

Actually, when the DCs reboot (there are four of them, all virtual), their time changes to 14 min ahead as well.

0 Kudos
Alceryes
Enthusiast

Do you have VMTools installed with the 'sync time with host' checked? Maybe try switching your time server too. I heard that the round-robin pool.ntp can be off by several mins.

0 Kudos
GlennL10
Contributor

VMTools is installed, but the sync with host option is disabled.

Are there any commands specific to ESXi 4.1 that I can use to see whether the hosts are communicating with the NTP servers properly?

0 Kudos
Alceryes
Enthusiast

You can use the following command once you SSH into the host - watch "ntpq -p" (Ctrl+C to cancel).

Edit - check out this article - http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1318. Even with time sync unchecked in the VMtools it still does a one-time sync on startup, snapshots, and vMotion.

0 Kudos
ewilts
Enthusiast

RhodanNZ wrote:

We have a couple of vSphere ESXi 4.1 hosts in our environment, set to sync with pool.ntp.org.

Can you actually get to pool.ntp.org from inside your domain?  Do you have routes to get there and firewall ports open?  Can you ping the IP addresses of the hosts (I show 3 right now) in pool.ntp.org?

GlennL10
Contributor

With the watch "ntpq -p" command, I get this: sh: ntpq: not found

I've set the ESXi host to use a router here on our network from the Telecom's company, which we can get to. The host did not update the time. How can I check via command line or logs that it's communicating?

0 Kudos
GlennL10
Contributor

I cannot ping the pool.ntp.org hosts (it resolves the IP but does not reply) ... should I be able to or have they disabled ICMP replies?

0 Kudos
ewilts
Enthusiast

RhodanNZ wrote:

I cannot ping the pool.ntp.org hosts (it resolves the IP but does not reply) ... should I be able to or have they disabled ICMP replies?

All 3 hosts respond to a ping from my home system.

$ ping pool.ntp.org
PING pool.ntp.org (169.229.70.201): 56 data bytes
64 bytes from 169.229.70.201: icmp_seq=0 ttl=49 time=88 ms
64 bytes from 169.229.70.201: icmp_seq=1 ttl=49 time=86 ms

0 Kudos
Alceryes
Enthusiast

I use nist1-ny.ustiming.org for my time source, which I can ping fine.

I can't ping pool.ntp.org...

C:\Users\Administrator>ping pool.ntp.org

Pinging pool.ntp.org [169.229.70.95] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 169.229.70.95:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Users\Administrator>ping nist1-ny.ustiming.org

Pinging nist1-ny.ustiming.org [64.90.182.55] with 32 bytes of data:
Reply from 64.90.182.55: bytes=32 time=12ms TTL=56
Reply from 64.90.182.55: bytes=32 time=13ms TTL=56
Reply from 64.90.182.55: bytes=32 time=16ms TTL=56
Reply from 64.90.182.55: bytes=32 time=13ms TTL=56

Ping statistics for 64.90.182.55:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 12ms, Maximum = 16ms, Average = 13ms

C:\Users\Administrator>

Edit - SOB, I get sh: ntpq: not found as well. I know my virtual environment is syncing with my DC which is syncing with the external time source. Not sure why my host is not.

0 Kudos
GlennL10
Contributor

Are you able to telnet into port 123 at pool.ntp.org ?

0 Kudos
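
NTP is carried over UDP port 123, so an ICMP ping reply or a TCP telnet connection does not show whether a time server is answering. Added example, not part of the original thread: a minimal SNTP query in Python 3 that reports the server's stratum and the local clock offset. `constructed_reply` and the 840-second sample are constructed test data, and the script is assumed to run on a machine that shares the hosts' network path.

```python
import socket
import struct
import sys
import time

NTP_DELTA = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01

def build_request(t1):
    """48-byte client packet: LI=0, VN=3, Mode=3, transmit timestamp = t1."""
    return struct.pack("!B39xII", 0x1B, int(t1) + NTP_DELTA, int((t1 % 1) * 2**32))

def _ts(pkt, off):
    sec, frac = struct.unpack_from("!II", pkt, off)
    return sec - NTP_DELTA + frac / 2**32

def parse_reply(reply, request, t1, t4):
    """Return (stratum, offset_s, delay_s); t1/t4 = local send/receive time."""
    if len(reply) < 48 or reply[0] & 0x07 != 4:
        raise ValueError("not an NTP server reply")
    if reply[24:32] != request[40:48]:
        raise ValueError("originate timestamp mismatch (stale or spoofed reply)")
    if reply[1] == 0:
        raise ValueError("stratum 0: server is not offering usable time")
    t2, t3 = _ts(reply, 32), _ts(reply, 40)  # server receive / transmit time
    # offset < 0 means the local clock is ahead of the server
    return reply[1], ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)

def query(server, timeout=3.0):
    """One query over UDP/123; socket.timeout means no answer reached us."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        req = build_request(t1)
        s.sendto(req, (server, 123))
        reply, _ = s.recvfrom(512)
        t4 = time.time()
    return parse_reply(reply, req, t1, t4)

def constructed_reply(request, server_time):
    """Constructed sample (not captured traffic): stratum-2 reply, Mode=4."""
    ts = struct.pack("!II", int(server_time) + NTP_DELTA, 0)
    return struct.pack("!BB22x", 0x1C, 2) + request[40:48] + ts + ts

if __name__ == "__main__":
    if len(sys.argv) > 1:   # live check: pass the NTP server name as argument
        print("stratum %d offset %+.3fs delay %.3fs" % query(sys.argv[1]))
    else:                   # offline demo: local clock 14 minutes ahead
        req = build_request(1300000000.0)
        r = constructed_reply(req, 1300000000.0 - 840)
        print(parse_reply(r, req, 1300000000.0, 1300000000.02))
```

A timeout from `query` points at filtering or routing of UDP/123, while an offset near -840 seconds with a sane stratum means the server is reachable and the local clock is the one that is wrong.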
CRR3200
Contributor

Did you ever get a solution to this problem? My ESXi hosts are always 14 minutes ahead, despite being set up properly for NTP.

Thanks

0 Kudos
Alceryes
Enthusiast

Did you add your VMhost to a Windows domain?

http://www.vfrank.org/2010/09/01/esxi-4-1-ntp-active-directory/

Apparently, if the host is part of the domain it will ignore the NTP setting and sync with the PDC. My DC syncs to nist1-ny.ustiming.org and my host has apparently been getting time from my DC (they're all correct) so I haven't been able to verify this one way or the other.

Edit - In my case if the NTP service was stopped on the ESXi host the host time started to drift slow. Once I put in my DC's IP and started the NTP service it started syncing with my DC. So, take the above link with a grain of salt...

0 Kudos
CRR3200
Contributor

Thank you, that seems to have worked...my DC was the machine that was not synced properly.

0 Kudos
GlennL10
Contributor

The solution we used was to ensure the firewall allowed access out to the NTP servers on the internet, and then used our switch core to sync with the internet servers. We then set the ESXi hosts to sync with the switch core, and ensured that the correct services and ports were open on the ESXi hosts' security profile.

It all works perfectly now.

0 Kudos