TryllZ
Hot Shot

NTP Sync Failure | Server Unreachable | Can Ping | DNS Resolving..

Hi,

I'm facing an issue where NTP does not sync. The NTP server is the firewall interface, which can be pinged by the vCenter, and DNS resolves fine as well. Below is what I got from the logs, but it only says Server Unreachable, nothing else.

 

2020-12-30T14:04:55.308 [2449]DEBUG:vmware.appliance.timesync.impl:com.vmware.appliance.timesync.get()
2020-12-30T14:04:55.308 [2449]DEBUG:vmware.appliance.timesync.impl:Executing operation /sbin/service ['ntpd', 'status']

2020-12-30T14:04:55.346 [2449]DEBUG:vmware.appliance.timesync.impl:Operation output = b'\xe2\x97\x8f ntpd.service - Network Time Service\n Loaded: loaded (/usr/lib/systemd/system/ntpd.service; enabled; vendor preset: enabled)\n Active: active (running) since Wed 2020-12-30 13:40:05 UTC; 24min ago\n Docs: man:ntpd\n Main PID: 1384 (ntpd)\n Tasks: 2\n Memory: 1.3M\n CPU: 180ms\n CGroup: /system.slice/ntpd.service\n \xe2\x94\x94\xe2\x94\x801384 /usr/bin/ntpd -g -u ntp:ntp\n\nDec 30 13:40:05 vCSAP.vlab.lab ntpd[1384]: restrict default: KOD does nothing without LIMITED.\nDec 30 13:40:05 vCSAP.vlab.lab ntpd[1384]: Listen and drop on 0 v6wildcard [::]:123\nDec 30 13:40:05 vCSAP.vlab.lab ntpd[1384]: Listen and drop on 1 v4wildcard 0.0.0.0:123\nDec 30 13:40:05 vCSAP.vlab.lab ntpd[1384]: Listen normally on 2 lo 127.0.0.1:123\nDec 30 13:40:05 vCSAP.vlab.lab ntpd[1384]: Listen normally on 3 eth0 192.168.31.133:123\nDec 30 13:40:05 vCSAP.vlab.lab ntpd[1384]: Listening on routing socket on fd #20 for interface updates\nDec 30 13:40:05 vCSAP.vlab.lab ntpd[1384]: kernel reports TIME_ERROR: 0x41: Clock Unsynchronized\nDec 30 13:40:05 vCSAP.vlab.lab ntpd[1384]: kernel reports TIME_ERROR: 0x41: Clock Unsynchronized\nDec 30 13:48:47 vCSAP.vlab.lab ntpd[1384]: kernel reports TIME_ERROR: 0x41: Clock Unsynchronized\nDec 30 07:49:13 vCSAP.vlab.lab ntpd[1384]: frequency error -66179369 PPM exceeds tolerance 500 PPM\n', error = b'' returncode = 0
2020-12-30T14:04:55.346 [2449]DEBUG:vmware.appliance.timesync.impl:NTP status Up
*** *** *** *** *** *** *** *** *** *** *** ***
2020-12-30T14:04:55.385 [2449]DEBUG:vmware.appliance.timesync.impl:com.vmware.appliance.ntp.get()
2020-12-30T14:04:55.418 [2449]DEBUG:vmware.vherd.transport.vapi:State 'UP_TO_DATE'
2020-12-30T14:04:55.418 [2449]DEBUG:vmware.appliance.timesync.impl:com.vmware.appliance.ntp.test(['192.168.31.146'])
2020-12-30T14:04:55.418 [2449]DEBUG:vmware.appliance.timesync.ntpTestUtils:Testing connection to: ['192.168.31.146']
2020-12-30T14:04:55.543 [2449]DEBUG:vmware.appliance.timesync.ntpTestUtils:NTP test out: b'server 192.168.31.146, stratum 12, offset -21574.474246, delay 0.02652\n', err: b'30 Dec 14:04:55 ntpdate[13883]: no server suitable for synchronization found\n', returncode: 1
2020-12-30T14:04:55.545 [2449]DEBUG:root:TestRunStatuses: servers=['192.168.31.146']
statuses=['SERVER_UNREACHABLE']
messages=[Structure('LocalizableMessage', dict(id='com.vmware.appliance.ntp_sync.failure', args=[], defaultMessage='Unable to sync to NTP server.'))]
2020-12-30T14:04:55.557 [2449]INFO:twisted:"127.0.0.1" - - [30/Dec/2020:14:04:54 +0000] "POST /rest/appliance/ntp/test HTTP/1.0" 200 186 "https://vcsap.vlab.lab:5480/ui/time" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.67 Safari/537.36 Edg/87.0.664.47"
2020-12-30T14:04:58.703 [2449]INFO:vmware.vherd.transport.ssh_access_collector:Feature switch: VCSA_SSH_ACCESS_EVENT disabled.
2020-12-30T14:04:58.893 [2449]INFO:vmware.appliance.vapi.auth:Authorization request for service_id: com.vmware.appliance.ntp, operation_id: test
2020-12-30T14:04:58.893 [2449]DEBUG:vmware.appliance.extensions.authorization.authorization_sso:Required privileges = ['ModifyConfiguration']
*** *** *** *** *** *** *** *** *** *** *** ***
2020-12-30T14:04:58.914 [2449]DEBUG:vmware.vherd.transport.vapi:State 'UP_TO_DATE'
2020-12-30T14:04:58.914 [2449]DEBUG:vmware.appliance.timesync.impl:com.vmware.appliance.ntp.test(['192.168.31.146'])
2020-12-30T14:04:58.914 [2449]DEBUG:vmware.appliance.timesync.ntpTestUtils:Testing connection to: ['192.168.31.146']
2020-12-30T14:04:59.41 [2449]DEBUG:vmware.appliance.timesync.ntpTestUtils:NTP test out: b'server 192.168.31.146, stratum 12, offset -21574.474228, delay 0.02660\n', err: b'30 Dec 14:04:59 ntpdate[13903]: no server suitable for synchronization found\n', returncode: 1
2020-12-30T14:04:59.44 [2449]DEBUG:root:TestRunStatuses: servers=['192.168.31.146']
statuses=['SERVER_UNREACHABLE']
messages=[Structure('LocalizableMessage', dict(id='com.vmware.appliance.ntp_sync.failure', args=[], defaultMessage='Unable to sync to NTP server.'))]
*** *** *** *** *** *** *** *** *** *** *** ***
2020-12-30T14:05:03.703 [2449]INFO:vmware.vherd.transport.ssh_access_collector:Feature switch: VCSA_SSH_ACCESS_EVENT disabled.
2020-12-30T14:05:08.704 [2449]INFO:vmware.vherd.transport.ssh_access_collector:Feature switch: VCSA_SSH_ACCESS_EVENT disabled.
2020-12-30T14:05:13.704 [2449]INFO:vmware.vherd.transport.ssh_access_collector:Feature switch: VCSA_SSH_ACCESS_EVENT disabled.
2020-12-30T14:05:18.707 [2449]INFO:vmware.vherd.transport.ssh_access_collector:Feature switch: VCSA_SSH_ACCESS_EVENT disabled.
2020-12-30T14:05:23.705 [2449]INFO:vmware.vherd.transport.ssh_access_collector:Feature switch: VCSA_SSH_ACCESS_EVENT disabled.

 

Is there any way to get this working? I believe this is what is causing the failure to join the Active Directory domain as well.

Nothing being blocked in firewall either.

Thank You

0 Kudos
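A way to triage the `ntpTestUtils` lines in the log above, as an added example (not code from the thread or from VMware): ntpdate prints stratum 0 and zero delay for a server that never answered, so a non-zero stratum and delay mean a reply arrived on UDP 123 even though the appliance reports `SERVER_UNREACHABLE`. The 300-second threshold is an assumption (the default Kerberos clock-skew tolerance), and the second sample line and its address 192.0.2.10 are constructed.

```python
import re

# Constructed sample: the first line copies the ntpTestUtils format from the
# post above; the second (192.0.2.10) is a made-up server that never answered.
SAMPLE = (
    "2020-12-30T14:04:55.543 [2449]DEBUG:vmware.appliance.timesync.ntpTestUtils:"
    "NTP test out: b'server 192.168.31.146, stratum 12, offset -21574.474246, "
    "delay 0.02652\\n', err: b'30 Dec 14:04:55 ntpdate[13883]: no server "
    "suitable for synchronization found\\n', returncode: 1\n"
    "2020-12-30T14:06:10.101 [2449]DEBUG:vmware.appliance.timesync.ntpTestUtils:"
    "NTP test out: b'server 192.0.2.10, stratum 0, offset 0.000000, "
    "delay 0.00000\\n', err: b'30 Dec 14:06:10 ntpdate[13950]: no server "
    "suitable for synchronization found\\n', returncode: 1\n"
)

NTPDATE = re.compile(
    r"server (?P<server>[^,\s]+), stratum (?P<stratum>\d+), "
    r"offset (?P<offset>-?\d+\.\d+), delay (?P<delay>\d+\.\d+)"
)
KERBEROS_MAX_SKEW = 300  # seconds; assumed default tolerance of 5 minutes


def classify(line):
    """Return a verdict for one ntpdate test line, or None if it is not one."""
    m = NTPDATE.search(line)
    if m is None:
        return None
    stratum, offset, delay = int(m["stratum"]), float(m["offset"]), float(m["delay"])
    # ntpdate reports stratum 0 with zero delay for a server that sent nothing back.
    replied = stratum != 0 or delay != 0.0
    if not replied:
        verdict = "no_reply"
    elif "no server suitable" in line:
        verdict = "replied_but_rejected"
    else:
        verdict = "ok"
    return {"server": m["server"], "stratum": stratum, "offset": offset,
            "verdict": verdict,
            "exceeds_kerberos_skew": abs(offset) > KERBEROS_MAX_SKEW}


def triage(text):
    """Classify every ntpdate test line found in a block of log text."""
    return [r for r in map(classify, text.splitlines()) if r]


if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```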
7 Replies
msripada
Commander

You can try checking port 123 to NTP, in case it is not reachable. If ping is working then ICMP is working, but port 123 may have communication issues.

0 Kudos
TryllZ
Hot Shot

Thanks, but where do I check port 123, on the firewall?

Firewall has all ports and protocols open/allowed.

0 Kudos
TryllZ
Hot Shot

Also, I have tried this with the firewall off (OPNSense).

Then I tried with Windows Firewall off; in both cases I got the attached error.

LW_ERROR_UNKNOWN [code 0x00009cfc].

0 Kudos
msripada
Commander

Check this and see if it helps:

https://communities.vmware.com/t5/vCenter-Server-Discussions/Error-trying-to-join-AD-error-code-4018...

On VCSA, you can try a packet capture. I don't know if nc commands work on VCSA.

If it works, you can use nc -uz ntpserverfqdn/ip 123 to test connectivity.

Do AD and NTP have the same time?

thanks,

MS

0 Kudos
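A stronger check of UDP 123 than a port probe, as an added example (not code from the thread): UDP has no handshake, so reachability is only proven by an actual NTP reply, and the reply's leap indicator and stratum show whether a client would accept it as a time source. `constructed_reply` is a hypothetical helper whose packets are built for illustration; they are not captured from the poster's server.

```python
import socket
import struct
import time

NTP_EPOCH_DELTA = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)


def build_request(version=4):
    # First byte: LI=0, VN=version, Mode=3 (client); the other 47 bytes are zero.
    return bytes([(version << 3) | 3]) + bytes(47)


def parse_reply(data, t1, t4):
    """t1/t4: client send/receive times (Unix seconds)."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    leap, mode, stratum = data[0] >> 6, data[0] & 0x7, data[1]
    rx_s, rx_f, tx_s, tx_f = struct.unpack("!4I", data[32:48])
    t2 = rx_s + rx_f / 2**32 - NTP_EPOCH_DELTA   # server receive time
    t3 = tx_s + tx_f / 2**32 - NTP_EPOCH_DELTA   # server transmit time
    return {
        "leap": leap, "stratum": stratum,
        "offset": ((t2 - t1) + (t3 - t4)) / 2,
        "delay": (t4 - t1) - (t3 - t2),
        # LI=3 means the server's own clock is unsynchronized; stratum 0 and
        # 16+ are not valid sources. Clients refuse to sync to such replies.
        "usable": mode == 4 and leap != 3 and 1 <= stratum <= 15,
    }


def probe(host, timeout=3.0):
    """Send one query to UDP 123; None means nothing came back in time."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(build_request(), (host, 123))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
        return parse_reply(data, t1, time.time())


def constructed_reply(server_time, leap, stratum):
    # Constructed test packet (Mode=4 server reply), not captured traffic.
    ts = struct.pack("!II", int(server_time) + NTP_EPOCH_DELTA, 0)
    return bytes([(leap << 6) | (4 << 3) | 4, stratum]) + bytes(30) + ts + ts


if __name__ == "__main__":
    now = 1609337095.0  # 2020-12-30T14:04:55Z
    print(parse_reply(constructed_reply(now - 21574, 3, 12), now, now))
```

`probe()` returning a result with `usable` set to false is the wire-level equivalent of a server that answers but is rejected; `None` is the case where nothing answered at all.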
TryllZ
Hot Shot

Thanks for the link,

I have been through the link before, unfortunately did not help.

I have done this before, just not through a firewall, plus there's the Windows default firewall as well. So that's getting me confused.

I had been trying to set up NTP and only after posting came to know about vCenter syncing from the AD domain and not through NTP directly.

So now I'm trying to get the AD joining to work.

I'll test port 123 and see what's going on.

Appreciate the help @msripada 

0 Kudos
TryllZ
Hot Shot

I finally found the issue with VCSA not joining AD, and it makes no sense to me as to why.

I had 2 interfaces on the Windows Server for redundancy: 192.168.31.162 (main) and 10.0.31.162 (backup, IP configured, but not connected anywhere).

When I ran the netstat -tcp command in the VCSA SSH session, it showed LDAP communicating back via the 10.0.31.162 interface. I completely removed the backup interface to test and it joined AD instantly. Not sure if this is a Windows Server behavior.

Any thoughts on why it's doing this?

Thanks again 

0 Kudos
msripada
Commander

Hi,

Not sure why the communication is going to the second NIC; however, we are unsure if there is any DNS or other entry for that NIC/IP address which might have led to the problem, or as you mentioned it may be Windows behavior. Good to know the issue is fixed now.

thanks,

Ms

0 Kudos