Created on 10-23-2023 12:39 AM Edited on 09-18-2024 07:54 AM By Jean-Philippe_P
This article describes an alternative way to synchronize FortiGate NTP with a Google NTP server, in order to avoid error messages about the FortiGate time being out of sync.
FortiGate.
diagnose sys ntp status
synchronized: no, ntpsync: enabled, server-mode: disabled
ipv4 server(ntp1.fortiguard.com) 208.91.112.61 -- unreachable(0x0) S:7 T:615 no data
ipv4 server(ntp2.fortiguard.com) 208.91.112.60 -- unreachable(0x0) S:7 T:927 no data
ipv4 server(ntp2.fortiguard.com) 208.91.112.62 -- unreachable(0x0) S:7 T:777 no data
ipv4 server(ntp1.fortiguard.com) 208.91.112.63 -- unreachable(0x0) S:7 T:105 no data
The output shows that the NTP server is not synchronized with the default FortiGuard NTP servers.
Let's review the debug logging at the application layer:
diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application ntpd -1
diagnose debug enable
2023-07-31 12:56:18 sys_update_timer_func:1803 synchronized=0
2023-07-31 12:56:18 Sorted NTP endpoints.
2023-07-31 12:56:18 NTP daemon uses a upper end of -2000000000.000000 and a lower end of 2000000000.000000.
2023-07-31 12:56:18 no server suitable for synchronization found
2023-07-31 12:56:18 waiting for 10 seconds ...
2023-07-31 12:56:28 sys_update_timer_func:1803 synchronized=0
2023-07-31 12:56:28 Sorted NTP endpoints.
2023-07-31 12:56:28 NTP daemon uses a upper end of -2000000000.000000 and a lower end of 2000000000.000000.
2023-07-31 12:56:28 no server suitable for synchronization found
2023-07-31 12:56:28 waiting for 10 seconds ...
The debug output shows the error message 'no server suitable for synchronization found'.
Change the NTP configuration to set a custom type and add the Google NTP server:
config system ntp
    set type custom
    config ntpserver
        edit 1
            set server time.google.com
        next
    end
end
Configure a static route to reach the Google NTP segment 216.239.35.0/24 through the desired WAN interface:
config router static
    edit <Available_ID>
        set dst 216.239.35.0 255.255.255.0
        set gateway X.X.X.X <- Change to the gateway IP address of the proper WAN interface.
        set device "wan1" <- Change to the proper WAN interface.
    next
end
After applying the recommended configuration, the NTP service is now synced:
diagnose sys ntp status
synchronized: yes, ntpsync: enabled, server-mode: disabled
ipv6 server(time.google.com) 2001:4860:4806:4:: -- reachable(0xfe) S:0 T:212 no data
ipv6 server(time.google.com) 2001:4860:4806:c:: -- reachable(0xfe) S:0 T:212 no data
ipv6 server(time.google.com) 2001:4860:4806:8:: -- reachable(0xfe) S:0 T:212 no data
ipv4 server(time.google.com) 216.239.35.12 -- reachable(0xfe) S:0 T:212 no data
ipv4 server(time.google.com) 216.239.35.8 -- reachable(0xff) S:1 T:212 selected
server-version=4, stratum=1
reference time is e872a60e.36fc711c -- UTC Mon Jul 31 21:28:46 2023
clock offset is 3653.056885 sec, root delay is 0.000000 sec
root dispersion is 0.000076 sec, peer dispersion is 28 msec
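The two 'diagnose sys ntp status' outputs above can also be checked by a script, for example in a monitoring job. The following Python is an added example, not part of the original article and not Fortinet code; the function names and the 1-second offset threshold are assumptions, and the sample text is abridged from the outputs on this page.

```python
import re

# Abridged from the two 'diagnose sys ntp status' outputs shown on this page.
BEFORE = """synchronized: no, ntpsync: enabled, server-mode: disabled
ipv4 server(ntp1.fortiguard.com) 208.91.112.61 -- unreachable(0x0) S:7 T:615 no data
ipv4 server(ntp2.fortiguard.com) 208.91.112.60 -- unreachable(0x0) S:7 T:927 no data"""
AFTER = """synchronized: yes, ntpsync: enabled, server-mode: disabled
ipv6 server(time.google.com) 2001:4860:4806:4:: -- reachable(0xfe) S:0 T:212 no data
ipv4 server(time.google.com) 216.239.35.8 -- reachable(0xff) S:1 T:212 selected
clock offset is 3653.056885 sec, root delay is 0.000000 sec"""

SERVER_RE = re.compile(r"^ipv[46] server\(([^)]+)\) (\S+) -- (reachable|unreachable)"
                       r"\(0x[0-9a-fA-F]+\) S:\d+ T:\d+ (.*)$")
OFFSET_RE = re.compile(r"clock offset is (-?\d+(?:\.\d+)?) sec")

def parse_ntp_status(text):
    """Turn the status text into a dict: sync flag, per-server state, offset."""
    st = {"synchronized": False, "servers": [], "selected": None, "offset_sec": None}
    for line in map(str.strip, text.splitlines()):
        if line.startswith("synchronized:"):
            st["synchronized"] = line.split(",")[0].split(":", 1)[1].strip() == "yes"
        elif (m := SERVER_RE.match(line)):
            name, addr, state, note = m.groups()
            st["servers"].append({"name": name, "addr": addr,
                                  "reachable": state == "reachable"})
            if note.strip() == "selected":
                st["selected"] = addr
        elif (m := OFFSET_RE.search(line)):
            st["offset_sec"] = float(m.group(1))
    return st

def findings(st, max_offset_sec=1.0):
    """Return alert strings; max_offset_sec is an assumed threshold."""
    out = []
    if not st["synchronized"]:
        out.append("not synchronized")
    if st["servers"] and not any(s["reachable"] for s in st["servers"]):
        out.append("all NTP servers unreachable")
    if st["synchronized"] and st["selected"] is None:
        out.append("no server selected")
    if st["offset_sec"] is not None and abs(st["offset_sec"]) > max_offset_sec:
        out.append("clock offset %.0f sec" % st["offset_sec"])
    return out

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, findings(parse_ntp_status(text)))
```

With the assumed threshold, the "after" sample is still flagged for the 3653-second clock offset printed in that output.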