VMware Cloud Community
pdrace
Hot Shot

NTP question

I'm trying to switch to using an external source for NTP on my ESX hosts.

This works fine when using an internal physical Windows DC as the source. I haven't had much luck, but I think this is due to an Internet routing issue on most servers.

On the one server that is on a different subnet, starting the ntpd service seems to synchronize, but when I run watch "ntpq -p" this is the result.

Every 2s: ntpq -p                                   Tue Jul 24 09:46:22 2007

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*LOCAL(0)        LOCAL(0)        10 l    8   64    7    0.000    0.000   0.008
 time-a.nist.gov 0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00

I assume the - in when isn't a good thing.

Any ideas?

0 Kudos
1 Solution

Accepted Solutions
esiebert7625
Immortal

I basically get the same thing with that command, although I sync from the pool instead. These are the steps I followed to set this up. Is your ESX server resolving the time server host name correctly? Have you enabled NTP in the ESX firewall, and does your network allow NTP traffic outside your network?

How can I configure my ESX Server to automatically sync the time from an NTP source?

• Log in to the service console
• Edit /etc/ntp.conf with Nano or Vi
• Add the below lines to the OUR TIMESERVERS section
    o restrict default kod nomodify notrap
    o server 0.pool.ntp.org
    o server 1.pool.ntp.org
    o server 2.pool.ntp.org
• Save & exit
• Edit /etc/ntp/step-tickers with Nano or Vi
• Add the below lines
    o 0.pool.ntp.org
    o 1.pool.ntp.org
    o 2.pool.ntp.org
    o pool.ntp.org
• Save & exit
• Type "esxcfg-firewall --enableService ntpClient" or use VI Client to enable under Configuration > Security Profile > Properties
• Type "service ntpd restart" – may say failed for stop if not currently running
• Type "chkconfig --level 345 ntpd on" to enable NTP daemon to autostart
• Type "hwclock --systohc" to set hardware clock to system clock
• Type "ntpdate -q 0.pool.ntp.org" to see the offset between local and ntp clock


0 Kudos
11 Replies
pdrace
Hot Shot

I tried the pool addresses to begin with and had no luck; that's why I'm trying a different server with a static IP. The ESX firewall isn't an issue, as it works with an internal source.

Outbound NTP is allowed and the firewall administrator has shown me the logs with accepts on port 123.

I've added the IP address and name for the server I'm attempting to use to the hosts file but that hasn't helped. Using the external server we use for our Windows DC produces the same result.

Looks like I might have to keep a Windows physical DC! :(

0 Kudos
oreeh
Immortal

What firewall product do you use?

I know of at least one firewall product, widely used by governmental and other public institutions in the US, which has a serious bug which will prevent NTP from working under certain circumstances.

0 Kudos
pdrace
Hot Shot

It's hosted externally but I believe it's Checkpoint.

Wouldn't that cause a problem for our Windows DC also if that was the case?

0 Kudos
oreeh
Immortal

Checkpoint isn't the product I'm thinking of.

Wouldn't that cause a problem for our Windows DC also if that was the case?

If the Windows DC synchronizes with an external time source - yes.

0 Kudos
oreeh
Immortal

One thing I noticed in your first post is the LOCAL time source.

This shouldn't be there.

Double check your config against the KB article.

0 Kudos
esiebert7625
Immortal

Mine also has the LOCAL for that command.

Is your outbound NTP rule UDP and not TCP? Can your network admin sniff the traffic to see why the server is not talking to the NTP server?

0 Kudos
esiebert7625
Immortal

Also the fact that if you configure it to use an internal NTP source (your DC) which works fine and it is just when you configure it to use with an external NTP source really points to network/firewall configs and not the ESX server. I think putting a sniffer on there will definitely show why it is not working.

BUGCHK
Commander

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*LOCAL(0)        LOCAL(0)        10 l    8   64    7    0.000    0.000   0.008
 time-a.nist.gov 0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00

time-a has not been reached for 3 cycles now.

There is a connectivity problem.
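
As an added example, not part of BUGCHK's post or of the thread: a shell function that decodes the reach column discussed above, which ntpq prints as an octal 8-bit shift register of recent polls. The sample input is constructed from the output quoted in the first post, and the function name reach_report is hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): interpret the "reach" column of
# `ntpq -p`. reach is an 8-bit shift register shown in octal; bit 0 is the
# most recent poll and a set bit means that poll got a reply.

# Constructed sample, modelled on the output quoted in the first post.
SAMPLE='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*LOCAL(0)        LOCAL(0)        10 l    8   64    7    0.000    0.000    0.008
 time-a.nist.gov 0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00'

# reach_report (hypothetical name): read `ntpq -p` output on stdin and print
#   <peer> reach=<octal> answered=<n>/8 <verdict>
# for each peer. Exit status is 1 if any non-local peer has reach 0.
reach_report() {
    awk '
    NF < 10 || $7 !~ /^[0-7]+$/ { next }     # skip header and rule lines
    {
        peer = $1
        if (substr($0, 1, 1) != " ") peer = substr(peer, 2)  # drop tally char
        n = 0                                 # octal string -> number
        for (i = 1; i <= length($7); i++) n = n * 8 + substr($7, i, 1)
        answered = 0; missed = 0; hit = 0; m = n
        for (b = 0; b < 8; b++) {             # walk bits, newest poll first
            if (m % 2) { answered++; hit = 1 }
            else if (!hit) missed++           # silent polls since last reply
            m = int(m / 2)
        }
        if ($4 == "l")       verdict = "local-clock (not an external source)"
        else if (n == 0)   { verdict = "UNREACHABLE: check DNS, UDP/123, firewall"; bad = 1 }
        else if (missed > 0) verdict = "DEGRADED: last " missed " poll(s) unanswered"
        else                 verdict = "ok"
        printf "%s reach=%s answered=%d/8 %s\n", peer, $7, answered, verdict
    }
    END { exit bad + 0 }'
}

# Demo on the constructed sample; on a host: ntpq -p | reach_report
printf '%s\n' "$SAMPLE" | reach_report || echo "at least one time source never answered"
```

A healthy peer that has answered all of its last eight polls shows reach 377; a value such as 376 means only the most recent poll went unanswered.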

pdrace
Hot Shot

I reconfigured this box using the IP address for the server and now it looks like it's working. Looks like it can't find the server using a host name.

Every 2s: ntpq -p                                   Tue Jul 24 14:43:42 2007

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*time-a.nist.gov .ACTS.           1 u   99 1024  377  249.999  -59.098  46.586
 LOCAL(0)        LOCAL(0)        10 l   35   64  377    0.000    0.000   0.008

0 Kudos
pdrace
Hot Shot

Also the fact that if you configure it to use an internal NTP source (your DC) which works fine and it is just when you configure it to use with an external NTP source really points to network/firewall configs and not the ESX server. I think putting a sniffer on there will definitely show why it is not working.

It is definitely a firewall problem; it works on one segment using the hostname or IP address. It just doesn't work on the other segment at all.

This was actually the correct answer though I marked your other reply as correct.

0 Kudos