rajamanickam
Explorer II
March 9, 2022
Question

NTP not syncing - Fortinet SDWAN


Hi,

I am using our datacenter FortiGate as the NTP server. From all the branches, I could see NTP sync towards the datacenter. From the DC, I am using FortiGuard as the NTP servers. My DNS reachability is fine, but my NTP server is still in an unreachable state. I have created a firewall policy for this traffic, since the source interface for NTP is a different interface, which will forward the traffic to the internet interface (but I am not seeing hits on that policy). I understand NTP is self-originating traffic. Initially, for a few seconds, I could see the NTP server as reachable, but later it went into unreachable status. It hasn't synced since then.

Not sure what config I am missing.

diagnose sys ntp status
HA master: yes, HA master ip: 1.0.0.0, management_vfid: 0 ha_direct=0, ha_mgmt_vfid=-1
synchronized: no, ntpsync: enabled, server-mode: enabled

ipv4 server(ntp1.fortiguard.com) 208.91.112.63 -- unreachable(0x0) S:7 T:699
no data
ipv4 server(ntp2.fortiguard.com) 208.91.112.62 -- unreachable(0x0) S:7 T:699
no data
ipv4 server(ntp2.fortiguard.com) 208.91.112.60 -- unreachable(0x0) S:7 T:699
no data
ipv4 server(ntp1.fortiguard.com) 208.91.112.61 -- unreachable(0x0) S:7 T:699
no data

3 replies

jintrah_FTNT
Staff
March 9, 2022

@rajamanickam

It appears that the current link through which NTP traffic is sent does not succeed. You can try to force the traffic to the FortiGuard NTP servers through other links and check the NTP status: https://docs.fortinet.com/document/fortigate/7.0.5/administration-guide/848980/local-out-traffic

Best regards,

Jin

aahmadzada
Staff
March 9, 2022

Hi,

Try to configure the interface-select-method parameter as sdwan so the SD-WAN policies will be respected for the NTP traffic.

https://docs.fortinet.com/document/fortigate/6.4.8/cli-reference/125620/config-system-ntp

rajamanickam
Explorer II
March 10, 2022

When I point NTP to the FortiGuard servers, I am not getting the option to select the SDWAN interface-select-method option. I could see that only when I create custom NTP servers.

Regards

Raja

vtsonev
Staff
March 10, 2022

Hello Raja,

When you use "set type fortiguard" in the NTP settings, it will use the configuration under "config system fortiguard".

config system fortiguard
    set interface-select-method {auto|sdwan|specify}

Best regards,

Vasil

rajamanickam
Explorer II
March 10, 2022

Thanks Vasil, let me try this and update.
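
Added example, not part of any post in this thread and not Fortinet code: a small Python check that parses `diagnose sys ntp status` output in the format shown in the question and reports when a FortiGate that serves time to other sites is itself unsynchronized. The sample text is constructed from the lines in the question; the function names are hypothetical, and treating any state other than `unreachable` as usable is an assumption.

```python
import re

# Constructed sample, copied from the output format shown in the question.
SAMPLE = """\
synchronized: no, ntpsync: enabled, server-mode: enabled

ipv4 server(ntp1.fortiguard.com) 208.91.112.63 -- unreachable(0x0) S:7 T:699
no data
ipv4 server(ntp2.fortiguard.com) 208.91.112.62 -- unreachable(0x0) S:7 T:699
no data
"""

# "key: value" pairs on the summary line.
FLAGS_RE = re.compile(r"(synchronized|ntpsync|server-mode):\s*(\w+)")
# One line per upstream server: name, address, state word and hex code.
SERVER_RE = re.compile(
    r"^\w+ server\((?P<name>[^)]+)\)\s+(?P<addr>\S+)\s+--\s+"
    r"(?P<state>\w+)\((?P<code>0x[0-9a-fA-F]+)\)",
    re.MULTILINE,
)


def parse_ntp_status(text):
    """Return (flags, servers) parsed from the status output."""
    flags = dict(FLAGS_RE.findall(text))
    servers = [m.groupdict() for m in SERVER_RE.finditer(text)]
    return flags, servers


def findings(text):
    """Return human-readable problems worth alerting on."""
    flags, servers = parse_ntp_status(text)
    out = []
    if flags.get("synchronized") == "no":
        out.append("clock not synchronized")
    down = [s for s in servers if s["state"] == "unreachable"]
    if down:
        out.append("%d of %d upstream servers unreachable"
                   % (len(down), len(servers)))
    # With server-mode enabled, downstream clients inherit the bad clock.
    if out and flags.get("server-mode") == "enabled":
        out.append("server-mode enabled while upstream sync is failing")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE):
        print("WARN:", line)
```

Run against periodically collected output, this makes a lost upstream sync visible before log timestamps across the branches drift apart.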