Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
arcabah
Staff
Staff

Created on ‎10-23-2023 12:39 AM

Article Id 280309

Technical Tip: An alternate way to sync the NTP server to avoid FortiGate time is out of sync error

Description

 

This article describes an alternate way to sync the NTP server to a Google one, in order to avoid FortiGate time being out of sync error messages.

 

Scope

 

FortiGate.

 

Solution

 

  • Troubleshooting steps:

 

  1. Verify the NTP status by running the command:

 

diagnose sys ntp status
synchronized: no, ntpsync: enabled, server-mode: disabled

ipv4 server(ntp1.fortiguard.com) 208.91.112.61 -- unreachable(0x0) S:7 T:615  no data
ipv4 server(ntp2.fortiguard.com) 208.91.112.60 -- unreachable(0x0) S:7 T:927  no data
ipv4 server(ntp2.fortiguard.com) 208.91.112.62 -- unreachable(0x0) S:7 T:777  no data
ipv4 server(ntp1.fortiguard.com) 208.91.112.63 -- unreachable(0x0) S:7 T:105  no data

 

It is shown that the NTP server is not synced with the FortiGuard default NTP servers.

 

  1. Let's review the debug logging at the application layer:

     

    diagnose debug reset
    diagnose debug console timestamp enable
    diagnose debug application ntpd -1
    diagnose debug enable

     

  • Output:

 

2023-07-31 12:56:18 sys_update_timer_func:1803 synchronized=0
2023-07-31 12:56:18 Sorted NTP endpoints.
2023-07-31 12:56:18 NTP daemon uses a upper end of -2000000000.000000 and a lower end of 2000000000.000000.
2023-07-31 12:56:18 no server suitable for synchronization found
2023-07-31 12:56:18 waiting for 10 seconds ...
2023-07-31 12:56:28 sys_update_timer_func:1803 synchronized=0
2023-07-31 12:56:28 Sorted NTP endpoints.
2023-07-31 12:56:28 NTP daemon uses a upper end of -2000000000.000000 and a lower end of 2000000000.000000.
2023-07-31 12:56:28 no server suitable for synchronization found
2023-07-31 12:56:28 waiting for 10 seconds ...

 

On the outputs, it is shown the error message 'no server suitable for synchronization found'.

 

  • Solution procedure:

 

  1. Change the NTP configuration to set a custom type and add the Google NTP server:

     

    config system ntp
        set type custom
            config ntpserver
                edit 1
                    set server time.google.com
                next
    end

     

     

  2. Configure a static route to reach the NTP Google segment 216.239.35.0/24 to the desired WAN interface:

     

    config router static
        edit <Available_ID>
            set dst 216.239.35.0 255.255.255.0
            set device "wan1" --> change for the proper WAN interface.
    end

     

     

  3. After applying the recommended configuration, the NTP service is now synced:

     

    diagnose sys ntp status
    synchronized: yes, ntpsync: enabled, server-mode: disabled

    ipv6 server(time.google.com) 2001:4860:4806:4:: -- reachable(0xfe) S:0 T:212 no data
    ipv6 server(time.google.com) 2001:4860:4806:c:: -- reachable(0xfe) S:0 T:212 no data
    ipv6 server(time.google.com) 2001:4860:4806:8:: -- reachable(0xfe) S:0 T:212 no data
    ipv4 server(time.google.com) 216.239.35.12 -- reachable(0xfe) S:0 T:212 no data
    ipv4 server(time.google.com) 216.239.35.8 -- reachable(0xff) S:1 T:212 selected
    server-version=4, stratum=1
    reference time is e872a60e.36fc711c -- UTC Mon Jul 31 21:28:46 2023
    clock offset is 3653.056885 sec, root delay is 0.000000 sec
    root dispersion is 0.000076 sec, peer dispersion is 28 msec

3475
0 Kudos
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.