FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
gcortes1
Staff
Article Id 383334
Description This article describes how to troubleshoot NTP synchronization issues on FortiAuthenticator.
Scope FortiAuthenticator.
Solution

To check the NTP status on FortiAuthenticator, use the 'diagnose system ntp status' command, which prints the current NTP synchronization status:

NTP-status.png

To validate whether the NTP server actually responds, capture the NTP traffic (UDP port 123) with tcpdump:

execute tcpdump -i any port 123

In this case, the capture shows requests leaving FortiAuthenticator with no reply coming back, meaning the NTP server is unreachable:

TCPDUMP-NTP-Fail.png

This is reflected in the FortiAuthenticator log as 'NTPD no server suitable for synchronization found':

Log_ntp_Fail.png

If the NTP server is not reachable, configure a different NTP server and then verify that the time has synchronized properly.

Log_ntp_sec.png

To list the current NTP status, run:

diagnose sys ntp status

NTP-STATUS-2.png

Run tcpdump again on the NTP port:

execute tcpdump -i any port 123

TCPDUMP-NTP-Response-b.png

In this case, synchronization with the NTP server 'time.google.com' succeeded:

TCPDUMP-NTP-Response-Log.png

If the problem persists, verify that FortiAuthenticator is permitted to reach the NTP server, i.e. that traffic to UDP port 123 of that server is not blocked along the path.
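The checks the article performs by reading the tcpdump output can also be scripted. The following is an added example written for this article, not FortiAuthenticator or Fortinet code: a minimal NTPv4 client that sends the same kind of request FortiAuthenticator sends to UDP port 123, and a checker that tells a missing reply (the 'unreachable' case in the capture above) apart from a reply that ntpd would still not accept as a synchronization source, such as a kiss-o'-death packet or a server whose own clock is unsynchronized. The host name, the timeout, the 192.0.2.1 reference ID and the constructed reply bytes are assumptions; the live query at the end needs network access and is best run from a host on the same network segment as FortiAuthenticator.

```python
"""Minimal NTPv4 client and reply checker (added example, not Fortinet code)."""
import socket
import struct
import time
from dataclasses import dataclass
from typing import Optional, Tuple

NTP_PORT = 123
NTP_DELTA = 2_208_988_800     # seconds from the NTP epoch (1900) to the Unix epoch (1970)
PACKET_FMT = "!BBbb11I"       # flags, stratum, poll, precision, then eleven 32-bit words


def to_ntp(unix_seconds: float) -> Tuple[int, int]:
    """Unix time -> (seconds, fraction) of a 64-bit NTP timestamp."""
    ntp = unix_seconds + NTP_DELTA
    sec = int(ntp)
    return sec, int((ntp - sec) * 2**32) & 0xFFFFFFFF


def from_ntp(sec: int, frac: int) -> float:
    """64-bit NTP timestamp -> Unix time."""
    return sec - NTP_DELTA + frac / 2**32


def build_request(t1: float) -> bytes:
    """Client request: LI=0, VN=4, Mode=3 (0x23); our send time t1 goes in the transmit field."""
    sec, frac = to_ntp(t1)
    return struct.pack(PACKET_FMT, 0x23, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, sec, frac)


@dataclass
class NtpReply:
    leap: int        # 3 = server clock not synchronized
    version: int
    mode: int        # 4 = server reply
    stratum: int     # 0 = kiss-o'-death, 16 = unsynchronized
    ref_id: bytes    # ASCII kiss code when stratum == 0
    offset: float    # seconds that would be added to the local clock
    delay: float     # round-trip delay in seconds


def parse_reply(data: bytes, t4: float) -> NtpReply:
    """Decode a 48-byte reply received at local time t4 using the RFC 5905 offset/delay formulas."""
    if len(data) < 48:
        raise ValueError("NTP packet shorter than 48 bytes")
    f = struct.unpack(PACKET_FMT, data[:48])
    t1 = from_ntp(f[9], f[10])    # origin: our own transmit time, echoed back
    t2 = from_ntp(f[11], f[12])   # server receive time
    t3 = from_ntp(f[13], f[14])   # server transmit time
    return NtpReply(
        leap=f[0] >> 6, version=(f[0] >> 3) & 7, mode=f[0] & 7,
        stratum=f[1], ref_id=struct.pack("!I", f[6]),
        offset=((t2 - t1) + (t3 - t4)) / 2,
        delay=(t4 - t1) - (t3 - t2),
    )


def assess(reply: Optional[NtpReply]) -> str:
    """Explain whether this source is usable for synchronization, mirroring the article's cases."""
    if reply is None:
        return "no reply: server unreachable or UDP/123 blocked"
    if reply.mode != 4:
        return "not a server reply (mode %d)" % reply.mode
    if reply.stratum == 0:
        return "kiss-o'-death %r: server refuses service" % reply.ref_id.decode("ascii", "replace")
    if reply.leap == 3 or reply.stratum >= 16:
        return "server clock itself is unsynchronized"
    return "ok: offset %+.3fs, delay %.3fs" % (reply.offset, reply.delay)


def query(host: str, timeout: float = 2.0) -> Optional[NtpReply]:
    """Live query. Returns None when nothing comes back (or the name does not resolve)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            t1 = time.time()
            sock.sendto(build_request(t1), (host, NTP_PORT))
            data, _ = sock.recvfrom(512)
        except OSError:               # socket.timeout and DNS failures are both OSError
            return None
        return parse_reply(data, time.time())


def build_sample_reply(t1: float, t2: float, t3: float, stratum: int = 2,
                       leap: int = 0, ref_id: bytes = b"\xc0\x00\x02\x01") -> bytes:
    """Constructed server reply for offline use; ref_id 192.0.2.1 is a documentation address."""
    flags = (leap << 6) | (4 << 3) | 4            # LI, VN=4, Mode=4 (server)
    return struct.pack(PACKET_FMT, flags, stratum, 6, -20, 0, 0,
                       struct.unpack("!I", ref_id)[0],
                       *to_ntp(t2), *to_ntp(t1), *to_ntp(t2), *to_ntp(t3))


if __name__ == "__main__":
    T1 = 1_700_000_000.0                          # constructed local send time
    good = parse_reply(build_sample_reply(T1, T1 + 0.75, T1 + 1.0), T1 + 0.5)
    print(assess(good))
    kod = parse_reply(build_sample_reply(T1, T1 + 0.75, T1 + 1.0, stratum=0, ref_id=b"RATE"), T1 + 0.5)
    print(assess(kod))
    print(assess(query("time.google.com")))      # live check; 'no reply' when unreachable
```

A capture that shows requests but no replies corresponds to `query()` returning None; a reply that arrives but is reported as unsuitable (kiss-o'-death, stratum 0 or 16, leap indicator 3) is the case where tcpdump alone looks healthy, so it is worth checking the reply contents before switching servers.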

Note that the FortiAuthenticator system time must be in sync for certain services to work:

  • FortiTokens are time-based by default. If the FortiAuthenticator system time is off by too much, the token codes (OTPs), which are valid for 60 seconds, may be rejected as invalid. A quick workaround is described in the Troubleshooting Tip 'FortiToken OTP drift adjustment', step 5; the preferred fix is to correct the system time with a working NTP server.
  • If FortiAuthenticator is domain-joined, it authenticates with Kerberos, which is time-sensitive: an offset of 60 seconds may break the domain join.
  • SAML issues tokens with a validity time. If the SP system time differs by more than that validity time, typically 10 minutes, SAML authentication no longer works.

Also note that the time reported by an NTP server cannot be validated and is taken as correct: if the environment has multiple NTP servers and one of them serves an incorrect time, services may be seen flapping between working and failing.
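To make the first bullet concrete, the following added example (written for this article, not Fortinet code) implements RFC 6238 TOTP and runs it with the validator's clock skewed by various amounts. FortiToken's exact parameters are not given on the page, so a 60-second step and 6-digit codes are assumed to match the 60-second validity mentioned above; the seed is constructed. The offset at which a code matches is the kind of drift an adjustment procedure records, and a None result is what the user experiences as an invalid token.

```python
"""RFC 6238 TOTP under validator clock skew (added example, not FortiToken code)."""
import hashlib
import hmac
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 60, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock (assumed 60-second step)."""
    return hotp(secret, int(unix_time) // step, digits)


def verify(secret: bytes, code: str, validator_time: float, step: int = 60,
           digits: int = 6, window: int = 1) -> Optional[int]:
    """Accept a code whose counter lies within +/- `window` steps of the validator's clock.
    Returns the step offset at which it matched (0 = exact), or None when rejected."""
    base = int(validator_time) // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, base + delta, digits), code):
            return delta
    return None


def skew_outcome(secret: bytes, validator_skew: float, token_time: float = 1_700_000_050.0,
                 window: int = 1) -> Optional[int]:
    """Token generated at the true time; the validator's clock is off by validator_skew seconds."""
    code = totp(secret, token_time)
    return verify(secret, code, token_time + validator_skew, window=window)


if __name__ == "__main__":
    SECRET = b"constructed-demo-seed-not-a-real-token"   # constructed, not a FortiToken seed
    for skew in (0, 45, 60, 180, -120):
        res = skew_outcome(SECRET, skew)
        print(f"validator skew {skew:+5.0f}s -> "
              + ("rejected" if res is None else f"accepted (matched at step offset {res:+d})"))
```

With a one-step tolerance window, a validator that is about one minute off still accepts the code but at a non-zero offset; at a few minutes of skew every code is rejected, which is why fixing NTP is preferred over adjusting drift per token.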

Comments
bkarl
Staff

Great Job Mr. G. Cortes! Keep doing well!

emmanuelgonzalez914

You are a genius! Great content.